SSL on Piwik with non-official SSL certificate


#1

If you try to use SSL on Piwik in the normal way with a self-signed certificate, an issue is that your certificate is not accepted by web browsers when you send your tracking queries. And if you want to track your blog or personal page, a valid SSL certificate is very expensive. A solution is to use a configuration of your virtual host (maybe it can be done with .htaccess) and not the Piwik option.

We will grant HTTP access to piwik.php and piwik.js and force all other traffic to HTTPS. Your Piwik is on piwik.mydomaine.com. Put in your Apache virtual host config:


<VirtualHost *:80>
        [ your ServerName DocumentRoot etc. settings ]

        # =================================================
        # Rewriting and redirect settings for piwik.php and piwik.js
        # =================================================
        # The rewrite engine must be switched on for the rules below to apply
        RewriteEngine On
        # Dots are escaped so only the literal file names are exempt from the redirect
        RewriteCond %{REQUEST_URI} !^/piwik\.js$
        RewriteCond %{REQUEST_URI} !^/piwik\.php$
        RewriteRule ^(.*)$ https://piwik.mydomaine.com$1 [R,L]

        [ your directory settings ]
</VirtualHost>

And your general SSL settings:


NameVirtualHost *:443
<VirtualHost *:443>

        [ your ServerName and DocumentRoot settings here ]

        # =================================================
        # SSL/TLS settings
        # =================================================

        SSLEngine on
        SSLOptions +StrictRequire
        <Directory />
                SSLRequireSSL
        </Directory>

        # SSLv3 and TLS 1.0/1.1 are obsolete; allow TLS 1.2 and later only
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        # Strong ciphers only, no anonymous or MD5-based suites
        SSLCipherSuite HIGH:!aNULL:!MD5

        SSLCertificateFile /etc/apache2/ssl/piwikmydomaine.crt
        SSLCertificateKeyFile /etc/apache2/ssl/piwikmydomaine-key.pem

        SSLVerifyClient none
        SSLProxyEngine off

        # The whole directive has to sit on one line
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        [ your directory settings here ]

</VirtualHost>

Hope it can be useful.
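To check which requests the port-80 rules above leave on plain HTTP, here is an added example (not part of the original post) that evaluates them the way mod_rewrite does for the directives used here. The function names are hypothetical, and only `RewriteCond %{REQUEST_URI}` and a single `RewriteRule` with `$1` are modelled.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the port-80 rules from the post, with the dots escaped
# so that they match literally.
VHOST_RULES = r"""
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/piwik\.js$
RewriteCond %{REQUEST_URI} !^/piwik\.php$
RewriteRule ^(.*)$ https://piwik.mydomaine.com$1 [R,L]
"""

def parse_rules(text):
    """Return (conditions, rule); conditions are (negated, regex) pairs."""
    conds, rule = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "RewriteCond" and parts[1] == "%{REQUEST_URI}":
            pat = parts[2]
            conds.append((pat.startswith("!"), re.compile(pat.lstrip("!"))))
        elif parts[0] == "RewriteRule":
            rule = (re.compile(parts[1]), parts[2])
    return conds, rule

def http_decision(request_target, rules=VHOST_RULES):
    """Return the redirect URL for a plain-HTTP request, or None if it is served over HTTP."""
    conds, (pattern, subst) = parse_rules(rules)
    url = urlsplit(request_target)
    path = url.path  # REQUEST_URI is the path only, without the query string
    match = pattern.search(path)
    if match is None:
        return None
    for negated, regex in conds:  # consecutive conditions are ANDed
        if bool(regex.search(path)) == negated:
            return None  # one condition failed, so the rule is skipped
    target = subst.replace("$1", match.group(1))
    # mod_rewrite passes the original query string through unchanged
    return target + ("?" + url.query if url.query else "")

if __name__ == "__main__":
    # Constructed sample request targets
    for t in ("/piwik.php?idsite=1&rec=1", "/piwik.js", "/index.php?module=Login",
              "/piwik.php/extra", "/piwikXjs"):
        print(f"{t:28} -> {http_decision(t) or 'served over HTTP'}")
```

Passing a rule set with unescaped dots as `rules` shows that `/piwikXjs` would then also be exempt from the redirect.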


#2

I made a similar config in nginx:


server {
        server_name ***************;
        root " *************** ";

        listen 80;

        # dots escaped and pattern end-anchored so only these files match
        location ~ (/piwik\.js|/js/piwik\.js)$ {
                # just adding an empty declaration will make nginx serve these files
                #return 404; only for testing purposes
        }

        location /js {
                #return 404;
                # rewrite the access from http://mypiwikurl/js to -> http://mypiwikurl/js/index.php
                rewrite ^ http://$http_host/js/index.php permanent;
        }

        # run the php files piwik.php and js/index.php
        # (dots escaped and pattern end-anchored so no other path reaches PHP over http)
        location ~ (/piwik\.php|/js/index\.php)$ {
                #autoindex on;
                fastcgi_split_path_info ^(.+\.php)(.*)$;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param SERVER_NAME $host;
                include        fastcgi_params;
                # fast cgi php-fpm as unix socket, modify as needed
                fastcgi_pass   unix:***********.sock;
        }

        location / {
                # redirect the rest of the traffic to the ssl site
                if ($scheme = 'http') {
                        rewrite ^ https://$http_host$request_uri? permanent;
                        #return 403;
                        break;
                }
        }
}

server {
        server_name *********************;
        root "*********************";

        # Here goes your standard ssl server config
}


I know this is far from perfect, and I'm still working on this, but for now it works.