After upgrading to Matomo 4.3 I started receiving the following critical issues under the system checks. How do I change the access restrictions on these files? Is this done at a system level or web server level? I am currently running Apache2 as my web server. These errors did not occur before the 4.3 upgrade.
We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.
We also found that Matomo’s config directory is publicly accessible. While attackers can’t read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
In theory Matomo generates a bunch of .htaccess files that should deny the access, but it seems like this isn’t working for you.
If you use Apache, double-check everything (maybe you have disabled the htaccess support).
If you use nginx, use https://github.com/matomo-org/matomo-nginx/issues as an inspiration.
If you use any other webserver, you will probably have to create your own webserver rules based on the others.
I am using Apache and I verified that .htaccess files are set up to be used in the conf file. See httpd.conf below.
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
I looked in the matomo tmp directory and I saw the following .htaccess file. Does this look correct?
# This file is auto generated by Matomo, do not edit directly
# Please report any issue or improvement directly to the Matomo team.
# First, deny access to all files in this directory
<Files "*">
    <IfModule mod_version.c>
        <IfVersion < 2.4>
            Order Deny,Allow
            Deny from All
        </IfVersion>
        <IfVersion >= 2.4>
            Require all denied
        </IfVersion>
    </IfModule>
    <IfModule !mod_version.c>
        <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from All
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </IfModule>
</Files>
I was able to fix this issue on my setup. I am not sure why this would have changed, but I noticed that my Apache server conf file for Matomo had the wrong directory defined for options. This needed to be updated, and then the AllowOverride All option would be applied to the Matomo directories.
Current working config files:
Matomo.conf - Old
<Directory /var/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>
Matomo.conf - New
<Directory /datadrive/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>
This has resolved the issue in my setup.
My configuration: Server version: Ubuntu 18.04.5, Apache Version: Apache/2.4.29, MySQL: Ver 15.1 Distrib 10.1.48-MariaDB, PHP Version: 7.2, Matomo Version: 4.3.1
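The root cause in the post above was a `<Directory>` block whose path no longer matched the real Matomo install directory, so Apache never applied `AllowOverride All` and silently ignored the generated .htaccess files. The following is an added example (my own, not from the thread or from Matomo) that parses an Apache conf offline and reports whether any `<Directory>` block with `AllowOverride All` actually covers a given install path; the sample conf and the two paths are constructed from the thread.

```shell
#!/bin/sh
# Added example: offline check that the Apache <Directory> block granting
# AllowOverride All really covers the Matomo install path. Apache only reads
# .htaccess inside directories where overrides are allowed, so a stale path
# here leaves config/ and tmp/ exposed even though the .htaccess files exist.

# Constructed copy of the stale Matomo.conf from the thread.
CONF="$(mktemp)"
cat > "$CONF" <<'EOF'
<Directory /var/www/html/matomo/>
    Options FollowSymlinks
    AllowOverride All
    Require all granted
</Directory>
EOF

# Print the path of every <Directory> block that contains "AllowOverride All".
override_dirs() {
  awk '
    /^[[:space:]]*<Directory[[:space:]]/ { dir=$2; sub(/>$/, "", dir); gsub(/"/, "", dir); ao=0 }
    /^[[:space:]]*AllowOverride[[:space:]]+All/ { ao=1 }
    /^[[:space:]]*<\/Directory>/ { if (ao) print dir; dir="" }
  ' "$1"
}

# Return 0 if the install dir ($2) lies under a directory that allows overrides.
covered_by_override() {
  conf="$1"; install="${2%/}/"
  for d in $(override_dirs "$conf"); do
    d="${d%/}/"
    case "$install" in
      "$d"*) return 0 ;;
    esac
  done
  return 1
}

# Old install path still matches; the new one from the thread does not.
for path in /var/www/html/matomo /datadrive/www/html/matomo; do
  if covered_by_override "$CONF" "$path"; then
    echo "OK: AllowOverride All covers $path, .htaccess will be honoured"
  else
    echo "MISMATCH: no AllowOverride All block covers $path"
  fi
done
```

Run it against the real conf (for example one under /etc/apache2/sites-enabled/) and the directory Matomo is actually served from; a MISMATCH means the .htaccess files Matomo generates are not being read.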