
Django project: Spam bots spam all over my Sentry.io Account (Invalid HTTP_HOST header)

I have a django project running in production with gunicorn. It is connected to sentry.io for comfortable error logging.

There are a lot of spambots causing Invalid HTTP_HOST header, because they try to access it by IP, which is not allowed by Django's ALLOWED_HOSTS setting. Those spam bots fill up my Sentry plan limits, and after a while other errors are not logged anymore.

What would be a simple and elegant solution to this? I already thought about some, but they all have caveats:

  1. Filter out requests with wrong hosts in an earlier stage, e.g. the nginx - Good idea, but I would like to be able to configure allowed hosts in django settings
  2. Catch Invalid HTTP_HOST header error in django and not send to sentry: Good idea, but then I do not have invalid http host header error handling at all in sentry
  3. I would like to log one error per host and url per day or something like that - But then I have to code a custom ratelimiter, which persists infos. Seems like a complex solution

What are your thoughts on this? Do you have other ideas? What would be the most elegant and least complicated solution?

asked Sep 12 '25 08:09

user1383029


1 Answer

You can configure Nginx to block any request that has an invalid HTTP_HOST header:

server {
    listen 80;
    server_name example.com;

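    # Dots are escaped so that "." matches only a literal dot in the host name
    if ($http_host !~* ^(example\.com|www\.example\.com)$ ) {
        return 444;  # nginx-specific code: close the connection without a response
    }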

    # rest of your Nginx configuration goes here
}

This way, you can still configure your allowed hosts in Django settings, while filtering out requests with invalid host headers at the proxy server.

answered Sep 14 '25 23:09

Sumithran
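
Added example (not part of the answer above, and not Django or nginx project code): a Python helper that derives the nginx host regex from a Django-style ALLOWED_HOSTS list, so the list in settings stays the single source of truth, with dots escaped and an optional port allowed. The function names and sample hosts are assumptions; `*` and IPv6 literals are rejected rather than translated, and Python's `re` stands in for nginx's PCRE, which shares the syntax used here.

```python
import re

# Host names as they may appear in ALLOWED_HOSTS: letters, digits, hyphens, dots,
# with an optional leading dot (Django's "this domain and all subdomains" form).
_HOST_ENTRY = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)*$")


def nginx_host_regex(allowed_hosts):
    """Return an anchored regex for `if ($http_host !~* <regex>)` in nginx."""
    alternatives = []
    for entry in allowed_hosts:
        entry = entry.lower()
        if not _HOST_ENTRY.match(entry):
            # "*" and IPv6 literals are out of scope here: fail loudly, don't guess.
            raise ValueError(f"unsupported ALLOWED_HOSTS entry: {entry!r}")
        escaped = entry.lstrip(".").replace(".", r"\.")
        if entry.startswith("."):
            # ".example.org" covers example.org and every subdomain of it.
            escaped = r"([a-z0-9-]+\.)*" + escaped
        alternatives.append(escaped)
    if not alternatives:
        raise ValueError("ALLOWED_HOSTS is empty")
    # The Host header may carry a port, which Django ignores when matching.
    return "^(" + "|".join(alternatives) + r")(:\d+)?$"


def accepts(pattern, host):
    """True if `host` passes the filter (case-insensitive, like nginx's ~*)."""
    return re.match(pattern, host, re.IGNORECASE) is not None


if __name__ == "__main__":
    allowed = ["example.com", "www.example.com", ".example.org"]  # constructed sample
    pattern = nginx_host_regex(allowed)
    print(f"if ($http_host !~* {pattern} ) {{ return 444; }}")
    for host in ["example.com", "api.example.org:8443", "203.0.113.7", "exampleXcom"]:
        print(f"{host:22} {'pass' if accepts(pattern, host) else 'drop'}")
```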