Segment mail does not use site_url for link replacing and tracking

Your software
My Mautic version is: 3.2.4
My PHP version is: docker base image php:7.3-apache
My Database type and version is: MariaDB

Your problem
Hello, because I did not get any reply on github I would like to ask about possible solution here. Here is github issue link:

I described everything in the issue above. This problem makes Mautic Segment Mail completely unusable and dangerous from a business point of view (sending broken links) when logging in to Mautic from the internal network while login from the public side is disabled for security reasons.

These errors are showing in the log:
None

Steps I have tried to fix the problem:
I tried to run the localhost proxy to check if segment mail will contain localhost in links but they didn’t. I wonder if there is an option to set some headers just before request gets to Mautic to go around this issue.

I would be glad even for a pointer to where the code is that incorrectly replaces these links so I can think of a workaround.

Hello!
So if I understand right:
Your Mautic is installed on localhost:80. This is your Mautic URL.
When you ENABLE TRACKING (which is optional) your links in emails will be overwritten by Mautic. By redirecting the links, clicks can be registered. If you are sending from localhost, then you cannot receive incoming information (localhost is not a working domain outside of your network).
Solution:

  1. install Mautic on a qualified domain name
  2. remove tracking

BTW - how would your unsubscribe work?
Joey

I think I understand why you didn’t get an answer on github. Even after reading it several times it’s still difficult to understand what you are trying to achieve.

Is security the reason why you are trying to make it so complicated? Sorry for the question, but I am also trying to learn.

Mautic is made to run on an accessible address. All the functionality is connected with that. I think the developers didn’t predict that anyone could make a setup like yours.

Mautic is run on Docker and localhost:80 is not my Mautic URL.

Let's say that my X address is https://internal.mautic.com and my Y address is https://public.mautic.com. I will also make things simpler.

So, Mautic is being run on Kubernetes. There are two Kubernetes ingresses, one which exposes Mautic on https://internal.mautic.com and another that exposes Mautic on https://public.mautic.com.

https://public.mautic.com is made in a way that it only allows tracking links to be accepted. If you go to https://public.mautic.com/s/login you will be denied.

Now, site_url is set to https://public.mautic.com. I log in to Mautic via https://internal.mautic.com, which is an address accessible in my internal network. I create a campaign with a “Send Mail” step in it. Mautic replaces links. I check the resulting email in my inbox and I see that all tracking links, tracking pixel etc. begin with “https://public.mautic.com/…”. Everything works correctly and because https://public.mautic.com is a public domain, everyone else can be tracked.

Now I log in to Mautic via https://internal.mautic.com again and create a Segment Mail instead of a campaign with “Send Mail” in it. I click “Send” on the Segment Mail to begin sending and then I check my inbox. I see that all tracking links, tracking pixel etc. begin with “https://internal.mautic.com/…” and this is incorrect because my site_url is still https://public.mautic.com, so all links should begin with “https://public.mautic.com/…” but they don’t. If I log in to Mautic via https://public.mautic.com (which won’t be possible after blocking admin URLs publicly) and I create a Segment Mail and send it, I will see that all tracking links, tracking pixel etc. begin with “https://public.mautic.com/…”.

My point is that Segment Mail shouldn’t use unknown browser data, as it does now, when replacing links; it should always use site_url.

I understand. I hope I explained it more clearly above in my reply to Joeyk. I am sorry if the issue is not clear, I hope it’s now better.

Mautic is a PHP application that can contain sensitive data. I want to separate network traffic between the publicly available and the internal network, allowing everything in the internal network but only tracking URLs on the public internet, so the world can’t see any API URLs or login pages of Mautic. This avoids any kind of brute-force attack on my login page from the internet.

Also, Mautic is not GDPR compliant with cookies (lack of tracking cookie consent management), and because I do not use Mautic tracking outside of emails and specific landing pages, I don’t really need them. So I disable Set-Cookie headers on the public instance and I don’t need to bother with getting cookie consent for cookies I don’t need in the first place. Email Clicks work correctly as well as Open Pages (they still need the tracking pixel for that, however) and that’s all I need. Lack of Set-Cookie also means that /s/login does not work properly, but I do not want anyone to log in to Mautic via the publicly available address, so for me it is acceptable.
At the same time, there’s an internal address with everything allowed, only available inside my network, where administrators can log in.

Hey,
Yeah, consent management comes up from time to time… I think it is not in the scope of Mautic; there are 10 free solutions for that on GitHub.

The funny thing is that Mautic is supposed to use the site_url saved in local.php when overwriting tracking links. This is how it works on all my instances. It has nothing to do with your browser URL.
I’m really confused why this is not the case for you.

Joey

Could you tell me which file on github handles link replacing? I would like to look at it closer and find where the issue is.

Sorry, no idea. Maybe you want to create a GitHub issue, so that coders can give you a hand instead of me (a simple user) giving ideas?

I think I found a partial reason and an easier way to make the issue visible.

The wrong address is returned by the router->generate method in mautic/AbstractCommonModel.php at a16eb83f6cff0d3c5ea39bc172a5eb262ce2616b · mautic/mautic · GitHub

Unfortunately I can’t find any code where that router is created and I do not know what parameter it is using.

Easy way to reproduce:

  • Install Mautic on localhost. Note the port. I am using port 8100 in this example.
  • Install nginx and put the following configuration:
server {
        listen 8877;

        location / {
                # Assuming that your Mautic instance is on port 8100
                proxy_pass http://localhost:8100;
                proxy_redirect off;

                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
        }
}
  • Set site_url in Mautic to localhost:8877; it’s the address of the nginx proxy.
  • Run the MailHog Docker image or any other application to get a “dummy” SMTP server: docker run --network host -it mailhog/mailhog. The MailHog UI for checking emails will be accessible at http://localhost:8025/.
  • Configure Mautic to use MailHog: Other SMTP server, address localhost, port 1025.
  • Log in to Mautic via the original port, in my case it’s localhost:8100. This is extremely important.
  • Create any contact with any email (it does not matter because MailHog accepts everything), then create a segment that contains that contact.
  • Create a campaign for the segment above with just a Send Email step. The email needs to contain any link. Trigger it and check the content in MailHog. All links in the email should begin with localhost:8877/...
  • Go to Channels and duplicate the email you created for the campaign, but create it as a Segment Email. Set the target to the same segment you used in the previous campaign.
  • Send that Segment Email by clicking Send in the UI.
  • Check that segment email in MailHog. All URLs in the email will begin with localhost:8100/... which is incorrect because site_url is localhost:8877.

My original issue was closed. Do you think I could open another issue with the content I wrote in this comment?

EDIT: I added a few things and made a new issue on GitHub.
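
Added example, not part of the original posts and not Mautic code: a small Python check that automates the last step of the reproduction above. It reads a captured message, collects every href/src URL in the HTML body and sorts it by origin, so links that point at the admin-side address instead of site_url stand out before a send goes to real contacts. The sample message, its paths and hashes are constructed; the ports follow the reproduction, and site_url is assumed to be written with its scheme.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Normalise a URL to (scheme, host, port), filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

class LinkCollector(HTMLParser):
    """Collect absolute http(s) URLs from href and src attributes."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and value.lower().startswith(("http://", "https://")):
                self.urls.append(value)

def classify_links(raw_message, site_url, internal_urls):
    """Sort every link in the HTML body by the origin it points at."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    expected, internal = origin(site_url), {origin(u) for u in internal_urls}
    result = {"site_url": [], "internal": [], "other": []}
    for url in collector.urls:
        o = origin(url)
        key = "site_url" if o == expected else "internal" if o in internal else "other"
        result[key].append(url)
    return result

# Constructed sample message; paths and hashes are made up for illustration.
SAMPLE = (
    "From: mautic@example.test\nTo: contact@example.test\n"
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><a href="http://localhost:8100/r/abc123">Offer</a>'
    '<a href="http://localhost:8877/r/def456">Other</a>'
    '<img src="http://localhost:8100/email/abc123.gif" width="1" height="1">'
    "</body></html>\n"
)

if __name__ == "__main__":
    report = classify_links(SAMPLE, "http://localhost:8877", ["http://localhost:8100"])
    for url in report["internal"]:
        print("internal origin in outgoing mail:", url)
```

Any entry under "internal" means the mail was built from the address the sender was logged in through rather than from site_url.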

Hi @tpapaj ,
Did you manage to find a solution for this? I have a similar issue with Mautic 4, segment mail sent the mails using the reverse proxy url instead of site_url.