Piwik & mod_security Inquiry


#1

Hello,

We have installed Piwik on our dedicated server which is managed by a third-party server
management company. The server has mod_security set up. After reading the FAQ, we
found the following documentation and followed its indications, whitelisting our domains:

http://piwik.org/faq/troubleshooting/#faq_100

However, we did not disable mod_security for security purposes. In addition, we were not
able to apply the Piwik tracker changes because Piwik is installed on a different domain
than the domains we are tracking.

If it helps, we have the following customized Piwik tracker added to all of our pages:


     <script type="text/javascript">
          var pkBaseURL = (("https:" == document.location.protocol) ? "https://analytics.piwik-installed-domain.com/" : "http://analytics.piwik-installed-domain.com/");
          document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
     </script>
     <script type="text/javascript">
          try {
          var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
          piwikTracker.setDocumentTitle(document.title);
          tracker.setCookieDomain('*.piwik-tracked-domain.com');
          tracker.setDomains('*.piwik-tracked-domain.com');
          piwikTracker.trackPageView();
          piwikTracker.enableLinkTracking();
          } catch( err ) {}
     </script>
     <noscript>
          <p><img src="http://analytics.piwik-installed-domain.com/piwik.php?idsite=1" style="border: 0;" alt=""/></p>
     </noscript>

Finally, this is what we use on our 404 error page:


     <script type="text/javascript">
          var pkBaseURL = (("https:" == document.location.protocol) ? "https://analytics.piwik-installed-domain.com/" : "http://analytics.piwik-installed-domain.com/");
          document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
     </script>
     <script type="text/javascript">
          try {
          var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
          piwikTracker.setDocumentTitle(document.title);
          tracker.setCookieDomain('*.piwik-tracked-domain.com');
          tracker.setDomains('*.piwik-tracked-domain.com');
          piwikTracker.setDocumentTitle('404/URL = '+String(document.location.pathname+document.location.search).replace(/\//g,"%2f") + '/From = ' + String(document.referrer).replace(/\//g,"%2f"));
          piwikTracker.trackPageView();
          piwikTracker.enableLinkTracking();
          } catch( err ) {}
     </script>
     <noscript>
          <p><img src="http://analytics.piwik-installed-domain.com/piwik.php?idsite=1" style="border: 0;" alt=""/></p>
     </noscript>

We would appreciate any help we may receive. Thank you in advance.

Kind Regards,
Angelillennium


#2

Hello,

We have disabled mod_security and let one day go by but Piwik is still not tracking visitors. We would appreciate any help we may receive or any directions to look at to get Piwik running. Thank you in advance.

Kind Regards,
Angelillennium


(vipsoft) #3

Change tracker to piwikTracker.

That should fix the JavaScript error.


#4

[quote=vipsoft]
Change tracker to piwikTracker.

That should fix the JavaScript error.[/quote]

Hello vipsoft,

We have replaced tracker with piwikTracker and it is working now.

We would like to suggest that the following documentation be updated to reflect the correct code as we customized our tracker according to it.

http://piwik.org/docs/javascript-tracking/#toc-cookies-configuration-for-domains-and-sub-domains

Finally, we would like to ask if Piwik would work if mod_security is enabled but our domains whitelisted. The FAQ documentation suggests whitelisting domains and disabling mod_security at the same time, which is confusing.

Thank you for your time & assistance.

Kind Regards,
Angelillennium


(vipsoft) #5

We recommend disabling mod_security to generally avoid false positives due to its rules.

“Whitelisting the domain” is specific to Hostgator’s custom mod_security rules.


#6

[quote=vipsoft]
We recommend disabling mod_security to generally avoid false positives due to its rules.

“Whitelisting the domain” is specific to Hostgator’s custom mod_security rules.[/quote]

Hello vipsoft,

We understand the documentation better now. We appreciate your reply, as it clears up any confusion we had.

Thank you again for your time & assistance.

Kind Regards,
Angelillennium


#7

I know this is a bit late to the party, but hopefully this will help those who have issues with mod_security. For dedicated hosting (maybe possible on shared hosting as well, depending on what the hosting company allows you to do), create a custom ruleset, e.g. “modsecurity_crs_15_custom_rules.conf” (make sure it is numbered so that it comes right after the main configuration file in numeric order; the main file is usually named “modsecurity_crs_10_config.conf”).

In the custom rule file, add the following lines:


# Allow Piwik queries
# Each pair below is a chain: both SecRule lines must match before "allow" fires.
# Tracking endpoint: piwik.php requests that carry an action_name parameter
SecRule REQUEST_FILENAME "^/path_to_your_piwik_dir/piwik\.php$" "id:99998,log,phase:2,chain,allow"
  SecRule ARGS_NAMES "^action_name$"

# Backend/UI endpoint: index.php requests that carry a module parameter
SecRule REQUEST_FILENAME "^/path_to_your_piwik_dir/index\.php$" "id:99999,log,phase:2,chain,allow"
  SecRule ARGS_NAMES "^module$"


Remember to replace “path_to_your_piwik_dir” with the correct path to your Piwik installation directory. You can also use different id numbers as long as they are higher than the existing rules.

What this does is allow all query values to be passed on to Piwik as long as the file referred to is “piwik.php” or “index.php” and a query parameter is either “action_name” (for piwik.php, which is used for visitor tracking) or “module” (for index.php, which is used by the backend).

If you want, you can tighten the ruleset to exclude login attempts from the allowed values.

After you have applied the above, your server is still protected by mod_security, but you are handing the validation of passed tracking data to Piwik (in other words: you place your trust in the Piwik development team :) )
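To make the chain semantics of the two rules concrete, here is an added Python simulation (not part of the post, and not ModSecurity code): it evaluates request URLs against the same REQUEST_FILENAME/ARGS_NAMES conditions, and adds an assumed extra exclusion for index.php calls with module=Login (the Login module name is my assumption) of the kind the post suggests for keeping login attempts out of the blanket allow.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed model of the two chained SecRules from the post (placeholder path kept).
PIWIK_DIR = "/path_to_your_piwik_dir"
ALLOW_CHAINS = [
    # (REQUEST_FILENAME pattern, ARGS_NAMES pattern): both links must match
    (re.compile(rf"^{re.escape(PIWIK_DIR)}/piwik\.php$"), re.compile(r"^action_name$")),
    (re.compile(rf"^{re.escape(PIWIK_DIR)}/index\.php$"), re.compile(r"^module$")),
]


def _split(url):
    """Return (path, [(name, value), ...]) for a full URL or a path plus query."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def chain_allows(url):
    """True if one of the chains fires, i.e. the request is handed to Piwik
    without further inspection by the rest of the rule set."""
    path, args = _split(url)
    for filename_re, argname_re in ALLOW_CHAINS:
        if not filename_re.search(path):
            continue  # first link failed: this chain does not fire
        # ARGS_NAMES is a collection; the second link matches if ANY argument name does
        if any(argname_re.search(name) for name, _ in args):
            return True
    return False


def tightened_allows(url):
    """Same chains plus an assumed extra exclusion (not from the post):
    index.php calls with module=Login stay subject to the normal rules."""
    path, args = _split(url)
    if ALLOW_CHAINS[1][0].search(path) and dict(args).get("module") == "Login":
        return False
    return chain_allows(url)
```

Note that the noscript image beacon shown earlier in the thread (piwik.php?idsite=1) carries no action_name parameter, so the first chain does not fire for it and that request is still inspected by the rest of the rule set.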


(Matthieu Aubry) #8

@scomdev, thank you for the report here. At this stage Piwik is not compatible with mod_security. This is discussed, with links, in this ticket: New system check to warn that Piwik is not compatible with mod_security · Issue #3371 · matomo-org/matomo · GitHub

We will add a system check to warn about mod_security.

Maybe we could put in the FAQ your solution, if it still works with latest mod_security ruleset and latest Piwik version?