Django ALLOWED_HOST setting for Elastic beanstalk instance behind Elastic Load Balancer

8
votes

Q. How do I set django ALLOW_HOSTS on elastic beanstalk instance to allow Elastic Load Balancer IP?

Background

I deployed django website on elastic beanstalk. Website domain is added to ALLOW_HOSTS so normal requests are accepted by django correctly.

ALLOWED_HOSTS = ['.mydomain.com']

Elastic Load balancer visit Elastic beanstalk instances directly with IP address for health check, so next line allow the health check:

# add elastic beanstalk instance local ip
aws_ip = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4', timeout=0.1).text
ALLOWED_HOSTS.append(aws_ip)

But I still got invalid HOST IP errors that seems elastic beanstalk instances are visited with elastic load balancer public IP. There are solutions online for EC2 deployments as you can set HTTPD softwares to set http HOST header when it's visited by IP directly. But we cannot config apache on elastic beanstalk. So how do I add elastic load balancer IP to the ALLOW_HOSTS?

5
pythondjangoamazon-web-servicesamazon-elastic-beanstalkdjango-settings

5 Answers

18
votes

There is no good reason to accept traffic that is directed to your ELB's IP. For the health check, my preferred method:

import requests
try:
    internal_ip = requests.get('http://instance-data/latest/meta-data/local-ipv4').text
except requests.exceptions.ConnectionError:
    pass
else:
    ALLOWED_HOSTS.append(internal_ip)
del requests
  • No complicated apache configuration, which depend on your domain
  • Fails quickly on dns, no need to rely on timeout
4
votes

I believe the best approach would be to configure Apache to handle request host validation. Even with beanstalk you should be able to configure Apache using .ebextensions.

The general idea is to check incoming requests for the 'ELB-HealthChecker/1.0' User-Agent and the health check URL you set as the request's REQUEST_URI. Those requests can have their host header changed to an allowed host with the RequestHeader set Host command.

If really don't want to configure Apache, you could implement a custom middleware to override Django's CommonMiddleware to allow the health checker requests to bypass Django's ALLOWED_HOST validation.

I went into greater detail in this answer if you need more on implementing one of these solutions.

0
votes

In settings.py this is the configuration I use and it works well for me (for DEV at least) :

# AWS config for ElasticBeanstalk
ALLOWED_HOSTS = [
    '127.0.0.1',
    'localhost',
    '.compute-1.amazonaws.com', # allows viewing of instances directly
    '.elasticbeanstalk.com' 
]

I hope it helps.

0
votes

Adding the local IP of the EC2 instance to the allowed hosts worked for me.

settings.py:

import socket

hostname = socket.gethostname()
local_ip = socket.gethostbyname(hostname)

ALLOWED_HOSTS = ['...', local_ip]
-1
votes

You add list of IPs assigned to that host. Only the IP address no http:// or /latest/media...