matomo-org / matomo-nginx

Nginx configuration for running Matomo

deny of /config/config.ini.php #63

Open bst2002git opened 3 years ago

bst2002git commented 3 years ago

Hello,

On my nginx 1.13.1 the deny of /config/config.ini.php does not work; I can access (download) it as octet/stream.

toredash commented 3 years ago

Are you sure? It should be disabled by this line: https://github.com/matomo-org/matomo-nginx/blob/master/sites-available/matomo.conf#L56

Could you provide your config?

bst2002git commented 3 years ago

Hello @toredash, you're right. I have the problem related to HTTP/2 with my browser... If I make a normal HTTP/1.0 connection it works... Strange. I have to keep investigating on nginx; even when I use the nginx-debug binary and "error_log ... debug;" it does not show the request in the debug log when h2 is activated... If I access only the directory https://domain.example.com/config/ I get 404 or whatever I have configured, and the debug log

dwaxweiler commented 3 years ago

The system check of my Matomo installation also complains about the file mentioned above and tmp/cache/tracker/matomocache_generap.php: [screenshot: Screenshot_2021-05-20 System Check - Administration - Matomo] I have just upgraded to Matomo 4.3.0 and noticed this. nginx is used in version 1.14.2.

Findus23 commented 3 years ago

Hi,

In my Matomo instance (the one I created this config for) both config/config.ini.php and tmp/cache/tracker/matomocache_generap.php

Make sure you don't have an additional rule allowing things above this rule: https://github.com/matomo-org/matomo-nginx/blob/531f0c90197fab6ade1e9908e4d008108a948bf0/sites-available/matomo.conf#L55-L59

joergrenn commented 2 years ago

I am setting up Matomo 4.5 with nginx 1.18 and I am getting the error in the Matomo system check that my config.ini.php is accessible from the internet. However, I am using the recommended configuration and have verified that the location setting is present with "deny all" for the config folder. When I request the URL manually I get a 403 (Forbidden) as expected. I don't know what I am doing wrong. Could this be a bug?

taskula commented 3 months ago

Matomo checks access using plugins/Diagnostics/Diagnostic/AbstractPrivateDirectories.php function isAccessible(). It evaluates HTTP response code which must be >= 400 and < 500.

In my case the Matomo installation was behind a reverse proxy (haproxy), and running curl -v https://yourmatomo/config/config.ini.php on the Matomo server returned HTTP code 503, giving a false-positive response in Matomo.

dwaxweiler commented 2 months ago

> The system check of my Matomo installation also complains about the file mentioned above and tmp/cache/tracker/matomocache_generap.php: [screenshot: Screenshot_2021-05-20 System Check - Administration - Matomo] I have just upgraded to Matomo 4.3.0 and noticed this. nginx is used in version 1.14.2.

This error is gone at my installation with version 5.1.0.

dfranco commented 1 month ago

Running Matomo 5.1.0 with nginx 1.20.1.

I took the nginx config from this repo, but I still get a 200 HTTP response when trying to reach the URL https://my-matomo.domain.com/config/config.ini.php, with the response below:

$ curl -v https://matomo.domain.com/config/config.ini.php
*   Trying xx.xx.xx.xx:443...
* Connected to matomo.domain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=matomo.domain.com
*  start date: Jun 28 17:31:48 2024 GMT
*  expire date: Sep 26 17:31:47 2024 GMT
*  subjectAltName: host "matomo.domain.com" matched cert's "matomo.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /config/config.ini.php HTTP/1.1
> Host: matomo.domain.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Sat, 29 Jun 2024 04:34:09 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/8.2.13
< Referrer-Policy: origin
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
* Connection #0 to host matomo.domain.com left intact
; $

... and the System check still complains about /config/config.ini.php being available.

Thoughts?

P.S.: I'm surprised there are so many unanswered issues and open PRs on this repo; is the Matomo project lacking contributors? Do you need help?
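The thread contains three different outcomes for the same probe: a 4xx from the nginx deny rule (joergrenn), a 503 from a reverse proxy that Matomo still flags (taskula), and a 200 answered by PHP (dfranco's curl output, note the X-Powered-By header) or served as a download (bst2002git). The script below is an added example, not code from this repository or from Matomo; it reproduces only the status-code rule taskula describes for isAccessible() (4xx means "not accessible", everything else is reported as accessible) and applies it to constructed responses modelled on the ones posted above. The header-based hints, the verdict names and the sample responses are this example's own assumptions.

```python
"""Triage raw HTTP responses to a private Matomo path the way the system
check does, then add a hint about the likely cause.

Added example; not code from matomo-org/matomo-nginx or from Matomo.
"""
from typing import Dict, Tuple

PRIVATE_PATHS = ("/config/config.ini.php",
                 "/tmp/cache/tracker/matomocache_general.php")


def matomo_considers_accessible(status: int) -> bool:
    """Mirror the rule described in the thread for isAccessible():
    only a 4xx answer counts as protected; 200, 3xx and 5xx all count
    as accessible. This is why a proxy 503 is a false positive."""
    return not (400 <= status < 500)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Parse a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased; a malformed status line raises ValueError."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def triage(raw: str) -> Tuple[str, str]:
    """Return (verdict, hint). verdict is one of 'protected', 'exposed'
    or 'unverified' (the last is what Matomo reports as accessible even
    though nothing proves the file is readable). The hints are this
    example's heuristics, not Matomo's."""
    status, headers, _ = parse_response(raw)
    ctype = headers.get("content-type", "").lower()
    powered_by = headers.get("x-powered-by", "").lower()
    if not matomo_considers_accessible(status):
        return "protected", f"{status}: the nginx deny/return rule matched"
    if 500 <= status < 600:
        return "unverified", (f"{status}: answered by a proxy or upstream error, not by "
                              "the deny rule; Matomo still counts this as accessible, "
                              "so probe nginx directly rather than through the proxy")
    if status == 200 and "php" in powered_by:
        return "exposed", ("200 with X-Powered-By PHP: the request reached the PHP "
                           "handler, so the deny location is not matching; check for "
                           "an earlier location block that captures the request")
    if status == 200 and ctype.startswith("application/octet-stream"):
        return "exposed", "200 as a download: the file is served statically; deny location missing"
    if status == 200:
        return "exposed", "200: the file is reachable"
    return "unverified", f"{status}: inspect manually"


def _response(status_line: str, *headers: str, body: str = "") -> str:
    return "\r\n".join((status_line,) + headers) + "\r\n\r\n" + body


# Constructed sample responses, modelled on the ones pasted in this thread.
SAMPLES = {
    "deny_403": _response("HTTP/1.1 403 Forbidden", "Server: nginx/1.18.0",
                          "Content-Type: text/html"),
    "proxy_503": _response("HTTP/1.1 503 Service Unavailable",
                           "Content-Type: text/html", body="<h1>503</h1>"),
    "php_200": _response("HTTP/1.1 200 OK", "Server: nginx/1.20.1",
                         "Content-Type: text/html; charset=UTF-8",
                         "X-Powered-By: PHP/8.2.13", body=";"),
    "static_200": _response("HTTP/1.1 200 OK", "Server: nginx/1.13.1",
                            "Content-Type: application/octet-stream",
                            body="; <?php exit; ?> DO NOT REMOVE THIS LINE"),
}


def triage_all(samples: Dict[str, str]) -> Dict[str, str]:
    """Verdict per sample name; handy for a quick table."""
    return {name: triage(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, hint = triage(raw)
        print(f"{name:11} {verdict:10} {hint}")
```

Run it from the Matomo host itself (bypassing any reverse proxy) against each path in PRIVATE_PATHS with the raw response from curl, and compare the verdict with what the system check says; a "protected" verdict with a failing system check points at the proxy path rather than at the nginx rule.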