Suppressing administrator email for Django ALLOWED_HOSTS exceptions

Since the introduction of the ALLOWED_HOSTS setting in Django 1.4.4, I get a lot of Django error messages to my administrator address for exceptions caused by some kind of stupid spider looking for vulnerable phpMyAdmin installations or something like that. These emails are fully valid since the host headers in the spider requests are really erroneous, but I would prefer Django to send me error messages when something is wrong. Is there an easy way to disable the SuspiciousOperation mail, or do I need to go all the way and subclass CommonMiddleware?

+17
django
Mar 13 '13 at 11:38
6 answers

For completeness, you can override parts of the logging configuration (tested on Django 1.6):

    LOGGING = {
        'version': 1,
        'disable_existing_loggers': False,
        'handlers': {
            'null': {
                'level': 'DEBUG',
                'class': 'logging.NullHandler',
            },
        },
        'loggers': {
            'django.security.DisallowedHost': {
                'handlers': ['null'],
                'propagate': False,
            },
        },
    }

Also see the Django security docs.

+32
Aug 04 '14 at 7:54

To suppress the administrator's email, define a logging filter:

    def skip_suspicious_operations(record):
        if record.name == 'django.security.DisallowedHost':
            return False
        return True

Then in settings.py add it to the LOGGING dict as a filter:

    'filters': {
        'skip_suspicious_operations': {
            '()': 'django.utils.log.CallbackFilter',
            'callback': skip_suspicious_operations,
        }
    }

and add a filter to the mail_admins handler:

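    'handlers': {
        'mail_admins': {
            'level': 'ERROR',
            'filters': ['skip_suspicious_operations'],
            # dictConfig requires a handler class; this is Django's admin-mail handler
            'class': 'django.utils.log.AdminEmailHandler',
            'include_html': True,
        }
    }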

This works in Django 1.6 as it is. In Django-1.5, I think the RHS comparison with record.name is a bit different, but it should work otherwise.

+6
Jan 16 '14 at 18:54
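
The two logging answers above, compared side by side as an added example (not code from either answer or from Django): using only the standard library, it shows that both configurations drop the DisallowedHost record while other django.security and django.request errors still reach the admin handler. CaptureHandler, the lambda filter factory, attaching mail_admins to the django logger, and the sample events are assumptions standing in for AdminEmailHandler, CallbackFilter and real traffic.

```python
import logging
import logging.config

class CaptureHandler(logging.Handler):
    """Hypothetical stand-in for AdminEmailHandler: stores records instead of mailing."""
    def __init__(self):
        super().__init__()
        self.seen = []
    def emit(self, record):
        self.seen.append(record.name)

def skip_disallowed_host(record):
    # Same test as the filter answer: drop only the DisallowedHost logger.
    return record.name != "django.security.DisallowedHost"

BASE = {"version": 1, "disable_existing_loggers": False}

# Approach 1: route the one logger to a NullHandler and stop propagation.
NULL_HANDLER_CONFIG = dict(BASE,
    handlers={"null": {"class": "logging.NullHandler"},
              "mail_admins": {"()": CaptureHandler, "level": "ERROR"}},
    loggers={"django": {"handlers": ["mail_admins"], "level": "ERROR"},
             "django.security.DisallowedHost": {"handlers": ["null"], "propagate": False}})

# Approach 2: leave the logger tree alone and filter on the mail handler.
# The lambda factory is a stdlib stand-in for django.utils.log.CallbackFilter.
FILTER_CONFIG = dict(BASE,
    filters={"skip_disallowed_host": {"()": lambda: skip_disallowed_host}},
    handlers={"mail_admins": {"()": CaptureHandler, "level": "ERROR",
                              "filters": ["skip_disallowed_host"]}},
    loggers={"django": {"handlers": ["mail_admins"], "level": "ERROR"}})

# Constructed sample events: (logger name, message)
SAMPLE_EVENTS = [
    ("django.security.DisallowedHost", "Invalid HTTP_HOST header: 'scanner.invalid'"),
    ("django.security.SuspiciousFileOperation", "path outside base directory"),
    ("django.request", "Internal Server Error: /checkout/"),
]

def delivered(config):
    """Apply config, log the sample events, return the logger names that were 'mailed'."""
    logging.config.dictConfig(config)
    for name, message in SAMPLE_EVENTS:
        logging.getLogger(name).error(message)
    return logging.getLogger("django").handlers[0].seen

if __name__ == "__main__":
    for cfg in (NULL_HANDLER_CONFIG, FILTER_CONFIG):
        print(delivered(cfg))
```

Both configurations match the exact logger name, so suppression stays scoped to DisallowedHost and does not silence the rest of django.security.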

If you use apache, you can filter traffic to different hosts from httpd.conf - this is much easier than writing any code. Something like

    WSGIPythonPath [your Python path]
    ServerSignature Off
    ServerTokens Prod

    <VirtualHost *:80>
        DocumentRoot /var/www
    </VirtualHost>

    <VirtualHost *:80>
        ServerName www.myrealhost.com
        # rest of apache configuration ....
    </VirtualHost>

The first parameter captures everything that does not match the name of your server (for example, www.myrealhost.com).

+3
Jul 01 '13 at 16:12

A little searching would show that there is a ticket for this in Django's bug tracker:

https://code.djangoproject.com/ticket/19866

Until there is a fix in Django 1.5.1, there is a workaround using the log filter.

+1
Mar 13 '13 at 12:01

But wait, there is an app for that!

https://github.com/litchfield/django-safelogging

0
Jun 11 '14 at 1:21

Therefore, I usually prefer to simply redirect all unmatched vhosts to one vhost. This is done with a simple addition to the apache.conf file ...

    <VirtualHost *:80>
        RedirectMatch ^/?(.*) http://www.example.com/$1
    </VirtualHost>

The above example will cause any unmatched vhost to be redirected to http://www.example.com, while maintaining the correct path component.

This also has the added benefit of correcting the case where the user is executing an invalid request or some such thing.

0
Feb 17 '15 at 2:08