Hi all, This is a bit of an interesting situation I have found myself in.I have been using Teleport for a while, mainly as an ssh jump host. I have now been starting to learn/use docker compose and traefik. This means if I try to access a docker app, I am using Teleport and traefik as 2 proxy servers.
This didn't seem to be an issue with a few simple docker apps until I tried to setup Matomo. Matomo tells me there is an invalid Referer header. If i remove traefik and expose a port for Matomo directly it works fine.
I really haven't done much with HTTP headers and I am still trying to learn docker and traefik.
Is there some way I can force traefik to just pass all the headers given from teleport without any modification?
Any help and guidance would be greatly appreciated.
Without a config it’s hard to say what you do. But I would think that Traefik does not interfere with the referer header.
Hi, Thanks for that.
This is the Traefik config
traefik:
image: traefik:v2.10
restart: unless-stopped
command:
#- "--log.level=DEBUG"
- "--api.insecure=true"
- "--api.dashboard=true"
- "--providers.docker"
- "--entryPoints.internal.address=:80"
ports:
- "8080:8080"
- "9922:80"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
labels:
- "traefik.http.routers.dashboard.rule=Host(`traefik.localhost`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
matomo:
image: matomo:latest
restart: unless-stopped
environment:
- MATOMO_DATABASE_HOST=matomo-mariadb
labels:
- "traefik.http.routers.matomo.entrypoints=internal"
- "traefik.http.routers.matomo.rule=Host(`matomo.localhost`)"
This is the Matomo error if that sheds any light:
Error: The form security failed because of an invalid "Referer" header. If you are using a proxy server, you must configure Matomo to accept the proxy header that forwards the host header. Also, check that your "Referer" header is sent correctly. If you previously connected using HTTPS, please ensure you are connecting over a secure (SSL/TLS) connection and try again.
I noticed the SVG for matomo doesn't load either when behind teleport and traefik (it did when just behind teleport).
I have been trying to work out a fix, but I still can't understand what the issue is.
I added a setting in matomo that disabled trusted host checking.
Still can't login but I now get an error of invalid origin.
How would that relate to the referer header? and what would be causing this to not work when using traefik?
Did you check the related FAQ?
Seems matomo is extra cautious and you need to adapt all the security related settings manually.
Traefik will automatically provide all the standard headers for forwarded requests.
Hi,
Yeah I've been going through the faq. Still not having any success.
Thanks though, at least i can eliminate traefik as doing something strange with the headers.