Disallowed host for www CNAME after SSL certificate installation

Hi guys, I am working on a portfolio webpage and have the domain registered: autogen.uk. This morning, all my addresses worked correctly with Flexible SSL settings: original domain and www.

This morning I installed Let's Encrypt SSL certificates for both addresses combined, and while the original works correctly, www shows “Disallowed host; Invalid HTTP_HOST header: [www link]. You may need to add [www link] to ALLOWED_HOSTS.”

I checked all possible issues, changed SSL settings to Full (strict) - both full and full strict work for autogen.uk, but not www. Confirming certificates are valid for both addresses, nginx pointing to them correctly. When I uncheck “Always Use HTTPS” from Edge Certificates on Cloudflare, the curl to http www returns 200, but https www returns 400. Once “Always Use HTTPS” is enabled, I get instant redirect to https and page does not work.

One more clue is that if I use https://3.10.240.43/, that is, directly use the IP address of my AWS EC2 instance, the page loads correctly, although it says “Not secure”.

Django settings are okay too, with all the allowed hosts listed.

Is there anything I can do to help restore www functionality?

Sorry I had to use [www link], as new user I am not allowed to paste links.

Thanks!

Have you tried doing what the error suggests and added the www subdomain to your ALLOWED_HOSTS?
ALLOWED_HOSTS ['3.10.240.43', 'localhost', '127.0.0.1', 'autogen.uk.to', 'autogen.uk'].
Alternatively, you could change the Nginx proxy settings to change the hostname, but adding the subdomain to ALLOWED_HOSTS would be easier.

Apart from that, 2 things:

  1. You should only ever use the Full (strict) SSL setting in Cloudflare.
  2. You have set DEBUG = True in your Django settings. You should not ever do that for a public facing site, as that allows everyone to read your config file. It should be set to DEBUG = False for the public website.
1 Like

Yes, I see where the problem might be then. I already added the www to ALLOWED_HOSTS first thing after seeing the error and changed the DEBUG to False as I noticed it was True right then. This is definitely updated on the server now, but for some reason it looks like the buffered version of the website is still used. I checked the mark for “Development mode” to propagate the change faster, but now it is clear that these are not at all reflected for www version. I also have these settings in the current version on the server:
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

Do you think we should just wait for the latest version of the website to be updated automatically?

Thanks for a quick reply and tips as well!

Did you restart your Nginx after you made the changes to the Django settings?

Yes, I have reloaded and restarted Nginx many times today. I also checked for Nginx cache, but it does not seem to be using one.

The error response contains the current time, so it is definitely fresh and not a cached error.

You will need to make sure that you actually made the changes to the correct file.

Here is the screenshot of my current settings.py state read directly from the server:

There is only one project deployed, so it must be the correct one. I restarted Nginx for good measure just now again too.

Yes!!! I found the culprit, it was Gunicorn caching old files, I restarted the socket and everything runs smoothly now. Thank you Laudian for pointing me in the right direction! :slight_smile:

2 Likes
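The settings discussed in this thread can be checked offline before restarting the application server. The following is an added example, not code from any poster or from Django itself: `host_allowed` re-implements Django's documented ALLOWED_HOSTS matching rules, `audit` is a hypothetical helper, and the `BEFORE`/`AFTER` dictionaries are constructed samples based on the values quoted above.

```python
# Added example: re-implements Django's documented ALLOWED_HOSTS matching; not Django's code.

def host_allowed(host_header, allowed_hosts):
    """True if a Host header value matches one ALLOWED_HOSTS pattern."""
    host = host_header.strip().lower()
    # Drop an optional :port (a bracketed IPv6 literal without port is kept whole).
    if not host.endswith("]") and ":" in host:
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        # A leading dot matches the domain itself and any subdomain.
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False


def audit(settings, public_hosts):
    """Return a list of findings for the settings discussed in the thread."""
    findings = []
    for host in public_hosts:
        if not host_allowed(host, settings.get("ALLOWED_HOSTS", [])):
            findings.append(f"Host '{host}' is rejected (DisallowedHost / HTTP 400)")
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True on a public site")
    for flag in ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append(f"{flag} is not enabled")
    return findings


# Constructed sample: the values quoted in the thread before the fix.
BEFORE = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["3.10.240.43", "localhost", "127.0.0.1", "autogen.uk.to", "autogen.uk"],
}
# Constructed sample: ".autogen.uk" covers the apex and www in one entry.
AFTER = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["3.10.240.43", "localhost", "127.0.0.1", ".autogen.uk"],
    "SECURE_SSL_REDIRECT": True, "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
}
PUBLIC = ["autogen.uk", "www.autogen.uk"]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg, PUBLIC) or "no findings")
```

An exact entry such as `'autogen.uk'` does not cover `www.autogen.uk`; either list both names or use the leading-dot form. As the thread shows, the running application server must also be restarted before an edited settings file takes effect.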