Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2015 closed Bug (fixed)

Clarify reverse_proxy vs proxy headers

Reported by: jhstatewide Owned by: vipsoft
Priority: major Milestone: Piwik 1.2
Component: Core Keywords:
Cc: Sensitive: no

Description

After noticing some of my IPs weren't right in reports, I set reverse_proxy = 1 in config.ini.php. This fixed the IP issue but I could no longer log in. After reverting back to reverse_proxy = 0 the problem was worked around. So now I can log in but the IPs are wrong again. I am running the latest re-release of 1.1.1. I read about other users' problems with logins but I can confirm my behavior changes just based on the reverse_proxy = 1 setting. This is with PHP 5.2.6.

Change History (12)

comment:1 Changed 3 years ago by matt (mattab)

Anthon can confirm, but looking at the code, I'm not sure if reverse_proxy=1 is really doing good in all cases. Maybe the name is misleading?

For the IP issue, check out the FAQ: http://piwik.org/faq/how-to-install/#faq_98. It explains how to set it up so that IPs are read correctly based on your proxy headers.

comment:2 Changed 3 years ago by matt (mattab)

reverse_proxy seems to bypass the https test, so that reverse_proxy=1 means 'connection is secure' in the code, which affects the following:

I'm wondering if maybe the secure cookie flag causes issues in this case?

comment:3 Changed 3 years ago by vipsoft (robocoder)

  • Keywords login reverse_proxy removed
  • Milestone changed from 1.x - Piwik 1.x to 1.2 Piwik 1.2
  • Owner set to vipsoft

matt: the reverse_proxy only has to be set if PHP isn't setting $_SERVER['HTTPS']. This is used for the absolute URL in the OFC data feeds. It shouldn't affect login -- if so, it's a regression. I'll take a look when I get back.

jhstatewide: For the incorrect IPs and login problem, you should be setting proxy_client_headers[] and proxy_host_headers[] in your config.ini.php. See global.ini.php for examples. This will resolve the login issue which checks Referer and Origin headers to protect against CSRF.

comment:4 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to answered
  • Status changed from new to closed

Thanks Matt. I see you fixed a logic error in r3726 / r3727 / 3728. I just refactored it in r3731.

comment:5 Changed 3 years ago by matt (mattab)

  • Resolution answered deleted
  • Status changed from closed to reopened

my commits didn't change anything, just style change.

but maybe the bug is:

$cookie->setSecure(Piwik::isHttps());

which would set the secure flag when reverse proxy is enabled?

comment:6 Changed 3 years ago by vipsoft (robocoder)

(In [3734]) refs #2015 - better explanation when to use reverse_proxy = 1

The current behaviour as you observe in comment:2 is correct.

The reason why jhstatewide couldn't log in with reverse_proxy=1 is likely because he's using a non-https proxy (i.e., http to http); in which case, the browser won't send back the secure-only cookie to Piwik over an http connection.

Setting reverse_proxy=0 and configuring the proxy headers should solve both the wrong IPs and the login issue.
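
Added here as an illustration, not Piwik's own code: a simplified PHP model of the two mechanisms described in comment:3 and comment:6, showing why reverse_proxy = 1 makes the session cookie secure-only (so an http-to-http front end never returns it) and how proxy_client_headers[] / proxy_host_headers[] recover the visitor IP and public host instead. The function names and the $config array layout are assumptions made for this example.

```php
<?php
// Added example, not Piwik's own code. reverse_proxy = 1 forces "connection is
// secure" (hence a secure-only cookie); proxy_client_headers[] / proxy_host_headers[]
// name the proxy-set headers carrying the real client IP and host. Names are hypothetical.
// First non-empty configured header, e.g. 'X-Forwarded-For' -> HTTP_X_FORWARDED_FOR.
function firstProxyHeader(array $server, array $headerNames) {
    foreach ($headerNames as $name) {
        $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return null;
}

// reverse_proxy = 1 short-circuits the HTTPS test (comment:2).
function isHttps(array $server, array $config) {
    if (!empty($config['reverse_proxy'])) {
        return true;
    }
    return isset($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Mirrors $cookie->setSecure(Piwik::isHttps()): a browser returns a secure-flagged
// cookie only over https, so an http->http front end never sends it back.
function loginCookieIsReturned(array $server, array $config, $browserUsesHttps) {
    return !isHttps($server, $config) || $browserUsesHttps;
}

// Visitor IP: leftmost validated entry of the first configured header
// (X-Forwarded-For can be a chain), else the TCP peer, i.e. the proxy itself.
function clientIp(array $server, array $config) {
    $value = firstProxyHeader($server, $config['proxy_client_headers']);
    $candidate = $value === null ? '' : trim(explode(',', $value)[0]);
    return filter_var($candidate, FILTER_VALIDATE_IP) ? $candidate : $server['REMOTE_ADDR'];
}

// Public host, so the Referer/Origin CSRF check compares against the name the
// browser used rather than the backend's internal one.
function requestHost(array $server, array $config) {
    $value = firstProxyHeader($server, $config['proxy_host_headers']);
    return $value === null ? $server['HTTP_HOST'] : $value;
}

// Constructed request as Piwik sees it behind an http-to-http proxy.
$server = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_HOST' => 'piwik-backend:8080',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5', 'HTTP_X_FORWARDED_HOST' => 'stats.example.org'];
$flagOnly = ['reverse_proxy' => 1, 'proxy_client_headers' => [], 'proxy_host_headers' => []];
$headers = ['reverse_proxy' => 0, 'proxy_client_headers' => ['X-Forwarded-For'], 'proxy_host_headers' => ['X-Forwarded-Host']];
var_dump(loginCookieIsReturned($server, $flagOnly, false), loginCookieIsReturned($server, $headers, false));
var_dump(clientIp($server, $headers), requestHost($server, $headers));
```

With the browser on plain http, the first call shows the cookie is dropped only when reverse_proxy = 1, while the header-based configuration yields the visitor's IP and the public host name.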

comment:7 Changed 3 years ago by matt (mattab)

I'm not sure I understand exactly when users should set the reverse_proxy, so should I update the FAQ as follows?

From:
{{{
If you are running Piwik behind a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:
[General]
reverse_proxy = 1
}}}

To:
{{{
If you are running Piwik behind a reverse proxy that responds to SSL (https) queries on an http host, or your proxy doesn't set the HTTPS header correctly, you should add the following line in your config file:
[General]
reverse_proxy = 1
}}}

I feel like it's not as clear as it could be ;)

comment:8 Changed 3 years ago by vipsoft (robocoder)

reverse_proxy isn't the right name anymore. Maybe assume_https_frontend?

If you install Piwik through a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:

[General]
reverse_proxy = 1

If you install Piwik from behind the reverse proxy (where Piwik can't detect https will be used), you should set the above manually.

(Separate FAQ?)

If you're not using a reverse proxy, but using https with a web server that doesn't set the HTTPS environment variable, you can either set the reverse_proxy=1 or reconfigure your web server.

Example: http://redmine.lighttpd.net/wiki/1/Docs:SSL#HTTPS-detection-in-PHP

comment:9 Changed 3 years ago by vipsoft (robocoder)

matt: should I rename the setting and update the FAQ?

comment:10 Changed 3 years ago by matt (mattab)

vipsoft, please go ahead and post here links to the updated FAQ, thx

comment:11 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from reopened to closed

comment:12 Changed 3 years ago by vipsoft (robocoder)

  • Summary changed from "Can't login with reverse_proxy == 1" to "Clarify reverse_proxy vs proxy headers"