Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Clarify reverse_proxy vs proxy headers #2015

anonymous-piwik-user opened this Issue · 11 comments

3 participants


After noticing some of my IPs weren't right in reports, I set reverse_proxy = 1 in config.ini.php. This fixed the IP issue but I could no longer log in. After reverting back to reverse_proxy = 0 the problem was worked around. So now I can log in but the IPs are wrong again. I am running the latest re-release of 1.1.1. I read about other users' problems with logins but I can confirm my behavior changes just based on the reverse_proxy = 1 setting. This is with PHP 5.2.6.


Anthon can confirm, but looking at the code, I'm not sure if reverse_proxy=1 is really doing good in all cases. Maybe the name is misleading?

For the IP issue, check out the FAQ:
it explains how to setup so that IPs are read correctly based on your proxy headers.


reverse_proxy seems to bypass the https test, so that reverse_proxy=1 means 'connection is secure' in the code, which affects the following:

I'm wondering if maybe the secure cookie flag causes issues in this case?


matt: the reverse_proxy only has to be set if php isn't setting $_SERVER['HTTPS']. This is used for the absolute URL in the OFC data feeds. It shouldn't affect login -- if so, it's a regression. I'll take a look when I get back.

jhstatewide: For the incorrect IPs and login problem, you should be setting proxy_client_headers[and proxy_host_headers in your config.ini.php. See global.ini.php for examples. This will resolve the login issue which checks Referer and Origin headers to protect against CSRF.


Thanks Matt. I see you fixed a logic error in r3726 / r3727 / 3728. I just refactored it in r3731.


my commits didn't change anything, just style change.

but maybe the bug is:

which would set the secure flag when reverse proxy is enabled?


(In [3734]) refs #2015 - better explanation when to use reverse_proxy = 1

The current behaviour as you observe in comment:2 is correct.

The reason why jhstatewide couldn't login with reverse_proxy=1 is likely
because he's using a non-https proxy (i.e., http to http); in which case, the
browser won't send back the secure-only cookie to Piwik over an http connection.

Setting reverse_proxy=0 and configuring the proxy headers should solve both the
wrong IPs and login issue.


I'm not sure I understand exactly when users should set the reverse_proxy
so, should I update the FAQ as follows?

If you are running Piwik behind a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:[General]
reverse_proxy = 1

If you are running Piwik behind a reverse proxy that responds to SSL (https) queries on an http host, or your proxy doesn't set the HTTPS header correctly, You should add the following line in your config file:
reverse_proxy = 1

I feel like it's not as clear as it could be ;)


reverse_proxy isn't the right name anymore. maybe assume_https_frontend ?

If you install Piwik through a reverse proxy, the following line should be automatically added to your config/config.ini.php file during the Piwik installation:

reverse_proxy = 1

If you install Piwik from behind the reverse proxy (where Piwik can't detect https will be used), you should set the above manually.

(Separate FAQ?)

If you're not using a reverse proxy, but using https with a web server that doesn't set the HTTPS environment variable, you can either set the reverse_proxy=1 or reconfigure your web server.



matt: should I rename the setting and update the FAQ?


vipsoft , please go ahead and post here links to the update FAQ, thx

@anonymous-piwik-user anonymous-piwik-user added this to the Piwik 1.2 milestone
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.