Clarify reverse_proxy vs proxy headers #2015

Closed
anonymous-piwik-user opened this Issue · 11 comments

3 participants

@anonymous-piwik-user

After noticing some of my IPs weren't right in reports, I set reverse_proxy = 1 in config.ini.php. This fixed the IP issue but I could no longer log in. After reverting back to reverse_proxy = 0 the problem was worked around. So now I can log in but the IPs are wrong again. I am running the latest re-release of 1.1.1. I read about other users' problems with logins but I can confirm my behavior changes just based on the reverse_proxy = 1 setting. This is with PHP 5.2.6.

@mattab
Owner

Anthon can confirm, but looking at the code, I'm not sure if reverse_proxy=1 is really doing good in all cases. Maybe the name is misleading?

For the IP issue, check out the FAQ: http://piwik.org/faq/how-to-install/#faq_98
It explains how to set things up so that IPs are read correctly based on your proxy headers.

@mattab
Owner

reverse_proxy seems to bypass the https test, so that reverse_proxy=1 means 'connection is secure' in the code, which affects the following:

I'm wondering if maybe the secure cookie flag causes issues in this case?

@robocoder
Collaborator

matt: the reverse_proxy only has to be set if php isn't setting $_SERVER['HTTPS']. This is used for the absolute URL in the OFC data feeds. It shouldn't affect login -- if so, it's a regression. I'll take a look when I get back.

jhstatewide: For the incorrect IPs and login problem, you should be setting proxy_client_headers and proxy_host_headers in your config.ini.php. See global.ini.php for examples. This will resolve the login issue which checks Referer and Origin headers to protect against CSRF.

@robocoder
Collaborator

Thanks Matt. I see you fixed a logic error in r3726 / r3727 / 3728. I just refactored it in r3731.

@mattab
Owner

my commits didn't change anything, just style change.

but maybe the bug is:
$cookie->setSecure(Piwik::isHttps());

which would set the secure flag when reverse proxy is enabled?

@robocoder
Collaborator

(In [3734]) refs #2015 - better explanation when to use reverse_proxy = 1

The current behaviour as you observe in comment:2 is correct.

The reason why jhstatewide couldn't login with reverse_proxy=1 is likely
because he's using a non-https proxy (i.e., http to http); in which case, the
browser won't send back the secure-only cookie to Piwik over an http connection.

Setting reverse_proxy=0 and configuring the proxy headers should solve both the
wrong IPs and login issue.
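
Added example, not part of the original thread and not Piwik's code: a Python model of the failure described in the comment above, using the standard library cookie jar as a stand-in for the browser. The `is_https` function, the cookie name and value, and the host `piwik.example.org` are assumptions constructed for illustration.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar


def is_https(server_env, reverse_proxy):
    # Assumed model of the check discussed in the thread:
    # reverse_proxy = 1 bypasses the test of $_SERVER['HTTPS'].
    if reverse_proxy:
        return True
    return server_env.get("HTTPS", "").lower() == "on"


class FakeResponse:
    """Minimal response object carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def login_cookie_returned(browser_url, server_env, reverse_proxy):
    """True if a cookie jar sends the login cookie back on the next request."""
    secure = is_https(server_env, reverse_proxy)
    # Constructed cookie name and value, not Piwik's real ones.
    header = "constructed_auth=abc123; Path=/" + ("; Secure" if secure else "")
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(header), urllib.request.Request(browser_url))
    follow_up = urllib.request.Request(browser_url)
    jar.add_cookie_header(follow_up)
    return follow_up.has_header("Cookie")


if __name__ == "__main__":
    plain = {}  # backend PHP sees no HTTPS variable
    for scheme in ("http", "https"):
        url = scheme + "://piwik.example.org/index.php"
        for flag in (0, 1):
            sent = login_cookie_returned(url, plain, flag)
            print(scheme, "reverse_proxy =", flag, "-> cookie returned:", sent)
```

Only the http browser connection with reverse_proxy = 1 loses the cookie; with reverse_proxy = 0 behind a TLS-terminating proxy the cookie is returned but carries no Secure flag.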

@mattab
Owner

I'm not sure I understand exactly when users should set the reverse_proxy
so, should I update the FAQ as follows?

From:
If you are running Piwik behind a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:
[General]
reverse_proxy = 1

To
If you are running Piwik behind a reverse proxy that responds to SSL (https) queries on an http host, or your proxy doesn't set the HTTPS header correctly, you should add the following line in your config file:
[General]
reverse_proxy = 1

I feel like it's not as clear as it could be ;)

@robocoder
Collaborator

reverse_proxy isn't the right name anymore. maybe assume_https_frontend ?

If you install Piwik through a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:

[General]
reverse_proxy = 1

If you install Piwik from behind the reverse proxy (where Piwik can't detect https will be used), you should set the above manually.

(Separate FAQ?)

If you're not using a reverse proxy, but using https with a web server that doesn't set the HTTPS environment variable, you can either set the reverse_proxy=1 or reconfigure your web server.

Example: http://redmine.lighttpd.net/wiki/1/Docs:SSL#HTTPS-detection-in-PHP

@robocoder
Collaborator

matt: should I rename the setting and update the FAQ?

@mattab
Owner

vipsoft, please go ahead and post here links to the updated FAQ, thx

@anonymous-piwik-user anonymous-piwik-user added this to the Piwik 1.2 milestone
This issue was closed.