Thumbnails don't appear, etc:S

Check your master Apache config. Make sure Options AllowOverride is enabled for the piwik folder.

thanks but where is the Apache config?!
in the mySQL database?
k

maybe i don’t have one?

I tried asking my host provider:


Date: 05/01/2012 10:14:58 Ticket Number: 703442

I need to change my settings for the master Apache config, to enable AllowOverride for my piwik folder. How!
Thanks,
Kaspar


Date: 05/01/2012 10:20:06 Ticket Number: 703442 From: Streamline.Net ( Technical Support )

Hi Kaspar Wimberley,

Thank you for your query

We would like to inform you that it is not possible to reconfigure on what is already configured on the server and it is for security purposes. The only command that is supported with the .htaccess file here in Streamline.Net is basic ‘mod_rewrite’ and the rest will cause you error with your website.

Kind regards
The Streamline.net team - Web hosting made easy


Does this mean I have to live with a lack of thumbnails, etc?
k

Ask your hosting provider to diagnose the .htaccess conflict with their locked-down config.

There are .htaccess files in core, config, libs, misc, plugins, themes, etc.

Ok, have done. But they have terrible customer service. It takes ages to get a very short and fairly useless reply. Cheap but you know why (streamline.net). Wait and see.

After waiting and waiting I get a link to my php settings:
http://www.php5.streamlinetrial.co.uk/phpinfo.php
Maybe the answer is in there?
Should it all work ok or am i missing something?
K

Anybody out there who might be able to help?
k

[quote=“Kaspar Wimberley”]
Anybody out there who might be able to help?
k[/quote]

Ask your hosting provider to “AllowOverride AuthConfig Limit”. This permits .htaccess files to use the Allow, Deny, and Satisfy directives.

Alternately, if your hosting provider has “AllowOverride Limit”, you’ll have to remove the “Satisfy” directives from Piwik’s .htaccess files.

Otherwise, if your hosting provider has “AllowOverride None” (or something equally restrictive), you’ll have to remove all the .htaccess files generated by Piwik. You’ll be running without this layer of security. (In which case, I would suggest shopping for another hosting provider.)
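An added example, not part of the original post and not Piwik's own code: a small audit that reports which AllowOverride classes each .htaccess file in a tree needs and which of them a given host setting fails to grant. The sample .htaccess content is constructed for illustration, and treating a "mod_rewrite only" host as one that grants only FileInfo is an assumption.

```python
import os
import tempfile

# Override class each directive needs inside .htaccess (per the Apache 2.2 docs).
OVERRIDE_CLASS = {
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "satisfy": "AuthConfig",
    "rewriteengine": "FileInfo", "rewritecond": "FileInfo",
    "rewriterule": "FileInfo", "rewritebase": "FileInfo",
}

def required_overrides(text):
    """Return the set of AllowOverride classes the directives in `text` need."""
    needed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and <Files>/<IfModule> section tags
        directive = line.split()[0].lower()
        needed.add(OVERRIDE_CLASS.get(directive, "UNKNOWN:" + directive))
    return needed

def audit_tree(root, granted):
    """Map each .htaccess under `root` to the classes it needs but `granted` lacks."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                missing = required_overrides(fh.read()) - set(granted)
            report[os.path.relpath(path, root)] = sorted(missing)
    return report

# Constructed sample: a deny-all block for .php/.tpl files (not Piwik's actual file).
SAMPLE = """<Files ~ "\\.(php|tpl)$">
Order allow,deny
Deny from all
Satisfy All
</Files>
"""

def demo():
    """Audit a temporary tree against the three host settings discussed above."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("core", "config"):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write(SAMPLE)
        settings = ("AuthConfig Limit", "Limit", "FileInfo")
        return {s: audit_tree(root, s.split()) for s in settings}

if __name__ == "__main__":
    for setting, report in demo().items():
        print("AllowOverride", setting, "->", report)
```

An empty list for a file means the host setting covers every directive in it; any listed class is one the host would have to grant, or whose directives would have to be removed from that file.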

Thanks vipsoft. I’ll chase them on it.
k

This is the answer they gave me:

Hi Kaspar Wimberley,

Thank you for your query

The only settings you can use for the .htaccess is the mod_rewrite.

You can refer on this links below.
http://streamlinesupport.co.uk/index.php?page=show&id=33
http://streamlinesupport.co.uk/index.php?page=show&id=130

The info in the two links is as follows:

htaccess FAQ
An htaccess file is a simple ASCII file, such as you would create through a text editor like NotePad.

.htaccess is the file extension. It is not file.htaccess or somepage.htaccess, it is simply named .htaccess

htaccess files must be uploaded as ASCII mode, not BINARY. You may need to CHMOD the htaccess file to 644 or (RW-R--R--). This makes the file usable by the server. Currently .htaccess is only supported on the Linux server.

Most commands in htaccess are meant to be placed on one line only, so if you use a text editor that uses word-wrap, make sure it is disabled or it might throw in a few characters that can cause the Apache to end.

Unfortunately there are only certain commands that are supported on the Linux server, these are

Mod_rewrite

and:

mod_rewrite on Linux web servers
Many blogging, content management, ecommerce and other packages use unfriendly URLs.

This may make it harder for website visitors to remember links to individual pages on your website and for search engines to find your content.

You can present friendlier, easier to remember, search engine friendly URLs to your website visitors by using mod_rewrite on our shared Linux servers.

mod_rewrite with third-party software
If you use a relatively recent PHP blogging or content management system, it’s likely that you’ll be able to start using friendly URLs straight away. Many other packages also have built-in support for friendly URLs with mod_rewrite.

Your software’s documentation will show you how to start using mod_rewrite.

mod_rewrite with your own scripts
Our servers use Apache’s standard mod_rewrite, enabling you to create applications that are user friendly, search engine ready and help to reduce malicious access to the inner workings of your code.

Does that mean I’d have to remove all the htaccess files? And what would this reduction in security mean?

Thanks!
K

That means your hosting provider wants you to remove the .htaccess files – piwik doesn’t use mod_rewrite.

This layer of security prevents direct access to .php and .tpl files in piwik subfolders.

Removing this layer of security means:

  • potential path (or other environment) disclosure depending on your php.ini
  • allows remote probes to fingerprint and identify your piwik version
  • direct access to third party code which we have not audited

Your hosting provider can mitigate by setting display_errors = Off in php.ini.

Thanks for the answers Vipsoft.

[quote=vipsoft]
Removing this layer of security means:

  • potential path (or other environment) disclosure depending on your php.ini
  • allows remote probes to fingerprint and identify your piwik version
  • direct access to third party code which we have not audited

Your hosting provider can mitigate by setting display_errors = Off in php.ini.[/quote]

Do you mean that my service provider should change the php.ini, or can I do this myself in mysql? Do I need to ask them if they can do this? Will this compensate for the security risk that comes when you delete the htaccess files, or would I then leave the htaccess files alone?

Why should I be worried about the three security risks mentioned above? Would other people be able to change my files or only see them? If they can only see them why should I care? Sorry if this is a stupid question, I’m very new to all this.

Thanks again for keeping with me on this,
Kaspar

Ask your hosting provider about php.ini – they may not permit local copies. It can’t be changed via mysql.

It won’t compensate for the absence of .htaccess files. It’ll mitigate by suppressing error messages.

The first two relate to information disclosure, eg a path that contains your account name, which could be used in a phishing attack. Fingerprinting means a remote user can attempt attacks on known vulnerabilities for a given version.

just heard back. they don’t allow anything like that. looks like I’ll have to live with half a piwik. maybe I’ll try to install it elsewhere.
thanks for your help,
k

So I’ve given up on my host and put them on a different server. bit more confusing but it works!
k