Cannot login to matomo admin behind reverse proxy #83

Open
edgexyz opened this issue Oct 18, 2021 · 0 comments

edgexyz commented Oct 18, 2021

Behaviour

Continuously notified with the error message Login_InvalidNonceOrHeadersOrReferer while logging in.

Steps to reproduce this issue

  1. set up nginx and matomo in docker
  2. nginx transfers data through the bridged network created by docker-compose

Expected behaviour


login to the admin portal

Actual behaviour


Login_InvalidNonceOrHeadersOrReferer

Configuration

  • Docker version (type docker --version) : 20.10.9, build c2ea9bc
  • Docker compose version if applicable (type docker-compose --version) : 2.4
  • Platform (Debian 9, Ubuntu 18.04, ...) : Ubuntu 20.04
  • System info (type uname -a) : Linux instance-20210920-2330 5.11.0-1019-oracle #20~20.04.1-Ubuntu SMP Tue Sep 21 14:18:09 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Include all necessary configuration files : docker-compose.yml, .env, ...

docker-compose.yml

version: "2.4"

services:
  nginx:
    image: nginx
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
#      - ./nginx:/etc/nginx
      - ./nginx/nginx-analytic.conf:/etc/nginx/conf.d/default.conf:ro
#      - ./nginx/sites:/etc/nginx/sites-enabled:ro
      - ./ssl/private/ssl.crt:/etc/letsencrypt/live/certificate.crt:ro
      - ./ssl/private/ssl.key:/etc/letsencrypt/live/private.key:ro
      - ./log/nginx:/var/log/nginx

  db:
    image: mariadb:10.5
    restart: always
    command:
      - "--character-set-server=utf8mb4"
      - "--collation-server=utf8mb4_unicode_ci"
      - "--max_allowed_packet=256M"
    ports:
      - 127.0.0.1:3306:3306
      - "[::1]:3306:3306"
    volumes:
      - ./mysql:/var/lib/mysql
    environment:
      - TZ
      - MYSQL_ALLOW_EMPTY_PASSWORD=yes
      - MYSQL_DATABASE=matomo
      - MYSQL_USER=matomo
      - MYSQL_PASSWORD=
  
  redis:
    image: redis:4.0-alpine
    restart: always

  geoip-updater:
    image: crazymax/geoip-updater:latest
    volumes:
      - ./geoip-updater:/data
    env_file:
      - ./geoip-updater.env
    environment:
      - TZ
    restart: always

  matomo:
    image: crazymax/matomo:latest
    depends_on:
      - redis
    restart: always
    ports:
      - 127.0.0.1:8000:8000
      - "[::1]:8000:8000"
    volumes:
      - ./matomo/data:/data
      - ./geoip-updater:/data/geoip
    environment:
      - TZ
    env_file:
      - ./matomo.env
  
  cron:
    image: crazymax/matomo:latest
    depends_on:
      - matomo
    volumes:
      - ./matomo/data:/data
      - ./geoip-updater:/data/geoip
    env_file:
      - "./matomo.env"
    environment:
      - TZ
      - SIDECAR_CRON=1
      - "CRON_ARCHIVE=0 * * * *"
      - ARCHIVE_OPTIONS=--concurrent-requests-per-website=3
    healthcheck:
      disable: true
    restart: always

default.conf

tcp_nodelay on;

server {
    listen 80 reuseport default_server;
    listen [::]:80 reuseport default_server;

    location / {
        return 301 https://$host$request_uri;
    }
}

ssl_certificate /etc/letsencrypt/live/certificate.crt;
ssl_certificate_key /etc/letsencrypt/live/private.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# ssl_dhparam /path/to/dhparam;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
# ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

# replace with the IP address of your resolver
resolver 127.0.0.11;

server {
    listen 443 ssl http2 reuseport;
    listen [::]:443 ssl http2 reuseport;

    server_name stats.;

    location / {
        proxy_pass http://matomo:8000$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header Host $host;
        proxy_set_header Referer "stats.";
        gzip on;
    }
}

config.php.ini

[General]
enable_browser_archiving_triggering = "0"
minimum_memory_limit = -1
force_ssl = 1
assume_secure_protocol = 1
proxy_client_headers[] = "HTTP_X_FORWARDED_FOR"
proxy_client_headers[] = "HTTP_CF_CONNECTING_IP"
proxy_host_headers[] = "HTTP_X_FORWARDED_HOST"
salt = ""
trusted_hosts[] = "stats."
trusted_hosts[] = ""

Docker info

> Output of command `docker info`

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.6.3-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 7
  Running: 6
  Paused: 0
  Stopped: 1
 Images: 6
 Server Version: 20.10.9
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 5.11.0-1019-oracle
 Operating System: Ubuntu 20.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 972.1MiB
 Name: instance-20210920-2330
 ID: TLRE:AU3K:YLGD:OUDI:I7QW:V2N7:A54A:KOV5:JUXK:D6P5:CW6U:XLHC
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Logs

> Container logs (set LOG_LEVEL to debug if applicable)

> sudo docker logs analytic-docker_matomo_1

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-fix-logs.sh: executing...
[cont-init.d] 00-fix-logs.sh: exited 0.
[cont-init.d] 01-fix-uidgid.sh: executing...
[cont-init.d] 01-fix-uidgid.sh: exited 0.
[cont-init.d] 02-fix-perms.sh: executing...
Fixing perms...
[cont-init.d] 02-fix-perms.sh: exited 0.
[cont-init.d] 03-config.sh: executing...
Setting timezone to Asia/Taipei...
Setting PHP-FPM configuration...
Setting PHP INI configuration...
Setting OpCache configuration...
Setting Nginx configuration...
Symlink GeoLite2-ASN.mmdb to Matomo
Symlink GeoLite2-City.mmdb to Matomo
Symlink GeoLite2-Country.mmdb to Matomo
Checking Matomo config...
Checking Matomo plugins folder...
Checking Matomo js folder...
Checking Matomo user-misc folder...
Checking Matomo tmp folder...
[cont-init.d] 03-config.sh: exited 0.
[cont-init.d] 04-svc-main.sh: executing...
Setting Matomo log level to WARN...
Setting [log] log_level = "WARN"... done.
Upgrading and setting Matomo configuration...

Everything is already up to date.

Setting [General] minimum_memory_limit = "-1"... done.
[cont-init.d] 04-svc-main.sh: exited 0.
[cont-init.d] 05-svc-cron.sh: executing...
[cont-init.d] 05-svc-cron.sh: exited 0.
[cont-init.d] ~-socklog: executing...
[cont-init.d] ~-socklog: exited 0.
[cont-init.d] done.
[services.d] starting services
2021/10/18 20:25:08 [notice] 523#523: using the "epoll" event method
2021/10/18 20:25:08 [notice] 523#523: nginx/1.20.1
2021/10/18 20:25:08 [notice] 523#523: OS: Linux 5.11.0-1019-oracle
2021/10/18 20:25:08 [notice] 523#523: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2021/10/18 20:25:08 [notice] 523#523: start worker processes
2021/10/18 20:25:08 [notice] 523#523: start worker process 541
2021/10/18 20:25:08 [notice] 523#523: start worker process 542
[services.d] done.
[18-Oct-2021 20:25:08] NOTICE: fpm is running, pid 527
[18-Oct-2021 20:25:08] NOTICE: ready to handle connections
172.27.0.2 - - [18/Oct/2021:20:25:18 +0800] "POST /?module=Login HTTP/1.0" 403 78856 "stats." "Mozilla/5.0"
172.27.0.2 - - [18/Oct/2021:20:25:22 +0800] "POST /?module=Login HTTP/1.0" 403 78856 "stats." "Mozilla/5.0"
172.27.0.2 - - [18/Oct/2021:20:25:50 +0800] "POST /?module=Login HTTP/1.0" 403 78856 "stats." "Mozilla/5.0"
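As an added illustration (not code from this issue or from the crazymax/docker-matomo project), the following Python models the kind of Host/Origin/Referer check that yields a Login_InvalidNonceOrHeadersOrReferer-style rejection: a Referer that is not an absolute URL on a trusted host is refused, which is exactly what the proxy's `proxy_set_header Referer "stats.";` override produces. The hostname stats.example.test is a constructed stand-in for the one redacted on the page, and the check is a simplified model, not Matomo's actual code.

```python
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the hostname that is redacted ("stats.") in the issue;
# the empty entry mirrors the trusted_hosts[] = "" line in config.ini.php.
TRUSTED_HOSTS = ["stats.example.test", ""]


def url_host(value: Optional[str]) -> Optional[str]:
    """Host of an absolute URL, or None when the value is empty or not a URL."""
    if not value:
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.hostname:
        return None  # the bare literal "stats." has neither scheme nor host
    return parts.hostname.lower()


def is_trusted(host: Optional[str], trusted: Iterable[str]) -> bool:
    """Empty trusted entries are ignored so they never match a missing host."""
    return host is not None and host in {h.lower() for h in trusted if h}


def login_post_allowed(headers: Dict[str, str], trusted: Iterable[str]) -> Tuple[bool, str]:
    """Simplified model (an assumption, not Matomo's code) of the header checks on a
    login POST: Host must be trusted, and Origin/Referer, when present, must be
    absolute URLs whose host is trusted. The nonce check itself sits on top of this."""
    host = headers.get("Host", "").split(":")[0].lower()
    if not is_trusted(host, trusted):
        return False, f"Host {host!r} is not a trusted host"
    for name in ("Origin", "Referer"):
        if name in headers:  # both are optional, but when sent they must be valid
            h = url_host(headers[name])
            if not is_trusted(h, trusted):
                return False, f"{name} {headers[name]!r} has no trusted host"
    return True, "ok"


# Constructed requests: what Matomo sees with the issue's Referer override, where the
# browser's real Referer is replaced by the literal "stats."...
OVERRIDDEN = {"Host": "stats.example.test", "Referer": "stats."}
# ...and what it sees when the proxy forwards the browser's Referer unchanged.
FORWARDED = {"Host": "stats.example.test",
             "Referer": "https://stats.example.test/index.php?module=Login"}

if __name__ == "__main__":
    for label, req in (("overridden", OVERRIDDEN), ("forwarded", FORWARDED)):
        print(label, login_post_allowed(req, TRUSTED_HOSTS))
```

Dropping the `proxy_set_header Referer` line (nginx then passes the browser's own Referer through) or using the request's `$http_referer` is the defensive fix this model points at; the `trusted_hosts[] = ""` entry should likewise be removed rather than left empty.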