
Django project: Spam bots spam all over my Sentry.io Account (Invalid HTTP_HOST header)


I have a django project running in production with gunicorn. It is connected to sentry.io for comfortable error logging.

There are a lot of spambots causing Invalid HTTP_HOST header errors, because they try to access the site by IP, which is not allowed by Django's ALLOWED_HOSTS setting. Those spam bots fill up my Sentry plan limits, and after a while other errors are not logged anymore.

What would be a simple and elegant solution to this? I already thought about some, but they all have caveats:

  1. Filter out requests with wrong hosts at an earlier stage, e.g. in nginx - Good idea, but I would like to be able to configure allowed hosts in Django settings
  2. Catch the Invalid HTTP_HOST header error in Django and not send it to Sentry: Good idea, but then I do not have invalid HTTP host header error handling in Sentry at all
  3. I would like to log one error per host and URL per day or something like that - But then I have to code a custom rate limiter, which persists info. Seems like a complex solution

What are your thoughts on this? Do you have other ideas? What would be the most elegant and least complicated solution?


Solution

  • You can configure Nginx to block any request that has an invalid HTTP_HOST header

    server {
        listen 80;
        server_name example.com;
    
        # Dots are escaped so the pattern matches literal hostnames only;
        # 444 closes the connection without sending a response.
        # If you serve on a non-default port, the Host header also carries
        # the port (example.com:8080), so extend the pattern accordingly.
        if ($http_host !~* ^(example\.com|www\.example\.com)$ ) {
            return 444;
        }
    
        # rest of your Nginx configuration goes here
    }
    

    This way, you can still configure your allowed hosts in Django settings, while filtering out requests with invalid host headers at the proxy server.
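If the check must stay in Django (options 2 and 3 from the question), the Sentry SDK's `before_send` hook can keep one DisallowedHost event per Host header per day and drop the rest. The code below is an added example, not part of the question or the answer above; it assumes the Python SDK's event layout (`exception.values[].type` and `request.headers.Host`), does not import `sentry_sdk` so it runs stand-alone, and keeps its memory in the worker process.

```python
# Added example: a Sentry before_send hook that rate limits DisallowedHost
# events to one per Host header per UTC day. Register it with
#   sentry_sdk.init(dsn=..., before_send=before_send)
# Assumption: the per-process set below is acceptable; with several gunicorn
# workers each process reports its own first hit, so use the Django cache or
# Redis instead of `_seen` if you need exactly one event per host per day.
import datetime
import threading

_seen: set = set()          # (host, day) pairs already reported
_lock = threading.Lock()    # threaded gunicorn workers share this process


def make_disallowed_host_event(host: str) -> dict:
    """Build a minimal event shaped like the SDK's DisallowedHost report (constructed sample)."""
    return {
        "exception": {"values": [{"type": "DisallowedHost",
                                  "value": f"Invalid HTTP_HOST header: '{host}'."}]},
        "request": {"headers": {"Host": host}},
    }


def disallowed_host(event: dict):
    """Return the offending Host header if this is a DisallowedHost event, else None."""
    for exc in event.get("exception", {}).get("values", []):
        if exc.get("type") == "DisallowedHost":
            headers = event.get("request", {}).get("headers", {})
            return headers.get("Host") or headers.get("host") or "<unknown>"
    return None


def before_send(event: dict, hint: dict, day: str = None):
    """Return the event to send it, None to drop it.

    Only DisallowedHost events are limited; everything else passes through.
    `day` (YYYY-MM-DD) is injectable for tests; Sentry calls this with two args.
    """
    host = disallowed_host(event)
    if host is None:
        return event
    if day is None:
        day = datetime.datetime.now(datetime.timezone.utc).date().isoformat()
    key = (host, day)
    with _lock:
        if key in _seen:
            return None         # already reported this host today: drop it
        _seen.add(key)
    # Tag the surviving event so the noisy hosts are easy to group in Sentry
    event.setdefault("tags", {})["invalid_host"] = host
    return event
```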