Fabric deployment with ALLOWED_HOSTS wildcard issue
72 views
Skip to first unread message
Geoffrey Eisenbarth
Oct 29, 2016, 11:13:40 AM10/29/16
to Mezzanine Users
I've been investigating a situation where deploying through fabric returns a ``ERR_EMPTY_RESPONSE`` on Chrome (haven't tried other browsers). A bit of info on my setup and the issue:
- Two domain names, geoffandkaty.com and everaftereisenbarth.com registered through Google, using Digital Ocean DNS to point to my Digital Ocean droplet (Debian Jessie)
- Both have A name records @ to my droplet IP address
- Both have CNAME records * pointing to * (which Digital Ocean filled in as "geoffandkaty.com." and "everaftereisenbarth.com.")
- Scenario One:
- If I set ``ALLOWED_HOSTS`` in both settings.py and local-settings.py to ``[".geoffandkaty.com", ".everaftereisenbarth.com"]`` I get the ``ERR_EMPTY_RESPONSE`` when trying to go to http://www.geoffandkaty.com / http://geoffandkaty.com (and the same for everaftereisenbarth.com).
- Scenario Two:
- If I set ``ALLOWED_HOSTS`` in both settings to ``["geoffandkaty.com", "www.geoffandkaty.com", "everaftereisenbarth.com", "www.everaftereisenbarth.com"]``, then everything works fine.
I know Django supports ".domain-name.com" syntax, so I initially thought that maybe nginx didn't, although I see in their docs that they do. I notice in my sites-enabled/wedding.conf file that manually changing ``server_name`` and the code for denying illegal host headers to the dot syntax creates the issue. Perhaps this is an issue with how I have my domain names set up on Digital Ocean?
This isn't really a pervasive issue for me anymore as I'm just going with the setup in Scenario Two, but I figured I'd make a post here before filing an issue on GitHub in case someone can tell me if this is an issue with my setup.
I think the work that @EduaroRivas (not sure if this will tag him in this post?) has done on the fabric deployment is amazing, and I'm very grateful for it. Figured he might have some insight into this, but if anyone has any ideas, I'm all game.
I think the work that @EduaroRivas (not sure if this will tag him in this post?) has done on the fabric deployment is amazing, and I'm very grateful for it. Figured he might have some insight into this, but if anyone has any ideas, I'm all game.
Eduardo Rivas
Oct 31, 2016, 12:44:35 PM10/31/16
to mezzani...@googlegroups.com
Hi Geoffrey.
I think your diagnoses is correct: Django supports the wildcard domain
syntax, but nginx doesn't. My recommendation would be to be explicit in
your ALLOWED_HOSTS (specifying a fully qualified domain name on each
entry). It my be worth adding a note stating that in the Deployment
section of the docs.
I think your diagnoses is correct: Django supports the wildcard domain
syntax, but nginx doesn't. My recommendation would be to be explicit in
your ALLOWED_HOSTS (specifying a fully qualified domain name on each
entry). It my be worth adding a note stating that in the Deployment
section of the docs.
Geoffrey Eisenbarth
Oct 31, 2016, 12:50:45 PM10/31/16
to Mezzanine Users
Eduardo,
I'll try to look more into it when I get a chance; I agree it seems to be an nginx issue, but it seems confusing as their (https://nginx.org/en/docs/http/server_names.html#wildcard_names) say they support the dot wildcard:
I'll try to look more into it when I get a chance; I agree it seems to be an nginx issue, but it seems confusing as their (https://nginx.org/en/docs/http/server_names.html#wildcard_names) say they support the dot wildcard:
A special wildcard name in the form “.example.org” can be used to match both the exact name “example.org” and the wildcard name “*.example.org”.
Eduardo Rivas
Oct 31, 2016, 1:03:11 PM10/31/16
to mezzani...@googlegroups.com
Yeah, the server name is working, the problem is that nginx is returning
a 444 (a proprietary error code that means "drop this request
altogether" https://httpstatuses.com/444). Whether or not a 444 is
returned depends on a simple match against an ALLOWED_HOSTS regex, and
that will not work with the dot notation
https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/project_template/deploy/nginx.conf.template#L23-L26
Maybe just comment-out that block and see how it goes? That should
disable the checks for illegal hosts on nginx and let everything reach
Django.
a 444 (a proprietary error code that means "drop this request
altogether" https://httpstatuses.com/444). Whether or not a 444 is
returned depends on a simple match against an ALLOWED_HOSTS regex, and
that will not work with the dot notation
https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/project_template/deploy/nginx.conf.template#L23-L26
Maybe just comment-out that block and see how it goes? That should
disable the checks for illegal hosts on nginx and let everything reach
Django.
Geoffrey Eisenbarth
Oct 31, 2016, 1:10:40 PM10/31/16
to mezzani...@googlegroups.com
Yeah, that fixes the issue. I think I'm more likely to use fully qualified entries in ALLOWED_HOSTS in most cases so that the illegal hosts check is left intact, but it's good to know.
Thanks for your help!
On Mon, Oct 31, 2016 at 12:03 PM, Eduardo Rivas <jeriva...@gmail.com> wrote:
Yeah, the server name is working, the problem is that nginx is returning a 444 (a proprietary error code that means "drop this request altogether" https://httpstatuses.com/444). Whether or not a 444 is returned depends on a simple match against an ALLOWED_HOSTS regex, and that will not work with the dot notation https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/project_template/deploy/nginx.conf.template#L23-L26
Maybe just comment-out that block and see how it goes? That should disable the checks for illegal hosts on nginx and let everything reach Django.
--
You received this message because you are subscribed to a topic in the Google Groups "Mezzanine Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/mezzanine-users/ElpLcvVVg8w/unsubscribe.
To unsubscribe from this group and all its topics, send an email to mezzanine-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Eduardo Rivas
Oct 31, 2016, 1:14:51 PM10/31/16
to mezzani...@googlegroups.com
You're welcome :)
Reply all
Reply to author
Forward
0 new messages