Django Invalid HTTP_HOST header

May 27, 2015

After upgrading to Django 1.7, I was getting error emails similar to the following:

Invalid HTTP_HOST header: 'XXX.XXX.XXX.XXX'. You may need to add u'XXX.XXX.XXX.XXX' to ALLOWED_HOSTS.

Request repr(): 
<WSGIRequest
path:/login.action,
GET:<QueryDict: {}>,
POST:<QueryDict:     {u'redirect:${#res=#context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),#res.setCharacterEncoding("UTF-8"),#req=#context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletRequest\'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}': [u'']}>,
COOKIES:{},
META:{'CONTENT_LENGTH': '395',
 'CONTENT_TYPE': 'application/x-www-form-urlencoded',
 'HTTP_ACCEPT': '*/*',
 'HTTP_CONNECTION': 'close',
 'HTTP_HOST': 'XXX.XXX.XXX.XXX',
 'HTTP_USER_AGENT': 'Mozilla/5.0',
 'HTTP_X_FORWARDED_FOR': '61.160.247.65',
 'HTTP_X_REAL_IP': '61.160.247.65',
 'PATH_INFO': u'/login.action',
 'QUERY_STRING': '',
 'RAW_URI': '/login.action',
 'REMOTE_ADDR': '127.0.0.1',
 'REMOTE_PORT': '42629',
 'REQUEST_METHOD': 'POST',
 'SCRIPT_NAME': u'',
 'SERVER_NAME': '127.0.0.1',
 'SERVER_PORT': '8888',
 'SERVER_PROTOCOL': 'HTTP/1.0',
 'SERVER_SOFTWARE': 'gunicorn/X.X.X',
 'gunicorn.socket': <socket._socketobject object at 0x3097050>,
 'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x3d14910>,
 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>,
 'wsgi.input': <gunicorn.http.body.Body object at 0x3d146d0>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'http',
 'wsgi.version': (1, 0)}>

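These look like automated scanners probing for security problems: the POST to /login.action carries an OGNL expression aimed at Java Struts applications, and the Host header is a raw IP address rather than the site's domain name.

I fixed this by configuring nginx to return HTTP 444 (nginx's non-standard code that closes the connection without sending a response) whenever the Host header doesn't match one of the site's domains: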

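# Inside the site's server block. Dots are escaped so that "." matches
# only a literal dot, not any character.
if ($host !~* ^(host\.co\.uk|host\.com)$) {
    return 444;
}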
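
The same filtering can be done without `if` by letting a catch-all server block absorb every request whose Host header is not one of the site's names. This is an added example, not configuration from the original post; it assumes plain HTTP on port 80 and gunicorn listening on 127.0.0.1:8888 as seen in the request dump above.

```nginx
# Added example. Assumptions: plain HTTP on port 80, gunicorn on
# 127.0.0.1:8888, and host.co.uk / host.com as the site's names.

# Catch-all: any request whose Host header matches no other server_name
# (bare IP address, unknown domain, or no Host header at all) lands here.
server {
    listen 80 default_server;
    server_name _;          # placeholder name that never matches a real host
    return 444;             # close the connection without sending a response
}

# The real site: only requests for the listed names reach gunicorn/Django.
server {
    listen 80;
    server_name host.co.uk host.com;

    location / {
        proxy_pass http://127.0.0.1:8888;
        # Pass the matched host through so Django's ALLOWED_HOSTS check
        # sees the name the client actually requested.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

ALLOWED_HOSTS in the Django settings should still list the same names, so the application keeps its own check if a request ever reaches gunicorn without passing through nginx.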