@Starker3 opened this Issue on September 14th 2022 Contributor

We have a Matomo user that has configured their servers to block outbound requests that are sent over port 80 because they want to completely prevent insecure connections from being made.

When this port is blocked, several issues occur:

  1. The Matomo application in certain places in the UI is effectively blocking the UI from loading or responding while Matomo attempts to make a connection to the outbound server.
  2. The connection to the external hostname eventually fails, which results in plugin update checks, for example, failing.

I found one example of where the HTTP hostname is defined instead of the HTTPS hostname:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9

Potential solutions:

  • I guess the simplest would be to just change the hostnames for outbound connections to HTTPS, but this might break things for some servers that have outdated certificate bundles.
  • It would be great if we could use the HTTPS hostname by default and, if that fails, maybe try the HTTP hostname.

But in either case, the timeout seems quite high for a failed connection at 60 seconds, which means that each time that page or a page that checks an external hostname is accessed, the Matomo UI would take a minimum of 1 minute to load. It would be good if this timeout was reduced to at least not block the page from loading for such a long time.

@justinvelluppillai commented on September 15th 2022 Member

We have completed https://github.com/matomo-org/matomo/issues/19081 recently, and will soon make these requests use https by default.

@Starker3 commented on September 16th 2022 Contributor

Thanks for the update @justinvelluppillai
Is there an existing issue for changing the URLs/hostnames to use HTTPS? If so we can close this one and rather track it there?

@justinvelluppillai commented on September 19th 2022 Member

We don't have a public-facing issue for this yet, so this one can remain open 👍🏽

@codegain commented on October 7th 2022

Hi, just wanting to throw in that the change here (https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9) did in fact break my installation so that every request took more than 1 minute because of the long timeout defined in the marketplace plugin.

The server is only allowed to make outbound connections for https (TCP 443) and not http (TCP 80). I had to shut down the internet features via enable_internet_features=0 to see what's going on after what appeared to be a minor update (4.10.1 -> 4.12.0).

I would've liked to see that change in the changelog of 4.11 instead of only "a new config setting force_matomo_http_request" which is irrelevant to me. I now have to edit the plugins/Marketplace/config/config.php file to rewrite the URL to https because there seems to be no config option to override it (like api_service_url).

I only found out that the marketplace is not using https after dumping the URL in its service; maybe this could somehow be marked in the system diagnostics check with the curl-error if http://plugins.matomo.org is not reachable if the marketplace plugin is active.
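For administrators who block outbound port 80, as in the reports above, one way to find plaintext endpoints before an upgrade is to scan the `config.php` files for `http://` string literals. This is an added example, not part of the thread and not Matomo code; the sample config, its key names and the `.invalid` hosts are constructed, and heredocs or concatenated strings are not handled.

```python
import re
from pathlib import Path

# One left-to-right pass over PHP source: whichever token starts first wins,
# so "//" inside a string is not read as a comment, and a quote inside a
# comment is not read as the start of a string.
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")    # quoted string literal
  | (?P<comment>/\*.*?\*/|//[^\n]*|\#[^\n]*)         # block or line comment
""", re.VERBOSE | re.DOTALL)

# Constructed sample input: key names and .invalid hosts are made up.
SAMPLE = """<?php
// constructed sample, see http://example.invalid/docs
return array(
    'ExampleEndpoint' => 'http://plugins.matomo.org',
    'ExampleApi' => "https://api.example.invalid",
    /* 'Old' => 'http://old.example.invalid', */
);
"""

def plaintext_endpoints(php_source):
    """Return (line, url) for each string literal that is an http:// URL."""
    hits = []
    for m in TOKEN.finditer(php_source):
        literal = m.group("str")
        if literal is None:          # comment token: ignore URLs inside it
            continue
        value = literal[1:-1]        # strip the surrounding quotes
        if value.lower().startswith("http://"):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, value))
    return hits

def audit_tree(root, filename="config.php"):
    """Scan every <filename> under root; map relative path -> list of hits."""
    report = {}
    for path in sorted(Path(root).rglob(filename)):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = plaintext_endpoints(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

if __name__ == "__main__":
    for line, url in plaintext_endpoints(SAMPLE):
        print(f"line {line}: {url}")
```

Running `audit_tree()` against the Matomo installation directory lists each file and line that would need port 80, so the egress rule and the config can be reconciled before requests start timing out.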
