Matomo behind load balancer


(Joe) #1

Hello,
Does anyone know how to configure login_whitelist_ip to work behind a load balancer?
The IP address hitting Matomo is the load balancer’s, so my understanding is there should be some way to tell Matomo to look at the X-Forwarded headers, instead of the actual IP address?
Thank you,
Joe


(Florian Kaufmann) #2

Hi Joe,

we use the following addition in the “location” tag of our nginx load balancer / reverse proxy configuration to forward the real ip to the matomo instance:

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

Then we set the realip to the forwarded one in the nginx configuration of the matomo tracking instance:

    set_real_ip_from  <load_balancer_ip>;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

login_whitelist_ip works just fine then and it also makes GeoIp work.

Another solution i just found out could be this: How do I configure Piwik when the server is installed behind a proxy? - Analytics Platform - Matomo


(Joe) #3

Thank you Florian!

I really appreciate your help with that, it certainly points me in the right direction.
We’re using a Bitnami image on EC2, which seems to use an older version of apache, rather than nginx - unfortunately I don’t think I can use either your solution or the one in the link (at least not without learning a lot more and maybe changing/upgrading the web-server software!)
Thanks again, now I know to look for something at the web-server level that tricks Matomo into believing the forwarded IP is the real IP.

Joe