Matomo does not respect X-Forwarded-Host for trusted_hosts setting #18675
Labels: c: Documentation, Task
According to an FAQ article the `trusted_hosts` setting is a security measure against host injection attacks. I am using Matomo inside a Docker container behind an NGINX reverse proxy. According to this FAQ I configured the `X-Forwarded-Host` header in NGINX and the Matomo config.

Let's assume my domain is `example.org` and the internal container name of Matomo is `matomo-app`. Then I would add `example.org` to the list of trusted hosts because that will be the correct domain in `X-Forwarded-Host`. But when I do that I won't be able to log in and just see a warning that the host is unknown. If I configure `matomo-app` as trusted host however, everything works smoothly.

As far as I understood host injection attacks, Matomo behind an NGINX reverse proxy is not vulnerable as long as the domain is not configured as the `default_server` in NGINX. In this case the Reverse Proxy FAQ should be updated to explain that the internal hostname of the backend server has to be added to `trusted_hosts` and that the reverse proxy is responsible for preventing host injection.

Maybe the better solution would be to let Matomo evaluate the `X-Forwarded-Host` header if configured instead of the `Host` header to determine whether a host is trusted or not. Administrators who want to be more flexible in terms of different domains could still disable the host check.