Error 403 with Drupal when I enter Matomo (Piwik) server URL

Hello,

When I enter my Matomo (Piwik) server URL : http://piwik.mysite.com/piwik.php and https://piwik.mysite.com/piwik.php, in drupal piwik module settings, I get this error :

The validation of "http://piwik.mysite.com/piwik.php" failed with an exception "Client error: `GET http://piwik.mysite.com/piwik.php` resulted in a `403 Forbidden` response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden (truncated...) " (HTTP code 403).
The validation of "https://piwik.mysite.com/piwik.php" failed with an exception "Client error: `GET https://piwik.mysite.com/piwik.php` resulted in a `403 Forbidden` response: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden (truncated...) " (HTTP code 403).

I understand that there is a permission problem but I don’t find which one…
Note that iframe to opt-out, which is linked with https://piwik.mysite.com, works well and I can manage Matomo (Piwik) in https://piwik.mysite.com

Thanks for your help

I specify that Matomo is in matomo folder out of www folder with no .htaccess

We are talking about Piwik Web Analytics | Drupal.org.

You need to enter the URL to the base directory, as stated under the input field. So please enter the URL without any PHP file (e.g http://piwik.mysite.com/) and it will work.

Thanks for your answer.
I made a mistake copying what I enter on field “Matomo (Piwik) server URL”, I entered correctly: http://piwik.mysite.com/ and https://piwik.mysite.com/ and the error message is which one with php file, I don’t know why…

Do you have shell access to the WP Server? If so, please run curl -vvv https://piwik.mysite.com/piwik.php and post the output. Also run curl -vvv https://piwik.mysite.com/piwik.php from a client you can connect to the matomo backend. If this fails, show your apache/nginx config of matomo.

Just to be sure: You don’t use the whitelist feature of matomo or you have whitelisted the ip of your WP server?

I access to Shell of my server and for curl -vvv https://piwik.mysite.com/piwik.php I get :

  • Hostname was NOT found in DNS cache
  • Trying xxx.xxx.xx.xx…
  • connect to xxx.xxx.xx.xx port 443 failed: Connection refused
  • Failed to connect to piwik.mysite.com port 443: Connection refused
  • Closing connection 0
    curl: (7) Failed to connect to piwik.mysite.com port 443: Connection refused

I don’t know how to run curl -vvv https://piwik.mysite.com/piwik.php from a client I can connect to the matomo backend. What does it mean ?

Where can I found my apache/nginx config of matomo ?

About IPs, I had IP of my home in “Global list of exclued IP”. I had piwik.mysite.com and www.mysite.com in the trusted hosts.

Thanks for your help !

e.g. your local PC

Well, on the host for matomo in your sites-enabled folder. For apache2 this is most likely /etc/apache2/sites-enabled/matomo.conf.

Ok, results of my preview comments is from PuTTY connected to the host server… :slight_smile:

I juste have a Sharehost server and I can’t have apache config. I just have matomo config displays on Matomo UI…

Ok, what happens if you open https://piwik.mysite.com/piwik.php in you browser?

When I open https://piwik.mysite.com/piwik.php in my browser I get this message :

This resource is part of Matomo. Keep full control of your data with the leading free and open source digital analytics platform for web and mobile.

I move piwik folder from the outside of www to inside of www folder but nothing better…
Maybe I made mistake in the settings

Ok, it does not help any more, you need to tell someone the real url of your matomo instance. Please provide it via PM if you dont want to post it here.

Where is nothing in matomo what will block access to piwik.php (as far as I know). So it needs to be a blockade on webserver level, maybe a useragent blocker for curl or so.

As I already thought, there is a useragent blocker in place:

[13:38 dellwing@dellwing Downloads] > curl https://piwik.mysite.com/piwik.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
</body></html>
[13:38 dellwing@dellwing Downloads] > curl -H "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0" https://piwik.mysite.com/piwik.php
This resource is part of Matomo. Keep full control of your data with the leading free and open source <a href='https://matomo.org' target='_blank'>digital analytics platform</a> for web and mobile.

So you have two options:

  1. Modify the piwik Drupal-plugin to fake the user agent.
  2. Ask your shared hosting provider to remove this blockade.
1 Like

Ok, but to be precise on my request to the host provider, what is the blocking? the name of the file piwik.php?

No, everything that is not a “known” Browser (Firefox, Chrome, …). You can’t even curl on https://piwik.mysite.com. This is most likely in place to block bots and other automatic scans. And should be no problem for the drupal plugin once it accepted the url as valid, because the tracking code will be loaded by the user with a real browser.

My tip would be to use option 1 if you have some clue of what you are doing. There are 3 places (once in piwik.module and twice in piwik.admin.inc) where drupal_http_request is called and on all places there have to be a second parameter added:

array(
'header' => array(
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0'
)
)

So it would look like:

$result = drupal_http_request($url, array(
'header' => array(
'User-Agent' => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0'
)
));

See https://api.drupal.org/api/drupal/includes!common.inc/function/drupal_http_request/7.x for more information.

Thank you @fdellwing for your help.
I contacted my host who suggested that I disable the firewall (I did not know there was one).
Now everything is working :grinning:

1 Like

I never heard of a firewall like that. Glad it worked out!