[Django] #28028: Support HTTP_HOST header: 'xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, ...'


Django

Apr 5, 2017, 9:40:39 AM
to django-...@googlegroups.com
#28028: Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'
-------------------------------------+-------------------------------------
Reporter: Rafael Herrero Solís       | Owner: nobody
Type: Bug                            | Status: new
Component: HTTP handling             | Version: 1.10
Severity: Normal                     | Keywords: Multiple Host Headers
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 1
UI/UX: 0                             |
-------------------------------------+-------------------------------------
Using Nginx/Gunicorn to serve a Django website without a domain (IP), I
detected that when I use
{{{
proxy_set_header Host $host;
include proxy_params;
}}}
the resulting header becomes a comma-separated list like so:
'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx', giving the following error:
{{{
2017-04-05 14:15:49,517 ERROR [exception] Invalid HTTP_HOST header:'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx'. The domain name provided is not valid according to RFC 1034/1035. /home/cpc/Virtualenvs/env/lib/python2.7/site-packages/django/core/handlers/exception.py 73
}}}

Removing the include proxy_params; directive may fix this, but it
wouldn't be hard to modify 'django.http.request.validate_host' to split
the hosts and check if all of them are in allowed hosts.

I could do it myself if you consider that this Host header should be accepted
in case all the hosts in the Host header are allowed hosts, maybe even
expecting a settings.MULTIPLE_HOST_HEADER == True.

Here is an example of the nginx site.conf that would trigger it:

{{{
server {
    listen 80;
    server_name xxx.xxx.xxx.xxx;

    location = /favicon.ico {
        access_log off; log_not_found off;
        alias /var/www/site/static/favicon.ico;
    }

    # Static root settings
    location /static/ {
        root /var/www/static/;
    }

    # WebSocket settings
    location /notifications/ {
        rewrite ^/(.*) /$1 break;

        proxy_pass http://127.0.0.1:8005;
        proxy_redirect off;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600;
    }

    # Gunicorn proxy settings
    location / {
        proxy_set_header Host $host;
        include proxy_params;
    }

    error_page 500 502 503 504 /custom_50x.html;

    location = /custom_50x.html {
        root /usr/share/nginx/html;
        internal;
    }
}
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/28028>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
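
The failure reported above, reproduced outside Django as an added example (not code from the ticket or from Django itself). It assumes the included proxy_params file also sets Host, so that two Host lines reach the upstream, and that the WSGI server joins repeated headers with a comma; the function names are hypothetical, the host check is a simplified stand-in for Django's validation, and the 192.0.2.10 address is constructed.

```python
import re

# Simplified host syntax check: hostname or IPv4 with an optional port.
# Stand-in for illustration only, not Django's own validate_host.
HOST_RE = re.compile(r"([a-z0-9.-]+)(?::\d+)?")


def build_environ(raw_headers):
    """Fold (name, value) pairs into WSGI-style keys.

    Assumption: repeated headers are joined with a comma.
    """
    environ = {}
    for name, value in raw_headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        environ[key] = environ[key] + "," + value if key in environ else value
    return environ


def host_allowed(host, allowed_hosts):
    """Return True only for a single, well-formed host found in allowed_hosts."""
    match = HOST_RE.fullmatch(host.lower())
    if match is None:  # a comma-joined list fails the syntax check here
        return False
    domain = match.group(1)
    for pattern in allowed_hosts:
        if pattern == "*" or pattern == domain:
            return True
        if pattern.startswith(".") and (domain.endswith(pattern) or domain == pattern[1:]):
            return True
    return False


def check_request(raw_headers, allowed_hosts):
    """Classify a proxied request: 'accept', 'duplicate-host' or 'not-allowed'."""
    host_lines = [v for n, v in raw_headers if n.lower() == "host"]
    http_host = build_environ(raw_headers).get("HTTP_HOST", "")
    if len(host_lines) > 1:
        # Proxy misconfiguration: correct it upstream, do not loosen validation.
        return "duplicate-host", http_host
    if not host_allowed(http_host, allowed_hosts):
        return "not-allowed", http_host
    return "accept", http_host


# Constructed samples: headers as the upstream would see them.
DUPLICATED = [("Host", "192.0.2.10"), ("Host", "192.0.2.10"), ("X-Real-IP", "198.51.100.7")]
SINGLE = [("Host", "192.0.2.10"), ("X-Real-IP", "198.51.100.7")]
```

With DUPLICATED the folded value contains a comma and fails the syntax check, matching the error in the report; with SINGLE the same allow-list accepts the request.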

Django

Apr 5, 2017, 9:44:36 AM
to django-...@googlegroups.com
#28028: Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'
-------------------------------------+-------------------------------------
Reporter: Rafael Herrero Solís       | Owner: nobody
Type: Bug                            | Status: new
Component: HTTP handling             | Version: 1.10
Severity: Normal                     | Resolution:
Keywords: Multiple Host Headers      | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 1                     | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Aymeric Augustin):

Does the HTTP RFC specify that the Host header may have this format?

If not, I don't think Django should make a change.

You should use a different, non-standard header.

--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:1>

Django

Apr 5, 2017, 10:02:16 AM
to django-...@googlegroups.com
#28028: Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'
-------------------------------------+-------------------------------------
Reporter: Rafael Herrero Solís       | Owner: Rafael Herrero Solís
Type: Bug                            | Status: assigned
Component: HTTP handling             | Version: 1.10
Severity: Normal                     | Resolution:
Keywords: Multiple Host Headers      | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 1                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Rafael Herrero Solís):

* status: new => assigned
* owner: nobody => Rafael Herrero Solís


--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:2>

Django

Apr 12, 2017, 12:14:06 PM
to django-...@googlegroups.com
#28028: Support HTTP_HOST header: 'xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx,...'
-------------------------------------+-------------------------------------
Reporter: Rafael Herrero Solís       | Owner: Rafael Herrero Solís
Type: Bug                            | Status: closed
Component: HTTP handling             | Version: 1.10
Severity: Normal                     | Resolution: needsinfo
Keywords: Multiple Host Headers      | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: assigned => closed
* resolution: => needsinfo
* easy: 1 => 0


Comment:

Closing, pending follow up to Aymeric's question.

--
Ticket URL: <https://code.djangoproject.com/ticket/28028#comment:3>
