Block Invalid Http Hosts With Haproxy And Django

06 Jul 2016

In Django >= 1.5, an error is logged every time a request comes in where the HTTP host header isn’t present in your ALLOWED_HOSTS setting. You’ll see error messages (and probably emails) with stuff like:

Invalid HTTP_HOST header: ‘’. You may need to add u'' to ALLOWED_HOSTS.

Search engine crawlers and vulnerability scanners often set this header, so these error messages get annoying fast. As described here, one good way of dealing with this problem is to kill these requests before they even hit your Django app. There’s an example of how to do this with nginx here.

If you’re using haproxy you can achieve a similar result with an acl and a backend:

frontend whatever
    mode http
    acl is_example_com hdr_end(host) -i
    use_backend bogus if !is_example_com

backend bogus
    errorfile 400 /etc/haproxy/errors/400.http

blog comments powered by Disqus