evecm / ecm

Management and decision-making helper-application for the game EVE Online.

Django Error in ecm.log --> SuspiciousOperation: Invalid HTTP_HOST header

Dharr-Guartonzec opened this issue · comments

2015-09-18 14:38:01,399 [ERROR] django.request - Internal Server Error: /
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 90, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()
  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): xxx.xxx.xxx.xxx

Any idea?

commented

Yes - make sure the external_host is correctly set to your site's URL in settings.ini. That value is appended to ALLOWED_HOSTS in settings.py.

external_host_name = "" in settings.ini matches exactly the hostname of the site and the FQDN of the server.

settings.py looks like this:

ALLOWED_HOSTS = [ '127.0.0.1', 'localhost' ]
if config.has_option('misc', 'external_host_name'):
    ALLOWED_HOSTS += config.get('misc', 'external_host_name').split()

So the external_host_name should not be the issue.

The site is being requested directly by IP address if I am reading the masking in your log paste correctly.

You can either add your public IP address to the allowed hosts, or change your web server config so that only requests to the value of ALLOWED_HOSTS are getting passed through to ECM.

On 19 September 2015 at 07:52, Dharr-Guartonzec notifications@github.com
wrote:

> external_host_name = "" in settings.ini matches exactly the hostname of the site and the FQDN of the server.
>
> settings.py looks like this:
>
> ALLOWED_HOSTS = [ '127.0.0.1', 'localhost' ]
> if config.has_option('misc', 'external_host_name'):
>     ALLOWED_HOSTS += config.get('misc', 'external_host_name').split()
>
> So the external_host_name should not be the issue.


Okay, entering the host IP address has helped for now, but what is this here now, that looks to me in fact very suspicious:

  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)
SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): testp3.pospr.waw.pl

<WSGIRequest
path:/testproxy.php,
GET:<QueryDict: {}>,
POST:<QueryDict: {}>,
COOKIES:{},
META:{'CONTEXT_DOCUMENT_ROOT': '/var/www',
'CONTEXT_PREFIX': '',
'DOCUMENT_ROOT': '/var/www',
'GATEWAY_INTERFACE': 'CGI/1.1',
'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_ACCEPT_LANGUAGE': 'pl,en-US;q=0.7,en;q=0.3',
'HTTP_HOST': 'testp3.pospr.waw.pl',
'HTTP_PROXY_CONNECTION': 'Keep-Alive',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0',
'PATH_INFO': u'/testproxy.php',
'PATH_TRANSLATED': '/var/www/ecm/wsgi/ecm.wsgi/testproxy.php',
'QUERY_STRING': '',
'REMOTE_ADDR': '91.196.50.33',
'REMOTE_PORT': '46045',
'REQUEST_METHOD': 'GET',
'REQUEST_SCHEME': 'http',
'REQUEST_URI': 'http://testp3.pospr.waw.pl/testproxy.php',
'SCRIPT_FILENAME': '/var/www/ecm/wsgi/ecm.wsgi',
'SCRIPT_NAME': u'',
'SERVER_ADDR': 'xx.xx.xx.xx',
'SERVER_ADMIN': '[no address given]',
'SERVER_NAME': 'testp3.pospr.waw.pl',
'SERVER_PORT': '80',
'SERVER_PROTOCOL': 'HTTP/1.1',
'SERVER_SIGNATURE': 'Apache/2.4.7 (Ubuntu) Server at testp3.pospr.waw.pl Port 80\n',
'SERVER_SOFTWARE': 'Apache/2.4.7 (Ubuntu)',
'mod_wsgi.application_group': 'ecm.hostname.something|',
'mod_wsgi.callable_object': 'application',
'mod_wsgi.enable_sendfile': '0',
'mod_wsgi.handler_script': '',
'mod_wsgi.input_chunked': '0',
'mod_wsgi.listener_host': '',
'mod_wsgi.listener_port': '80',
'mod_wsgi.process_group': 'mod_wsgi_ecm',
'mod_wsgi.queue_start': '1443111472050571',
'mod_wsgi.request_handler': 'wsgi-script',
'mod_wsgi.script_reloading': '1',
'mod_wsgi.version': (3, 4),
'wsgi.errors': <mod_wsgi.Log object at 0x7f261b3f3130>,
'wsgi.file_wrapper': <built-in method file_wrapper of mod_wsgi.Adapter object at 0x7f2619103dc8>,
'wsgi.input': <mod_wsgi.Input object at 0x7f261b3f3630>,
'wsgi.multiprocess': True,
'wsgi.multithread': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}>

That's from a bot scanning servers for vulnerable PHP scripts. That's one of the reasons Django is configured to only answer requests with the correct host name.
There is no reason why a user should browse your installation by just the IP address, so there should be no need to add it to allowed hosts.
What server do you have in front of the ECM installation? I suggest checking the virtual host settings and only forwarding requests with the correct domain to your ECM installation.
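
Added example, not part of the thread or of ECM's code: a small triage script that rebuilds ALLOWED_HOSTS the way the quoted settings.py snippet does and sorts the Host values rejected in ecm.log into requests by IP address, near-miss names under your own domain, and foreign names such as the scanner's. The hostname `ecm.example.org`, the address `203.0.113.10` and the log lines are constructed placeholders, and Python 3's `configparser` is assumed.

```python
import configparser
import ipaddress
import re
from collections import Counter

# Constructed sample data (documentation-range address, example.* names).
SETTINGS_INI = "[misc]\nexternal_host_name = ecm.example.org\n"
MSG = "SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): "
ECM_LOG = "\n".join([
    '    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)',
    MSG + "203.0.113.10",
    MSG + "203.0.113.10:80",
    MSG + "proxy-check.example.net",
    MSG + "www.ecm.example.org",
])

# Anchor on the exception line so the traceback's source line ("... %s" % host) is skipped.
REJECTED = re.compile(r"^SuspiciousOperation: Invalid HTTP_HOST header \(.*?\): (\S+)", re.M)


def allowed_hosts(ini_text):
    """Build ALLOWED_HOSTS the way the settings.py snippet in the thread does."""
    config = configparser.ConfigParser()
    config.read_string(ini_text)
    hosts = ["127.0.0.1", "localhost"]
    if config.has_option("misc", "external_host_name"):
        hosts += config.get("misc", "external_host_name").split()
    return hosts


def classify(host, allowed):
    """Return (category, normalised name) for a Host value Django rejected."""
    name = re.sub(r":\d+$", "", host.lower())  # drop :port; IPv6 must be bracketed
    try:
        ipaddress.ip_address(name.strip("[]"))
        return "ip-literal", name  # server was reached by address, not by name
    except ValueError:
        pass
    if any(name.endswith("." + a) for a in allowed):
        return "own-subdomain", name  # candidate alias to review in settings.ini
    return "foreign-host", name  # someone else's name: scanner or proxy probe


def triage(log_text, allowed):
    """Count rejected Host values per (category, normalised name)."""
    return Counter(classify(h, allowed) for h in REJECTED.findall(log_text))


if __name__ == "__main__":
    for (category, name), n in sorted(triage(ECM_LOG, allowed_hosts(SETTINGS_INI)).items()):
        print(f"{category:14} {name:28} {n}")
```

Only the `own-subdomain` bucket points at a name that may belong in external_host_name; the other two are traffic the web server can drop before it reaches Django.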

Hi, thanks for the advice. I will remove the IP from the allowed hosts then.

I use Ubuntu 14.04. There is no control panel installed, so I might need to look up how to configure Apache to only answer to the hostname.

commented

IMO you should set the "default" virtual host to a blank site. This will force IP address or fake DNS reqs to not hit your ECM instance.