Status: closed (fdellwing closed this issue 5 years ago)
Thanks for making me check my config again. I was going crazy for more than half an hour because tmp/ wasn't blocked, and finally noticed that including the cache config at the top wasn't the best idea because it matches first.
So I now reordered the rules and it works the way it should.
> Combine these two locations:

It is intentional that the order is

```nginx
location ~ /(config|tmp|core|lang)
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$
location ~ /(libs|vendor|plugins|misc/user)
```

That way everything from config|tmp|core|lang is blocked, but static files from libs|vendor|plugins|misc/user are allowed.
> Do not serve .ht files:
I don't think it would be critical if they are public, but it definitely doesn't hurt.
> Serve .well-known
Do you have a specific reason in mind? In case you mean for Let's Encrypt, then one could only add the rule to the HTTP server and use a separate root.
> Make sure httpoxy is prohibited:
I kind of understand the reasoning, but am really confused why this is mentioned nowhere in the really extensive Debian nginx config.
> Are you sure you do not want to provide one?
That's a good question. I don't want people to overwrite their config with the Matomo one as this shouldn't be a matter of Matomo, but providing a commented one for people to compare theirs with sounds useful. Do you have an idea how to make this clear?
> Mine is this:
Apart from gzip I can't think of anything that's essential, and even that shouldn't be enabled by default without knowing the implications (less secure encryption).
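As an added illustration of the location ordering described above together with the .ht and httpoxy hints (example config written for this thread, not the matomo-nginx project's own file): the hostname, root path and PHP-FPM socket are assumptions, and the directory patterns are anchored to the start of the path, which is tighter than the unanchored regexes quoted above.

```nginx
# nginx evaluates "location ~" regex blocks in the order they appear and
# takes the first match, so the deny rule for config|tmp|core|lang must sit
# above the static-file rule, and the static-file rule above the
# libs|vendor|plugins|misc/user rule.
server {
    listen 80;
    server_name matomo.example;   # assumed hostname
    root /var/www/matomo;         # assumed install path
    index index.php;

    # 1. Matched first: nothing under these directories is ever served, not
    #    even a .js or .json, because this regex wins before the cache rule.
    location ~ ^/(config|tmp|core|lang)/ {
        return 403;
    }

    # 2. Static assets get cache headers. A request for /tmp/x.js never gets
    #    here because rule 1 already answered it.
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        expires 1M;
        add_header Cache-Control "public";
    }

    # 3. Static files from these directories were already allowed by rule 2;
    #    anything else under them (e.g. a .php file) is refused.
    location ~ ^/(libs|vendor|plugins|misc/user)/ {
        return 403;
    }

    # Never serve .htaccess, .htpasswd and similar files.
    location ~ /\.ht {
        return 404;
    }

    # Only Matomo's entry points reach PHP.
    location ~ ^/(index|piwik|js/index)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # httpoxy: without this, a client-sent "Proxy:" request header becomes
        # HTTP_PROXY in the FastCGI environment, which some HTTP client
        # libraries honour as an outbound proxy setting. Clearing it closes
        # that path regardless of which libraries the PHP code uses.
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed PHP-FPM socket
    }
}
```

A quick way to confirm the ordering is to request a static-looking path under a blocked directory (for example /tmp/test.js) and check that the response is 403 rather than a cached 404 from the static rule.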
> That way everything from config|tmp|core|lang is blocked, but static files from libs|vendor|plugins|misc/user are allowed.
Makes sense.
> I don't think it would be critical if they are public, but it definitely doesn't hurt.
It may show file system specific information to an attacker and should never be accessible.
> Do you have a specific reason in mind? In case you mean for Let's Encrypt, then one could only add the rule to the HTTP server and use a separate root.
It is probably not needed here.
> I kind of understand the reasoning, but am really confused why this is mentioned nowhere in the really extensive Debian nginx config.
There are some people out there thinking that the bug is mitigated. But it isn't: the namespace there still overlaps today, and if a vulnerable library is used it is still critical. I include it in every fastcgi config together with a link to httpoxy.
> That's a good question. I don't want people to overwrite their config with the Matomo one as this shouldn't be a matter of Matomo,
True
> but providing a commented one for people to compare theirs with sounds useful.
Good idea
Here is my config, I commented the parts that are important for me:
> There are some people out there thinking that the bug is mitigated. But it isn't: the namespace there still overlaps today, and if a vulnerable library is used it is still critical. I include it in every fastcgi config together with a link to httpoxy.
It definitely doesn't hurt or break anything, so I'll include it.
Regarding server_tokens and co: I think the easiest way is just adding a Tips section to the readme explaining them.
> Regarding server_tokens and co: I think the easiest way is just adding a Tips section to the readme explaining them.
Good plan
However, the new configuration breaks the AdBlocker workarounds (calling /js/ instead of piwik.php directly in the tracking script).
@kissifrot You are right, I just fixed it.
BTW: you could also add

```nginx
rewrite /statistics.php /piwik.php;
rewrite /statistics.js /piwik.js;
```

to the nginx config and use these paths in the tracking code.
I have now added a Tips section. If someone knows more, please open a PR or issue.
I looked through your changes and have some additional hints:
Combine these two locations:
https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L35
https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L69
Do not serve .ht files:
Serve .well-known:
Make sure httpoxy is prohibited:
https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L45
https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L51
You did not provide a nginx.conf, but there are some more important configs to consider. Are you sure you do not want to provide one?