Handling dynamic IP in Django ALLOWED_HOSTS with nginx

Question

I'm having issues with what i believe is my nginx.conf which is causing the instance to be restarted again and again, as the health-checks fail on my managed container service.

I'm running my setup in AWS Lightsail Containers, where I have three containers running:

• nginx
• django
• nextjs

When publishing a new release on my AWS Lightsail instance it runs fine for a few minutes, then I hit a 503 error, which causes the instance to reboot - run a few minutes then reboot again.

Looking at the logs I can see that the health-check failed, and django throws and error saying that I should add the request IP to the allowed hosts:

[28/Aug/2021:13:56:23] Invalid HTTP_HOST header: 'x.x.x.x'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS.
[28/Aug/2021:13:56:23] Bad Request: /health.txt

The problem is that my lightsail container service does not have a static IP (nor do I believe I can get a static IP).

My current nginx.conf is below (feedback is appreciated). My question here is how should I deal with this issue? I feel like setting ALLOWED_HOSTS = ['*'] is not a great approach. Can I hardcode the host for the healthcheck or similar?

nginx.conf:

upstream backend {
    server ${BACKEND_HOST}:${BACKEND_PORT};
}
upstream frontend {
    server ${FRONTEND_HOST}:${FRONTEND_PORT};
}

server {
    listen 80 default_server;
    server_name example.com;
    server_tokens off;

    gzip on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_types text/css application/javascript image/svg+xml;

    location /robots.txt {
        include proxy_params;
        proxy_pass http://backend;
    }

    location /health.txt {
        include proxy_params;
        proxy_pass http://backend;
    }

    location /api {
        include proxy_params;
        proxy_pass http://backend;
    }

    location /admin {
        include proxy_params;
        proxy_pass http://backend;
    }
    
    location / {
        proxy_pass http://frontend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}

Answer 1

I use AWS EC2, to pass the health check I get the ip of the instance dynamically and then I insert it into ALLOWED_HOSTS (I think it should work also for Lightsail Containers):

import requests

def get_instance_ip():
    try:
        ip = requests.get('http://169.254.169.254/latest/meta-data/local-ipv4').text
    except requests.exceptions.ConnectionError:
        return None
    return ip

AWS_IP = get_ec2_instance_ip()

if AWS_IP is not None:
    ALLOWED_HOSTS += [AWS_IP]

You can also create a middleware that always returns a 200 status code for the path used by health check (insert the custom middleware before django.middleware.security.SecurityMiddleware in MIDDLEWARE to avoid Invalid HTTP_HOST header error).