3.6.1: Suggestion how to secure index.php from outside no longer working (inline js moved to file)

Anoia · October 24, 2018, 7:36pm

Dear community,

since the beginning we used the suggestion below how to protect index.php and created an insec.php which is accessible from outside and used in the OptOut Frame instead of index.php.:

github.com/matomo-org/matomo

Security improvment: put the optout function in another file

opened 08:06AM - 19 Dec 16 UTC

closed 03:29PM - 20 Feb 17 UTC

bohnelang

wontfix

Piwik should strictly differ between (tracking) requests from users and admin re…quests from staff. At the moment the optout function is done by index.php that normally handle admin/staff requests. Thus it is hard to make the login-page safe. (Every web admin knows, that login pages have daily brute force attacks by scripts from Internet :-/) ------- At the moment I am using a work-around: We have this situation `#Internet <--|--> [head www server: www.mydomain.de] <-----> [piwik webserver: piwik.mydomain.de] ` Staff can directly access Piwik by http://piwik.mydomain.de/piwik/ Users call Piwik (files) by http://www.mydomain.de/piwik/ I add some Apache Rewrite rules on the head webserver to avoid login attacks from Internet: ``` #Do not allow anyone from outside (!) to access /piwik/index.php RewriteRule ^/piwik/index.php(.*)$ - [F,L] RewriteRule ^/piwik/$ - [F,L] #Define a virtual file optout.php that calles index.php with predefined parameter RewriteCond %{REQUEST_URI} ^/piwik/optout.php$ RewriteCond %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$ RewriteRule ^(.*)$ http://piwik.mydomain.de/piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [P,NE,L] #All other requests are send ot the piwik server ProxyPass /piwik/ http://piwik.mydomain.de/piwik/ ProxyPassReverse /piwik/ http://piwik.mydomain.de/piwik/ ``` Greetings - Andreas

In 3.6.x some inline javascript in CoreAdminHome was moved to a separate file (optout.js) due to CORS issues.
While I can completely understand the reason for the separation, unfortunately this prevents the above solution and the OptOut from working. The optout.js blocked.

Any suggestions how to handle this now? I’m reluctant to open up the WAF config for this single file.

Many thanks in advance!

fdellwing · October 25, 2018, 7:19am

Just use the index.php for the optout and open the access to it with:

<Files "*">
 Require ip 192.168.1.0/24
</Files>
 
# Allow external access to piwik.php and piwik.js and robots.txt
<FilesMatch "(^(piwik|matomo)\.(php|js)|robots\.txt)">
 Require all granted
</FilesMatch>

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
   Require all granted
 </If>
</Files>

This allows access to the index.php if optout is called and blocks all other access to it except from the subnet 192.168.1.0/24.