I'm running a Django-powered site, and I'm seeing errors like these in my Django application's error logs:
django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'badhost.com'. You may need to add 'badhost.com' to ALLOWED_HOSTS.
I was under the impression that my nginx configuration, shown below (and trimmed for brevity), would prevent these requests from ever making it to the Django app; specifically, the last server block in the config. What do I have wrong?
My end goal is for nginx to reject requests that have an invalid Host header. Maybe there's a way to filter out these error messages in my application error log?
server {
    server_name mysite.com www.mysite.com;
    listen 80;
    return 302 https://$host$request_uri;
}

server {
    server_name mysite.com www.mysite.com;
    root /home/myuser/mysite.com/public/;

    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
        proxy_pass http://localhost:8001;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
}

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem; # managed by Certbot
    return 444;
}
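
On the log-filtering part of the question, an added example (not part of the original post): Django logs these rejections on the `django.security.DisallowedHost` logger, so a `LOGGING` dict can send them to their own handler and keep them out of the application error log while still recording them for review. The handler names and the in-memory `CaptureHandler` are assumptions made for the demo; a real settings file would use file or syslog handlers, or `logging.NullHandler` to drop the records entirely.

```python
import logging
import logging.config


class CaptureHandler(logging.Handler):
    """Keeps messages in memory; stands in for a file handler (assumption)."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def build_logging():
    """Return a dict in the shape Django's LOGGING setting expects."""
    return {
        "version": 1,
        "disable_existing_loggers": False,
        "handlers": {
            "app_errors": {"()": CaptureHandler, "level": "ERROR"},
            "bad_hosts": {"()": CaptureHandler, "level": "ERROR"},
        },
        "loggers": {
            # Everything under "django" reaches the application error log...
            "django": {"handlers": ["app_errors"], "level": "ERROR"},
            # ...except Host-header rejections, which stop at their own handler.
            "django.security.DisallowedHost": {
                "handlers": ["bad_hosts"],
                "propagate": False,
            },
        },
    }


def demo():
    """Emit two constructed records and return (app log, bad-host log)."""
    logging.config.dictConfig(build_logging())
    bad_host = logging.getLogger("django.security.DisallowedHost")
    request = logging.getLogger("django.request")
    bad_host.error("Invalid HTTP_HOST header: 'badhost.com'.")  # constructed
    request.error("Internal Server Error: /checkout/")  # constructed
    app_log = logging.getLogger("django").handlers[0].messages
    return app_log, bad_host.handlers[0].messages


if __name__ == "__main__":
    print(demo())
```

Keeping the rejected-host records in a separate log preserves a signal about who is probing the site with forged Host headers, which is lost if they are discarded.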