
Django apps rely on the Host header for certain links etc. In my setup I have a Django app running behind nginx as a reverse proxy (with a non-default server_name).

According to:

https://docs.djangoproject.com/en/3.1/topics/security/#host-header-validation

For instance, even if Apache is configured such that your Django site is served from a non-default virtual host with the ServerName set, it is still possible for an HTTP request to match this virtual host and supply a fake Host header

I could not find any information on whether or how this can be done in nginx.

Is it really unsafe for the web app to blindly trust the Host header coming from nginx?

ProfHase85

1 Answer

To pass through the Host: header to the reverse proxied app, add the following to your server / location block:

proxy_set_header Host $host;

Which values $host can eventually take depends on the nginx virtual host configuration.

If your server block is a default_server block, it means the server block will process any requests sent to any virtual host. In that case the value of the Host header propagates to the upstream server.

To prevent that in the default_server scenario, use this version:

proxy_set_header Host example.com;

where example.com is your domain name.

Even better is to configure nginx properly so that the default_server block always returns 404, for example, and a proper virtual host with the correct name is used.

Tero Kilkanen
  • I have done that, maybe my question was unclear: According to the quote (see question) a potential attacker might call the app behind the reverse proxy with a different Host header. I just could not find any information of how this could be done. – ProfHase85 Dec 30 '20 at 14:18
  • I amended my answer, hope it now answers your question. – Tero Kilkanen Dec 30 '20 at 15:53
  • @ProfHase85 Your app should not be directly accessible to the global Internet. Use a bind address and/or firewall rules to ensure that only your web server can talk to it. – Michael Hampton Dec 30 '20 at 16:48
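The configuration the accepted answer describes, written out as an added example (not the answer's own config): a catch-all default_server that rejects requests whose Host header matches no configured name, and a named virtual host that forwards the already-matched Host value to Django. The names example.com / www.example.com and the upstream address 127.0.0.1:8000 are placeholders.

```nginx
# Added example, not from the answer. Placeholders: example.com, 127.0.0.1:8000.

# 1. Catch-all block. A request whose Host header matches none of the
#    server_name entries below is routed here and answered with 404,
#    so a forged Host value never reaches the Django app.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # "_" is just a name that can never match
    return 404;
}

# 2. The real virtual host. Only requests whose Host header matched one of
#    these names get into this block, so $host is always one of them.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        proxy_set_header Host $host;   # forward the validated host name
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8000;   # Django, bound to loopback only
    }
}
```

Two checks belong with this. First, list exactly the same names in Django's ALLOWED_HOSTS (['example.com', 'www.example.com']) so that the application validates the header itself, as the linked Django documentation asks; the nginx filter then has a second layer rather than being the only one. Second, verify the catch-all from outside with a request that sends a Host value you do not serve, e.g. `curl -sI -H 'Host: not-served.invalid' http://<your-server>/`, and confirm you get the 404 from nginx rather than a response from Django. If you use wildcard or regex server_name entries, the set of possible $host values widens accordingly and ALLOWED_HOSTS must be kept in step. As Michael Hampton's comment notes, the upstream should listen only on loopback (or be firewalled) so that the proxy's filtering cannot be bypassed by connecting to Django directly.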