matomo-org / matomo-for-wordpress

Get a fully functioning Matomo Analytics for your WordPress. Star us on Github? +1. Matomo is the leading open alternative to Google Analytics that gives you full control over your data. Privacy is built-in. 100% data ownership, no one else can see your data. We love Pull Requests!
https://matomo.org
GNU General Public License v3.0

Matomo causes ERR_CONNECTION_TIMED_OUT #920

Closed emernual closed 10 months ago

emernual commented 11 months ago

The error log shows following: (I have anonymized the error log by replacing my IP with XXX and the domain with yyy.yy)

[Tue Sep 05 08:28:16.737849 2023] [authz_core:error] [pid 239246] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php
[Tue Sep 05 08:28:16.822413 2023] [authz_core:error] [pid 345332] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php
[Tue Sep 05 08:28:28.426449 2023] [authz_core:error] [pid 345216] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php
[Tue Sep 05 08:28:28.509320 2023] [authz_core:error] [pid 345334] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php
[Tue Sep 05 08:28:43.188567 2023] [authz_core:error] [pid 345332] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php
[Tue Sep 05 08:28:43.259699 2023] [authz_core:error] [pid 239257] [client XXX:0] AH01630: client denied by server configuration: /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php

However, the same errors appear in the log on sites that are hosted on a server that does not block me. In fact, this seems to happen on all sites where Matomo is installed.

Troubleshooting:

Added this line to the config file and this fixes the issue.

enable_required_directories_diagnostic = 0

After updating from 4.15.1 to 4.15.2, the issue exists again. Could this be a possible bug?

diosmosis commented 11 months ago

@emernual This is the apache webserver denying access to global.ini.php (authz is an apache2 module). Does this error result in the UI or tracking failing? Or are these just errors in the logs? If they are errors in the logs, then it's probably just someone trying to access global.ini.php and being blocked by the webserver. In this case, it can be ignored or the user can just allow access (anyone that tried to view it would just get an empty page).

annagson commented 11 months ago

The errors appear every time I click on any of the Matomo pages in the wp admin area, regardless if it is the settings page or any of the report pages.

The errors happen on two different web hosts, of which one simply blocks me from accessing anything for 15 minutes. The other doesn't block me.

There is a thread here about it: https://wordpress.org/support/topic/matomo-causes-err_connection_timed_out/ And here: https://forum.matomo.org/t/matomo-causes-errors-and-some-hosts-block-my-ip-as-a-consequence/53614/

diosmosis commented 11 months ago

Hi @annagson, could you tell me which hosting provider you're experiencing this issue with? And if you are able, would you be able to reach out to them to ask them what might cause them to block your IP?

annagson commented 11 months ago

Hi! That is where it all started: I asked them why I keep getting blocked, and they told me it is due to those error messages connected to Matomo. It is beebyte.se where I am being blocked. But I also get error messages on another host, it's just that they don't block me... The problem I see is not that I am being blocked (that is just a consequence), it is that there are error messages...

MatomoForumNotifications commented 11 months ago

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/matomo-causes-errors-and-some-hosts-block-my-ip-as-a-consequence/53614/10

diosmosis commented 11 months ago

Hi @annagson those errors are due to your hosting provider's configuration. Matomo tries to check if global.ini.php is accessible by sending a request to that file (it shouldn't be, we want to make sure it isn't), and for some reason, your hosting provider decides to block you for our diagnostic.

Setting enable_required_directories_diagnostic = 0 seems like a usable workaround, but it's up to your hosting provider to ensure you're not blocked when this happens.

Perhaps you can ask them: "Why is my IP being blocked when an HTTP request is sent to the /var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php file?" Trying to get an answer that is more precise than "it's because these errors" would be ideal.

One more question: do these error messages appear outside of the logs?

diosmosis commented 11 months ago

Note, this change: https://github.com/matomo-org/matomo-for-wordpress/pull/925 which will hopefully be in the next release may make this issue less of a problem. But you'll still need enable_required_directories_diagnostic = 0 set in config.ini.php for looking at the system report.

annagson commented 11 months ago

I asked the hosting provider that doesn't block me what they think of it, and the reply is that they do think that it is correct to block any session/user that suddenly pinpoints any specific file in the file system - as this is exactly what hackers would do. Hence, to use "fail to ban" in this case would be correct according to this hosting provider (even if they don't apply it at this moment).

So, if I understand this correctly: Matomo uses my session to check if this specific file is accessible every time I do anything (e.g. view a Matomo report or check the Matomo settings). And after 3-4 clicks around Matomo hosting providers like beebyte.se choose to block my IP address for a certain amount of time.

Do you have an idea when the next release will be?

diosmosis commented 11 months ago

The next release will be made this Monday NZT.

diosmosis commented 10 months ago

@annagson 4.15.3 of Matomo for WordPress was just released. Can you try using it and seeing if it improves things for you?

annagson commented 10 months ago

Hi! I updated to the latest version and the errors still appear but they seem to only happen once. At least they are not triggered again when trying to click around Matomo in wp-admin.

However, there is a new error. I paste those errors that appear and it is the last one that is new:

(I have anonymized the error log by replacing my IP with XXX and the domain with yyy.yy)

[Mon Nov 06 16:11:45.735850 2023] [authz_core:error] [pid 19182:tid 140125361387264] [client XXX:34858] AH01630: client denied by server configuration: /srv/www/yyy.yy/www/wp-content/plugins/matomo/app/config/global.ini.php
[Mon Nov 06 16:11:45.795321 2023] [authz_core:error] [pid 11387:tid 140123828115200] [client XXX:34860] AH01630: client denied by server configuration: /srv/www/yyy.yy/www/wp-content/plugins/matomo/app/config/global.ini.php
[Mon Nov 06 16:11:46.020060 2023] [authz_core:error] [pid 11321:tid 140125203830528] [client XXX:51266] AH01630: client denied by server configuration: /srv/www/yyy.yy/www/wp-content/plugins/matomo/app/vendor/matomo/device-detector/regexes/bots.yml

diosmosis commented 10 months ago

@annagson can you provide a screenshot of these errors appearing in your wordpress?

annagson commented 10 months ago

Hi! They appear in the error log, do you still want a screenshot?

diosmosis commented 10 months ago

@annagson if they just appear in the error log you can either ignore them or set enable_required_directories_diagnostic = 0 under the [General] section in your /path/to/wordpress/wp-content/uploads/matomo/config/config.ini.php. Those log entries should not affect your ability to use Matomo.

Is your IP still blocked when using Matomo or has that issue been solved?

annagson commented 10 months ago

No, I am not blocked anymore as the errors are only repeated 3 times and this seems to be below the threshold for fail2ban.

There is no such file in that folder. There is a screenshot of that path/folder here: https://forum.matomo.org/t/matomo-causes-errors-and-some-hosts-block-my-ip-as-a-consequence/53614/5

I added an empty file with that file name following the advice of your colleague here: https://forum.matomo.org/t/matomo-causes-errors-and-some-hosts-block-my-ip-as-a-consequence/53614/7 Anyhow, it didn't affect the error messages and now, after updating Matomo, the whole file is gone....
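
Added example, not part of any comment in this thread and not Matomo's or fail2ban's own code: a host operator can replay AH01630 denials per client against a ban threshold to see why six denials tripped a block while three did not, and whether every denied path sits under the Matomo plugin directory. The threshold of 5 denials in 600 seconds, the client address 203.0.113.7 and all function names are assumptions; the thread does not state the hosts' real settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.4 error-log line for an authz_core denial (AH01630).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[^\]]+):\d+\] AH01630: client denied by server "
    r"configuration: (?P<path>\S+)"
)
MATOMO_DIR = "/wp-content/plugins/matomo/"
# Assumed thresholds (not taken from the thread): 5 denials within 600 seconds.
MAXRETRY, FINDTIME = 5, 600


def parse(line):
    """Return (timestamp, client_ip, path) for an AH01630 line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return ts, m["ip"], m["path"]


def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map each client that reaches maxretry denials inside a findtime window
    to True when every denial seen so far for it was under the Matomo plugin."""
    recent, paths, flagged = defaultdict(deque), defaultdict(list), {}
    for ts, ip, path in filter(None, map(parse, lines)):
        recent[ip].append(ts)
        paths[ip].append(path)
        while (ts - recent[ip][0]).total_seconds() > findtime:
            recent[ip].popleft()  # drop denials older than the window
        if len(recent[ip]) >= maxretry:
            flagged[ip] = all(MATOMO_DIR in p for p in paths[ip])
    return flagged


def sample(stamps, ip="203.0.113.7"):
    """Constructed log lines modelled on the thread's anonymized excerpts."""
    path = "/var/www/vhosts/yyy.yy/httpdocs/wp-content/plugins/matomo/app/config/global.ini.php"
    return [f"[{s} 2023] [authz_core:error] [pid 239246] [client {ip}:0] "
            f"AH01630: client denied by server configuration: {path}" for s in stamps]


# Constructed: six denials in 27 s (as before 4.15.3) and three (as after).
BEFORE = sample(f"Tue Sep 05 08:28:{s}.000000" for s in (16, 16, 28, 28, 43, 43))
AFTER = sample(f"Mon Nov 06 16:11:{s}.000000" for s in (45, 45, 46))
print(would_ban(BEFORE), would_ban(AFTER))
```

A flagged client whose value is True produced only denials under the plugin directory, which is the pattern to exempt or rate-limit separately rather than treat as file probing.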

diosmosis commented 10 months ago

@annagson the file needs to have:

[General]
enable_required_directories_diagnostic = 0

not just enable_required_directories_diagnostic = 0. (Also note, that user is not affiliated with Matomo's support team, but I believe they help out quite a bit on the forums.)

The file shouldn't have disappeared after updating, that's definitely an issue, though a different one. Would you be able to tell me which hosting providers you're using?


If Matomo is currently usable for you, then I will consider this specific issue resolved. I've created a new one regarding the config.ini.php file: https://github.com/matomo-org/matomo-for-wordpress/issues/944 which I'll get to when priorities allow.

If you have any further issues feel free to let me know here or create a new issue.

annagson commented 10 months ago

I added the file according to your description and it doesn't change the fact that Matomo produces error messages, neither in 4.15.2 nor in 4.15.3. But with that said, Matomo seems usable for me from v4.15.3 as there are only the three errors quoted above within a certain time, thus I am not blocked.

Also, I could confirm that the file disappears upon updating to v 4.15.3.

In these tests I have been using sites hosted at www.beebyte.se (where I am blocked by fail2ban) and www.enbart.se (where I am currently not blocked). The file disappears upon updating Matomo on both hosting providers.

diosmosis commented 10 months ago

I created another issue regarding the fact that the setting in config.ini.php doesn't appear to have an effect: https://github.com/matomo-org/matomo-for-wordpress/issues/945

Thanks for reporting it! Again if you notice any other issues, let us know.