Nginx + varnish + memcached = Can't login to piwik



I moved my piwik installation from an apache server to nginx using varnish and memcached. I’m not sure when, but at some point it stopped allowing me to login, giving the error:

Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header that forwards the Host header. Also, check that your Referrer header is sent correctly.

I’m not sure what the problem is here, because it was working for a while until I logged out. I’m not sure at what point it stopped, but I installed memcached later, I believe.

I tried putting:

proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_host_headers[] = HTTP_X_FORWARDED_HOST

In the piwik config, it didn’t help.

In varnish config I put under vcl_recv:

if (req.url ~ “piwik”) {
set req.http.X-Forwarded-For = client.ip;
return (pass);

This didn’t help either.

I’m at my wit’s end here. Does anyone have any idea what might be wrong in my configuration, or how I could find out? I tried putting “return (pass)” at the top of the vcl_recv (assuming this will basically disable all varnish caching) and it didn’t help. Is there a way to debug piwik to get any idea of what the problem might be? Thanks!

(Matthieu Aubry) #2

Maybe the NGinx Piwik config project would help you? GitHub - perusio/piwik-nginx: Nginx configuration for running Piwik

(Matthieu Napoli) #3

I’m copy-pasting my answer from StackOverflow so that others can bounce on it:

I’m not so sure about that but “Form security failed” would suggest to me that maybe Varnish cached the login page. And I think that there is a CSRF token (a unique ID) in the login form that changes everytime.

So maybe because of the cache, the CSRF token is always the same and thus invalid when you try to login. Could you configure Varnish so that the login form is not cached?


Yeah, that was my main thought too, but as far as I can tell, my varnish config should be handling piwik properly.

This is such a pain. Is there any way to debug what might be going on here?

(Matthieu Napoli) #5

If I were you I would try by disabling Varnish first, see if it has anything to do with it?


I tried every possible way I could figure out to make varnish not cache piwik and nothing seemed to work. I decided to bite the bullet and switch everything back to straight up nginx and no varnish, and low and behold, it all worked again.

My solution: I made varnish listen on port 80, but piwik listens on port 85 with nginx instead, completely bypassing varnish. Everything works 100% again! This is obviously not the most ideal of solutions, but it works and it’s saving me hours of frustration that should be spent elsewhere. Thanks for the help, everyone.