-
-
Save dryan/8271687 to your computer and use it in GitHub Desktop.
| # Hosts/domain names that are valid for this site; required if DEBUG is False | |
| # See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts | |
| ALLOWED_HOSTS = [ | |
| 'yourdomain.tld', | |
| '.compute-1.amazonaws.com', # allows viewing of instances directly | |
| ] | |
| import requests | |
| EC2_PRIVATE_IP = None | |
| try: | |
| EC2_PRIVATE_IP = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout = 0.01).text | |
| except requests.exceptions.RequestException: | |
| pass | |
| if EC2_PRIVATE_IP: | |
| ALLOWED_HOSTS.append(EC2_PRIVATE_IP) |
I'm getting bad request(400) when I'm trying requests.get. What could be the possible issue?
Don't you need the IP of the ELB? This looks like it's going to get me the IP of my instance.
thanx for the meta-data hint! this just solved my issue :)
To answer @jameserrico above:
The Elastic Load Balancer HTTP health check will use the instance's internal IP [for the host header].
(From https://forums.aws.amazon.com/thread.jspa?messageID=423533)
Works great! thanks!
Still works!
put your ec2 instance's private ip in allowed hosts if using single instance
you do not need line 5 '.compute-1.amazonaws.com'. Works fine also without it.
Also the public-hostheader (@JoarLeth) is not required.
Right on, good looks bud 👍
This is a great solution, congrats
how about v6 addresses?
Another option is to implement a middleware that returns a health check before Django's SecurityMiddleware (that checks the request against ALLOWED_HOSTS): https://gist.github.com/mgax/cf771b1991e68ca454693d5f3597ff04
Hi, I am stuck with this we have an ELB which uses the Round-Robin technique and we have 3-10 servers, and I couldn't get any single of them working. Which IP shall I put into the below line 11
EC2_PRIVATE_IP = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout = 0.01).text
Please someone help me here
This Works for me
import requests
ALLOWED_HOSTS = [
'yourdomain.tld',
'.compute-1.amazonaws.com', # allows viewing of instances directly
]
EC2_PRIVATE_IP = None
try:
token = requests.put("http://169.254.169.254/latest/api/token",
headers={"X-aws-ec2-metadata-token-ttl-seconds": "21600"}).text
EC2_PRIVATE_IP = requests.get("http://169.254.169.254/latest/meta-data/local-ipv4",
headers={"X-aws-ec2-metadata-token": token}, timeout=0.01).text
except requests.exceptions.RequestException:
pass
if EC2_PRIVATE_IP:
ALLOWED_HOSTS.append(EC2_PRIVATE_IP)
Great,
I also have somewhat similar try/except block.
Doesn't adding '.compute-1.amazonaws.com' to ALLOWED_HOSTS make it just as vulnerable as long as the attacker uses an EC2 instance? Requesting the hostname the same way as the IP would solve this if I'm not misstaken;
requests.get('http://169.254.169.254/latest/meta-data/public-hostname', timeout = 0.01).text