Add method for restricting ALLOWED_HOSTS domains in nginx config
banagale opened this issue · 5 comments
First, thank you for all of your tutorials on docker / django / letsencrypt and github actions. I've spent considerable time with your series and bit-by-bit have been able to customize my setup. Your tutorials are allowing me to leap from the stone age of having manually configured all of these by hand on a per-project basis.
This is a question / suggestion for additional information in your adding to your tutorial how to configure nginx-proxy's copy of docker-gen to only accept requests from domains you list in your ALLOWED_HOSTS of settings.py.
For example something along the lines of the conditional described in this answer.(Though perhaps there is a better way)
The reason is to avoid the dreaded [Django] ERROR (EXTERNAL IP): Invalid HTTP_HOST header error that comes from someone probing digital ocean IP addresses.
I attempted to restrict it by adding to your nginx/vhost.d/default but that ends up only applying to the final ssl server block.
if ($host !~* ^(mydomain.com|staging.mydomain.com)$ ) {
return 444;
}
As far as I can tell, it looks like what causes 503's to erupt is the nginx.tmpl's first server block, which pops a 503 on default_server.
It looks like there isn't an easy way to modify this template.
My plan would be to pass the allowed domain all the way from the main.yml--since I use this to deploy to staging or production based on whether I'm committing to master or develop. i.e. staging.mydomain.com and mydomain.com.
Anyhow, I hope this is well described enough. Some part of me just wants to ignore these errors, but knowing it can be handled properly in the config is tantalizing.
Yeah, invalid HTTP_HOST errors are really annoying.
It looks like you already know how to solve that aspect of it. If not here are a few resources:
- https://www.borfast.com/blog/2020/07/06/invalid-http_host-header-errors-in-django-and-nginx/
- https://snakeycode.wordpress.com/2015/05/31/django-error-invalid-http_host-header/
I'm not sure how you would go about fixing this in ngix-proxy/docker-gen. You could try ignoring the errors like this: https://stackoverflow.com/a/25708262/1799408
Thanks for these links. I think the trouble is getting to that first server block.
It looks like you must modify the nginx template used by docker-gen. If that's the case, and you can't modify this using external variables, I think I'd need to build out a custom image of the nginx-proxy container versus in the tutorial where it pulls it directly, does that sound right?
Yes, I would fork the project and create your own custom image with what you need hardcoded in the Nginx template. Test it out. Then, see if you can figure out a way to dynamically update the Nginx template using variables. From there, issue a PR back to the original repo so other people can take advantage of your work. Happy to take a look.
Thanks for that read through. I thought through your path and had another look at the nginx-proxy repo. There are a lot of PRs there, and it turns out I'm not the first to recognize his missing 'feature'.
#1179 appears to address this issue. PR approvals are happening, but not constantly. I added a comment hoping to shine up that one.
Presumably it will be merged, so I'll probably try doing a custom build of this PR and trying to modify the config as described. If I can get it working, I'll post the working example.
Yes, please do keep me posted. This would be a helpful thing to add to the post.