Using .htaccess to restrict access

leogarcia1988 · June 23, 2016, 4:03am

Thank you for the code. saved me hours of hair pulling and stress.

S-d · July 23, 2016, 7:13pm

Which htacess code for Apache servers is the best now?
In this Thread there are a lot of snippets, but i don´t know which is the best for an optimal save piwik…

Can you tell me which code i should use? I´m not very good in this…

Thank you!

mettug · September 5, 2016, 12:57pm

what you can do with .htaccess.
I really need to learn about that file for my site

mettug · September 5, 2016, 12:58pm

what you can do with .htaccess.
I really need to learn about that file for my site

georgetgonzales · September 29, 2016, 11:38am

You can block visitors in the .htaccess using the host name of the visitor.

ahmetduzen2001 · November 5, 2016, 10:58am

thanks alot for your information

bpit · December 20, 2016, 2:40pm

What I wanted is to restrict access to piwik using HttpAuth whilst allowing piwik.(php|js) and OptOut which is required in germany.

What worked for me:

   # Auth protect Everything
   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     AuthUserFile /{PATH}/.htpasswd
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   <FilesMatch "(^piwik\.(php|js)|robots\.txt)">
     Order Deny,Allow
     Allow from All
     Satisfy any
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
       Order Deny,Allow
       Allow from All
       Satisfy Any
      </If>
   </Files>

Hope this helps!

chriz · December 20, 2016, 2:58pm

@ bpit
Its better to use require than “allow,deny” in .htaccess I think!

 # Auth protect Everything
   <Files "*">
     AuthType Basic
     AuthName "Piwik"
     AuthUserFile /{PATH}/.htpasswd
     Require valid-user
   </Files>

   # Allow external access to piwik.php and piwik.js and robots.txt
   <FilesMatch "(^piwik\.(php|js)|robots\.txt)">
     Require all granted
   </FilesMatch>

   # Allow Opt-Out
   <Files "index.php">
     <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
       Require all granted
      </If>
   </Files>

edited (Copy & Paste Mistake)

bpit · December 20, 2016, 10:39pm

Hello @chriz
Thank you for your reply.

You’re absolutely right.

While “allow,deny” and “Allow from all” are allowed to be mixed with the new directives of apache 2.4, it is discouraged.

With the Require Directive the order is important (see Authentication and Authorization - Apache HTTP Server Version 2.4)
the Require directive not only specifies which authorization methods should be used, it also specifies the order in which they are called. Multiple authorization methods are called in the same order in which the Require directives appear in the configuration.

Hence, we also don’t need the Satisfy Directive anymore:

<Files "*">
 AuthType Basic
 AuthName "Piwik"
 # to be explicit, state the provider
 AuthBasicProvider file
 AuthUserFile /{PATH}/.htpasswd
 Require valid-user
</Files>
 
# Allow external access to piwik.php and piwik.js and robots.txt
<FilesMatch "(^piwik\.(php|js)|robots\.txt)">
 Require all granted
</FilesMatch>

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} == 'module=CoreAdminHome&action=optOut')">
   Require all granted
 </If>
</Files>

P.S. Somehow the “OptOut” part got twice in your answer. In one of that parts Files is closed with FilesMatch - which would throw an error! Therefore I put the whole entry here again.

(Edited: “P.S” to make it clearer what I meant)

chriz · December 21, 2016, 8:02am

Hello @bpit

Oh, that was a copy & paste mistake. Thank you!
I have edited the post.

ranseier · January 24, 2018, 4:17pm

Updated simple .htaccess for Apache 2.4

  <Files "*">
      Require ip 172.16.0.0/12
      Require ip 192.168.39.0/24
  </Files>

  <Files ~ "^piwik.(js|php)$">
      Require all granted
  </Files>

Daniel_Dixon · June 25, 2018, 7:28am

Hello Everyone,

I got crucial tips from your answer, thanks for sharing your answers it will be helpful for me,

Regards,

Daniel

TechTIQ Solutions,

HuffinPuffin · July 6, 2018, 2:40am

I hope this can help someone else in the same situation!

I was trying to use Matomo Tracker Proxy as well as Matomo’s Opt Out iframe. I followed the .htaccess instructions mentioned above, and got the following 401 error:

HTTP401: DENIED - The requested resource requires user authentication. GET - http://example.com/matomo-proxy.php?module=CoreAdminHome&action=optOut&language=en&backgroundColor=&fontColor=&fontSize=&fontFamily=

@fdellwing kindly modified the QUERY_STRING to fix the issue. This is the .htaccess that works for me now:

<Files "*">
 AuthType Basic
 AuthName "Piwik"
 # to be explicit, state the provider
 AuthBasicProvider file
 AuthUserFile "/PATH/TO/.htpasswd"
 Require valid-user
</Files>
 
# Allow external access to piwik.php and piwik.js and robots.txt
<FilesMatch "(^piwik\.(php|js)|robots\.txt)">
 Require all granted
</FilesMatch>

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut/)">
   Require all granted
 </If>
</Files>

I hope this can help someone who has as little knowledge as me!

fdellwing · July 6, 2018, 6:56am

I just thought some more about this and will kindly suggest an additional change to the check.

