3.6.1: Suggestion how to secure index.php from outside no longer working (inline js moved to file)


Dear community,

since the beginning we used the suggestion below how to protect index.php and created an insec.php which is accessible from outside and used in the OptOut Frame instead of index.php.:

In 3.6.x some inline javascript in CoreAdminHome was moved to a separate file (optout.js) due to CORS issues.
While I can completely understand the reason for the separation, unfortunately this prevents the above solution and the OptOut from working. The optout.js blocked.

Any suggestions how to handle this now? I’m reluctant to open up the WAF config for this single file.

Many thanks in advance!

(Fabian Dellwing) #2

Just use the index.php for the optout and open the access to it with:

<Files "*">
 Require ip
# Allow external access to piwik.php and piwik.js and robots.txt
<FilesMatch "(^(piwik|matomo)\.(php|js)|robots\.txt)">
 Require all granted

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
   Require all granted

This allows access to the index.php if optout is called and blocks all other access to it except from the subnet