I have installed Piwik 2.0.3 as an https virtual host [with its own IP address, I’m not quite ready to assume that a sufficient proportion of commonly-used browsers/OSes (you know which one I’m pointing at) support SNI quite just yet] on our Apache 2.2 test webserver. The aim is for Piwik to be used by our handful of websites (some of which are https, some http).
I have never previously set up a website that needs to be simultaneously accessible via both https and http (for our previous https-only sites, I have created a separate stub Apache config file for the corresponding http version of the virtual host that basically just Redirects all requests to the https site).
Can anybody offer any advice about what I need to do to make my Piwik installation accessible via both https and http? (i.e., editing/extending my ‘port 443’ config file to include port 80 traffic as well, or duplicating the relevant parts into the port 80 file if that’s what I need to do.)
There’s then the question about force_ssl, but it’s not exactly clear from the documentation what that does. Does it mean that requests to the Piwik tracker from sites will use https to call Piwik (which would nicely solve my problem about needing to configure the Piwik site for http access as well (or would it?!) - or is using https in all cases going to give me ‘mixed content’ browser warnings on http client sites?)
After that, I need to set up my Piwik site so that only the necessary tracker files can be accessed by anonymous browsers, and access to the rest of the site is restricted to only permitted users (using Apache user authentication restrictions as a further fail-safe, just in case any vulnerabilities in the Piwik code are discovered.)
Thanks for any advice…