@Findus23 opened this Issue on August 31st 2018 Member

Follow-up to #13193 and reported on the forum:
https://forum.matomo.org/t/matomo-behind-reverse-proxy-and-force-ssl-setting/29672

When assume_secure_protocol=1 is already set, Matomo shouldn't complain to set up SSL.

@cpoetter commented on April 11th 2019

I am seeing the same bug. Is there a timeline for a fix?

@Findus23 commented on May 23rd 2020 Member

Two years later I was again thinking about this and I'm not 100% sure if the current status isn't correct. If I am not mistaken, force_ssl=1 tells Matomo that it is set up via HTTPS and it therefore should use only HTTPS URLs, secure cookies, etc.

assume_secure_protocol=1 alone does not force that, which means that if you use Matomo behind a reverse proxy that adds SSL, you still need to add force_ssl=1 to get secure cookies (as the system check reminds).

There is even a function in Matomo that checks this case:

https://github.com/matomo-org/matomo/blob/115527353a9e75e01aa4d263408956ae45403bea/core/Url.php#L711-L723

Of course one could argue that assume_secure_protocol=1 should always automatically set force_ssl=1, but I am also not sure about that, as that would make the meaning of force_ssl confusing.

In case I am wrong, changing the check is simply a matter of modifying this:

https://github.com/matomo-org/matomo/blob/b16a791aa3650d85af829156129c2bd44c7cb075/plugins/Diagnostics/Diagnostic/ForceSSLCheck.php#L48-L52
