nginx、flower、Django、proxy_pass和拒绝无效主机

Question

我在AWS上有一个运行nginx/uWSGI/Django的服务器，里面有RabbitMQ、flower和芹菜。

问题:在不打开新端口的情况下，使用nginx代理for，并拒绝可能导致Django中无效的HTTP_HOST头错误的格式错误的请求。

我可以做任何一个，但不能两个都做，因为我对nginx不是特别有经验。

我运行的是Flow0.9.4，因为我知道0.9.5中的bug。

在下面的配置文件中，如果我注释掉"reject_hosts.conf“行，flower可以工作，但我会像应该的那样停止拒绝主机。如果我把它留在里面，web浏览器就会超时，请求/flower地址。

下面是相关的配置文件：

nginx-app.conf

# the upstream component nginx needs to connect to
upstream django {
    server unix:/home/app.sock; # uwsgi socket
}

include redirect_ssl.conf; #301 SSL redirects

# actual webserver. Note that https is handled by AWS so no listen on 443
server {
    # default_server indicates that this server block is the block to use if no others match server_name
    listen      8080 default_server;
    listen      [::]:8080 default_server;
    charset     utf-8;

    # max upload size
    client_max_body_size 3M;   # adjust to taste
    include django_aliases.conf; # media and static directories

    include reject_hosts.conf; # return 444 if wrong HOSTs header
    include flower.conf; # proxy flower

    include django_root.conf; # django upstream
}

redirect_ssl.conf

## 301 redirect for HTTPS
server {
     listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

flower.conf -如果不包含reject_hosts one，则此选项可用。我尝试了大约一千个这样的变体，以获得一个可以与Flower中的所有文件正常工作的版本。

location /flower/ {
    rewrite ^/flower/(.*)$ /$1 break;
    proxy_pass http://localhost:5555;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
}

reject_hosts.conf

if ($host !~* ^(127.0.0.1|localhost|mydomain.com|myotherdomain.com|my.subdomain.com)$ ) {
    return 444;
}

django_aliases.conf

# Django media
location /media  {
    alias media;  # Media files, actual location removed for paranoia
}

location /static {
    alias static; # Static files, actual location removed for paranoia
}

django_root.conf

location / {
    uwsgi_pass  django;
    include     uwsgi_params; # location removed for paranoia
    uwsgi_read_timeout 600;
    uwsgi_send_timeout 600;
    uwsgi_connect_timeout 60;
    uwsgi_ignore_client_abort on;
}

最后，Flower由supervisord启动，如下所示：

command = python3 -m celery -A myproj flower --url_prefix=flower --port=5555

Answer 1

您可以尝试通过服务器块过滤HTTP请求(如nginx教程中的suggested )：

server {
    listen 80;
    listen [::]:80;
    server_name 127.0.0.1 localhost mydomain.com myotherdomain.com my.subdomain.com;
    return 301 https://$host$request_uri;
}
server {
    # handle invalid requests with his one
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}
server {
    listen      8080;
    listen      [::]:8080;
    server_name 127.0.0.1 localhost mydomain.com myotherdomain.com my.subdomain.com;
    ... # rest of the configuration
}
server {
    # handle invalid requests with his one
    listen      8080 default_server;
    listen      [::]:8080 default_server;
    return 444;
}

这样，您就完全不需要reject_hosts.conf文件了。

Answer 2

我不知道你是否注意到了。您只处理有效的请求，而不会侦听无效的请求。

只需在nginx的服务器上下文中添加此属性：

server_name example.com mysite.example.com

同样，您必须在django的settings.py文件中输入这些主机。我通常用'*'输入这个条目，这样我就不需要担心proxy_pass在nginx中设置了什么主机名，或者我的celery请求在什么主机上，等等。所以只需在settings.py代码行下面添加一行

ALLOWED_HOSTS=['*']