According to an FAQ article the trusted_hosts setting is a security measure against host injection attacks.
I am using Matomo inside a Docker container behind an NGINX reverse proxy. According to this FAQ I configured the X-Forwarded-Host header in NGINX and the Matomo config.
Let's assume my domain is example.org and the internal container name of Matomo is matomo-app. Then I would add example.org to the list of trusted hosts because that will be the correct domain in X-Forwarded-Host. But when I do that I won't be able to log in and just see a warning that the host is unknown. If I configure matomo-app as trusted host however, everything works smoothly.
As far as I understood host injection attacks, Matomo behind an NGINX reverse proxy is not vulnerable as long as the domain is not configured as the default_server in NGINX. In this case the Reverse Proxy FAQ should be updated to explain that the internal hostname of the backend server has to be added to trusted_hosts and that the reverse proxy is responsible for preventing host injection.
Maybe the better solution would be to let Matomo evaluate the X-Forwarded-Host header if configured instead of the Host header to determine whether a host is trusted or not. Administrators who want to be more flexible in terms of different domains could still disable the host check.
Hi @daniel-lerch, thanks for drawing attention to this. In the short term we can update the reverse proxy FAQ to explain how to use the trusted_hosts setting in this scenario.
Adding an option to check the X-Forwarded-Host header for trusted hosts behind a reverse proxy does sound like a better approach that could be scheduled for a future release.
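
The proxy-side arrangement discussed in this thread, as an added example that is not part of the original issue or of the Matomo FAQ: a catch-all default_server drops requests whose Host is unknown, so only requests for example.org reach the matomo-app backend. The listen port and the backend's port 80 are assumptions; TLS is left out for brevity.

```nginx
# Catch-all: any request whose Host header matches no other server block
# lands here and is closed without a response (444 is NGINX-specific).
# This keeps example.org from being the implicit default server.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Only requests with "Host: example.org" are proxied to Matomo.
server {
    listen 80;
    server_name example.org;

    location / {
        # No "proxy_set_header Host" here, so NGINX sends its default
        # upstream Host ($proxy_host), which is "matomo-app". That is why
        # the backend sees matomo-app in Host, as reported in this thread.
        proxy_pass http://matomo-app;

        # $host is the name matched above, never an unvalidated client value,
        # because unknown hosts were already rejected by the catch-all.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the Host check in Matomo only ever sees the internal name, and validation of the public hostname is done entirely by the `server_name` match on the proxy.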