I have a Django Rest Framework server running with Gunicorn with this command:
    gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug
I have Nginx as a reverse proxy with the following configuration:
    server {
        listen 80;
        server_name 162.19.70.85;
        location /static/ {
            root /var/www;
        }
        location = /favicon.ico { access_log off; log_not_found off; }
        location / {
            proxy_pass http://localhost:8000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
    }
It is working well: I can access the service with http://{IP} but also with http://{IP}:8000 which hits Django server directly.
I don’t think it is a good behavior and I want people to be "forced" to go through the reverse proxy. How can I do that?
3 Answers
After a little research, I found a solution. The problem here is in Gunicorn:
    gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug
The --bind 0.0.0.0 will open a port to the wild world, so it is normal behavior. --bind localhost or any other internal IP works well. The Nginx configuration needs to be updated accordingly.
EDIT: I did some tests and finally got it working. Here’s my solution:
I asked the same question yesterday ((Nginx) Redirect to correct location when someone try to access to https://example.com:port) and it seems that it’s a normal behavior. The only advice I got is to block the port.
Just to be more specific, you can try to block port 8000 outside your LAN network using ufw:
The easiest and the best way in my opinion to deal with such a problem would be to dockerize your application, so that the Django app would communicate with nginx internally and expose only ports 80 and 443 for your Nginx container.
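
A way to verify the fix discussed in the answers above, as an added example that is not part of the original posts: it reads `ss -ltnH` output and reports listeners reachable from other hosts on ports other than the proxy's. The function name, the constructed socket lines and the allowed-port list `80 443` (taken from the last answer) are assumptions.

```shell
#!/bin/sh
# Added example. Corrected bind from the answers (loopback only), for reference:
#   gunicorn --bind 127.0.0.1:8000 partyapp.wsgi:application
# Live check on the server:  ss -ltnH | exposed_listeners "80 443"

# exposed_listeners ALLOWED_PORTS
# Reads `ss -ltnH` lines on stdin; prints each listening socket that is not
# bound to loopback and whose port is not in the space-separated allow list.
# A bind to an internal (non-loopback) IP is also printed, so the operator
# can decide whether that interface is really private.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            sub(/%.*/, "", host)                   # drop "%lo" interface suffix
            if (host ~ /^127\./ || host == "[::1]") next   # loopback: local only
            if (port in ok) next                   # the proxy ports are expected
            print host ":" port
        }'
}

# Constructed sample: the question's setup, Gunicorn on 0.0.0.0:8000.
sample_before() {
    cat <<'EOF'
LISTEN 0 2048 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
EOF
}

# Constructed sample: the same host after rebinding Gunicorn to loopback.
sample_after() {
    cat <<'EOF'
LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
EOF
}

echo "before: $(sample_before | exposed_listeners '80 443')"
echo "after:  $(sample_after | exposed_listeners '80 443')"
```

An empty result means every non-proxy listener is loopback-only, so port 8000 can no longer be reached from outside the host.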