
I have a Django Rest Framework server running with Gunicorn with this command:
gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug

I have Nginx as a reverse proxy with the following configuration:

server {
    listen 80;
    server_name 162.19.70.85;

    location /static/ {
        root /var/www;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        proxy_pass http://localhost:8000;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}

It is working well: I can access the service with http://{IP} but also with http://{IP}:8000, which hits the Django server directly.

I don’t think this is good behavior and I want people to be "forced" to go through the reverse proxy. How can I do that?

3

Answers


  1. Chosen as BEST ANSWER

    After a little research, I found a solution. The problem here is in Gunicorn: gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug

    The --bind 0.0.0.0 will open a port to the wild world, so this is normal behavior. --bind localhost or any other internal IP works well. The Nginx configuration needs to be updated accordingly.
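
A way to verify the fix described in this answer, as an added example that is not part of the original answer: it reads `ss -ltnH` output and lists any non-loopback address still listening on the Gunicorn port. The function names and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): check that a backend port
# is only reachable through the reverse proxy, i.e. bound to loopback.
# Input on stdin is the output of `ss -ltnH` (listening TCP sockets, no header).

# exposed_listeners PORT: print every non-loopback local address on PORT.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Field 4 is Local Address:Port; the port follows the last colon,
            # which also handles IPv6 forms such as [::]:8000.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)        # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# is_proxy_only PORT: succeed only when nothing on PORT is exposed.
is_proxy_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# report LABEL PORT: human-readable summary of the same check.
report() {
    found=$(exposed_listeners "$2" | tr '\n' ' ')
    if [ -z "$found" ]; then
        echo "$1: port $2 is loopback-only"
    else
        echo "$1: port $2 reachable on: $found"
    fi
}

# Constructed sample: Gunicorn started with --bind 0.0.0.0
SAMPLE_BEFORE='LISTEN 0 2048 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Constructed sample: Gunicorn bound to loopback, Nginx still public on 80
SAMPLE_AFTER='LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*'

printf '%s\n' "$SAMPLE_BEFORE" | report "before" 8000
printf '%s\n' "$SAMPLE_AFTER"  | report "after" 8000
```

On the server itself, the live form is `ss -ltnH | exposed_listeners 8000`; empty output means port 8000 is no longer bound to a public interface.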


  2. EDIT: I did some tests and finally got it working. Here’s my solution:

    server {
        listen 192.168.178.100:8000 ssl;
        ssl_certificate /etc/ssl/cert.pem;
        ssl_certificate_key /etc/ssl/key.key;
    
        return 301 https://example.com/location;
    }
    

    I asked the same question yesterday ((Nginx) Redirect to correct location when someone try to access to https://example.com:port) and it seems that it’s normal behavior. The only advice I got is to block the port.

    Just to be more specific, you can try to block port 8000 outside your LAN network using ufw:

    sudo ufw allow from 192.168.1.0/24 to any port 8000
    
  3. The easiest and the best way in my opinion to deal with such a problem would be to dockerize your application, so that the Django app would communicate with Nginx internally and expose only ports 80 and 443 for your Nginx container.
