matomo-org / matomo-nginx

Nginx configuration for running Matomo

Denying /plugins results in missing images/icons in the GUI #78

Open mrimann opened 10 months ago

mrimann commented 10 months ago

The current suggestion is to render a 403 forbidden response to requests for /plugins/..., with the following rule (see https://github.com/matomo-org/matomo-nginx/blob/5b232af8ec1fd9d033f1c4ab9343f4073df64644/sites-available/matomo.conf#L80C1-L83C6):

    location ~ ^/(libs|vendor|plugins|misc|node_modules) {
        deny all;
        return 403;
    }

This results in e.g. the Matomo Logo on top left corner of the Matomo GUI to be unavailable: https://your.webserver.tld/plugins/Morpheus/images/logo.svg?matomo

Suggested solution: add a more specific location matcher so that requests to images are still possible, but not necessarily everything under /plugins/ is reachable.

dfranco commented 2 months ago

I'm facing the same issue with Matomo 5.1.0

dfranco commented 2 months ago

Found a way to fix the nginx config by adding the block below:

    ...
    location ~* \.(jpg|jpeg|png|gif|css|js|ico|svg|woff)$ {
        expires 1d;
    }
    ...

The above block MUST be declared before the corresponding block, such as:

    ...
    location /some.path {
        deny all;
        return 403;
    }
    ...

I've set the cache expiration to 1 day, feel free to change this value at your convenience.

Hope it helps others.
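
Added example, not part of the thread or of the matomo-nginx repository: a simplified Python model of nginx's first-match ordering for regex locations, used to list which requests stop returning 403 once the extension-based block from the comment above is placed ahead of the deny rule. The `NARROW` pattern is a hypothetical illustration of the "more specific location matcher" proposed in the issue, and all sample paths except the logo URL are constructed.

```python
import re

# Regex locations as (pattern, case_insensitive, action). nginx tests regex
# locations in the order they appear in the file and uses the first match.
DENY = (r"^/(libs|vendor|plugins|misc|node_modules)", False, "403")     # rule from the issue
STATIC = (r"\.(jpg|jpeg|png|gif|css|js|ico|svg|woff)$", True, "serve")  # block from the comment
# Hypothetical narrower matcher (an assumption, not the project's rule):
# only image files inside a plugin's images/ directory.
NARROW = (r"^/plugins/[^/]+/images/.+\.(svg|png|gif|jpe?g|ico)$", False, "serve")

ORIGINAL = [DENY]
WORKAROUND = [STATIC, DENY]
NARROWED = [NARROW, DENY]


def decide(locations, uri):
    """Action of the first matching regex location, or "fallback".

    Simplified model: prefix and exact-match locations are not modelled.
    nginx matches locations against the path, so the query string is dropped.
    """
    path = uri.split("?", 1)[0]
    for pattern, icase, action in locations:
        if re.search(pattern, path, re.IGNORECASE if icase else 0):
            return action
    return "fallback"


def newly_reachable(before, after, uris):
    """URIs answered with 403 under `before` but not under `after`."""
    return [u for u in uris
            if decide(before, u) == "403" and decide(after, u) != "403"]


# Constructed request paths; only the logo URL comes from the issue.
SAMPLE_URIS = [
    "/plugins/Morpheus/images/logo.svg?matomo",
    "/plugins/Example/config.php",
    "/vendor/example/lib.js",
    "/node_modules/example/index.js",
    "/libs/example/style.css",
    "/misc/notes.txt",
]

if __name__ == "__main__":
    print("workaround opens:", newly_reachable(ORIGINAL, WORKAROUND, SAMPLE_URIS))
    print("narrowed opens:  ", newly_reachable(ORIGINAL, NARROWED, SAMPLE_URIS))
```

In this model the extension-based block also serves matching files under /vendor, /libs and /node_modules, while the narrowed pattern opens only the plugin image path.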