Hi,
I have just updated Matomo from 4.2.1 to 4.5.0 and noticed following critical errors at system check:
Required Private Directories
/config/config.ini.php
/tmp/cache/tracker/matomocache_general.phpWe found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.
We also found that Matomo’s config directory is publicly accessible. While attackers can’t read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
Recommended Private Directories
/tmp/
/lang/en.jsonWe found that the above URLs are accessible via the browser, but we recommend they should not be. If possible, please restrict access to them.
I have already done .\console core:create-security-files with success, but those errors wont go away. I thought that console command creates .htaccess files, but by my knowledge IIS wont handle .htaccess files.
/config.ini.php returns remotely blank page with “;”.
/tmp/ folder returns “nothing to see here”
/tmp/cache/tracker/matomocache_general.php returns blank page
/lang/en.json returns somekind of english json file…
How can I get rid of those error messages? Where is these security-files located based on IIS?
System info
Windows Server 2016
IIS 10
Matomo 4.5.0
PHP 8.0.12
MySQL 8.0.19