Block admin panel from the internet on proxy


We are experiencing more complicated problem, than we though it will be. We want to block administrative pages from the internet on our proxy and allow only VPN IP’s to it. It can be done in config.ini.php by adding serveral

login_allowlist_ip[] = ip.ip.ip.*

lines. It still triggers a little of PHP code and we would prefer to have this blocked by a dedicated proxy, which can deal with most of basic attacks, including DDoS.

We would want to block all incoming traffic matching “matomo.php” on proxy, but it turns out we can not. Klaro cookie agreement form is hitting

matomo.php?action_name=[name of the site]&idsite=2&rec=1&r=668716&h=8&m=22&s=45&url={}

to accept cookies and it has to be exposed to the internet. Is still could be used for attacks, simply by spamming those requests over and over. We can deal with that. Our concern is, that it passes trough “matomo.php” code.

Is there any way to block any URL’s matching “matomo.php” (and access to the admin panel) from the internet without breaking cookie consent forms? Something like blocking “/wp-admin”
on a proxy. We could limit access to it to 10000 per minute or something like that, or set alerts when it increases above some high threshold. Those are still valid choices and we are working on that. I wonder if any of You got better solution.

Thank You.

Hi @lpcezgovpl
I don’t understand… You wish block the access of admin panel, but try to block matomo.php, whereas this path is used only for tracking. The admin (+login) should be index.php.
Why don’t you configure just the proxy? It should be its job filtering a set of IPs (through the VPN ) to access only index.php, and other IPs to access only matomo.php…

This might be it. I will check it again if no traffic goes trough “index.php”. Thanks.

It can be done in Apache with:

 <Location />
   RedirectMatch ^/$ /index.php

Poking index.php from outside can be easily detected and blocked. It may be even better to set this redirect on proxy itself, but it is out first step.

1 Like