matomo-org / matomo-nginx

Nginx configuration for running Matomo

Warnings about sensitive files being exposed during Matomo setup still there after using this repository #69

Open etec-masterofsynapse opened 2 years ago

etec-masterofsynapse commented 2 years ago

While running through the current 4.11.0 setup and using the files in the repository, I still get

PHP FPM will ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to exclude certain directories from being handled by PHP FPM. For more information please see the official nginx server configuration

To ensure that sensitive files cannot be accessed directly it is recommended to configure your web server to restrict access to certain directories. For more information please see the official nginx server configuration

in PHP SAPI and Server info.

Isn't the solution to these errors to utilize the files in this repository?
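The two warnings quoted above describe one gap: under nginx with PHP-FPM, Matomo's .htaccess files are never read, so the web server itself has to refuse requests for sensitive directories and hand only known entry points to PHP. The following server block is an added illustration of that, not the configuration shipped in this repository; it assumes Matomo lives in /var/www/matomo, that PHP-FPM listens on unix:/run/php/php-fpm.sock, and uses a placeholder hostname.

```nginx
# Added example, not the matomo-nginx repository's own file.
# Assumed paths: /var/www/matomo (install root), /run/php/php-fpm.sock (FPM socket).
server {
    listen 443 ssl http2;
    server_name matomo.example.org;          # placeholder hostname
    root /var/www/matomo;                    # assumed install path
    index index.php;

    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # 1. Refuse direct access to directories that hold secrets or non-public
    #    data. config/ contains config.ini.php with the database credentials
    #    and tmp/ holds caches and sessions. Listed first so it wins over the
    #    PHP regex locations below (nginx takes the first matching regex).
    location ~ ^/(config|tmp|core|lang)/ {
        deny all;
    }

    # Dot-files (.git, .htaccess, .env ...) are never served either.
    location ~ /\. {
        deny all;
    }

    # 2. Pass only Matomo's public entry points to PHP-FPM.
    location ~ ^/(index|matomo|piwik|js/index)\.php$ {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Any other .php file (stray, uploaded, or inside a plugin) is refused
    # instead of being executed.
    location ~ \.php$ {
        deny all;
    }

    # Everything else is served as a static file or 404.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, a quick check from the outside is `curl -sI https://matomo.example.org/config/config.ini.php`, which should answer 403 rather than 200; the system check in the installer does not perform this request itself, which is why the warning can remain even when the rules are in place.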

dscham commented 1 year ago

Bumping this!

Although I assume, since it's a warning and not an error, that the installer just checks what kind of php and webserver you use and always displays the message when you use either php-fpm, nginx or both. I don't know if a fix is really worth the time, as it would have to check configuration or file access itself somehow.

etec-masterofsynapse commented 1 year ago

> Bumping this!
>
> Although I assume, since it's a warning and not an error, that the installer just checks what kind of php and webserver you use and always displays the message when you use either php-fpm, nginx or both. I don't know if a fix is really worth the time, as it would have to check configuration or file access itself somehow.

Thanks for your input.

However, on the topic of actually checking the web config, I think it would be very useful to actually do that, since I am sure nearly no one is running their Matomo instance behind a Zero Trust solution, so security vulnerabilities pertaining to readable confidential folders are very real.

dscham commented 1 year ago

Then more people have to recognize this. As long as it's just us two the matomo contributors probably won't see a reason to work on it. And I don't know if I want to get into PHP for that.

From what I see in the config, this should be safe anyway. It's just an annoyance that the system check shows misleading info there.

etec-masterofsynapse commented 1 year ago

The problem with this, and with IT security as a whole and Zero Trust, is that it is not easily understood, so it will be hard to gain a reasonable audience to raise awareness.

dscham commented 1 year ago

Sadly true.

Update on the issue for me though: it's gone. I don't know why exactly. Steps I did were: enabling a crontab for the archive, setting MySQL to a max packet size of 64MB, enabling force_ssl in the global.ini.php and updating the manifest.inc.php with the changed md5sum of that global.ini. Now all checks are green. I think the only thing that could make some kind of sense to have resolved it for me is the force_ssl.