Required Private Directories

After upgrading to Matomo 4.3 I started receiving the following critical issues under the system checks. How do I change the access restrictions on these files? Is this done at a system level or web server level? I am currently running Apache2 as my web server. These errors did not occur before the 4.3 upgrade.

Required Private Directories:
/config/config.ini.php
/tmp/
/tmp/empty
/tmp/cache/tracker/matomocache_general.php
/lang/en.json

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

We also found that Matomo’s config directory is publicly accessible. While attackers can’t read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.

I have the same problem.
Matomo crashes when you want to go to Personal or Diagnostics!
View log :

Hi @kdmail001,

Have you checked if those files are public (as in, e.g., https://your.matomo//lang/en.json returns the content of the files)?

@Pi_Manu, your issue sounds a bit more like this:

Oh thank you!

I had searched everywhere but obviously I missed this topic.
This corrected my problem.

Thank you again

If I check the URL to the en.json file in a browser it does return the json contents. What is the best way to correct this?

Hi @kdmail001,

In theory Matomo generates a bunch of .htaccess files that should deny the access, but it seems like this isn’t working for you.
If you use Apache, double-check everything (maybe you have disabled the htaccess support).
If you use nginx, use https://github.com/matomo-org/matomo-nginx/issues as an inspiration.
If you use any other webserver, you will probably have to create your own webserver rules based on the others.

@Lukas

I am using Apache and I verified that .htaccess files are set up to be used in the conf file. See httpd.conf below.

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>

I looked in the matomo tmp directory and I saw the following .htaccess file. Does this look correct?

# This file is auto generated by Matomo, do not edit directly
# Please report any issue or improvement directly to the Matomo team.

# First, deny access to all files in this directory
<Files "*">
<IfModule mod_version.c>
        <IfVersion < 2.4>
                Order Deny,Allow
                Deny from All
        </IfVersion>
        <IfVersion >= 2.4>
                Require all denied
        </IfVersion>
</IfModule>
<IfModule !mod_version.c>
        <IfModule !mod_authz_core.c>
                Order Deny,Allow
                Deny from All
        </IfModule>
        <IfModule mod_authz_core.c>
                Require all denied
        </IfModule>
</IfModule>
</Files>

Hi,

I have never used Apache before, so I can’t really help with Apache-related issues.

I will keep looking into it. Is there a default .htaccess file I can look at or a script to regenerate one?

Looks correct, I have exactly the same .htaccess here on 4.2.1.

Hello Team,

I have the same issue as well after I updated to 4.3.1, running Apache/2.4.29 (Ubuntu). I tried this https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ but it doesn’t fix the issue.

Thanks in Advance.

I was able to fix this issue on my setup. I am not sure why this would have changed, but I noticed that my Apache server conf file for Matomo had the wrong directory defined for options. This needed to be updated, and then the AllowOverride All option would be applied to the Matomo directories.

Current working config files:

Matomo.conf - Old

<Directory /var/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>

Matomo.conf - New

<Directory /datadrive/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>

This has resolved the issue in my setup.

My configuration:
Server version: Ubuntu 18.04.5
Apache version: Apache/2.4.29
MySQL: Ver 15.1 Distrib 10.1.48-MariaDB
PHP version: 7.2
Matomo version: 4.3.1

Hello Kdmail,

This works for me as well. I added this to the 000-default.conf file:

<Directory /var/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>

Thanks man!
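
Added example, not part of the thread or of Matomo's code: a small check for the misconfiguration fixed in the two posts above, where the `<Directory>` block carrying `AllowOverride All` does not cover the real install path, so Matomo's generated .htaccess files are ignored. The sample configs and the install path `/datadrive/www/html/matomo` are constructed from the "Old" and "New" blocks; the parser handles plain `<Directory>` paths only.

```python
import re

# <Directory /path> or <Directory "/path">; regex (~) and DirectoryMatch forms are not evaluated.
SECTION = re.compile(r'<Directory\s+"?([^~">][^">]*?)"?\s*>(.*?)</Directory>', re.I | re.S)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)

def effective_allow_override(conf_text, install_dir):
    """Return the AllowOverride value that applies to install_dir."""
    conf_text = re.sub(r'(?m)^\s*#.*$', '', conf_text)   # drop comment lines
    target = install_dir.rstrip("/")
    matches = []
    for path, body in SECTION.findall(conf_text):
        base = path.rstrip("/")
        if target == base or target.startswith(base + "/"):
            found = OVERRIDE.findall(body)
            if found:
                matches.append((len(base), found[-1]))
    matches.sort()   # sections merge shortest path first, so the longest match wins
    return matches[-1][1] if matches else "None"   # Apache 2.4 default is None

def htaccess_deny_honored(conf_text, install_dir):
    """True if 'Require all denied' in a .htaccess under install_dir takes effect."""
    # Require is only allowed in .htaccess when AllowOverride includes AuthConfig or All.
    opts = {o.lower() for o in effective_allow_override(conf_text, install_dir).split()}
    return "all" in opts or "authconfig" in opts

# Constructed sample configs modelled on the "Old" and "New" blocks in the post above.
BASE = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
"""
OLD_CONF = BASE + """
<Directory /var/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>
"""
NEW_CONF = OLD_CONF.replace("/var/www/html/matomo/", "/datadrive/www/html/matomo/")
INSTALL_DIR = "/datadrive/www/html/matomo"   # assumed install path

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        print(name, effective_allow_override(conf, INSTALL_DIR),
              htaccess_deny_honored(conf, INSTALL_DIR))
```

To run it against a real server, pass the concatenated text of the Apache config files and the directory Matomo is actually served from.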

I'm also facing this issue on my website.