Is ALLOWED_HOSTS needed on Heroku?
Problem description
From what I understand, ALLOWED_HOSTS does a check when DEBUG=False to prevent an attacker from pointing their own domain to your site.
It looks like Heroku's Custom Domains do the same thing.
So instead of adding a required ALLOWED_HOSTS variable in your app.json for the Heroku Button (since it feels redundant and is error-prone when you're in a hurry), can you set ALLOWED_HOSTS = ['*'] and allow Heroku to verify the requests are coming where they should instead?
Solution
This is exactly what you are supposed to do, per Getting Started with Django on Heroku (devcenter.heroku.com/articles/getting-started-with-django#django-settings):
settings.py
# Parse database configuration from $DATABASE_URL
import dj_database_url
DATABASES['default'] = dj_database_url.config()
# Honor the 'X-Forwarded-Proto' header for request.is_secure()
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# Allow all host headers
ALLOWED_HOSTS = ['*']
# Static asset configuration
import os
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
STATIC_ROOT = 'staticfiles'
STATIC_URL = '/static/'
STATICFILES_DIRS = (
    os.path.join(BASE_DIR, 'static'),
)
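For comparison with the wildcard setting above, this added example (not part of the original answer or of Heroku's guide) builds ALLOWED_HOSTS from an environment variable and re-implements Django's documented matching rules in plain Python, so the difference between an explicit list and ['*'] can be checked directly. The variable name DJANGO_ALLOWED_HOSTS, the helper names and all host names are assumptions made for the example.

```python
import os


def allowed_hosts_from_env(environ=os.environ, var="DJANGO_ALLOWED_HOSTS"):
    """Parse a comma-separated env var into an ALLOWED_HOSTS list.

    DJANGO_ALLOWED_HOSTS is a hypothetical variable name (an assumption of
    this example). Unset or empty yields [], which makes Django reject every
    Host header when DEBUG=False instead of silently allowing all of them.
    """
    raw = environ.get(var, "")
    return [h.strip().lower() for h in raw.split(",") if h.strip()]


def strip_port(host):
    """Lower-case the Host header value and drop any :port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8000
        host = host[: host.find("]") + 1]
    elif host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return host[:-1] if host.endswith(".") else host


def host_allowed(host_header, allowed_hosts):
    """Stdlib re-implementation of Django's documented matching rules."""
    host = strip_port(host_header)
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        # A leading dot matches the bare domain and every subdomain of it.
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


# Constructed sample values; the app and domain names are placeholders.
SAMPLE_ENV = {"DJANGO_ALLOWED_HOSTS": "myapp.herokuapp.com, .example.com"}
ALLOWED_HOSTS = allowed_hosts_from_env(SAMPLE_ENV)

if __name__ == "__main__":
    for header in ("myapp.herokuapp.com", "www.example.com:443", "attacker.invalid"):
        print(header, host_allowed(header, ALLOWED_HOSTS), host_allowed(header, ["*"]))
```

In a real settings.py only the ALLOWED_HOSTS assignment is needed (reading os.environ); with ['*'] Django accepts whatever Host header reaches the dyno, so request.get_host() is only as trustworthy as the routing in front of it.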