当使用unix套接字时,Django应该怎么做？

发布时间：2020-12-15 21:00:31 所属栏目：安全来源：网络整理

导读：我正在使用unix socket而不是TCP端口用于gunicorn来为我的Django应用程序提供服务.但是,当调试关闭时,我得到400响应,除非我设置ALLOWED_HOSTS = [‘*’].在这种情况下,什么是比’*’更安全的选项？这是我的Gunicorn启动脚本(/opt/example.com/bin/gunicorn_

我正在使用unix socket而不是TCP端口用于gunicorn来为我的Django应用程序提供服务.但是,当调试关闭时,我得到400响应,除非我设置ALLOWED_HOSTS = [‘*’].在这种情况下,什么是比’*’更安全的选项？

这是我的Gunicorn启动脚本(/opt/example.com/bin/gunicorn_start)：

#!/bin/bash

NAME="myapp"                                      # Name of the application
DJANGODIR=/opt/example.com/myapp                  # Django project directory
SOCKFILE=/opt/example.com/run/gunicorn.sock       # we will communicate using this unix socket
USER= myuser                                      # the user to run as
GROUP=mygroup                                     # the group to run as
NUM_WORKERS=3                                     # how many worker processes should Gunicorn spawn
DJANGO_SETTINGS_MODULE=myapp.settings             # which settings file should Django use
DJANGO_WSGI_MODULE=myapp.wsgi                     # WSGI module name

echo "Starting $NAME as `whoami`"

# Activate the virtual environment
cd $DJANGODIR
source ../bin/activate
export DJANGO_SETTINGS_MODULE=$DJANGO_SETTINGS_MODULE
export PYTHONPATH=$DJANGODIR:$PYTHONPATH

# Create the run directory if it doesn't exist
RUNDIR=$(dirname $SOCKFILE)
test -d $RUNDIR || mkdir -p $RUNDIR

# Start your Django Unicorn
# Programs meant to be run under supervisor should not daemonize themselves (do not use --daemon)
exec ../bin/gunicorn ${DJANGO_WSGI_MODULE}:application 
  --name $NAME 
  --workers $NUM_WORKERS 
  --user=$USER --group=$GROUP 
  --log-level=debug 
  --bind=unix:$SOCKFILE

解决方法

结果我只需要添加我的服务器的主机名.我一直在使用[‘localhost’,’127.0.0.1′],但由于我也添加了以下nginx配置,应用程序需要允许网站的URL.

upstream blog_app_server {
  # fail_timeout=0 means we always retry an upstream even if it failed
  # to return a good HTTP response (in case the Unicorn master nukes a
  # single worker for timing out).

  server unix:/opt/example.com/run/gunicorn.sock fail_timeout=0;
}

server {
    listen       80;
    server_name  www.example.com example.com;
    server_tokens off;
    access_log /opt/example.com/logs/nginx-access.log;
    error_log /opt/example.com/logs/nginx-error.log;

    location /static/ {
        alias /opt/example.com/static/;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://blog_app_server;
            break;
        }
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

具体来说,我认为这是行proxy_set_header Host $http_host;这意味着我需要将网站的名称添加到ALLOWED_HOSTS.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!