Removing the include proxy_params; directive may fix this, but it
wouldn't be hard to modify 'django.http.request.validate_host' to split
the hosts and check if all of them are in allowed hosts.
I could do it myself if you consider this host header should be accepted
in case all the hosts at the host header are allowed hosts, maybe even
expect a settings.MULTIPLE_HOST_HEADER == True.
Here is an example of the nginx site.conf that would trigger it:
{{{
server {
    listen 80;
    server_name xxx.xxx.xxx.xxx;

    location = /favicon.ico {
        access_log off; log_not_found off;
        alias /var/www/site/static/favicon.ico;
    }

    # Static root settings
    location /static/ {
        root /var/www/static/;
    }

    # WebSocket settings
    location /notifications/ {
        rewrite ^/(.*) /$1 break;
        proxy_pass http://127.0.0.1:8005;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600;
    }

    # Gunicorn proxy settings
    location / {
        proxy_set_header Host $host;
        include proxy_params;
    }

    error_page 500 502 503 504 /custom_50x.html;
    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
}
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/28028>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
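To make the proposal above concrete, here is an added example (not Django's code and not part of the ticket) with a simplified standalone re-implementation of the host-matching rules from django.http.request, beside the "split and require every host to be allowed" variant the reporter describes. It assumes the two `Host` directives reach the WSGI layer joined as a single comma-separated value such as `www.example.com, www.example.com`.

```python
import re

# Simplified re-implementation of Django's host checks (added example, not
# Django's own code). Pattern rules: "*" matches anything, ".example.com"
# matches the domain and its subdomains, anything else must match exactly.
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host: str):
    """Return (domain, port); ('', '') if the value is not one syntactically valid host."""
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host[-1] == "]":  # bracketed IPv6 literal without a port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    domain = domain[:-1] if domain.endswith(".") else domain  # drop FQDN trailing dot
    return domain, port


def is_same_domain(host: str, pattern: str) -> bool:
    pattern = pattern.lower()
    if not pattern:
        return False
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host: str, allowed_hosts) -> bool:
    """Current behaviour: the domain part of the header must match one ALLOWED_HOSTS entry."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def host_header_allowed(header_value: str, allowed_hosts) -> bool:
    """Parse a raw Host value the way get_host() does, then validate it.

    A comma-joined value fails the syntax check, so it is rejected outright
    (Django raises DisallowedHost at this point)."""
    domain, _port = split_domain_port(header_value)
    return bool(domain) and validate_host(domain, allowed_hosts)


def all_hosts_allowed(header_value: str, allowed_hosts) -> bool:
    """The reporter's proposal: split on ',' and require every host to be allowed."""
    parts = [p.strip() for p in header_value.split(",")]
    return bool(parts) and all(host_header_allowed(p, allowed_hosts) for p in parts)
```

Even with the split variant, the ticket's own first option (removing the duplicate `Host` directive so the proxy forwards exactly one header) is the one that leaves nothing ambiguous for Django to interpret.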
Comment (by Aymeric Augustin):
Does the HTTP RFC specify that the Host header may have this format?
If not, I don't think Django should make a change.
You should use a different, non-standard header.
--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:1>
* status: new => assigned
* owner: nobody => Rafael Herrero Solís
--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:2>
* status: assigned => closed
* resolution: => needsinfo
* easy: 1 => 0
Comment:
Closing, pending follow up to Aymeric's question.
--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:3>