@daniel-lerch opened this Issue on January 22nd 2022

According to an FAQ article the trusted_hosts setting is a security measure against host injection attacks.

I am using Matomo inside a Docker container behind an NGINX reverse proxy. According to this FAQ I configured the X-Forwarded-Host header in NGINX and the Matomo config.

Let's assume my domain is example.org and the internal container name of Matomo is matomo-app. Then I would add example.org to the list of trusted hosts because that will be the correct domain in X-Forwarded-Host. But when I do that I won't be able to log in and just see a warning that the host is unknown. If I configure matomo-app as a trusted host, however, everything works smoothly.

As far as I understood host injection attacks, Matomo behind an NGINX reverse proxy is not vulnerable as long as the domain is not configured as the default_server in NGINX. In this case the Reverse Proxy FAQ should be updated to explain that the internal hostname of the backend server has to be added to trusted_hosts and that the reverse proxy is responsible for preventing host injection.

Maybe the better solution would be to let Matomo evaluate the X-Forwarded-Host header if configured instead of the Host header to determine whether a host is trusted or not. Administrators who want to be more flexible in terms of different domains could still disable the host check.
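As an added example (not part of the issue and not Matomo's or the FAQ's own configuration), this is the NGINX side of the setup the post describes: a default_server catch-all that drops requests for any unknown Host, and a named server block that proxies only example.org to the matomo-app container. example.org, matomo-app, the upstream port and the certificate paths are placeholders.

```nginx
# Catch-all: a request whose Host header matches no server_name below lands
# here and is dropped (444 closes the connection without a response). This is
# the default_server safeguard the post relies on: a forged Host header is
# never proxied to Matomo at all.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fallback.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/fallback.key;
    return 444;
}

# The real site: only requests carrying Host: example.org reach this block.
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/nginx/certs/example.org.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/example.org.key;

    location / {
        # Without an explicit "proxy_set_header Host", NGINX sends the upstream
        # name (matomo-app) as the Host header, which is why the post ends up
        # having to list matomo-app in trusted_hosts.
        proxy_pass http://matomo-app:80;

        # proxy_set_header overwrites whatever the client sent, so a forged
        # X-Forwarded-Host supplied by the client never reaches the backend
        # through this proxy; the backend only ever sees the validated $host.
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two things to check when reproducing this: the catch-all must really be the default_server on every listening port (NGINX otherwise picks the first server block for that port, which may be the Matomo one), and the proxy must set X-Forwarded-Host rather than pass it through, since the header is only as trustworthy as the hop that last wrote it. If the proxy were instead configured to forward the public name as Host as well (`proxy_set_header Host $host;`), the backend would see example.org rather than matomo-app; whether that removes the need to trust the internal name depends on which header Matomo checks, which is exactly the question the issue raises.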

@bx80 commented on January 30th 2022 Contributor

Hi @daniel-lerch, thanks for drawing attention to this. In the short term we can update the reverse proxy FAQ to explain how to use the trusted_hosts setting in this scenario.

Adding an option to check the X-Forwarded-Host header for trusted hosts behind a reverse proxy does sound like a better approach that could be scheduled for a future release.
