I am getting an Invalid Host header error from my server and I am unsure how to address it.
The errors request URL is https://127.0.0.1:8000 and the obvious suggestion is to add localhost to my (using django) ALLOWED hosts. However I have read that keeping localhost in the allowed hosts in production is bad practice and a potential security flaw. At the moment my allowed hosts in prod is limited to my registered domain.
I have done some digging at it seems that these requests are coming from IP port scanners. In the email report I can sometimes see GitHub links in HTTP_USER_AGENT to such scanner repos. And the HTTP_X_FORWARDED_FOR is almost always either some VPN provider or located in Moscow or Beijing.
Here is my current nginx config. I have implement a few suggestions from other posts like the custom if regex filtering but it doesn't seem to have had an effect.
Apart from this issue, everything else seems to be functioning as intended. Any help would be greatly appreciated. First time setting something like this up so please point out any obvious errors.
# File: /etc/nginx/sites-available/app
server_tokens off;
access_log /var/log/nginx/app.access.log;
error_log /var/log/nginx/app.error.log;
server {
listen 80 default_server;
return 444;
}
server {
server_name app.example.com;
listen 80;
return 301 https://$host$request_uri;
}
server {
# Custom regex if statement to 444 any unexpected host header
if ( $host !~* ^(app.example.com|example.com)$ ) {
return 444;
}
location /static {
autoindex on;
alias /path/to/django/staticfiles;
}
# Pass on requests to guinicorn listening on http://localhost:8000
location / {
proxy_pass http://localhost:8000;
include /etc/nginx/proxy_params;
proxy_redirect off;
}
listen 443 ssl;
server_name app.example.com;
ssl_certificate /path/to/fullchain.pem;
ssl_certificate_key /path/to/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers CIPHER;
}
