Required Private Directories | Recommended Private Directories

Hi there,
We are using Matomo on-premises on Ubuntu 22.04 LTS with apache2 as the webserver. We are getting the following warnings on the admin side of Matomo.

Please help me to fix the issue. Thank you so much in advance!

    <VirtualHost *:80>
        ServerAdmin web@mydomain.com
        ServerName mydomain.com
        ServerAlias www.mydomain.com
        DocumentRoot /var/www/html/matomo
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <IfModule !mod_php7.c>
            ProxyPass /config !
            <FilesMatch "^/(config|tmp|core|lang)$">
                Require all denied
            </FilesMatch>
        </IfModule>

        <Directory /var/www/html/matomo>
            DirectoryIndex index.php
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =www.my-domain.com [OR]
        RewriteCond %{SERVER_NAME} =my-domain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

Hi @Naser_Aslam
Can you manage this problem with .htaccess files?
Also have a look at:

And:

Ideally the files should not be in a public folder. But the htaccess protection is good enough as a firewall/sandbox.

The root problem is that my installation didn’t create the htaccess (I guess not enough file permissions to write the file, but it didn’t show an error). The htaccess is good enough as security.

I will test it soon in another server and debug the installation, why the file was not created.

The installer checks a hundred things, but not if the disk is writable,
or if the .htaccess file is there.

It’s the Murphy’s law case. “That will never happen”. But I managed to trigger the bug.
The rule never to ignore errors, but break on critical errors.

A “defensive programming” approach could be to have a default .htaccess in the GitHub repository which will get replaced, and the default redirects to an error page to tell that something is wrong with the htaccess and it needs to be generated.

Also, one suspicious thing is to use a “.zip” file on a Unix server, as all the file permissions get lost. Normally it's better to have a .tgz install file. I tried to follow the instructions. Maybe the behaviour is different when cloning the GitHub project instead of using the compiled .zip.
Also some file permissions might change if you upload files with FTP, or upload the zip and extract it on the server via SSH (bash).

1 Like
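
The check the post above asks of the installer (is the `.htaccess` there, and could it have been written), as an added shell example that is not part of the thread or of Matomo's code. The directory list is an assumption taken from the `FilesMatch` pattern in the first post, and the deny-rule match is a simple heuristic.

```shell
#!/bin/sh
# Added example: audit a Matomo tree for per-directory .htaccess files.
# Assumption: directory names come from the FilesMatch pattern quoted in this thread.
PRIVATE_DIRS="config tmp core lang"

# check_private_dirs ROOT
# Prints one finding per directory; returns 0 only if every existing
# private directory has an .htaccess containing a deny rule.
check_private_dirs() {
    root=$1
    rc=0
    for d in $PRIVATE_DIRS; do
        dir="$root/$d"
        ht="$dir/.htaccess"
        if [ ! -d "$dir" ]; then
            echo "SKIP     $d: directory not present"
            continue
        fi
        if [ ! -f "$ht" ]; then
            # Separate "never created" from "could not be created".
            if [ -w "$dir" ]; then
                echo "MISSING  $d/.htaccess (directory is writable)"
            else
                echo "MISSING  $d/.htaccess (directory not writable by $(id -un))"
            fi
            rc=1
        # Heuristic: accept Apache 2.4 or 2.2 deny syntax, indented or not.
        elif ! grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$ht"; then
            echo "WEAK     $d/.htaccess has no deny rule"
            rc=1
        else
            echo "OK       $d/.htaccess"
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /var/www/html/matomo
if [ "$#" -gt 0 ]; then
    check_private_dirs "$1"
fi
```

A file that is present only protects the directory if the virtual host serving the request allows overrides there, as the port 80 vhost in the first post does with `AllowOverride All`.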

Hi @Unterberger.Media
Can you add your interesting information in the GitHub ticket? This can help development team to improve the distribution and/or the documentation…

Sure, I can share my findings. First I need to replicate the issue, and fix my installation. It will take a few days. As this is a “theoretical” problem, and not immediate, my priority to fix it is medium and not highest on my list.

I am lucky to have different projects and servers to test it and figure out if it is a one-off and I made mistakes installing it, or if it is a repeatable bug.

And even if i made it wrong, the manual/tutorial installing it, and the install wizard, should make aware of this rare case.

I think it went under the radar, as my Matomo installation “works” even without the htaccess, but I got suspicious in terms of security.

Digging deeper in this forum I learned after a while that the project takes this seriously enough (e.g. protecting private files with a htaccess) and my installation has an error. Still it holds true that build tools should not be in the public folders in the first place, because things can always break in ways which are out of your control.

Statistically probably a few people of the 100k to 1 million users of Matomo server also had the bug, but it is probably not often. And the cloud version is safe with a correct installation.

It's good that these topics can be discussed in the forum, which might take a few days, but surfaces interesting information which is hidden when you just browse the manual.

I have another “bug” with “custom dimensions”, even from when it was still Piwik. So I will do some research into what I might be doing wrong. (It's a behaviour which worked in Google Analytics, but porting it to Matomo, it does not behave in an expected way.) I am not sure if I use it wrong, or if it's a bug. I will do some research and open another thread/question.

Hi @Unterberger.Media ,
Actually, it was my mistake or blunder: I was updating the config file which was redirecting all the traffic to another file, i.e. the port 443 SSL file.

I added the following configuration in the config file which is listening on port 443 and the error was resolved.

However, thanks for your explanation!

But that is useful information, “sharing your mistake”. I think this forum with the open general question is the field of “fuzzy and confusing” things, where one can find the odd and strange rare cases and get ideas how to solve it. 99% is in the manual and doing it right. This forum is for the 1% of odd things. And sometimes it's real bugs in strange combination, and sometimes it's just doing it wrong, but one gets hints to find the right way to do it.

1 Like