
I have a Django app, using Apache and mod_wsgi running on an EC2 instance behind an AWS ELB balancer. The balancer maps SSL traffic (port 443) to port 8080 on the EC2 instance. Apache has a VirtualHost configured on port 8080 to serve the Django app, with ServerName set to the domain name for the website. Django runs in production mode (DEBUG=False) and exposes, among other things, a healthcheck endpoint (at /healthcheck). The ALLOWED_HOSTS setting is set to the domain name for the website, plus the private IP address of the EC2 instance, in order to allow the Load Balancer to hit the healthcheck endpoint.

Everything works fine with this set-up. The problem is that I keep receiving occasional bursts of e-mails from Django with error messages similar to this: ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '52.51.147.134'. You may need to add u'52.51.147.134' to ALLOWED_HOSTS. The headers also contain HTTP_X_FORWARDED_FOR = '139.162.13.205'

I get various IP addresses (and sometimes hostnames), belonging to script kiddies, I presume.

How can I block this traffic from ever reaching the Django app, while still allowing valid traffic (where HTTP_HOST is my domain name) and the ELB healthcheck traffic (where HTTP_HOST is my EC2 private IP address)?

  • If I understand correctly, this is just annoying, you don't experience any other ill effects? Anyway, you should be able to simply filter this in Apache but it would be useful if you could provide Apache version and current VirtualHost .conf Commented Aug 8, 2016 at 21:47

1 Answer


I would suggest you only allow traffic on your EC2 instance from the load balancer using a security group AND the IP address of your office/home if you're SSH'ing into the EC2 instance.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-groups.html#elb-vpc-instance-security-groups

This will stop the script kiddies from hitting the EC2 instance directly, which appears to be what is happening here.


3 Comments

I have already done this. Port 8080 traffic is limited only to the Load Balancer's security group. Port 22 (SSH) traffic is open to the world, but that's not the problem. The unwanted traffic is coming THROUGH the Load Balancer.
It looks like you are at the mercy of this bug code.djangoproject.com/ticket/19866 but it was fixed a long time ago. What version of django are you using? Someone must be spoofing the HTTP_HOST and that should now return a 400 to them and not send an email to you due to a 500 error
I'm using Django 1.10. The behaviour does seem related to this bug. It looks like the bug has indeed been fixed, and the response code returned is 400, but a security exception is still logged, so I (as an admin) get an e-mail. Now, I can certainly play around with the logging config to disable this, but it would be nice if I could filter this traffic out before it even hits Django. Thanks anyway, this was useful.
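One way to do the Apache-side filtering that the question's comment suggests, added here as an example and not part of the question or the answer: an Apache 2.4 VirtualHost that rejects any request whose Host header is neither the site name nor the instance's private IP before it reaches mod_wsgi. example.com and 10.0.1.23 are placeholders for the real domain and private IP, and the mod_wsgi paths under /srv/mysite are assumed.

```apache
# Apache 2.4 (mod_authz_core ships with it; no extra module needed).
# Placeholders: example.com = the site's domain name, 10.0.1.23 = the EC2
# instance's private IP, which is the Host the ELB health check presents.
<VirtualHost *:8080>
    ServerName example.com

    # Requests whose Host header is anything else (the ELB's public IP,
    # random hostnames, ...) get a 403 straight from Apache. They never
    # reach mod_wsgi, so Django never raises the DisallowedHost /
    # SuspiciousOperation that triggers the admin e-mail.
    # An optional ":port" suffix is tolerated because some clients send
    # "example.com:8080"; Django itself ignores the port for ALLOWED_HOSTS.
    <If "%{HTTP_HOST} !~ /^(example\.com|10\.0\.1\.23)(:[0-9]+)?$/i">
        Require all denied
    </If>

    # Normal mod_wsgi wiring for the Django app (paths are assumed).
    WSGIDaemonProcess mysite python-path=/srv/mysite
    WSGIProcessGroup mysite
    WSGIScriptAlias / /srv/mysite/mysite/wsgi.py

    <Directory /srv/mysite/mysite>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>

    # Rejected requests still show up in the access log with a 403 and
    # the client's address in X-Forwarded-For, so they remain visible
    # without paging anyone.
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Host}i\"" elb
    CustomLog ${APACHE_LOG_DIR}/mysite-access.log elb
</VirtualHost>
```

Because <If> sections are merged after <Directory> sections, the `Require all denied` inside it overrides the `Require all granted` for wsgi.py only when the Host check fails; keep the private IP in the pattern or the ELB health check will start failing.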
