After deploying with apache + mod_wsgi, visiting the site returns 400 (Bad Request)

This was a bloody lesson, and a waste of youth.

Over the past few days I deployed a production website environment on linux + apache, using the django framework. I found quite a few deployment methods on the django website and elsewhere; of these, the wsgi approach is one of the more convenient and quick to pick up.

After all the deployment work was done, I accessed the site through its domain name and got: 400 (Bad Request)

I searched through countless articles online and wasted several hours hunting for the error, to no avail.

Helpless... so I kept at it... search, search, google

Finally, after much fiddling, I found an article: http://stackoverflow.com/questions/20321673/debugging-apache-django-wsgi-bad-request-400-error (many thanks to this guy; my feelings are beyond words)

Actually, the reason is very simple: once django goes into production, the configuration in settings.py has to be changed accordingly.

# The following items need to be changed
DEBUG = False      # From True to False; this one I did get right

# This one I forgot; it took half a day and a lot of effort to find out this was the problem
ALLOWED_HOSTS = [
    '.example.com',  # Allow domain and subdomains
    'localhost',     # Also allow localhost
]

Problem solved. Time for some self-criticism...

Only now did it dawn on me: I remember this is right there in the official django documentation!

Attached is the official explanation.

First:

Host header validation

Django uses the Host header provided by the client to construct URLs in certain cases. While these values are sanitized to prevent Cross Site Scripting attacks, a fake Host value can be used for Cross-Site Request Forgery, cache poisoning attacks, and poisoning links in emails.

Because even seemingly-secure web server configurations are susceptible to fake Host headers, Django validates Host headers against the ALLOWED_HOSTS setting in the django.http.HttpRequest.get_host() method.

This validation only applies via get_host(); if your code accesses the Host header directly from request.META you are bypassing this security protection.

For more details see the full ALLOWED_HOSTS documentation.

Warning

Previous versions of this document recommended configuring your web server to ensure it validates incoming HTTP Host headers. While this is still recommended, in many common web servers a configuration that seems to validate the Host header may not in fact do so. For instance, even if Apache is configured such that your Django site is served from a non-default virtual host with the ServerName set, it is still possible for an HTTP request to match this virtual host and supply a fake Host header. Thus, Django now requires that you set ALLOWED_HOSTS explicitly rather than relying on web server configuration.

Additionally, as of 1.3.1, Django requires you to explicitly enable support for the X-Forwarded-Host header (via the USE_X_FORWARDED_HOST setting) if your configuration requires it.

url:https://docs.djangoproject.com/en/1.6/topics/security/

Second:

ALLOWED_HOSTS

Default: [] (Empty list)

A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations.

Values in this list can be fully qualified names (e.g. 'www.example.com'), in which case they will be matched against the request's Host header exactly (case-insensitive, not including port). A value beginning with a period can be used as a subdomain wildcard: '.example.com' will match example.com, www.example.com, and any other subdomain of example.com. A value of '*' will match anything; in this case you are responsible to provide your own validation of the Host header (perhaps in a middleware; if so this middleware must be listed first in MIDDLEWARE_CLASSES).

Note

If you want to also allow the fully qualified domain name (FQDN), which some browsers can send in the Host header, you must explicitly add another ALLOWED_HOSTS entry that includes a trailing period. This entry can also be a subdomain wildcard:

ALLOWED_HOSTS = [
    '.example.com',   # Allow domain and subdomains
    '.example.com.',  # Also allow FQDN and subdomains
]

If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation.

When DEBUG is True or when running tests, host validation is disabled; any host will be accepted. Thus it’s usually only necessary to set it in production.

This validation only applies via get_host(); if your code accesses the Host header directly from request.META you are bypassing this security protection.

url:https://docs.djangoproject.com/en/1.6/ref/settings/#std:setting-ALLOWED_HOSTS
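To make the rules quoted above concrete, here is an added example (my own code, not Django's implementation) that re-implements the ALLOWED_HOSTS matching described in the docs: exact match, the leading-period subdomain wildcard, '*', case-insensitive comparison with the port ignored, the trailing-dot FQDN needing its own entry, and validation switched off when DEBUG is True. The function and exception names (validate_host, response_status, DisallowedHost) and the sample Host values are my own; Django itself raises SuspiciousOperation from get_host() and turns it into the 400 seen in this post.

```python
"""Re-implementation of the ALLOWED_HOSTS matching rules (added example).

This is not Django's own code; it mirrors the behaviour the 1.6 docs
describe so the 400 (Bad Request) from this post can be reproduced and
reasoned about without a running Apache/mod_wsgi setup.
"""
from typing import Iterable, Tuple


class DisallowedHost(Exception):
    """Raised when the Host header matches no ALLOWED_HOSTS entry.
    (Django raises SuspiciousOperation here, answered as HTTP 400.)"""


def split_host_port(host_header: str) -> Tuple[str, str]:
    """Strip an optional :port from a Host header value.

    Handles 'example.com:8000', '[::1]:8000' and bare host names."""
    host = host_header.strip()
    if host.startswith('['):  # IPv6 literal such as [::1]:8000
        end = host.find(']')
        if end == -1:
            raise DisallowedHost('malformed IPv6 host: %r' % host_header)
        port = host[end + 2:] if host[end + 1:end + 2] == ':' else ''
        return host[1:end], port
    if host.count(':') == 1:
        name, port = host.split(':')
        return name, port
    return host, ''


def host_matches_pattern(host: str, pattern: str) -> bool:
    """Match one ALLOWED_HOSTS entry against an already lower-cased host.

    '*'            -> anything
    '.example.com' -> example.com and every subdomain of it
    anything else  -> exact (case-insensitive) match
    A trailing-dot FQDN like 'www.example.com.' only matches when a
    trailing-dot entry such as '.example.com.' is listed, as the docs note.
    """
    if pattern == '*':
        return True
    pattern = pattern.lower()
    if pattern.startswith('.'):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host_header: str, allowed_hosts: Iterable[str],
                  debug: bool = False) -> str:
    """Return the validated host name or raise DisallowedHost.

    debug=True skips validation entirely, mirroring the docs' note that
    DEBUG=True accepts any host; that is why the problem in this post only
    surfaced after DEBUG was switched to False for production.
    """
    host, _port = split_host_port(host_header)
    host = host.lower()
    if debug or any(host_matches_pattern(host, p) for p in allowed_hosts):
        return host
    raise DisallowedHost(
        "Invalid HTTP_HOST header: %r. Add %r to ALLOWED_HOSTS."
        % (host_header, host))


def response_status(host_header: str, allowed_hosts: Iterable[str],
                    debug: bool = False) -> int:
    """HTTP status the site would answer: 200 if accepted, 400 if rejected."""
    try:
        validate_host(host_header, allowed_hosts, debug)
        return 200
    except DisallowedHost:
        return 400


if __name__ == '__main__':
    # Constructed sample Host values; 'www.example.com' stands in for the
    # real production domain of the post.
    production = ['.example.com', 'localhost']
    for hdr, hosts, debug in [
        ('www.example.com', [], False),          # the post's mistake: empty list
        ('www.example.com', [], True),           # same request with DEBUG=True
        ('WWW.Example.com:8080', production, False),
        ('www.example.com.', production, False),  # FQDN with trailing dot
    ]:
        print('%-22s ALLOWED_HOSTS=%-28r DEBUG=%-5s -> %d'
              % (hdr, hosts, debug, response_status(hdr, hosts, debug)))
```

Running the block prints one line per sample request; the first one reproduces the situation from this post (DEBUG = False with an empty ALLOWED_HOSTS gives 400), and the trailing-dot case shows why the docs ask for a separate '.example.com.' entry.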


Finally, life is precious; please don't waste it.

Remember: the place where things go wrong is so often the most fundamental one; only by going back to the source can you see things as they really are.
