Should server IP address be in ALLOWED_HOSTS django setting?
NO, IT SHOULDN'T.
Usually it's not a secure way to configure your Django server. Sometimes, e.g., when testing your application, you may access it via direct IP address, but in there's no reason to disable log warnings.
My old answer was wrong, thanks to Max Malysh for pointing that out.
Old answer (INSECURE):
Short answer is: YES (according to provided headers).
Long answer: According to documentation:
If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.
In other words: if your requests pass your server ip address as Host header (and apparently they do), and you think it's okay, then YES, you should add server ip to ALLOWED_HOSTS.
Also, ip address could be in HTTP_HOST for many reasons, also someone could directly ask for ip address.
No, it shouldn't
By default, there are no reasons why IP address should be accepted as a valid HOST header. This message is a sign of a misconfigured production environment: such requests shouldn't reach the back-end.
Here's a post on security.stackexchange.com on Host header poisoning & ALLOWED_HOSTS.
What to do
Filter out all requests with an invalid HOST header before they reach django back-end.
How to
Most likely you're using nginx
as a reverse proxy in front of django. If you don't use any reverse proxy at all (or you're using runserver
), you have to (otherwise you're risking your security).
Add a default server block returning 444
at the top of your configuration. It should be the first server block in the configuration:
# File: /etc/nginx/sites-available/domain.com
upstream django_server {
server 127.0.0.1:8000;
}
# Catch all requests with an invalid HOST header
server {
server_name "";
listen 80;
return 444;
}
# Your config goes there
server {
server_name domain.com;
listen 80;
location / {
proxy_pass http://django_server;
}
}