@Starker3
We have a Matomo user that has configured their servers to block outbound requests that are sent over port 80 because they want to completely prevent insecure connections from being made.
When this port is blocked, several issues occur:
- The Matomo application in certain places in the UI are effectively blocking the UI from loading or responding while Matomo attempts to make a connection to the outbound server.
- The connection to the external hostname eventually fails which results in plugin update checks for example to fail.
I found one example of where the HTTP hostname is defined instead of the HTTPS hostname:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9
Potential solutions:
- I guess the simplest would be to just change the hostnames for outbound connections to HTTPS, but this might break things for some servers that have outdated certificate bundles.
- It would be great if we could use the HTTPS hostname by default and if that fails maybe try the HTTP hostname
But in either case, the timeout seems quite high for a failed connection at 60 seconds, which means that each time that page or a page that checks an external hostname is accessed, the Matomo UI would take a minimum of 1 minute to load. It would be good if this timeout was reduced to at least not block the page from loading for such a long time.
@justinvelluppillai
We have completed https://github.com/matomo-org/matomo/issues/19081 recently, and will soon make these requests use https by default.
Thanks for the update @justinvelluppillai
Is there an existing issue for changing the URLs/hostnames to use HTTPS? If so we can close this one and rather track it there?
We don't have a public facing issue for this yet so this one can remain open 👍🏽
@codegain
Hi, just wanting to throw in that the change here (https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9) did in fact break my installation so that every request took more than 1 minute because of the long timeout defined in the marketplace plugin.
The server is only allowed to make outbound connections for https (TCP 443) and not http (TCP 80). I had to shut down the internet features via enable_internet_features=0 to see what's going on after what appeared to be a minor update (4.10.1 -> 4.12.0.
I would've liked to see that change in the changelog of 4.11 instead of only "a new config setting force_matomo_http_request" which is irrelevant to me. I now have to edit the plugins/Marketplace/config/config.php file to rewrite the URL to https because there seems to be no config option to override it (like api_service_url).
I only found out that the marketplace is not using https after dumping the URL in its service, maybe this could somehow be marked in the system diagnostics check with the curl-error if http://plugins.matomo.org is not reachable if the marketplace plugin is active.