Django rest framework backend returns data on wrong Host after initial call on ECS using ALB

I am trying to have my frontend, which is on my current domain, communicate with my backend which is on a subdomain using https.

On the initial login API call it successfully manages to dispatch the post data to the right API endpoint located on the subdomain and it returns me the requested details using the same link as its Host. However, the subsequent calls that are triggered after the login API call all have their Host replaced with the DNS address of the ALB, which is not a Http and not the address I sent the call from. This prevents the data from being received and I get a mixed block error on it.

The first post call seems functionally fine and retrieves the bearer and access tokens fine, however the subsequent or any other calls don't work. I am able to use the API endpoints fine using Postman and on the api.example.com backend site.

I don't have NGINX set up, I believe since the ALB performs the purpose already? Is this also the right judgement to take? I have seen some tutorials use it but none specifically that detail the exact use of ECS and setting up HTTPS connections.

I have tried a lot of different settings and variations of them, but I can't seem to understand what I have missed out on. I would appreciate any directions. What exactly should I be looking for to resolve this?

This is my set up:

  1. DRF backend on ECS Fargate server using a single Docker container, where the deployment is achieved using Gunicorn WSGI and CI/CD using GitHub Actions.
  2. Application Load Balancer with listeners to port 80 and port 443, port 80 redirects to port 443, and port 443 forwards the call to the Target Group of the Backend.
  3. The Application Load Balancers have the SSL ACM certificate applied that allows for the wildcard too.
  4. The security group settings have http and https set up correctly on inbound and outbound is set to all.
  5. Route 53 has a redirect set up to the api.example.com to the ALB of the backend

These are my Django settings:

SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 3600  # increase to 1 year eventually
SECURE_SSL_REDIRECT = True  # re enable in product
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
ALLOWED_HOSTS = ['*']


CORS_ALLOWED_ORIGINS = [
    "https://example.com",
    "https://www.example.com"
]

This is the Application Load Balancer:

[Screenshot: Application Load Balancer configuration]

I had turned on "Preserve host header" but this did not change the outcome.
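
Added example, not part of the original post: a simplified pure-Python model of Django's documented `ALLOWED_HOSTS` matching and `SECURE_PROXY_SSL_HEADER` handling, which decide the host and scheme used when absolute URLs are built (for example by `request.build_absolute_uri`). It shows that `ALLOWED_HOSTS = ['*']` accepts a request whose Host is the ALB's DNS name and reflects it in generated URLs, while a pinned list rejects it. The ALB hostname, helper names and sample requests are constructed for illustration.

```python
# Simplified model of Django's documented host/scheme handling (not Django source).
# Assumes hostname[:port] Host values (no IPv6 literals).

ALB_NAME = "backend-alb-0000000000.eu-west-1.elb.amazonaws.com"  # constructed placeholder


def host_allowed(hostname, allowed_hosts):
    """Mirror the ALLOWED_HOSTS rules: '*', '.domain' (domain + subdomains), exact."""
    hostname = hostname.lower().rstrip(".")
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == "*":
            return True  # wildcard: every Host header is accepted
        if pattern.startswith("."):
            if hostname == pattern[1:] or hostname.endswith(pattern):
                return True
        elif hostname == pattern:
            return True
    return False


def absolute_url(headers, path, allowed_hosts,
                 proxy_ssl_header=("X-Forwarded-Proto", "https")):
    """Return the absolute URL built from the request headers, or None when
    the Host is rejected (Django answers such requests with HTTP 400)."""
    host = headers.get("Host", "")
    hostname = host.partition(":")[0]
    if not host_allowed(hostname, allowed_hosts):
        return None
    name, secure_value = proxy_ssl_header
    # The container speaks plain HTTP to the ALB, so only the trusted proxy
    # header can mark a request as HTTPS.
    scheme = "https" if headers.get(name, "").strip() == secure_value else "http"
    return f"{scheme}://{host}{path}"


# Constructed sample requests as they might arrive at the container.
VIA_DOMAIN = {"Host": "api.example.com", "X-Forwarded-Proto": "https"}
VIA_ALB_NAME = {"Host": ALB_NAME, "X-Forwarded-Proto": "https"}
NO_PROTO = {"Host": "api.example.com"}

WILDCARD = ["*"]               # the setting shown in the post
PINNED = ["api.example.com"]   # only the public API hostname

if __name__ == "__main__":
    for label, allowed in (("wildcard", WILDCARD), ("pinned", PINNED)):
        for req in (VIA_DOMAIN, VIA_ALB_NAME, NO_PROTO):
            print(label, req["Host"], "->", absolute_url(req, "/items/?page=2", allowed))
```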
