
Matomo does not respect X-Forwarded-Host for trusted_hosts setting #18675

Open
daniel-lerch opened this issue Jan 22, 2022 · 1 comment
Labels
c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@daniel-lerch

According to an FAQ article the trusted_hosts setting is a security measure against host injection attacks.

I am using Matomo inside a Docker container behind an NGINX reverse proxy. According to this FAQ I configured the X-Forwarded-Host header in NGINX and the Matomo config.

Let's assume my domain is example.org and the internal container name of Matomo is matomo-app. Then I would add example.org to the list of trusted hosts because that will be the correct domain in X-Forwarded-Host. But when I do that I won't be able to log in and just see a warning that the host is unknown. If I configure matomo-app as trusted host however, everything works smoothly.

As far as I understood host injection attacks, Matomo behind an NGINX reverse proxy is not vulnerable as long as the domain is not configured as the default_server in NGINX. In this case the Reverse Proxy FAQ should be updated to explain that the internal hostname of the backend server has to be added to trusted_hosts and that the reverse proxy is responsible for preventing host injection.

Maybe the better solution would be to let Matomo evaluate the X-Forwarded-Host header if configured instead of the Host header to determine whether a host is trusted or not. Administrators who want to be more flexible in terms of different domains could still disable the host check.

@bx80
Contributor

bx80 commented Jan 30, 2022

Hi @daniel-lerch, thanks for drawing attention to this. In the short term we can update the reverse proxy FAQ to explain how to use the trusted_hosts setting in this scenario.

Adding an option to check the X-Forwarded-Host header for trusted hosts behind a reverse proxy does sound like a better approach that could be scheduled for a future release.

@bx80 bx80 added c: Documentation For issues related to in-app product help messages, or to the Matomo knowledge base. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. labels Jan 30, 2022
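The check described in the issue (Host header only, so the internal container name must be trusted) and the option bx80 mentions (validating X-Forwarded-Host instead) side by side, as an added Python model. This is not Matomo's code and not from this thread; Matomo itself is PHP, and the model only stands in for the decision logic. The trusted host example.org and the upstream name matomo-app come from the issue; the proxy network 172.18.0.0/16 and the peer addresses are constructed assumptions for a Docker deployment.

```python
"""Added model (not Matomo's code) of a trusted-host check that honours
X-Forwarded-Host only for requests that actually arrived from the reverse proxy."""
import ipaddress

# Constructed deployment values: the public domain from the issue and an
# assumed Docker bridge network that the NGINX container lives in.
TRUSTED_HOSTS = {"example.org"}
PROXY_NETWORKS = [ipaddress.ip_network("172.18.0.0/16")]  # assumption
PROXY_HOST_HEADER = "x-forwarded-host"


def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def normalise_host(host):
    """Lower-case, trim, and drop an explicit port (IPv6 literals keep brackets)."""
    host = host.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host if end == -1 else host[: end + 1]
    return host.split(":", 1)[0]


def effective_host(headers, remote_addr, honour_forwarded, proxy_networks=PROXY_NETWORKS):
    """Pick the host name to validate against the trusted list.

    honour_forwarded=False is the behaviour the issue reports: the Host header,
    i.e. the internal name the proxy connected to, is used. With
    honour_forwarded=True, X-Forwarded-Host replaces it, but only when the peer
    address lies inside a configured proxy network, so a client that reaches
    the backend directly cannot supply its own value.
    """
    addr = ipaddress.ip_address(remote_addr)
    from_proxy = any(addr in net for net in proxy_networks)
    forwarded = _header(headers, PROXY_HOST_HEADER)
    if honour_forwarded and from_proxy and forwarded:
        # Chained proxies append values; the first entry is the client-facing host.
        return normalise_host(forwarded.split(",", 1)[0])
    return normalise_host(_header(headers, "host"))


def is_trusted(headers, remote_addr, honour_forwarded=True, trusted=TRUSTED_HOSTS):
    """True when the request's effective host is on the trusted list."""
    return effective_host(headers, remote_addr, honour_forwarded) in trusted


if __name__ == "__main__":
    # Constructed request as NGINX would forward it: Host carries the upstream
    # name, X-Forwarded-Host carries what the browser sent.
    proxied = {"Host": "matomo-app", "X-Forwarded-Host": "example.org"}
    print(is_trusted(proxied, "172.18.0.5", honour_forwarded=False))  # the symptom from the issue
    print(is_trusted(proxied, "172.18.0.5", honour_forwarded=True))
    # Constructed direct hit on the backend with a client-supplied header: ignored.
    print(is_trusted(proxied, "203.0.113.9"))
```

The point of the peer-address check is the caveat that goes with honouring X-Forwarded-Host at all: the header is only meaningful if the proxy is the one setting it (in NGINX, via proxy_set_header X-Forwarded-Host $host, as the FAQ's reverse proxy setup does), so a backend that can be reached without passing through the proxy must fall back to the Host header rather than accept a forwarded value from any peer. Which header Matomo consults is governed by its own configuration, not by this model.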