django.request:禁止访问(Referer 检查失败 - 没有 Referer。)
django.request: Forbidden (Referer checking failed - no Referer.)
我正在使用 AWS 和 Django Rest Framework 开发 Web 应用程序。(Django:v1.8, DRF:v3)
对于 POST 多部分表单请求,我一直收到 django.request: Forbidden (Referer checking failed - no Referer.)。
我在我的 ec2(在自动缩放组中)和 Gunicorn 上使用 AWS ELB(弹性负载均衡器)、NGINX。
AWS ELB 侦听器设置如下(仅限 HTTPS):
elb https only listener setting
NGINX 设置如下:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
upstream my_server {
server localhost:8000;
}
server {
listen 80;
server_name <server name>;
access_log /etc/nginx/log/local-wc.access.log;
error_log /etc/nginx/log/local-wc.error.log;
root /usr/share/nginx/html;
location /api/v1 {
proxy_pass http://my_server/api/v1;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
}
}
<server name> 是指向 elb DNS 名称的 CNAME。
换句话说,<server name> => xxxx-123456789.us-west-2.elb.amazonaws.com (A Record)。
每个 API 调用都是由 https://<server name>/api/v1/*
Gunicorn 最后 运行 由:
gunicorn my_django_app.wsgi:application -w 1 -b 127.0.0.1:8000 -t 300 --max-requests=100
Django 设置为:
ALLOWED_HOSTS = ['*']
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.security.SecurityMiddleware',
)
查看功能如下(CSRF豁免):
class UserViewSet(CsrfExemptMixin, mixins.CreateModelMixin,
mixins.ListModelMixin,
mixins.RetrieveModelMixin,
mixins.UpdateModelMixin,
viewsets.GenericViewSet):
# already tried @csrf_exempt
def create(self, request, *args, **kwargs):
self.parser_classes = (FormParser, MultiPartParser, )
.........
又出问题了:
当我发送
curl -i -k -X POST -H "Accept: application/json" \
-F "email=myemail@email.com" \
-F "profile_img=@profile.jpg" \
https://<server name>/api/v1/users/
在我的 Django 日志中:
[WARNING] django.request: Forbidden (Referer checking failed - no Referer.): /api/v1/users/
它在 HTTP 上使用 POST 或在 HTTPS 上使用 GET 方法。
请问是ELB配置错误还是Nginx配置referer错误...
如果有人帮助我解决这个问题,我将不胜感激..
我认为 DRF 忽略了 csrf_exempt 装饰器,我不确定 CsrfExemptMixin 的定义位置。您可以做的最简单的事情是将 Referrer: yourhost 添加到您的 curl headers.
我正在使用 AWS 和 Django Rest Framework 开发 Web 应用程序。(Django:v1.8, DRF:v3)
对于 POST 多部分表单请求,我一直收到 django.request: Forbidden (Referer checking failed - no Referer.)。
我在我的 ec2(在自动缩放组中)和 Gunicorn 上使用 AWS ELB(弹性负载均衡器)、NGINX。
AWS ELB 侦听器设置如下(仅限 HTTPS):
elb https only listener setting
NGINX 设置如下:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/conf.d/*.conf;
index index.html index.htm;
upstream my_server {
server localhost:8000;
}
server {
listen 80;
server_name <server name>;
access_log /etc/nginx/log/local-wc.access.log;
error_log /etc/nginx/log/local-wc.error.log;
root /usr/share/nginx/html;
location /api/v1 {
proxy_pass http://my_server/api/v1;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
}
}
}
<server name> 是指向 elb DNS 名称的 CNAME。
换句话说,<server name> => xxxx-123456789.us-west-2.elb.amazonaws.com (A Record)。
每个 API 调用都是由 https://<server name>/api/v1/*
Gunicorn 最后 运行 由:
gunicorn my_django_app.wsgi:application -w 1 -b 127.0.0.1:8000 -t 300 --max-requests=100
Django 设置为:
ALLOWED_HOSTS = ['*']
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
MIDDLEWARE_CLASSES = (
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.security.SecurityMiddleware',
)
查看功能如下(CSRF豁免):
class UserViewSet(CsrfExemptMixin, mixins.CreateModelMixin,
mixins.ListModelMixin,
mixins.RetrieveModelMixin,
mixins.UpdateModelMixin,
viewsets.GenericViewSet):
# already tried @csrf_exempt
def create(self, request, *args, **kwargs):
self.parser_classes = (FormParser, MultiPartParser, )
.........
又出问题了:
当我发送
curl -i -k -X POST -H "Accept: application/json" \
-F "email=myemail@email.com" \
-F "profile_img=@profile.jpg" \
https://<server name>/api/v1/users/
在我的 Django 日志中:
[WARNING] django.request: Forbidden (Referer checking failed - no Referer.): /api/v1/users/
它在 HTTP 上使用 POST 或在 HTTPS 上使用 GET 方法。
请问是ELB配置错误还是Nginx配置referer错误... 如果有人帮助我解决这个问题,我将不胜感激..
我认为 DRF 忽略了 csrf_exempt 装饰器,我不确定 CsrfExemptMixin 的定义位置。您可以做的最简单的事情是将 Referrer: yourhost 添加到您的 curl headers.