Anoia
October 24, 2018, 7:36pm
1
Dear community,
Since the beginning we have used the suggestion below on how to protect index.php, and created an insec.php which is accessible from outside and is used in the OptOut frame instead of index.php:
GitHub issue: opened 08:06AM - 19 Dec 16 UTC, closed 03:29PM - 20 Feb 17 UTC, labelled wontfix
Piwik should strictly differentiate between (tracking) requests from users and admin requests from staff.
At the moment the opt-out function is done by index.php, which normally handles admin/staff requests. Thus it is hard to make the login page safe. (Every web admin knows that login pages get daily brute-force attacks by scripts from the Internet :-/)
-------
At the moment I am using a work-around. We have this situation:
`#Internet <--|--> [head www server: www.mydomain.de] <-----> [piwik webserver: piwik.mydomain.de] `
Staff can directly access Piwik by http://piwik.mydomain.de/piwik/
Users call Piwik (files) by http://www.mydomain.de/piwik/
I add some Apache rewrite rules on the head webserver to avoid login attacks from the Internet:
```
# Do not allow anyone from outside (!) to access /piwik/index.php
RewriteRule ^/piwik/index.php(.*)$ - [F,L]
RewriteRule ^/piwik/$ - [F,L]
# Define a virtual file optout.php that calls index.php with predefined parameters;
# %2 is the idsite value captured by the second RewriteCond below
RewriteCond %{REQUEST_URI} ^/piwik/optout.php$
RewriteCond %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule ^(.*)$ http://piwik.mydomain.de/piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [P,NE,L]
# All other requests are sent to the piwik server
ProxyPass /piwik/ http://piwik.mydomain.de/piwik/
ProxyPassReverse /piwik/ http://piwik.mydomain.de/piwik/
```
Greetings - Andreas
In 3.6.x some inline JavaScript in CoreAdminHome was moved to a separate file (optout.js) due to CORS issues.
While I can completely understand the reason for the separation, unfortunately this prevents the above solution and the OptOut from working: the optout.js is blocked.
Any suggestions on how to handle this now? I'm reluctant to open up the WAF config for this single file.
Many thanks in advance!
fdellwing
(Fabian Dellwing)
October 25, 2018, 7:19am
2
Just use the index.php for the opt-out and open access to it with:
```
# Default: everything is only reachable from the internal subnet
<Files "*">
Require ip 192.168.1.0/24
</Files>
# Allow external access to piwik.php and piwik.js and robots.txt
<FilesMatch "(^(piwik|matomo)\.(php|js)|robots\.txt)">
Require all granted
</FilesMatch>
# Allow Opt-Out: index.php only when the query string starts with the opt-out
# module/action and does not repeat module= or action= later on
<Files "index.php">
<If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
Require all granted
</If>
</Files>
```
This allows access to index.php if the opt-out is called and blocks all other access to it except from the subnet 192.168.1.0/24.
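To sanity-check what that allow-list admits, here is an added Python model of the rules (my own example, not part of the answer or of Matomo): it reproduces the `<If>` regular expression and the section order, with the subnet and file names taken from the answer above; the sample client addresses are constructed.

```python
import ipaddress
import re

# Constructed model of the Apache sections in the answer; it is not Apache itself,
# only the decision logic, so the regexes can be checked against sample requests.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# <FilesMatch>: tracker endpoint, tracker script and robots.txt stay public.
PUBLIC_FILE_RE = re.compile(r"(^(piwik|matomo)\.(php|js)|robots\.txt)")

# <If> expression: the query must START with the opt-out module/action and must not
# repeat module= or action= later, which would let a caller override the allowed values.
OPTOUT_QS_RE = re.compile(
    r"^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)"
)


def optout_allowed(query_string: str) -> bool:
    """True if the query string matches the opt-out allow-list regex."""
    return OPTOUT_QS_RE.search(query_string) is not None


def request_allowed(client_ip: str, filename: str, query_string: str = "") -> bool:
    """Return True if the modelled config grants the request.

    Section order as in the answer (AuthMerging Off, so a later Require replaces
    the earlier one): <Files "*"> restricts everything to the internal subnet,
    <FilesMatch> then grants the public files to everyone, and the <If> inside
    <Files "index.php"> grants index.php only for the opt-out query string.
    """
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return True
    if PUBLIC_FILE_RE.search(filename):
        return True
    if filename == "index.php" and optout_allowed(query_string):
        return True
    return False


if __name__ == "__main__":
    # Constructed external client; 203.0.113.0/24 is a documentation range.
    for qs in ("module=CoreAdminHome&action=optOut&idsite=1&language=de",
               "module=CoreAdminHome&action=optOut&module=Login",
               "language=de&module=CoreAdminHome&action=optOut"):
        print(qs, "->", request_allowed("203.0.113.5", "index.php", qs))
```

The second and third sample queries are rejected on purpose: a repeated `module=` would override the allowed module, and the anchoring at the start of the string stops a caller from placing other parameters in front of it.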