LoginPage HTTPS, Tracking HTTP

Hello out there,

I tried to make Piwik working that way, that the login page is only available via HTTPS and tracking should still work via HTTP. I thought this would be straight forward, but well, it isn’t.

Piwik is running on Version 3.04 using apache2 2.4.10 on Debian 8.9.

What I’ve done:

  1. I tried the Piwik Options force_ssl = 1 and force_ssl_login = 1 . Unfortunately those had not the effect I wanted. The login page was still accessible using HTTP, but the login does not work. So people who weren’t aware that they tried to log in using HTTP asked me, why this is not working.

So I tried the following in the apache vhost:

RewriteEngine on
RewriteCond %{REQUEST_URI} !=/piwik.js$ [NC]
RewriteCond %{REQUEST_URI} !=/piwik.php$ [NC]
RewriteRule ^/$ https://url-to-piwik/index.php [L]

I imagined this to let tracking requests through and pass over everything else to HTTPS. Actually this should work:
I see the piwik.php line in the access log. The Log Importer tells me that he successfully imported those lines. After that I called

./console core:archive --force-all-websites --force-all-periods=315576000 --force-date-last-n=1 --url=http://url-to-piwik

but these entries never showed up in the webinterface.

I then tried to change the RewriteRule to ^/index.php$ https://url-to-piwik/index.php and disabled the RewriteCond lines. Unfortunately this blew up the webinterface completely due to too many redirects.

I assume that Piwik itself redirect the traffic, although I disabled force_ssl = 1 and force_ssl_login = 1 when I started using apache redirects.
In addition I’m wondering why the tracking entries are successfully imported from the access log, but never show up in Piwik.

I hope you can give me some hints.



I am not that familiar with apache configs and the log importer, so I can’t help much with that.

But I am not sure if I understand your premise. If you have configured HTTPS on your piwik instance, why do you want to still allow HTTP? You can include the HTTPS tracking code into every website and as a result don’t send your user’s data in clear over the internet.
Allowing HTTP seriously undermines the security of HTTPS as everyone who wan’t to intercept the connection only needs to block HTTPS traffic and get all data in unencrypted form.

I’d recommend you to only use HTTPS, redirect all HTTP to HTTPS and change the tracking code to only send data via HTTPS.

Hi Lukas,

I agree with you, but I’m only the sysadmin who has to keep this running. Unfortunately it’s the decision of the developers and the bosses. They dont’t see it that critical because all tracking data stay inside of our datacenter.