Using .htaccess to restrict access


(leo garcia) #71

I tried the original posting code and that one did not work for me. I tried the variation below and that did the trick.

Was gonna use it on http://coffeenwine.com, ended up using it on another website.


(leo garcia) #72

Thank you for the code. Saved me hours of hair pulling and stress.


(S-d) #74

Which .htaccess code for Apache servers is the best now?
In this thread there are a lot of snippets, but I don’t know which is the best for an optimally safe Piwik…

Can you tell me which code I should use? I’m not very good at this…

Thank you!


(Mehmet Tugra) #76

what you can do with .htaccess.
I really need to learn about that file for my site


(George Gonzales) #78

You can block visitors in the .htaccess using the host name of the visitor.


(Ahmet Düzen) #79

Thanks a lot for your information.


#80

What I wanted is to restrict access to Piwik using HttpAuth whilst allowing piwik.(php|js) and OptOut, which is required in Germany.

What worked for me:

   # Auth protect Everything
   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     AuthUserFile /{PATH}/.htpasswd
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   # (pattern anchored at both ends so only these exact file names match)
   <FilesMatch "^(piwik\.(php|js)|robots\.txt)$">
     Order Deny,Allow
     Allow from All
     Satisfy any
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
       Order Deny,Allow
       Allow from All
       Satisfy Any
     </If>
   </Files>

Hope this helps!


#81

@bpit
It’s better to use Require than “allow,deny” in .htaccess, I think!

   # Auth protect Everything
   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     AuthUserFile /{PATH}/.htpasswd
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   # (pattern anchored at both ends so only these exact file names match)
   <FilesMatch "^(piwik\.(php|js)|robots\.txt)$">
     Require all granted
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
       Require all granted
     </If>
   </Files>

edited (Copy & Paste Mistake)


#82

Hello @chriz
Thank you for your reply.

You’re absolutely right.

While “allow,deny” and “Allow from all” are allowed to be mixed with the new directives of Apache 2.4, it is discouraged.

With the Require directive the order is important (see Authentication and Authorization - Apache HTTP Server Version 2.4):
“the Require directive not only specifies which authorization methods should be used, it also specifies the order in which they are called. Multiple authorization methods are called in the same order in which the Require directives appear in the configuration.”

Hence, we also don’t need the Satisfy Directive anymore:

   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     # to be explicit, state the provider
     AuthBasicProvider file
     AuthUserFile /{PATH}/.htpasswd
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   # (pattern anchored at both ends so only these exact file names match)
   <FilesMatch "^(piwik\.(php|js)|robots\.txt)$">
     Require all granted
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
       Require all granted
     </If>
   </Files>

P.S. Somehow the “OptOut” part appears twice in your answer. In one of those parts, Files is closed with FilesMatch, which would throw an error! Therefore I put the whole entry here again.

(Edited: “P.S” to make it clearer what I meant)


#83

Hello @bpit

Oh, that was a copy & paste mistake. Thank you!
I have edited the post.


#89

Updated simple .htaccess for Apache 2.4

  <Files "*">
      Require ip 172.16.0.0/12
      Require ip 192.168.39.0/24
  </Files>

  # Tracker endpoints stay public; the dot is escaped so only piwik.js / piwik.php match
  <Files ~ "^piwik\.(js|php)$">
      Require all granted
  </Files>


(Daniel Dixon) #92

Hello Everyone,

I got crucial tips from your answers. Thanks for sharing them, it will be helpful for me.

Regards,

Daniel

TechTIQ Solutions,


#93

I hope this can help someone else in the same situation!

I was trying to use Matomo Tracker Proxy as well as Matomo’s Opt Out iframe. I followed the .htaccess instructions mentioned above, and got the following 401 error:

HTTP401: DENIED - The requested resource requires user authentication. GET - http://example.com/matomo-proxy.php?module=CoreAdminHome&action=optOut&language=en&backgroundColor=&fontColor=&fontSize=&fontFamily=

@fdellwing kindly modified the QUERY_STRING to fix the issue. This is the .htaccess that works for me now:

   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     # to be explicit, state the provider
     AuthBasicProvider file
     AuthUserFile "/PATH/TO/.htpasswd"
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   # (pattern anchored at both ends so only these exact file names match)
   <FilesMatch "^(piwik\.(php|js)|robots\.txt)$">
     Require all granted
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut/)">
       Require all granted
     </If>
   </Files>

I hope this can help someone who has as little knowledge as me! :pray: :grinning:


(Fabian Dellwing) #94

I just thought some more about this and will kindly suggest an additional change to the check.

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
       Require all granted
     </If>
   </Files>

If someone wants to know why, take a look at this:


In short, someone could craft a link that matches the regex but requests something completely different from the OptOut.
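
The difference between the three opt-out conditions from posts #82, #93 and #94, as an added example that is not part of the thread or of Matomo's code: a Python check that evaluates each condition against a query string and reports what the application would actually be asked for. It assumes PHP keeps the last value of a repeated parameter; `OVERRIDE_QS` and the values `Other`/`other` are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# The three <If> conditions posted in the thread, as predicates on QUERY_STRING.
EXACT = "module=CoreAdminHome&action=optOut"                      # post #82 (== comparison)
PREFIX = re.compile(r"^module\=CoreAdminHome\&action\=optOut")     # post #93
LOOKAHEAD = re.compile(                                           # post #94
    r"^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)")

RULES = {
    "exact": lambda qs: qs == EXACT,
    "prefix": lambda qs: PREFIX.search(qs) is not None,
    "lookahead": lambda qs: LOOKAHEAD.search(qs) is not None,
}

def effective_params(qs):
    """Parameters as the application sees them.
    Assumption: the last duplicate wins, as in PHP's $_GET."""
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        params[key] = value
    return params

def evaluate(qs):
    """Which rules would skip authentication, and is this really the opt-out page?"""
    p = effective_params(qs)
    return {
        "granted_by": [name for name, rule in RULES.items() if rule(qs)],
        "is_opt_out": (p.get("module"), p.get("action")) == ("CoreAdminHome", "optOut"),
    }

# Query string taken from the 401 error quoted in post #93.
IFRAME_QS = ("module=CoreAdminHome&action=optOut&language=en&backgroundColor="
             "&fontColor=&fontSize=&fontFamily=")
# Constructed: the required prefix is intact, but repeated keys change the request.
OVERRIDE_QS = "module=CoreAdminHome&action=optOut&module=Other&action=other"

if __name__ == "__main__":
    for qs in (EXACT, IFRAME_QS, OVERRIDE_QS):
        print(evaluate(qs), qs)
```

A rule is too loose whenever `granted_by` is non-empty while `is_opt_out` is false; keeping such strings as regression cases catches a later edit to the `<If>` expression that reopens the gap.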


(Lukas Winkler) #96

6 posts were split to a new topic: Restrict API access per IP address