settings: Simplify setting ALLOWED_HOSTS, by handling EXTERNAL_HOST.

This means one fewer thing the admin typically needs to read, absorb, and make a decision about at install time. The one way this change could hypothetically cause trouble is if the admin wants to keep subdomains of EXTERNAL_HOST out of ALLOWED_HOSTS. But while the subdomains often won't exist as domain names, it's hard to imagine the situation in which they would exist but be under someone else's control, or be doing something other than serving Zulip realms.
2025-10-28 18:43:52 +00:00 · 2017-10-30 17:40:18 -07:00
parent 31302c3670
commit b33d981d7b
3 changed files with 22 additions and 22 deletions
--- a/docs/prod-install.md
+++ b/docs/prod-install.md
@@ -76,12 +76,10 @@ Configure the Zulip server instance by editing `/etc/zulip/settings.py` and
 providing values for the mandatory settings, which are all found under the
 heading `### MANDATORY SETTINGS`.  These settings include:

- `EXTERNAL_HOST`: the user-accessible Zulip domain name for your
+- `EXTERNAL_HOST`: the user-accessible domain name for your
  Zulip installation (i.e., what users will type in their web
  browser). This should of course match the DNS name you configured to
  point to your server and for which you configured SSL certificates.
-  If you plan to use multiple domains, add the others to
-  `ALLOWED_HOSTS`.

 - `ZULIP_ADMINISTRATOR`: the email address of the person or team
  maintaining this installation and who will get support and error
--- a/zproject/prod_settings_template.py
+++ b/zproject/prod_settings_template.py
@@ -19,22 +19,6 @@ from typing import Optional
 # EXTERNAL_HOST to e.g. zulip.example.com:1234 here.
 EXTERNAL_HOST = 'zulip.example.com'

-# A comma-separated list of strings representing the host/domain names
-# that your users will enter in their browsers to access your Zulip
-# server. This is a security measure to prevent an attacker from
-# poisoning caches and triggering password reset emails with links to
-# malicious hosts by submitting requests with a fake HTTP Host
-# header. See Django's documentation here:
-# <https://docs.djangoproject.com/en/1.9/ref/settings/#allowed-hosts>.
-# Zulip adds 'localhost' and '127.0.0.1' to the list automatically.
-#
-# The default should work unless you are using multiple hostnames or
-# connecting directly to your server's IP address.  If this is set
-# wrong, all requests will get a 400 "Bad Request" error.
-#
-# Note that these should just be hostnames, without port numbers.
-ALLOWED_HOSTS = [EXTERNAL_HOST.split(":")[0]]
-
 # The email address for the person or team who maintains the Zulip
 # installation. Note that this is a public-facing email address; it may
 # appear on 404 pages, is used as the sender's address for many automated
@@ -88,6 +72,18 @@ EMAIL_USE_TLS = True
 # The address should have no newlines.
 #PHYSICAL_ADDRESS = ''

+# A comma-separated list of strings representing the host/domain names
+# that your users can enter in their browsers to access Zulip.
+# This is a security measure; for details, see the Django documentation:
+# https://docs.djangoproject.com/en/1.11/ref/settings/#allowed-hosts
+#
+# Zulip automatically adds to this list 'localhost', '127.0.0.1', and
+# patterns representing EXTERNAL_HOST and subdomains of it.  If you are
+# accessing your server by other hostnames, list them here.
+#
+# Note that these should just be hostnames, without port numbers.
+#ALLOWED_HOSTS = ['zulip-alias.example.com']
+
 ### AUTHENTICATION SETTINGS
 #
 # Enable at least one of the following authentication backends.
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -115,6 +115,9 @@ else:
 # prod_settings_template.py, and in the initial /etc/zulip/settings.py on a new
 # install of the Zulip server.
 DEFAULT_SETTINGS = {
+    # Extra HTTP "Host" values to allow (standard ones added below)
+    'ALLOWED_HOSTS': [],
+
    # Basic email settings
    'EMAIL_HOST': None,
    'NOREPLY_EMAIL_ADDRESS': "noreply@" + EXTERNAL_HOST.split(":")[0],
@@ -352,9 +355,6 @@ for setting_name, setting_val in DEFAULT_SETTINGS.items():
    if setting_name not in vars():
        vars()[setting_name] = setting_val

-# Extend ALLOWED_HOSTS with localhost (needed to RPC to Tornado).
-ALLOWED_HOSTS += ['127.0.0.1', 'localhost']
-
 # These are the settings that we will check that the user has filled in for
 # production deployments before starting the app.  It consists of a series
 # of pairs of (setting name, default value that it must be changed from)
@@ -409,6 +409,12 @@ DEVELOPMENT_LOG_DIRECTORY = os.path.join(DEPLOY_ROOT, 'var', 'log')
 # Make redirects work properly behind a reverse proxy
 USE_X_FORWARDED_HOST = True

+# Extend ALLOWED_HOSTS with localhost (needed to RPC to Tornado),
+ALLOWED_HOSTS += ['127.0.0.1', 'localhost']
+# and with hosts corresponding to EXTERNAL_HOST.
+ALLOWED_HOSTS += [EXTERNAL_HOST.split(":")[0],
+                  '.' + EXTERNAL_HOST.split(":")[0]]
+
 MIDDLEWARE = (
    # With the exception of it's dependencies,
    # our logging middleware should be the top middleware item.