Incorrect asset URL if reverse proxy provides forwarded URI using headers fields other than HTTP_X_FORWARDED_URI #18119

Closed
andremartin opened this issue Oct 9, 2021 · 3 comments
Labels

  • Enhancement: For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
  • wontfix: If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@andremartin

Expected Behavior

Correct URL generation (for assets) when running Matomo behind a reverse proxy on a sub path.

Current Behavior

Incorrect URL generation since some reverse proxies such as traefik provide the URI using HTTP_X_FORWARDED_PREFIX rather than HTTP_X_FORWARDED_URI.

Possible Solution

Extend the URL generation to also consider HTTP_X_FORWARDED_PREFIX if set in addition to HTTP_X_FORWARDED_URI as shown here:
andremartin@e1322be

Context

Your Environment

  • Matomo Version: 4.5.0
  • PHP Version: 7.3
  • Server Operating System: Ubuntu
  • Additionally installed plugins:
  • Browser: Chrome
  • Operating System: Ubuntu
@andremartin added the Potential Bug label Oct 9, 2021
@tsteur
Member

tsteur commented Oct 11, 2021

Thanks for reporting this @andremartin. I wonder if we should maybe also support different flags, like when proxy_uri_header=1 (for backwards compatibility) still use HTTP_X_FORWARDED_URI.

Then we also allow configuring HTTP_X_FORWARDED_PREFIX as a value like

proxy_uri_header="HTTP_X_FORWARDED_PREFIX"
proxy_uri_header="HTTP_X_FORWARDED_URI"
proxy_uri_header="..."

Basically, when it's non-numeric then we assume a user configured the name of the header.

I just mean this approach would be slightly more secure in that the host header cannot simply be set by anyone. By only allowing a specific header, e.g., the user could make sure to not allow this header to be overwritten, etc.

@tsteur added the Enhancement label and removed the Potential Bug label Oct 11, 2021
@tsteur added this to the Priority Backlog (Help wanted) milestone Oct 11, 2021
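
The header selection proposed in the comment above, sketched as an added example; it is not code from this thread or from Matomo. The function names, the header-name pattern and the path check are assumptions, and the `$server` array is constructed sample input.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Matomo code): map the proposed proxy_uri_header
// setting to the single $_SERVER key that is read, or null when disabled.
function resolveProxyUriHeader($setting): ?string
{
    $setting = trim((string) $setting);
    if ($setting === '' || $setting === '0') {
        return null;                       // feature switched off
    }
    if (is_numeric($setting)) {
        return 'HTTP_X_FORWARDED_URI';     // proxy_uri_header=1, backwards compatible
    }
    // Non-numeric: treated as a header name. Assumption: only accept
    // $_SERVER-style HTTP_* keys so the setting cannot select other entries.
    if (preg_match('/^HTTP_[A-Z0-9_]+$/', $setting) !== 1) {
        throw new InvalidArgumentException("Invalid proxy_uri_header: $setting");
    }
    return $setting;
}

// Hypothetical helper: return the forwarded path, reading only the configured header.
function forwardedUri(array $server, $setting): string
{
    $key = resolveProxyUriHeader($setting);
    if ($key === null || !isset($server[$key]) || !is_string($server[$key])) {
        return '';
    }
    $value = $server[$key];
    // Assumption: the value is a plain absolute path; anything else is dropped.
    if (preg_match('#^/[A-Za-z0-9._~/-]*$#', $value) !== 1 || strpos($value, '//') !== false) {
        return '';
    }
    return rtrim($value, '/');
}

// Constructed sample: the proxy sets X-Forwarded-Prefix; X-Forwarded-Uri is
// not set by the proxy here and arrived with the client request.
$server = [
    'HTTP_X_FORWARDED_PREFIX' => '/matomo',
    'HTTP_X_FORWARDED_URI'    => '/spoofed',
];

var_dump(forwardedUri($server, 'HTTP_X_FORWARDED_PREFIX')); // only the named header is read
var_dump(forwardedUri($server, 1));                         // legacy flag reads HTTP_X_FORWARDED_URI
var_dump(forwardedUri($server, 0));                         // disabled: no forwarded header is read
```

Whichever header is configured, the reverse proxy still has to overwrite or strip that header on every incoming request, otherwise the value remains client-controlled.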
@tsteur
Member

tsteur commented Oct 11, 2021

@andremartin btw feel free to create a PR for this and we'll review 👍

@andremartin
Author

Looks like this can be solved using e.g. traefik's headers middleware to expose the HTTP_X_FORWARDED_URI field to Matomo. Hence closing as no extra action/functionality is needed anymore.

@sgiehl added the wontfix label Jul 3, 2023