
I can access Django server directly despite nginx reverse proxy


I have a Django Rest Framework server running with Gunicorn with this command: gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug

I have Nginx as a reverse proxy with the following configuration:

server {
    listen 80;
    server_name 162.19.70.85;

    location /static/ {
        root /var/www;
    }

    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
        proxy_pass http://localhost:8000;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}

It is working well: I can access the service with http://{IP} but also with http://{IP}:8000, which hits the Django server directly.

I don't think this is good behavior and I want people to be "forced" to go through the reverse proxy. How can I do that?


Solution

  • After a little research, I found a solution. The problem here is in Gunicorn: gunicorn --bind 0.0.0.0 --forwarded-allow-ips="*" partyapp.wsgi:application --access-logfile - --error-logfile - --log-level debug

    The --bind 0.0.0.0 will open a port to the wild world, so it is normal behavior. --bind localhost or any other internal IP works well. The Nginx configuration needs to be updated accordingly.
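
To confirm the fix described in the solution above, the following added example (not part of the original post) filters `ss -H -ltn` output for listeners on the backend port that are bound to anything other than loopback. The function name and the two sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: detect a backend port that is reachable without the proxy.
# Reads `ss -H -ltn` output on stdin; prints every non-loopback local
# address listening on port $1. Returns 1 if any was found, 0 otherwise.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                       # 0.0.0.0:8000, [::]:8000, *:8000 ...
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # the port is the last ":" field
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", host)       # drop IPv6 brackets
            sub(/%.*$/, "", host)           # drop interface scope such as %lo
            if (host ~ /^127\./ || host == "::1") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: Gunicorn started with --bind 0.0.0.0 (the question).
SAMPLE_BEFORE='LISTEN 0 2048 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'

# Constructed sample: Gunicorn started with --bind 127.0.0.1:8000 (the fix).
SAMPLE_AFTER='LISTEN 0 2048 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 8000 \
    || echo "before: port 8000 is reachable without going through nginx"
printf '%s\n' "$SAMPLE_AFTER" | exposed_listeners 8000 \
    && echo "after: port 8000 is loopback-only"

# On the live host: ss -H -ltn | exposed_listeners 8000
```

With the wildcard bind, `--forwarded-allow-ips="*"` also lets any client that reaches Gunicorn directly set the forwarded scheme headers it trusts; once the bind is loopback-only, that flag can be narrowed to the proxy's address.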