"Invalid HTTP_HOST header" from an unknown domain

Date: 2018-01-25 23:31:27

Tags: django nginx https gunicorn

I am using Nginx and Gunicorn to host a Django project. I need to secure this site, and as a test I set up Let's Encrypt on a domain I am not using. While tailing the Django access log I notice the following entry from time to time:

Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.

This is a domain unknown to me, and when I try to visit it (it gets a 400 response) I can see more of these log entries on my server. What is this? Is it related to my SSL setup, and does it indicate that it is insecure?

server {
    server_name example.com example.com;

    location /static/ {
        root /home/user/project/django-project;
    }

    location /media/ {
        root /home/user/project/django-project;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/user/project/project.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}

server {
    listen 80;
    server_name my.server.ip.here example.com;
    return 301 https://example.com;
}

I added the following to the server block:

if ($host !~* ^(example.com|www.example.com)$ ) {
    return 444;
}

The unknown domain now shows a 520. Is this the correct way to handle this? Is there anything else I have missed?

2 answers:

Answer 0 (score: 0)

I misunderstood your question. Here is a new answer.

Someone has configured their DNS records to point their domain at your server IP. Adding a hostname check certainly helps, but usually we use a default "catch all" server block to handle all unwanted requests:

# "Catch all" server: must be default_server on every port you listen on, or
# HTTPS requests for unknown hosts still reach the site block below
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;     # an ssl listener needs a cert; any valid one works
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    return 444;
}

# Your site settings
server {
    server_name example.com example.com;

    location /static/ {
        root /home/user/project/django-project;
    }

    location /media/ {
        root /home/user/project/django-project;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/user/project/project.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

}

server {
    listen 80;
    server_name my.server.ip.here example.com;
    return 301 https://example.com;
}

Answer 1 (score: 0)

I think not, this has nothing to do with your SSL configuration. Did you add 'aydinfatih.com' to ALLOWED_HOSTS in settings.py?

ALLOWED_HOSTS = ['aydinfatih.com']

ps: make sure you have an ALLOWED_HOSTS variable in your settings.py file.

To keep your application secure you need to do more than add this; also submit your site to Mozilla Observatory to check your SSL and header configuration. For example, you need to add the following to settings.py:

## X-XSS-Protection
SECURE_BROWSER_XSS_FILTER = True
## X-Frame-Options
X_FRAME_OPTIONS = 'DENY'
#X-Content-Type-Options
SECURE_CONTENT_TYPE_NOSNIFF = True
## Strict-Transport-Security
SECURE_HSTS_SECONDS = 15768000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

## redirect requests over HTTP to HTTPS
SECURE_SSL_REDIRECT = True 

# for more security
CSRF_COOKIE_SECURE = True
CSRF_USE_SESSIONS = True
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SAMESITE = 'Strict'

Alternatively, you can add these headers and more to your Nginx configuration (this is an example file):

#https://mozilla.github.io/server-side-tls/ssl-config-generator/
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;

    ##### START Secure Headers #####
    # ngx_http_headers_module is required

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer";
    add_header Content-Security-Policy "script-src 'self'; object-src 'self'";
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
    add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'";
    # uncomment if you want to use Clear-Site-Data header
    #add_header Clear-Site-Data "cache";
    ##### END Secure Headers #####

}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

Read this repo for more information.
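As an added example (not from the question or either answer), the script below triages the "Invalid HTTP_HOST header" log lines from the question: it re-implements Django's ALLOWED_HOSTS matching (exact name, leading-dot subdomain pattern, "*", port stripped) so you can separate your own hostnames that are missing from settings from foreign domains pointed at your IP, which belong in the nginx catch-all rather than in ALLOWED_HOSTS. The log lines and the ALLOWED_HOSTS value are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines, shaped like the Django log entries in the question
SAMPLE_LOG = """\
Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.
Invalid HTTP_HOST header: 'aydinfatih.com'. You may need to add u'aydinfatih.com' to ALLOWED_HOSTS.
Invalid HTTP_HOST header: '203.0.113.10'. You may need to add u'203.0.113.10' to ALLOWED_HOSTS.
Invalid HTTP_HOST header: 'www.example.com:8443'. You may need to add u'www.example.com:8443' to ALLOWED_HOSTS.
"GET /static/css/site.css HTTP/1.1" 200
"""

# Assumed current settings: bare domain plus a leading-dot pattern for subdomains
ALLOWED_HOSTS = ["example.com", ".example.com"]

# Matches both the Python 2 (u'...') and Python 3 ('...') forms of Django's message
INVALID_HOST_RE = re.compile(r"Invalid HTTP_HOST header: u?'(?P<host>[^']*)'")

def split_domain_port(host):
    """Lower-case and strip an optional :port (simplified form of Django's helper)."""
    host = host.lower()
    if host.endswith("]"):          # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    if len(bits) == 2 and bits[1].isdigit():
        return bits[0], bits[1]
    return host, ""

def is_same_domain(host, pattern):
    """Django's rule: '.example.com' matches example.com and any subdomain; else exact."""
    pattern = pattern.lower()
    if not pattern:
        return False
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host

def host_allowed(host, allowed_hosts):
    # Would Django accept this Host value under the given ALLOWED_HOSTS?
    domain, _port = split_domain_port(host)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)

def triage_rejected_hosts(log_text, allowed_hosts):
    """Map each rejected domain to (hit count, accepted by current ALLOWED_HOSTS?).
    False means a foreign name: keep it out of ALLOWED_HOSTS and drop it in nginx."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_HOST_RE.search(line)
        if m:
            domain, _port = split_domain_port(m.group("host").strip())
            counts[domain] += 1
    return {d: (n, host_allowed(d, allowed_hosts)) for d, n in counts.items()}
```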