Bug Report: Umami's Nginx Configuration Sets An Incorrect X-Forwarded-For Header, Preventing Proper Operation with Proxied Analytic Events
-
Umami uses the default nginx configuration for cloudron apps. Within the default configuration, the following proxy headers are added:
... proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-Ssl on; ...
This works fine out of the box, but unfortunately the
proxy_set_header X-Forwarded-For $remote_addr;
header breaks Umami's support for proxied tracker scripts (see link to Umami docs).In a proxied tracker script setup, a user would setup Nginx or Cloudflare workers to proxy the Umami analytic javascript file and it's POST endpoint, so that the script and any tracker events are loaded from (or sent) to the website. In such a setup, the user would typically configure something like the following in the Nginx file of their website (i.e. the site that uses Umami for analytics):
set $umami_script_url https://umami.example.com/script.js; # Here set $umami_event_url https://umami.example.com/api/send; # Here location = /js/script.js { proxy_pass $umami_script_url; proxy_set_header Host umami.example.com; # Here proxy_buffering on; add_header X-Cache $upstream_cache_status; } location = /js/api/send { proxy_pass $umami_event_url; proxy_set_header Host umami.example.com; # Here proxy_buffering on; proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; }
Unfortunately, because the nginx config file of the Umami cloudron app overwrites the
X-Forwarded-For
header, all web visits and analytic events appear to come from the server running the website.In order to fix this, a simple change is needed. Use
$proxy_add_x_forwarded_for
instead of$remote_addr
in order to properly preserve the origin IP information.proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
This bug is a relatively minor one, and should be an easy fix.
-
In general, I wonder if Cloudron should be using
$proxy_add_x_forwarded_for
instead of$remote_addr
for all applications in the default cloudron configuration.$proxy_add_x_forwarded_for
preserves the entireX-Forwarded-For
chain, instead of overwriting theX-Forwarded-For
header with the the final forwarder. It's a neater solution, and should not affect the vast majority of existing apps.Right now, I imagine the only applications where this is an issue are analytics apps. Perhaps this bug would affect matamo as well.