Ask Django - Nginx Invalid HTTP_HOST header: 'attacker.web'. You may need to add 'attacker.web' to ALLOWED_HOSTS
Recently I had this error message in my Sentry:
Invalid HTTP_HOST header: 'attacker.web'. You may need to add 'attacker.web' to ALLOWED_HOSTS.
And I saw the request like this:
curl \
-H "Accept: */*" \
-H "Content-Length: " \
-H "Content-Type: " \
-H "Forwarded: for=\"attacker.web:8888\";by=\"attacker.web:9999\"" \
-H "Host: attacker.web" \
-H "User-Agent: Report Runner" \
-H "X-Forwarded-For: " \
-H "X-Forwarded-Host: mysite.com" \
-H "X-Forwarded-Proto: https" \
-H "X-Real-Ip: " \
"https://attacker.web/subpage/"
How do I prevent this kind of request? And what's the name of the attack?
I've configured my nginx to:
- drop curl requests
- return 444 when the host name isn't the same as server_name
How do I deal with this kind of request?
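
Why the captured request produces this error, as an added example that is not part of the original post and not Django's own code: a simplified stand-alone model of how the host is chosen from the request headers and matched against ALLOWED_HOSTS. The names `resolve_host`, `host_matches`, `CAPTURED` and the allow-list `["mysite.com"]` are assumptions made for the illustration.

```python
import re

# Constructed from the headers of the captured request (WSGI-style keys).
CAPTURED = {"HTTP_HOST": "attacker.web", "HTTP_X_FORWARDED_HOST": "mysite.com"}

# hostname or bracketed IPv6 literal, with an optional :port
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(?::(\d+))?$")


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost."""


def split_domain_port(host):
    """Return (domain, port); domain is '' when the value is malformed."""
    match = _HOST_RE.match(host.lower())
    if not match:
        return "", ""
    return match.group(1).removesuffix("."), match.group(2) or ""


def host_matches(domain, pattern):
    """'*' matches anything; '.x.com' matches x.com and its subdomains."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def resolve_host(meta, allowed_hosts, use_x_forwarded_host=False):
    """Choose the header the settings trust, then check it against the list."""
    if use_x_forwarded_host and "HTTP_X_FORWARDED_HOST" in meta:
        raw = meta["HTTP_X_FORWARDED_HOST"]
    else:
        raw = meta.get("HTTP_HOST", "")
    domain, _port = split_domain_port(raw)
    if domain and any(host_matches(domain, p) for p in allowed_hosts):
        return raw
    raise DisallowedHost(f"Invalid HTTP_HOST header: {raw!r}.")


if __name__ == "__main__":
    for trust_xfh in (False, True):
        try:
            print(trust_xfh, "->", resolve_host(CAPTURED, ["mysite.com"], trust_xfh))
        except DisallowedHost as exc:
            print(trust_xfh, "->", exc)
```

With the forwarded-host option enabled (Django's `USE_X_FORWARDED_HOST`), the same request validates as `mysite.com`, so that setting is only appropriate when the proxy in front always overwrites `X-Forwarded-Host`.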