Apache https and http config for Piwik?


#1

Hi,

I have installed Piwik 2.0.3 as an https virtual host [with its own IP address, I’m not quite ready to assume that a sufficient proportion of commonly-used browsers/OSes (you know which one I’m pointing at) support SNI quite just yet] on our Apache 2.2 test webserver. The aim is for Piwik to be used by our handful of websites (some of which are https, some http).

The first site that I have tried to monitor with Piwik uses only http, and it looks to me that the Piwik JavaScript snippet decides to connect to the Piwik installation via https or http, depending on the protocol of the site that the snippet is running on? (It also looks as though the noscript img line is hardcoded to http…?)

I have never previously set up a website that needs to be simultaneously accessible via both https and http (for our previous https-only sites, I have created a separate stub Apache config file for the corresponding http version of the virtual host that basically just Redirects all requests to the https site).

Can anybody offer any advice about what I need to do to make my Piwik installation accessible via both https and http? (ie, editing/extending my ‘port 443’ config file to include port 80 traffic as well, or duplicating the relevant parts into the port 80 file if that’s what I need to do.)

There’s then the question about force_ssl, but it’s not exactly clear from the documentation what that does? Does it mean that requests to the Piwik tracker from sites will use https to call Piwik (which would nicely solve my problem about needing to configure the Piwik site for http access as well (or would it?!) - or is using https in all cases going to give me ‘mixed content’ browser warnings on http client sites?)

After that, I need to set up my Piwik site so that only the necessary tracker files can be accessed by anonymous browsers, and access to the rest of the site is restricted to only permitted users (using Apache user authentication restrictions as a further fail-safe, just in case any vulnerabilities in the Piwik code are discovered.)

Thanks for any advice…


(Matthieu Aubry) #2

You need to view it more simply: set up https:// on your piwik so that tracking works without browser warnings to your customers when they are using ssl. Then simply enable the force_ssl option because that’s just better. That’s it, enjoy.


#3

Thanks, Matt.

Are you saying that I don’t need to worry about setting up my Piwik website to respond to plain http requests at all?

At present, my Apache config has a proper VirtualHost for my https Piwik installation (eg, https://webstats.example.org), and a ‘stub’ http VirtualHost (http://webstats.example.org), which has a different DocumentRoot which contains only a test ‘home page’ for now. Am I able to (and should I?) change the DocumentRoot for the http version of my Piwik installation to be the same as for the https version, or should I just ignore it?

I don’t want to allow access to the Piwik admin area via http (for obvious reasons), and if you are saying that I can include https calls to Piwik even from http sites, then maybe I don’t need plain http access at all?

Do I need to change my Piwik code on tracked websites?

The default code contains:


var u=(("https:" == document.location.protocol) ? "https" : "http") + "://webstats.example.org/";

Can I then just change this to the following on each tracked site (regardless of whether the tracked site is http or https)?


var u="https://webstats.example.org/";

And similarly for the noscript image (change the http to https in all cases)?


<noscript><p><img src="http://webstats.example.org/piwik.php?idsite=1" style="border:0;" alt="" /></p></noscript>

[Edit: corrected typo]


(Matthieu Aubry) #4

Your piwik should reply to both http and https
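One way to lay out the Apache 2.2 virtual hosts for the arrangement discussed above (tracker requests answered over both http and https, the reporting UI reachable only over https and additionally guarded by Apache user authentication as asked for in post #1). This is an added example, not configuration from the thread or from the Piwik project; the IP address, file paths and the assumption that piwik.js and piwik.php are the only files tracked sites fetch anonymously are mine.

```apache
# Added example. Assumes Apache 2.2, hostname webstats.example.org,
# Piwik installed under /var/www/piwik, and that piwik.js and piwik.php
# are the only files browsers on tracked sites need to request anonymously.

# Port 80: answers tracker requests from plain-http sites only.
# Every other path is redirected to the https host.
<VirtualHost 192.0.2.10:80>
    ServerName webstats.example.org
    DocumentRoot /var/www/piwik
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(piwik\.php|piwik\.js)$
    RewriteRule ^(.*)$ https://webstats.example.org$1 [R=301,L]
</VirtualHost>

# Port 443: the full Piwik site. Apache Basic auth covers the whole tree
# as a second layer in front of the Piwik login, except the tracker files.
<VirtualHost 192.0.2.10:443>
    ServerName webstats.example.org
    DocumentRoot /var/www/piwik
    SSLEngine on
    # Placeholder certificate paths.
    SSLCertificateFile    /etc/ssl/certs/webstats.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/webstats.example.org.key

    <Directory /var/www/piwik>
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        AuthType Basic
        AuthName "Piwik reporting"
        # Placeholder htpasswd path; create it with htpasswd(1).
        AuthUserFile /etc/apache2/piwik.htpasswd
        Require valid-user
    </Directory>

    # Tracker endpoints stay open: Satisfy Any lets the host-based Allow
    # grant access without the Basic auth challenge above.
    <Files ~ "^piwik\.(php|js)$">
        Satisfy Any
        Allow from all
    </Files>
</VirtualHost>
```

With this split, the tracked sites can keep the default protocol-switching snippet or hard-code https; either way only piwik.php and piwik.js are ever served without credentials over plain http.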