Sentry-python: Invalid HTTP_HOST header

Created on 5 Mar 2020  路  20Comments  路  Source: getsentry/sentry-python

I used raven package in Django before and it worked well so far.
Recently I replaced it with latest sentry-python and getting weird error notifications continuously.

Invalid HTTP_HOST header: 'server_ip'. You may need to add 'server_ip' to ALLOWED_HOSTS.

I added server domain, 127.0.0.1 and localhost in allowed hosts.

I think there is no direct request to server IP instead of the domain.

Any help to fix the issue is appreciated.

enhancement wontfix

Most helpful comment

Yeah this came up a few times before. I think we should just start ignoring that logger, for now you can do:

from sentry.integrations.logging import ignore_logger
ignore_logger("django.security.DisallowedHost")

All 20 comments

Where are you getting that error? In your project or when submitting events from the SDK to Sentry?

Sentry is integrated in my django project and the same event from the project pushed to sentry.
Sometimes it also produces events with example.com and 169.254.169.254 instead of server_ip.

Could you link me the sentry issue that shows this error?

Yeah this came up a few times before. I think we should just start ignoring that logger, for now you can do:

from sentry.integrations.logging import ignore_logger
ignore_logger("django.security.DisallowedHost")

Thanks.
But I cannot ignore all errors related to DisallowedHost.
I have to track some of those.
Not sure why there are example.com and other strange server ips.

Because those errors happen. Somebody is sending this as Host header. I am not sure by which criteria you want to filter.

Is it possible to ignore errors with certain host headers in project?
I don't want such invalid errors to fill my sentry event count.

Yes, you can use the before_send option to look at the event that is about to be sent and return None to throw the event away. I would recommend print(event) in development to figure out which keys to look at for DisallowedHost.

Ok, let me try. Thanks.

Another option is to use the "message filters" option in the project settings.

I'm having the same Issue.

@untitaker if i choose the "message filters" it will count at the sentry messages per month?

@camilonova no, you will not be billed for those events

@camilonova It's better to resolve it on web server such as nginx or apache instead of ignoring such issues.

This is the nginx configuration that fixes the issue:

server {
    listen                      80 default_server;
    listen                      [::]:80 default_server;

    return                      444;
}

@discover59 This seems to me related to services hosted on aws.. i also wasted a couple of hours understanding waht the hell is going on.. for some reason the 444 drop didn't work for me yet, maybe due to the complex config

Below are logs from nginx:
"GET /latest/dynamic/instance-identity/document HTTP/1.1" 400 255 "-" "AWS Security Scanner" "-"

"GET http://example.com/ HTTP/1.1" 301 169 "-" "AWS Security Scanner" "-"

馃う

"AWS Security Scanner", sounds like AWS employs a bot that is used to figure out if you're accepting random host headers. You're not, because you're using Django.

I wasn't aware of those types of scanners. The initial thought of reporting those types of messages to Sentry was that you'd catch broken configuration that way (requests from your own services with invalid host headers). I guess as long as it's easy enough to filter those events using either before_send or server-side message filters it's alright though.

Let me know your opinions.

One thing we could do is to add AWS Security Scanners to our list of web crawlers that we offer a filter for: https://docs.sentry.io/accounts/quotas/#inbound-data-filters

We decided not to swallow those errors but rather filter out false positive errors like AWS Security Scanner. see also https://github.com/getsentry/relay/pull/577

@untitaker im not the original issue creator, but thanks for this :)

Was this page helpful?
0 / 5 - 0 ratings