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
   Require all granted
 </If>
</Files>

If someone wants to know why, take a look at this:

github.com/matomo-org/matomo

Supplying multiple HTTP parameters with the same name may cause Matomo to interpret values in unanticipated ways.

opened 08:27AM - 18 Jun 18 UTC

closed 09:39AM - 18 Jun 18 UTC

appyo

answered

When creating rewrite rules to block the login page from the internet (only optO…ut should be allowed), I found some strange behavior in Matomo v3.5.1. If someone adds parameters with the same name to the URL, then the original module and action will no longer be called. This makes it difficult to block the login page Example: https://##matomo-url##/index.php?module=CoreAdminHome&module=Login&action=optOut&action=index The expected behavior here should be the opt-out page, not the login page.

In short, someone could craft a link that matches the regex but does request completely different than the OptOut.

Lukas · November 14, 2018, 9:00pm

6 posts were split to a new topic: Restrict API access per IP address

augustind · February 21, 2019, 11:43am

Firstly, thanks a lot @bpit @HuffinPuffin for your well working solution
Just to let you know :

it seems that in last Matomo version, the piwik.js was renamed matomo.js. Unfortunately it will popup an Apache Authentication window to any user who just display your website …
that optOut option uses a new file optOut.js which shouldn’t be blocked by Apache

It changes

<FilesMatch "(^piwik\.(php|js)|robots\.txt)">

by

<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|robots\.txt|optOut.js)">

So here is the conf which work for me

<Files "*">
 AuthType Basic
 AuthName "Authentication Required"
 # to be explicit, state the provider
 AuthBasicProvider file
 AuthUserFile "/etc/httpd/.htpasswd"
 Require valid-user
</Files>

# Allow external access to piwik.php and piwik.js and matomo.js and robots.txt
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|robots\.txt|optOut.js)">
 Require all granted
</FilesMatch>

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut/)">
   Require all granted
 </If>
</Files>

I kept the reference to ^piwik\.(php|js) just in case …

goodspeedal · June 21, 2019, 3:41am

For the Matomo Tag Manager as we’ll, you may need to allow the “container_xxx.js” as well.

<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js)">
 Require all granted
</FilesMatch>

Simone_Fantini · February 28, 2020, 7:40am

Even if this is an old post, in the How to configure Matomo for security User Guide - Analytics Platform - Matomo Docs, still this post is linked. So i have fixed the security issue with Nginx, blocking all the requests via basic_auth, exect for the one needed to Matomo, even for the iframe.

first do a map of $request_uri and populare a variable, in my case called $auth_basic

map $request_uri $auth_basic {
    default                                               "Restricted Area";
    ~*^/index\.php\?module=CoreAdminHome&action=optOut$   off;
    ~*^/piwik\.(js|php)|matomo\.(js|php)|container_.*\.js|robots\.txt$     off;
}

place the basic auth in the nginx config, eg. like this:

.....
    auth_basic           $auth_basic;
    auth_basic_user_file /path/to/my/basic_auth_file; 
.....

thats it!

-all the request to matomo will get 401, all the requests to matomo.php , matomo.js , piwik.php , piwik.js , and also to the URL index.php?module=CoreAdminHome&action=optOut will be allowed with http code 200

enjoy

mezzomedia · March 3, 2020, 2:49pm

I tried a solution inspired by the Apache 2.4 suggestion of @goodspeedal at Using .htaccess to restrict access , modified to restrict Matomo by IP and only allow specific public files.

(note: I’ve replaced the server IP and my IP with placeholder text below)

<Files "*">
        # Allow localhost IPv4 IPv6
        Require ip 127.0.0.1 ::1
        # Allow server IPv4 IPv6
        Require ip <server_IPv4> <server_IPv6>
        # Allow my IP
        Require ip <my_IP>
</Files>

# Allow public access to basic Matomo files
<FilesMatch "(^piwik\.(php|js)|^matomo\.(php|js)|^container_.*\.js|robots\.txt|optOut.js)">
        Require all granted
</FilesMatch>

This example works fine for access from the browser, however, the auto-archiving cron job for Matomo fails… Even though the server IP and localhost are both allowed.

Any ideas to allow access for the archiving cron job, as well?

brianyam · March 3, 2020, 3:53pm

Not really sure your meaning, as the the crontab is using php to execute internal command without to go/request via the web, (neither related to Apache). So just follow the intructions to create crontab will be work.
https://matomo.org/docs/setup-auto-archiving/