Hi! Didn’t want to hijack someone else’s thread, so I started one here.
I downloaded and installed the latest.zip from today for piwik.
I installed it at analytics.mydomain.com
During the install everything installed correctly, except I got an error saying it couldn’t access piwik.php and that I should either change it to a post setup or disable and whitelist mod_security.
On my host we are allowed to use .htaccess files and create our own local php.ini files. So whenever I needed previously to turn off mod_security for previous other software I just dropped in a .htaccess file and that turned it off.
So I did the same thing here.
Here’s the code in the .htaccess file:SecFilterEngine Off SecFilterScanPOST Off
Theoretically the above code should turn off mod_security and has worked and is working in other directories for me for other software.
Everything looks correct, mod_security has been turned off, piwik settings are correct and yet still no tracking data. And no data showing up in my database for piwik.
I did notice that for the latest version of latest.zip, there were actually two piwik.js files showing up in the latest piwik zip. One located in the js directory that was 61kb and one located right in the root directory that was 16kb, both named piwik.js
Couple quick questions.
Is that supposed to be?
And which domain needs mod_security turned off? The subdomain where I put the piwik code or the domain that’s being tracked? Or both?
And what can I do now that I have disabled mod_security and have access to both the use of a .htaccess file and a local php.ini file if I need it.
Any help is much appreciated. In talking to my host provider turning off mod_security in both the subdomain and the domain being tracked should have removed any mod_security issues and whitelisted the domains.
For us people who can use htaccess file to turn stuff off on our own, what’s your best suggestion? Thanks!
Want to like this, can’t though if it doesn’t cooperate. =)
Thanks for your help,
Question: isn’t turning off mod_security and letting people send urls back inside the query string to your software kind of dangerous? ie…if I was a hacker I would just call that file, piwik.php with an engineered url… to gain control of stuff on the server side. At least I think I could. Any reason you need to send a full url? couldn’t you break it up into pieces and solve the problem and the need to send an entire url?