What is the range of IP addresses from which I can expect to receive health checks?

Justin@Donaldson 26 Reputation points
2024-11-26T17:24:40.3566667+00:00

We have a Django application running on a Linux container with Python 3.11.

I have recently enabled a mail service for my application and have suddenly become deluged with emails sent from my system informing me "ERROR (EXTERNAL IP): Invalid HTTP_HOST header: '169.254.133.4:8000'" (the IP address changes), and in the content I see "DisallowedHost at /robots933456.txt". According to the documentation brought to light from web browsing, "You can safely ignore this message. /robots933456.txt is a dummy URL path that App Service uses to check if the container is capable of serving requests". Ugh. I would like to follow the advice and ignore these checks, but I need to know the range of IP addresses from which I can expect them to come so I can add them to the ALLOWED_HOSTS setting in my Django project configuration.

Context

Django has a setting called ALLOWED_HOSTS which is "a list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent HTTP Host header attacks"

If the Host header (or X-Forwarded-Host if USE_X_FORWARDED_HOST is enabled) does not match any value in this list, the django.http.HttpRequest.get_host() method will raise SuspiciousOperation. ... Django will email the users listed in the ADMINS setting whenever your code raises an unhandled exception and results in an internal server error (strictly speaking, for any response with an HTTP status code of 500 or greater). ... If a SuspiciousOperation exception reaches the ASGI/WSGI handler level it is logged at the Error level and results in a HttpResponseBadRequest.

https://docs.djangoproject.com/en/4.2/howto/error-reporting/#server-errors

Azure App Service

Accepted answer
  1. hossein jalilian 8,840 Reputation points
    2024-11-26T18:14:30.8466667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    To address this problem and stop receiving error emails for these health checks, you should update your Django ALLOWED_HOSTS setting to include the IP addresses used by Azure App Service. Here's how you can modify your configuration:

    Update ALLOWED_HOSTS in your Django settings:

    ALLOWED_HOSTS = [
        'your-app-domain.azurewebsites.net',
        'localhost',
        '127.0.0.1',
        '[::1]',
        '169.254.0.0/16',  # Add this line to cover all Azure internal IPs
    ]
    
    

    If you're using environment-specific settings, ensure this change is applied to your production configuration. After making these changes, redeploy your application to Azure App Service.

    The /robots933456.txt path is indeed a dummy URL used by App Service for health checks. You don't need to create this file or handle it explicitly in your application. If you're using a custom domain, make sure to include it in the ALLOWED_HOSTS list as well.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


1 additional answer

  1. Justin@Donaldson 26 Reputation points
    2024-11-27T16:58:43.4166667+00:00

    The Django ALLOWED_HOSTS setting does not support CIDR ranges. I could probably find a way around this by converting it to a Python range or installing middleware but I am not convinced this range is anything more than a guess.

    The approach I took was to implement a logging filter as described in the Django forum. This is working for me.

    0 comments No comments
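
One way to write the kind of logging filter the answer above mentions, as an added example that is neither the poster's code nor the code from the Django forum. It drops a DisallowedHost record only when the Host is a link-local IPv4 address and the path is the probe path, so every other Host header alert still reaches the admins. The class name, the `LOGGING` fragment and the sample records are hypothetical, and it assumes the probes keep using 169.254.x.x Host values as seen in this thread and that the record carries the request as `record.request`.

```python
import ipaddress
import logging
import re
from types import SimpleNamespace

# Assumptions taken from this thread: the probe path and the 169.254.x.x Host values.
PROBE_PATH = "/robots933456.txt"
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 link-local block
HOST_RE = re.compile(r"Invalid HTTP_HOST header: '([^']*)'")


class IgnoreAppServiceProbe(logging.Filter):
    """Drop DisallowedHost records only for the App Service probe request."""

    def filter(self, record):
        match = HOST_RE.search(record.getMessage())
        if not match:
            return True  # not a DisallowedHost message: keep it
        host = match.group(1).rsplit(":", 1)[0]  # strip an optional :port
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return True  # a hostname (for example a spoofed domain): keep alerting
        # Assumption: the request object is attached to the record as "request".
        path = getattr(getattr(record, "request", None), "path", None)
        return not (addr in LINK_LOCAL and path == PROBE_PATH)


# Hypothetical settings.py fragment: put the filter on the admin e-mail handler
# and stop these records from propagating to the default handlers.
LOGGING = {
    "version": 1,
    "disable_existing_loggers": False,
    "filters": {"ignore_probe": {"()": IgnoreAppServiceProbe}},
    "handlers": {"mail_admins": {"class": "django.utils.log.AdminEmailHandler",
                                 "level": "ERROR", "filters": ["ignore_probe"]}},
    "loggers": {"django.security.DisallowedHost": {"handlers": ["mail_admins"],
                                                   "propagate": False}},
}


def sample_record(host, path):
    """Constructed record shaped like a DisallowedHost log entry."""
    return logging.makeLogRecord({
        "name": "django.security.DisallowedHost", "levelno": logging.ERROR,
        "msg": f"Invalid HTTP_HOST header: '{host}'. You may need to add it.",
        "request": SimpleNamespace(path=path),
    })
```

Because the filter matches on both the address block and the path, ALLOWED_HOSTS stays unchanged and a request with any other Host value or path is still reported.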
