#27485 new New feature Allow ALLOWED_HOSTS to accept an IP-range / wildcard

[Thomas Turner]

Hi

The other day I raise a ticket to do with ALLOWED_HOSTS and it was suggested that I post on this group before creating a patch

The ticket is https://code.djangoproject.com/ticket/27485

The problem

Now that Django 1.10.3 forces ALLOWED_HOSTS on with debug I have a problem.

The problem is that when I developing I use an ip-address range of 192.168.1.*. 

The Ip-address can change depending on the computer I use.

so I required the ability to add wildcard partly in an hostname.

ie 

ALLOWED_HOSTS = ['192.168.1.*', '.mydomain.com']

I have seen this solution that doesn't require Django to be changed however I don't like it as I feel this could be a security issue

​http://stackoverflow.com/questions/37031749/django-allowed-hosts-ips-range

I happy to do a patch for this. What do people think?

Tom

[Yo-Yo Ma]

I'm not a fan of adding more complexity, for a couple reasons:

1) you have the ['*'] option for local / office development
2) you can just add a record to /etc/hosts to point to the server and then use a name like e.g., local-office - just update the record to point to whatever IP you're using st the time

[Raphaël Barrois]

Since settings are Python code, you could also do the following:

ALLOWED_HOSTS = ['.mydomain.com'] + ['192.168.1.%d' % i for i in range(256)]

With this flexibility in mind, I don't think increasing the amount of wildcard options is required ;)

--
Raphaël

[Aymeric Augustin]

Hello,

If changes are made in this direction, allowing ip address and ip network objects in addition to strings would likely be the best API: https://docs.python.org/3/library/ipaddress.html#ipaddress.ip_network

That module is new in Python 3 but since Django is on the verge of dropping support for Python 2, the fancy new toys are available now :-)

-- 

Aymeric.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/7c03baf9-8d87-4716-be66-f6a642721a77%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Tom Evans]

On Wed, Nov 16, 2016 at 10:29 PM, Thomas Turner <t...@twt.me.uk> wrote:
> Hi
>
> The other day I raise a ticket to do with ALLOWED_HOSTS and it was suggested
> that I post on this group before creating a patch
> The ticket is https://code.djangoproject.com/ticket/27485
>
> The problem
>
> Now that Django 1.10.3 forces ALLOWED_HOSTS on with debug I have a problem.
> The problem is that when I developing I use an ip-address range of
> 192.168.1.*.
> The Ip-address can change depending on the computer I use.
> so I required the ability to add wildcard partly in an hostname.
> ie
> ALLOWED_HOSTS = ['192.168.1.*', '.mydomain.com']

Or:
from socket import gethostname, gethostbyname
ALLOWED_HOSTS = [ gethostname(), gethostbyname(gethostname()), ]

?

Cheers

Tom

[Thomas Turner]

Thank you all. I will have a look to see if I can do it without patching.

Tom

[Florian Apolloner]

On Thursday, November 17, 2016 at 5:07:07 PM UTC+1, Tom Evans wrote:

Or:
  from socket import gethostname, gethostbyname
  ALLOWED_HOSTS = [ gethostname(), gethostbyname(gethostname()), ]

That a) adds your hostname and b) (assuming you properly configured your system) 127.0.0.1  -- so as long as they are using 192.* to access the site, this does not help.

Cheers,
Florian

[Tom Evans]

Our servers are configured such that "localhost" resolves to
127.0.0.1, and the hostname resolves to the local IP of the server.

I don't think our servers are in any way misconfigured, or configured
in a "special" manner - my laptop is configured in precisely the same
manner out of the box.

The offered solution works correctly on all of our development and
production servers, and also on our developers local machines running
various versions of Linux.

Cheers

Tom

[Tobias McNulty]

There is a non-development use case here, which is being able to accept the IP range for a subnet used in an EC2 VPC (used by load balancers for health checks). Sure, I could iterate through all the potential IPs and add them, divine a way to (maybe) discover it via the socket module, or make an HTTP request to retrieve it from the EC2 meta data API, but this seems like another time when being concise and explicit about the allowed IPs/subnets (without requiring a network call from settings.py) would be helpful. Using the established convention of subnets rather than wildcards would be preferred, IMHO.

Tobias

--
You received this message because you are subscribed to the Google Groups "Django developers  (Contributions to Django itself)" group.

To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscribe@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.

Visit this group at https://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFHbX1K_1dCLrMQm4cy0u1i1cnEzLJV%2Bb_1-p9n58ERV7%3Dghvg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

Tobias McNulty
Chief Executive Officer

tob...@caktusgroup.com
www.caktusgroup.com