John,

You could set the logger to send all DisallowedHost errors to a log file, then just check it every so often for the bad domains you are looking for. Or better yet, have a daily script email them to you (you can exclude your IPs then).

Dylan

On Tue, Dec 19, 2017 at 5:37 AM, Daniel Hepper <daniel.hep...@gmail.com> wrote:
> From my understanding, deciding which certificate to use and actually
> serving the request are two separate steps in Nginx.
>
> I assume you only have one valid domain name you want to serve. Every
> other HTTPS request will result in a certificate warning and should be
> rejected. You could try a configuration like this:
>
>     server {
>         listen 80;
>         listen 443 ssl;
>         server_name my.django.site.com;
>         ssl_certificate /path/to/my.django.site.com.cert;
>         ssl_certificate_key /path/to/my.django.site.com.key;
>
>         ... # serve the request with your Django app
>     }
>
>     server {
>         listen 80 default_server;
>         listen 443 default_server ssl;
>         server_name _;
>         ssl_certificate /path/to/my.django.site.com.cert;
>         ssl_certificate_key /path/to/my.django.site.com.key;
>
>         return 444; # reject the request
>     }
>
> This should ensure that only requests with valid Host headers reach your
> application while still supporting non-SNI clients. You can test it with
> "open_ssl client" or "gnutls-cli":
>
>     $ gnutls-cli --disable-sni my.django.site.com
>     ...
>     - Simple Client Mode:
>
>     GET / HTTP/1.0
>     Host: my.django.site.com
>
>     ...your site...
>
>     $ gnutls-cli --disable-sni my.django.site.com
>     ...
>     - Simple Client Mode:
>
>     GET / HTTP/1.0
>     Host: foobar.com
>
>     - Peer has closed the GnuTLS connection
>
> Note that you won't receive any emails for unknown hosts anymore, as those
> requests never reach your Django app, as it should be. If you still want to
> keep an eye on those requests, you could configure logging in the default
> server block.
>
> Hope that helps,
> Daniel
>
> On Tuesday, December 19, 2017 at 1:18:36 PM UTC+1, Jon Ribbens wrote:
>> On Tuesday, 19 December 2017 07:24:23 UTC, Antonis Christofides wrote:
>>> I may be wrong of course, but I don't recall SNI having anything to do
>>> with it. Just using something like
>>>
>>>     server {
>>>         listen 80;
>>>         listen 443 ssl;
>>>         server_name my.django.site.com;
>>>         ...
>>>     }
>>>
>>> will only send requests for my.django.site.com to the django project. I
>>> really don't know about SNI, but I recall having used SSL on Apache before
>>> SNI existed and I don't remember any difference with respect to that. Why
>>> does SNI affect this?
>>
>> Because unless I'm misremembering something, if you *don't* add
>> default_server to the listen directive then requests without SNI will
>> not end up being served the desired SSL certificate, but if you *do* add
>> default_server then requests with the wrong/missing/IP-literal Host:
>> header will end up going to Django, which is what we wanted to avoid.
>>
>> I guess I'll just have to decide which of lack-of-SNI support and
>> alerting-on-wrong-Host I want to lose.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-users/88236646-9f3c-4984-a6d6-970d024b235b%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
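Dylan's suggestion above, as an added example that is not part of the thread: a Django LOGGING setting that routes DisallowedHost warnings to their own file, a logging filter that records the client address so your own IPs can be excluded, and a summarizer a daily job could run over that file. The log path, the filter, the function names and the sample log lines are all assumptions or constructed; the only thing taken from Django is that the django.security logger attaches the request to each record.

```python
import logging
import re
from collections import Counter

def client_address(record):
    """REMOTE_ADDR of the request attached to a log record, or '-' when absent."""
    # Assumption: Django's security logger passes the request as record.request.
    meta = getattr(getattr(record, "request", None), "META", None) or {}
    return meta.get("REMOTE_ADDR", "-")

class RemoteAddrFilter(logging.Filter):
    """Expose the client address to the formatter as %(remote_addr)s."""
    def filter(self, record):
        record.remote_addr = client_address(record)
        return True

LOGGING = {  # goes in settings.py; the filename below is a placeholder
    "version": 1,
    "disable_existing_loggers": False,
    "filters": {"remote_addr": {"()": RemoteAddrFilter}},
    "formatters": {"host": {"format": "%(asctime)s %(remote_addr)s %(message)s"}},
    "handlers": {"disallowed_host_file": {
        "class": "logging.FileHandler",
        "filename": "/var/log/django/disallowed_host.log",
        "filters": ["remote_addr"], "formatter": "host"}},
    "loggers": {"django.security.DisallowedHost": {
        "handlers": ["disallowed_host_file"], "level": "WARNING", "propagate": False}},
}

# Matches the lines the formatter above writes (Django's own message wording).
LINE_RE = re.compile(r"^\S+ \S+ (\S+) Invalid HTTP_HOST header: '([^']*)'")

def summarize_disallowed_hosts(lines, own_ips=()):
    """Count each bad Host value, skipping requests from the operator's own IPs."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) not in own_ips:
            counts[m.group(2)] += 1
    return dict(counts)

# Constructed sample of what the log file would contain (not real traffic).
SAMPLE_LOG = """\
2017-12-19 06:01:02,345 203.0.113.7 Invalid HTTP_HOST header: 'foobar.com'. You may need to add 'foobar.com' to ALLOWED_HOSTS.
2017-12-19 06:03:14,001 198.51.100.2 Invalid HTTP_HOST header: '192.0.2.10'. You may need to add '192.0.2.10' to ALLOWED_HOSTS.
2017-12-19 06:05:55,777 203.0.113.7 Invalid HTTP_HOST header: 'foobar.com'. You may need to add 'foobar.com' to ALLOWED_HOSTS.
2017-12-19 06:09:00,100 192.0.2.50 Invalid HTTP_HOST header: 'staging.example'. You may need to add 'staging.example' to ALLOWED_HOSTS.
""".splitlines()
```

A cron job can read the file's lines into summarize_disallowed_hosts with your own addresses in own_ips and mail the resulting dict; with the nginx default_server block from Daniel's reply in place, the file simply stays empty.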