Hello there,
I’m currently working on a Django project that allows our users to create their own websites. One of the main features I’ve been working with is setting up custom domain capabilities.
Here’s what I did:
I initially set the ALLOW_HOST setting to [*], and I’ve since devised a middleware to manage domain routing:
First, it checks whether the host (using request.get_host()) corresponds to www.domain.com. If so, the middleware directs the request to the homepage application using the request.urlconf attribute.
Next stop is checking if the host matches dash.domain.com. If it does, voila! The request gets routed to the dash app.
And here’s where it gets interesting. If neither of the above conditions is met, the middleware dives into the database to see if the host matches any of the registered site domains. If it finds a match, it redirects to the sites app with all the site-specific info. If not, it gracefully returns a 404 error.
I’ve been thinking about the safety aspects of this configuration since the ALLOW_HOST setting is [*], and I’d like your opinion. Do you think this approach is safe enough?
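An added example, not part of the original post: with a wildcard host setting the middleware is the only host allowlist, and request.get_host() can carry a port or mixed case, so the routing decision sketched here normalizes the host and matches it exactly before choosing a urlconf. The urlconf paths, the Site model with its domain field, and the request.site_host attribute are assumptions made for illustration.

```python
import re

# Assumed urlconf module paths; the hostnames are the ones named in the post.
FIXED_HOSTS = {"www.domain.com": "homepage.urls", "dash.domain.com": "dash.urls"}
SITES_URLCONF = "sites.urls"

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def normalize_host(raw_host):
    """Return the bare lower-case hostname, or None if it is not a DNS name."""
    host, _, port = raw_host.strip().lower().partition(":")
    if port and not port.isdigit():
        return None  # also rejects IPv6 literals such as [::1]:8000
    if host.endswith("."):
        host = host[:-1]  # "www.domain.com." names the same host
    if len(host) > 253 or not _HOSTNAME.fullmatch(host):
        return None
    return host


def resolve(raw_host, domain_is_registered):
    """Map a Host header to (urlconf, host); (None, None) means answer 404."""
    host = normalize_host(raw_host)
    if host is None:
        return None, None
    if host in FIXED_HOSTS:
        return FIXED_HOSTS[host], host
    if domain_is_registered(host):  # exact match on the normalized name
        return SITES_URLCONF, host
    return None, None


def domain_is_registered(host):
    # Hypothetical model and field; replace with the project's own lookup.
    from sites.models import Site
    return Site.objects.filter(domain=host).exists()


class DomainRoutingMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        from django.http import HttpResponseNotFound  # lazy: needs Django
        urlconf, host = resolve(request.get_host(), domain_is_registered)
        if urlconf is None:
            return HttpResponseNotFound()  # unknown host: no view runs
        request.urlconf = urlconf
        request.site_host = host  # hypothetical attribute for link building
        return self.get_response(request)
```

Views that build absolute URLs (for example in e-mails) can then use the normalized, allowlisted host instead of the raw header value.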