Reputation: 1308
I have a Django app, using Apache and mod_wsgi running on an EC2 instance behind an AWS ELB balancer. The balancer maps SSL traffic (port 443) to port 8080 on the EC2 instance. Apache has a VirtualHost configured on port 8080 to serve the Django app, with ServerName set to the domain name for the website. Django runs in production mode (DEBUG=False) and exposes, among other things, a healthcheck endpoint (at /healthcheck). The ALLOWED_HOSTS setting is set to the domain name for the website, plus the private IP address of the EC2 instance, in order to allow the Load Balancer to hit the healthcheck endpoint.
Everything works fine with this set-up. The problem is that I keep receiving occasional bursts of e-mails from Django with error messages similar to this: ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '52.51.147.134'. You may need to add u'52.51.147.134' to ALLOWED_HOSTS.
The headers also contain HTTP_X_FORWARDED_FOR = '139.162.13.205'
I get various IP addresses (and sometimes hostnames), belonging to script kiddies, I presume.
How can I block this traffic from ever reaching the Django app, while still allowing valid traffic (where HTTP_HOST is my domain name) and the ELB healthcheck traffic (where HTTP_HOST is my EC2 private IP address)?
Upvotes: 4
Views: 2220
Reputation: 996
I would suggest you only allow traffic on your EC2 instance from the load balancer using a security group AND the IP address of your office/home if you are SSHing into the EC2 instance.
This will stop the script kiddies from hitting the EC2 instance directly, which appears to be what is happening here.
Upvotes: 1
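One way to express the security-group setup suggested in this answer, as an added example that is not part of the answer itself (Terraform HCL; the VPC id and the office/home CIDR are placeholders to replace with your own values):

```hcl
# Added example: the instance admits port 8080 only from the balancer's SG.
resource "aws_security_group" "elb" {
  name   = "django-elb"
  vpc_id = "vpc-PLACEHOLDER" # assumption: your VPC id

  # Public HTTPS terminates on the balancer.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "django_instance" {
  name   = "django-instance"
  vpc_id = "vpc-PLACEHOLDER" # assumption: your VPC id

  # Port 8080 (the Apache VirtualHost) is reachable only from the balancer's
  # security group, so direct hits from the internet never reach Django.
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.elb.id]
  }

  # SSH only from the office/home address (placeholder CIDR, an assumption).
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.10/32"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The ELB healthcheck still arrives with the private IP as Host, so that ALLOWED_HOSTS entry stays; the Invalid HTTP_HOST e-mails stop because the direct requests are dropped at the security group before they reach Apache.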