October 3, 2014
Posted by Eddie
Django, ALLOWED_HOSTS, Host header, Proxying, and more!
Django tries to avoid CSRF, and thus requires that an HTTP Host header be sent. Host is optional in HTTP/1.0, so Django effectively requires HTTP/1.1. That Host header has to conform to RFC 1034 or RFC 1035.
A proxy sitting in front of Django will pretty much do whatever you tell it to do, so it needs to be told to convert HTTP/1.0 requests into HTTP/1.1 requests. To do this in Nginx, you need to know the difference between $host and $http_host, and have $server_name set (via the server_name directive).
An HTTP/1.0 request, as rare as it sounds, is possible, as tools like HAProxy send HTTP/1.0 requests without Host headers. This implies that Amazon ELB or OpenStack Neutron health checks are all HTTP/1.0 requests.
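
A minimal Nginx server block showing the $host versus $http_host difference described above. This is an added example, not configuration from the original post; the name app.example.com and the upstream address 127.0.0.1:8000 are placeholder assumptions.

```nginx
# Constructed example: app.example.com and 127.0.0.1:8000 are placeholders.
upstream django_app {
    server 127.0.0.1:8000;
}

server {
    listen 80;

    # The first name listed here becomes $server_name. It is the value
    # $host falls back to when a request carries no host at all, as with
    # an HTTP/1.0 health check sent without a Host header.
    server_name app.example.com;

    location / {
        # Weak setting: $http_host is the raw Host request header. For an
        # HTTP/1.0 request without one it is empty, and Nginx does not
        # forward a header whose value is an empty string, so the
        # upstream sees no Host header.
        # proxy_set_header Host $http_host;

        # Corrected setting: $host is, in order of precedence, the host
        # name from the request line, the host name from the Host header,
        # or the server name matching the request. It is never empty.
        proxy_set_header Host $host;

        # Talk HTTP/1.1 to the upstream regardless of what the client
        # or health checker used (the proxy default is HTTP/1.0).
        proxy_http_version 1.1;

        proxy_pass http://django_app;
    }
}
```

The name given in server_name also has to appear in Django's ALLOWED_HOSTS, since $host still passes through whatever valid host name a client supplies.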