Cannot login when behind reverse proxy (FIXED)


iis 7 to php on linux, basic rewrite rule. works fine direct to server but when going via reverse proxy i get:

Error: Form security key is invalid or has expired. Please reload the form and check that your cookies are enabled.


Hey Norgan,

I had the same issue when upgrading this morning. The only difference is that I am using Apache server on both side of the proxy.

  • There is a

reverse_proxy = 0

parameters in the configuration file but this is not what we are looking for according to the global config file :

vi config/global.ini.php
-> ; If set to 1, Piwik adds a response header to workaround the IE+Flash+HTTPS bug.
   reverse_proxy = 0

and changing it didn’t do anything.

  • By debugging the code I found out that the issue was coming from these lines :

vi piwik/core/Url.php
-> static public function getCurrentHost($default = 'unknown')
     static $hostHeaders = null;
         $config = Zend_Registry::get('config');
         if($config !== false && isset($config->General->proxy_host_headers))
           $hostHeaders = $config->General->proxy_host_headers->toArray();

as proxy_host_headers was empty. After checking in the global config file I found the following :

; List of proxy headers for client IP addresses
; CloudFlare (CF-Connecting-IP)
;proxy_client_headers[] = HTTP_CF_CONNECTING_IP
; ISP proxy (Client-IP)
;proxy_client_headers[] = HTTP_CLIENT_IP
; de facto standard (X-Forwarded-For)
;proxy_client_headers[] = HTTP_X_FORWARDED_FOR

; List of proxy headers for host IP addresses
; de facto standard (X-Forwarded-Host)
;proxy_host_headers[] = HTTP_X_FORWARDED_HOST

so adding

proxy_host_headers[] = HTTP_X_FORWARDED_HOST

to piwik/config/config.ini.php solved the issue (as Apache is using the standard HTTP_X_FORWARDED_HOST variable).

If you do not know if IIS is using the same variable you might want to try a var_dump($_SERVER) in one of your piwik file and see if what PROXY or FORWARD value you find.

Hope this help.


Thanks for that, i tried it but still no go. Did you have to relaod php or anything?


Well you should check in your apache logs or using Live HTTP headers (FF plugin) to see the content of HTTP_X_FORWARDED_HOST. Try to remove all cookies and cache at least once now that you change the config.

The solution above is only to enable the log in screen. But the stats will not be correct until you also set proxy_client_headers :

proxy_host_headers[] = HTTP_X_FORWARDED_HOST
proxy_client_headers[] = HTTP_X_FORWARDED_FOR

should do the trick.

Let me know
Hope this help


I cannot figure how to check this proxy header. are you able to assist in this?

I do not have extensive knowledge of php, just want to have stats for my sites. I have found issues in the hpast with reverse proxy like with gzip pages etc but i just cannot nail this one down.


Ok here is the fix:

reverse_proxy = 0
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST

To config.ini.php

Set new server vaiable called HTTP_X_FORWARDED_HOST

Edit inboudn rule and under server variables add…

Choose HTTP_X_FORWARDED_HOST from drop down box and set value to be {HTTP_HOST}

leave ticked Replace the existing value

The login should now work, visitor ip’s are reported correctly!


norgan, Where would one set the new server variable and the inbound rule please ?



It looks like you’re using CloudFlare. Are you using Apache or Windows IIS? If Apache, you could look at installing mod_cloudflare[/url]. If Windows IIS, you can look at the information for correcting [url=]Windows IIS logs.


Hi organicspider, check out the following link that i used to work this out:

Basically you create your reverse proxy rule then edit the inbound rule and add a new server variable.