When a CDN is placed in front of an app, the app needs to understand there is a CDN in front of it. The app has to be specifically coded and have configuration options to support a CDN.
I think all these things you've listed apply to your nginx in the same way they apply to any reverse proxy you put in front of it (including CloudFront). And you've already solved them, otherwise Matomo and other apps would respond with localhost:8080 in the HTML and break all the time.
Finally, the Origin header is only needed for CORS, i.e. when a tracked website is making a call into Matomo. It doesn't come into the picture when loading Matomo's login screen. It might appear to come into the picture, but this is only because we have a separate domain when using a CDN, and this goes back to figuring out if Matomo supports a CDN-based setup (this I don't know, and I cannot find any information in their docs or the forum).
No and yes. As I assumed earlier, I'm running with Origin-based CSRF protection, and the Matomo source confirms that: https://github.com/matomo-org/matomo/blob/e4a7b579622da9f585a9e662efc114b08b6fe08d/core/Nonce.php#L132-L139
Thanks for all the information regarding how nginx and Matomo interact. I've been able to successfully access Matomo through CloudFront by including Origin: https://matomo.cloudron.example.com in the origin request. However, login redirects me from foo.cloudfront.net to matomo.cloudron.example.com, which is not surprising, since that's the Host header Matomo sees.
From all the information I have I think all I need is the following: a way to associate a domain with an app without all the DNS/TLS setup that Cloudron otherwise needs. The only downside would be that it wouldn't be full SSL and traffic between EC2 and CloudFront would be unencrypted inside the AWS network.
So instead of

https://matomo.cloudron.example.com -> nginx -> docker

it would be

https://foo.cloudfront.net -> CloudFront -> http://foo.cloudfront.net -> nginx -> docker

What I have right now is

https://foo.cloudfront.net -> CloudFront -> https://matomo.cloudron.example.com -> nginx -> docker
I can configure CloudFront to forward the Host header. So there just needs to be an additional nginx config to forward my arbitrary host to the Matomo container. Matomo itself doesn't know about this, but would see the CloudFront Host + Origin header and be happy. Right now it doesn't know about foo.cloudfront.net, because CloudFront looks to nginx like any user accessing Matomo at matomo.cloudron.example.com. With this new setup there cannot be a leak of matomo.cloudron.example.com, because it isn't part of the request or response at all and Matomo is not aware of its existence. As you said, enable_trusted_host_check is disabled and I just need a second trusted host (trusted by nginx) that nginx forwards to the container.
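The extra nginx server block described in the post above, as an added example that is not Cloudron's generated configuration: it assumes CloudFront is set to forward the viewer's Host header unchanged and that the Matomo container is reachable from nginx at the placeholder address 172.18.0.5:8000.

```nginx
# Added example, not part of the original thread or of Cloudron's own config.
# Plain-HTTP origin listener for the CloudFront distribution hostname.
server {
    listen 80;
    server_name foo.cloudfront.net;   # placeholder: the distribution's hostname

    location / {
        # placeholder: address of the Matomo container as seen from nginx
        proxy_pass http://172.18.0.5:8000;

        # Keep the Host that CloudFront forwarded, so Matomo builds its
        # redirects and URLs for foo.cloudfront.net rather than the
        # internal matomo.cloudron.example.com name, which then never
        # appears in a request or response.
        proxy_set_header Host $host;

        # The viewer connects to CloudFront over https even though this
        # CloudFront-to-origin hop is plain http.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because this listener accepts plain HTTP, restrict port 80 on the EC2 instance to CloudFront's address ranges (for example with a security group) so that only the CDN, not arbitrary clients, can reach the origin by that name.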