How to fix Django error: DisallowedHost at / Invalid HTTP_HOST header: ... You may need to add ... to ALLOWED_HOSTS
A

6

181

I am trying to develop a website using Django framework and launched using DigitalOcean.com and deployed the necessary files into django-project.

I had to include static files into Django-project and, after collecting static files, I tried to refresh my IP.

I am including the tutorials which I have used to create the website. https://www.pythonprogramming.net/django-web-server-publish-tutorial/

I am getting the following error :

DisallowedHost at / Invalid HTTP_HOST header: '198.211.99.20'. You may need to add u'198.211.99.20' to ALLOWED_HOSTS.

Can somebody help me to fix this? This is my first website using Django framework.

Adige answered 14/11, 2016 at 5:33 Comment(2)
That may also be your Floating IP address on DigitalOcean.Conch
Can I use my external IP for starting the server?Drinking
B
292

The error log is straightforward. As it suggested, you need to add 198.211.99.20 to your ALLOWED_HOSTS setting.

In your project settings.py file, set ALLOWED_HOSTS like this:

ALLOWED_HOSTS = ['198.211.99.20', 'localhost', '127.0.0.1']

For further reading read from here.

Burnsides answered 14/11, 2016 at 5:41 Comment(14)
Now getting the following error Request URL: 198.211.99.20 Exception Type: TemplateDoesNotExist Exception Value: personal/home.html Exception Location: /usr/local/lib/python2.7/dist-packages/django/template/loader.py in get_template, line 25 I have my templates in the following folder /home/django/django_project/personal/templates/personalAdige
@Kathir There are many examples of that error. Just google it and if the problem still continues, then please ask it as a separate question, comments are not very descriptive.Burnsides
This definitely works but is bad practice as you should always use a .env fileShushan
@AbhishekJebaraj could you please explain a little more or share a link with more explanation?Maris
@JesusAlmaral Here you go docs.djangoproject.com/en/1.11/topics/settings/… :)Burnsides
@JesusAlmaral A .env file is a local file containing passwords and other sensitive information. If you put all this sensitive information inside your code itself then it could get compromised. Thus we use this local file .env and everyone stores with their own passwords etc locallyShushan
The problem is that I suspect these events are induced by various bots, I think. I don't want to pollute my settings.py with all kinds of bots' IPs, especially as they can vary. I rather want to suppress this message altogetherFabe
@CsabaToth If you go to the provided link, you can see that you can suppress the warning by adding ALLOWED_HOSTS = [] so, please read the whole answer before downvoting.Burnsides
I don't want to empty the ALLOWED_HOSTS either, but I'll remove the downvoteFabe
I run my project using AWS Elastic Beanstalk and have multiple server instances. I get these errors as well. I can't just add the IPs to fix the problem because they change constantly. I would be updating it everyday.Stranglehold
I used dotenv to store the values locally, and then also include them as environment variables on production: npmjs.com/package/dotenv Like this: ALLOWED_HOSTS = [ 'localhost', 'app.mysite.com', os.environ.get('SERVER_IP') ]Explication
FWIW, in our case, all accesses by the naked IP address are dubious. Our solution was to configure the web server to reject all Host headers not matching the ones Django accepts.Fishman
If I add the IP address 198.211.99.20 to ALLOWED_HOSTS after the error message: “Invalid HTTP_HOST header: '198.211.99.20'” that would solve the DISALLOWED HOST problem. But wouldn't that cause problems in the future since I'm using auto scaling? Since that could lead to new instances being created with new IP addresses if there is enough traffic. So I'm gonna have to hard code the new IP addresses into ALLOWED_HOSTS every time that happens?Wivina
ALLOWED_HOSTS = ['*'] worked for me.Endive
T
9

settings.py

ALLOWED_HOSTS = ['*'] # if you are in dev or docker

Don't do this in production if you are not using docker, just put the IP address.

Talton answered 23/5, 2018 at 17:1 Comment(7)
As pydanny said "...don't leave it as such once you get this figured out. The reason is that makes Django potentially vulnerable to HTTP_HOST header attacks. And automated scripts scour the internet to check if sites have this vulnerability." github.com/pydanny/cookiecutter-django/issues/…Highlands
Lol, that is for development env. in production only need set DEBUG=False.Talton
You do not want to use '*' for production. This completely bypasses the reason and security of the allowed hosts.Passivism
@AndyPoquette generally you're right, but using docker (and not exposing the backend's port, but using a reverse proxy like nginx) it's OK to use '*' even for production.Wagers
Never, NEVER do this! Allowed * is a primary security error. Only do this in development mode!Unhallow
@Wagers is this correct? I'm using Django with docker in production and I'm receiving some emails with that error. Do you think it's a good idea anyway? You have an article talking about that?Orphaorphan
Depending on how you expose your docker container this can still be a security issue. It's best to actually configure the correct IP addresses / domain names instead.Hasheem
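The comments under the two answers above discuss loading ALLOWED_HOSTS from the environment and whether '*' is acceptable. The sketch below is an added example, not code from any poster or from Django: it reads a comma-separated list from a hypothetical `DJANGO_ALLOWED_HOSTS` variable, refuses an empty list or '*' when DEBUG is off, and models the documented matching rules (exact match, leading-dot subdomain match, '*' wildcard) in plain Python so the effect of each setting on constructed Host headers can be checked without Django installed.

```python
import os

DEV_DEFAULT = [".localhost", "127.0.0.1", "[::1]"]  # what Django checks when DEBUG=True and the list is empty


def load_allowed_hosts(env=None, debug=False):
    """Build ALLOWED_HOSTS from DJANGO_ALLOWED_HOSTS (hypothetical variable name)."""
    env = os.environ if env is None else env
    raw = env.get("DJANGO_ALLOWED_HOSTS", "")
    hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]
    if debug:
        return hosts or list(DEV_DEFAULT)
    if not hosts:
        raise ValueError("DJANGO_ALLOWED_HOSTS must be set when DEBUG is off")
    if "*" in hosts:
        raise ValueError("'*' accepts every Host header; list real names instead")
    return hosts


def strip_port(host_header):
    """Lower-case the header and drop a trailing :port; keep [IPv6] literals."""
    host = host_header.strip().lower()
    if not host.endswith("]"):
        name, sep, port = host.rpartition(":")
        if sep and port.isdigit():
            host = name
    return host[:-1] if host.endswith(".") else host


def host_is_allowed(host_header, allowed):
    """Simplified model of the documented matching rules, not Django's own code."""
    host = strip_port(host_header)
    for pattern in allowed:
        if pattern == "*" or pattern == host:
            return True
        # A leading dot matches the bare domain and any subdomain of it.
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: one server IP, one domain, assorted Host headers.
    prod = load_allowed_hosts({"DJANGO_ALLOWED_HOSTS": "198.211.99.20, .mysite.com"})
    for header in ["198.211.99.20", "app.mysite.com:443", "10.244.0.8:8080", "unknown.example"]:
        print(f"{header:20} strict={host_is_allowed(header, prod)} wildcard={host_is_allowed(header, ['*'])}")
```

In settings.py this would be wired in as `ALLOWED_HOSTS = load_allowed_hosts(debug=DEBUG)`, with the variable set per environment so autoscaled instances share one domain-based value instead of per-instance IPs.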
S
2

In your project settings.py file, set ALLOWED_HOSTS like this:

ALLOWED_HOSTS = ['62.63.141.41', 'namjoosadr.com']

and then restart your Apache. In Ubuntu:

/etc/init.d/apache2 restart
Siclari answered 28/10, 2020 at 9:14 Comment(0)
T
1

You can add ALLOWED_HOSTS to your settings file or env file:

ALLOWED_HOSTS = [".localhost", "127.0.0.1", "[::1]"]
Triangulation answered 11/8, 2023 at 21:15 Comment(0)
C
0

If no other answer works, you can try modifying manage.py and adding these three lines

from django.utils.regex_helper import _lazy_re_compile
import django.http.request
django.http.request.host_validation_re = _lazy_re_compile(r"[a-zA-z0-9.:]*")

to end up having something like this:

import os
import sys

from django.utils.regex_helper import _lazy_re_compile
import django.http.request    
django.http.request.host_validation_re = _lazy_re_compile(r"[a-zA-z0-9.:]*")

def main():
    """Run administrative tasks."""
    os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'project01.settings')
    try:
        from django.core.management import execute_from_command_line
    except ImportError as exc:
        raise ImportError(
            "Couldn't import Django. Are you sure it's installed and "
            "available on your PYTHONPATH environment variable? Did you "
            "forget to activate a virtual environment?"
        ) from exc
    execute_from_command_line(sys.argv)


if __name__ == '__main__':
    main()

As explained in this post: How to Solve "The domain name provided is not valid according to RFC 1034/1035" in Django during Development

Contrive answered 3/2, 2023 at 21:2 Comment(0)
W
0

I was testing my Django app on minikube and because of the probes, it was failing with the following error:

Invalid HTTP_HOST header: '10.244.0.8:8080'. You may need to add '10.244.0.8' to ALLOWED_HOSTS.
Bad Request: /

I added the httpHeaders in my probes and it worked after that.

Before:

livenessProbe:
  httpGet:
    path: / # Replace with an endpoint that returns a 200 status code if the app is healthy
    port: 8080
  initialDelaySeconds: 10 # Delay before the first probe is executed
  periodSeconds: 10 # How often to perform the probe
readinessProbe:
  httpGet:
    path: / # Replace with an endpoint that indicates readiness
    port: 8080
  initialDelaySeconds: 5 # Delay before the first probe is executed
  periodSeconds: 5 # How often to perform the probe

After:

livenessProbe:
  httpGet:
    path: / # Replace with an endpoint that returns a 200 status code if the app is healthy
    port: 8080
    httpHeaders:
    - name: Host
      value: localhost
  initialDelaySeconds: 10 # Delay before the first probe is executed
  periodSeconds: 10 # How often to perform the probe
readinessProbe:
  httpGet:
    path: / # Replace with an endpoint that indicates readiness
    port: 8080
    httpHeaders:
    - name: Host
      value: localhost
  initialDelaySeconds: 5 # Delay before the first probe is executed
  periodSeconds: 5 # How often to perform the probe
Weiss answered 5/11, 2023 at 17:51 Comment(0)
