Django getting lots of SuspiciousOperation: Invalid HTTP_HOST header


Problem description

I'm using Django 1.5, Apache, mod_wsgi and Python 2.7, Debian hosted on Linode.

Since I upgraded from Django 1.3 to Django 1.5, I started receiving some error messages, for example: "ERROR (EXTERNAL IP): Internal Server Error: /feed/". With this traceback:

Traceback (most recent call last):

  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 92, in get_response
    response = middleware_method(request)

  File "/usr/local/lib/python2.7/dist-packages/django/middleware/common.py", line 57, in process_request
    host = request.get_host()

  File "/usr/local/lib/python2.7/dist-packages/django/http/request.py", line 72, in get_host
    "Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): %s" % host)

SuspiciousOperation: Invalid HTTP_HOST header (you may need to set ALLOWED_HOSTS): tadjenanet.montadamoslim.com

But, a few days ago, the volume of these errors increased greatly, and for a lot of URLs that I don't even have on my website.

I saw the answers here (Django's SuspiciousOperation Invalid HTTP_HOST header: http://stackoverflow.com/questions/15238506/djangos-suspiciousoperation-invalid-http-host-header) and I understand why I'm getting this, but I need to know how to avoid this increasing my server security.

Recommended answer

Basically, you cannot avoid that an attacker sends you that kind of request. Most of these attacks come from automatic penetration test tools like Metasploit or W3AF. Fortunately, those attempts are not something to worry about in Django 1.5 or above. To avoid the log flooding, you can configure your web server to filter HTTP_HOST headers that don't match your website domain. Sorry, I cannot help you do it with Apache; if you are using Nginx, this article can help: http://www.acloudtree.com/how-to-deny-hosts-using-nginx/

Cheers!
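The same filtering idea applied one layer up, as a WSGI wrapper that answers 400 before Django's `get_host()` can raise and log `SuspiciousOperation`; this is an added example, not part of the original answer or of Django. `HostFilter`, `demo_app`, `status_for` and the `example.com` / `example.org` names are assumptions, the matching only approximates `ALLOWED_HOSTS` rules, and requests with no `Host` header are rejected.

```python
import re

# Hostname or bracketed IPv6 literal, each with an optional port.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:\d+)?$")

def normalize_host(raw):
    """Return the lower-cased host without port or trailing dot, or None if malformed."""
    match = _HOST_RE.match(raw.strip().lower())
    if not match:
        return None
    host = match.group(1)
    return host[:-1] if host.endswith(".") else host

def host_allowed(host, allowed):
    """Exact name, '.example.org' for the domain plus subdomains, '*' for any host."""
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False

class HostFilter:
    """WSGI wrapper that rejects unexpected Host headers before the wrapped app runs."""
    def __init__(self, app, allowed):
        self.app, self.allowed = app, allowed

    def __call__(self, environ, start_response):
        # A missing or malformed Host header normalizes to None and is rejected too.
        host = normalize_host(environ.get("HTTP_HOST", ""))
        if host is None or not host_allowed(host, self.allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request\n"]
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    # Stand-in for the Django WSGI application (constructed for this example).
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def status_for(host_header, allowed=("example.com", ".example.org")):
    """Send one constructed request through the filter and return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/feed/", "HTTP_HOST": host_header}
    HostFilter(demo_app, allowed)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

In a real `wsgi.py` the wrapper would go around the object returned by `django.core.wsgi.get_wsgi_application()`, with the same host list as `ALLOWED_HOSTS`.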
