Context Navigation

← Previous Ticket
Next Ticket →

#28028 closed Bug (needsinfo)

Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'

Reported by:	Rafael Herrero Solís	Owned by:	Rafael Herrero Solís
Component:	HTTP handling	Version:	1.10
Severity:	Normal	Keywords:	Multiple Host Headers
Cc:		Triage Stage:	Unreviewed
Has patch:	no	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Using Nginx/Gunicorn to serve Django website without domain (ip) I detected that when i use

proxy_set_header Host $host;
include proxy_params;

' the resulting header become a comma separated list like so: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx' giving the following error:
2017-04-05 14:15:49,517 ERROR [exception] Invalid HTTP_HOST header:'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx'. The domain name provided is not valid according to RFC 1034/1035. /home/cpc/Virtualenvs/env/lib/python2.7/site-packages/django/core/handlers/exception.py 73

Removing the include proxy_params; directive may fix this, but it wouldn't be hard to modify 'django.http.request.validate_host' to split the hosts and check if all of them are in allowed hosts.

I could do it my self if you consider this host header should be accepted in case all the hosts at the host header are allowed hosts, maybe even expect a settings.MULTIPLE_HOST_HEADER == True

Here is an example of the nginx site.conf that would trigger it:

server {
    listen 80;
    server_name xxx.xxx.xxx.xxx;

    location = /favicon.ico {
        access_log off; log_not_found off;
        alias /var/www/site/static/favicon.ico;
    }

    # Static root settigns
    location /static/ {
        root /var/www/static/;
    }

    # WebSocket settings
    location /notifications/ {
        rewrite  ^/(.*)  /$1 break;

        proxy_pass http://127.0.0.1:8005;
        proxy_redirect off;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600;
    }

    # Gunicorn proxy settings
    location / {
        proxy_set_header Host $host;
        include proxy_params;
    }

    error_page 500 502 503 504 /custom_50x.html;

    location = /custom_50x.html {
                root /usr/share/nginx/html;
                internal;
    }
}

Change History (3)

comment:1 by Aymeric Augustin, 7 years ago

Does the HTTP RFC specify that the Host header may have this format?

If not, I don't think Django should make a change.

You should use a different, non-standard header.

comment:2 by Rafael Herrero Solís, 7 years ago

Owner:	changed from nobody to Rafael Herrero Solís
Status:	new → assigned

comment:3 by Tim Graham, 7 years ago

Easy pickings:	unset
Resolution:	→ needsinfo
Status:	assigned → closed

Closing, pending follow up to Aymeric's question.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues

Context Navigation

#28028 closed Bug (needsinfo)

Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'

Description

Change History (3)

comment:1 by Aymeric Augustin, 7 years ago

comment:2 by Rafael Herrero Solís, 7 years ago

comment:3 by Tim Graham, 7 years ago

Download in other formats:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us