After installing Matomo, the system check is giving me the following errors:
"
We also found that Matomo’s config directory is publicly accessible. While attackers can’t read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.
We found that the above URLs are accessible via the browser, but we recommend they should not be. If possible, please restrict access to them.
"
I have set the permission (eg to the tmp folder) as follows:
chgrp -R apache /var/www/html/matomo/tmp
chmod -R 755 /var/www/html/matomo/tmp
How can I prevent browser access to these directory and files?
File permissions only limit who on your server can access file (and the 5 in 755 means that everyone on the server can read it).
But that’s completly unrelated to the warning that people on the internet can access it. To disallow this you need to set up your webserver properly. If you use apache, then Matomo already creates .htaccess files (and you only need to set up apache to respect them).
If you use another webserver you need to set up the rules yourself (e.g. inspired by https://github.com/matomo-org/matomo-nginx/)
Thanks @Lukas. So, I tried editing the .htaccess located on the root of matomo directory but I got an error that the file should not be edited. Where is the .htaccess that I need to set this permission located?
You don’t need to edit the .htaccess files, but change your webserver to respect the entries in .htaccess.
I don’t really know Apache, but I think the keyword is AllowOverride All.
Thanks for the suggestion. I’ve been reading up online on how matomo wants this configured. The problem I have is that I do not have .htaccess file in the root of my matomo installation. I then created one and added the settings but the system check indicated that I should remove the file. Thoughts?
If you don’t have any .htaccess file in your Matomo directory make sure you are actually using Apache and if so, you can manually create them from the commandline with this command: