Opened 8 years ago
Closed 8 years ago
#28028 closed Bug (needsinfo)
Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'
Reported by: | Rafael Herrero Solís | Owned by: | Rafael Herrero Solís |
---|---|---|---|
Component: | HTTP handling | Version: | 1.10 |
Severity: | Normal | Keywords: | Multiple Host Headers |
Cc: | Triage Stage: | Unreviewed | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Using Nginx/Gunicorn to serve a Django website without a domain (IP), I detected that when I use
proxy_set_header Host $host; include proxy_params;
the resulting header becomes a comma-separated list like so: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx', giving the following error:
2017-04-05 14:15:49,517 ERROR [exception] Invalid HTTP_HOST header:'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx'. The domain name provided is not valid according to RFC 1034/1035. /home/cpc/Virtualenvs/env/lib/python2.7/site-packages/django/core/handlers/exception.py 73
Removing the include proxy_params; directive may fix this, but it wouldn't be hard to modify 'django.http.request.validate_host' to split the hosts and check if all of them are in allowed hosts.
I could do it myself if you consider that this host header should be accepted in case all the hosts in the host header are allowed hosts, maybe even expect a settings.MULTIPLE_HOST_HEADER == True.
Here is an example of the nginx site.conf that would trigger it:
```nginx
server {
    listen 80;
    server_name xxx.xxx.xxx.xxx;

    location = /favicon.ico {
        access_log off;
        log_not_found off;
        alias /var/www/site/static/favicon.ico;
    }

    # Static root settings
    location /static/ {
        root /var/www/static/;
    }

    # WebSocket settings
    location /notifications/ {
        rewrite ^/(.*) /$1 break;
        proxy_pass http://127.0.0.1:8005;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600;
    }

    # Gunicorn proxy settings
    location / {
        proxy_set_header Host $host;
        include proxy_params;
    }

    error_page 500 502 503 504 /custom_50x.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
}
```
Change History (3)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 8 years ago
Easy pickings: | unset |
---|---|
Resolution: | → needsinfo |
Status: | assigned → closed |
Closing, pending follow up to Aymeric's question.
Does the HTTP RFC specify that the Host header may have this format?
If not, I don't think Django should make a change.
You should use a different, non-standard header.
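
An added example (not part of the ticket and not Django's code) of the condition discussed in this thread: it assumes the comma-separated value arises because the proxy sends two Host headers that the WSGI server folds into one, and shows a strict check that rejects that case, in line with RFC 7230 section 5.4 (a request with more than one Host header field is answered with 400). The function names, the simplified host pattern and the sample addresses are assumptions made for the example.

```python
import re

# Simplified stand-in for a strict Host check (hostname or IPv4, optional port).
# Assumption for this example; it is not Django's own pattern and skips IPv6.
HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d+)?$")


def wsgi_environ(header_lines):
    """Fold raw header lines into CGI-style keys; repeats are comma-joined."""
    environ = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        value = value.strip()
        environ[key] = environ[key] + "," + value if key in environ else value
    return environ


def check_host(header_lines, allowed_hosts):
    """Return (ok, reason) for the Host header(s) of one proxied request."""
    hosts = [l.partition(":")[2].strip() for l in header_lines
             if l.partition(":")[0].strip().lower() == "host"]
    if len(hosts) != 1:
        # RFC 7230 section 5.4: more than one Host field is a bad request.
        return False, "expected exactly one Host header, got %d" % len(hosts)
    host = hosts[0].lower()
    if not HOST_RE.match(host):
        # A comma-joined value lands here: it is not a valid host name.
        return False, "malformed Host value: %r" % host
    domain = host.rsplit(":", 1)[0] if ":" in host else host
    if domain not in allowed_hosts:
        return False, "host %r not in allowed hosts" % domain
    return True, "ok"


# Constructed samples (documentation addresses, not values from the ticket).
DUPLICATED = ["Host: 203.0.113.10", "Host: 203.0.113.10", "X-Real-IP: 198.51.100.7"]
SINGLE = ["Host: 203.0.113.10", "X-Real-IP: 198.51.100.7"]
ALLOWED = {"203.0.113.10"}

if __name__ == "__main__":
    print(wsgi_environ(DUPLICATED)["HTTP_HOST"])
    print(check_host(DUPLICATED, ALLOWED))
    print(check_host(SINGLE, ALLOWED))
```

Running the check on the upstream side of a proxy makes a doubled `proxy_set_header Host` visible as a configuration fault instead of an opaque validation error.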