According to an FAQ article the trusted_hosts setting is a security measure against host injection attacks.
I am using Matomo inside a Docker container behind an NGINX reverse proxy. According to this FAQ I configured the X-Forwarded-Host header in NGINX and the Matomo config.
Let's assume my domain is example.org and the internal container name of Matomo is matomo-app. Then I would add example.org to the list of trusted hosts because that will be the correct domain in X-Forwarded-Host. But when I do that I won't be able to log in and just see a warning that the host is unknown. If I configure matomo-app as trusted host however, everything works smoothly.
As far as I understood host injection attacks, Matomo behind an NGINX reverse proxy is not vulnerable as long as the domain is not configured as the default_server in NGINX. In this case the Reverse Proxy FAQ should be updated to explain that the internal hostname of the backend server has to be added to trusted_hosts and that the reverse proxy is responsible for preventing host injection.
Maybe the better solution would be to let Matomo evaluate the X-Forwarded-Host header if configured instead of the Host header to determine whether a host is trusted or not. Administrators who want to be more flexible in terms of different domains could still disable the host check.
Hi @daniel-lerch, thanks for drawing attention to this. In the short term we can update the reverse proxy FAQ to explain how to use the trusted_hosts setting in this scenario.
Adding an option to check the X-Forwarded-Host header for trusted hosts behind a reverse proxy does sound like a better approach that could be scheduled for a future release.
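
Added example, not part of the thread and not Matomo code: a Python sketch of the check proposed above, where the host compared against trusted_hosts is taken from X-Forwarded-Host only when that is explicitly enabled, and from Host otherwise. The Config class, the use_forwarded_host flag and the function names are hypothetical, the sample requests are constructed, and rejecting comma-separated header values is an assumption of this sketch.

```python
# Added illustration; not Matomo code. All names here are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Config:
    trusted_hosts: list = field(default_factory=list)
    # Enable only when the reverse proxy itself sets X-Forwarded-Host.
    use_forwarded_host: bool = False


def normalize(host):
    """Lower-case a host value and drop any :port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0].rstrip(".")


def effective_host(headers, cfg):
    """Return the host name the trust check is applied to, or None."""
    names = {k.lower(): v for k, v in headers.items()}
    forwarded = names.get("x-forwarded-host", "")
    if cfg.use_forwarded_host and forwarded:
        # A comma means more than one hop wrote the header; this sketch
        # refuses to guess which entry is authoritative (assumption).
        if "," in forwarded:
            return None
        return normalize(forwarded)
    return normalize(names.get("host", ""))


def is_trusted(headers, cfg):
    """True when the effective host is in the configured trusted_hosts."""
    host = effective_host(headers, cfg)
    return bool(host) and host in {normalize(h) for h in cfg.trusted_hosts}


# Constructed sample requests as the backend would see them behind the proxy.
PROXIED = {"Host": "matomo-app", "X-Forwarded-Host": "example.org"}
UNKNOWN = {"Host": "matomo-app", "X-Forwarded-Host": "other.invalid"}
CHAINED = {"Host": "matomo-app", "X-Forwarded-Host": "other.invalid, example.org"}

HOST_ONLY = Config(trusted_hosts=["example.org"])
PROPOSED = Config(trusted_hosts=["example.org"], use_forwarded_host=True)
```

With HOST_ONLY the proxied request is rejected, which is the outcome described in the first post; with PROPOSED the public domain is accepted while an unlisted or multi-valued forwarded host is not.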