matomo-org / matomo

https://matomo.org/
GNU General Public License v3.0

False-positive "required private directories" error using LoginLdap+SAML #19719

Open grandpaslab opened 2 years ago

grandpaslab commented 2 years ago

Expected Behavior

No error when /config, /tmp, etc. are not accessible through the browser

Current Behavior

False-positive "required private directories" error in System Check when access to /config, etc. is prohibited, but app is behind SAML auth w/ LoginLdap's web server auth enabled.

Possible Solution

System Check should only show the "required private directories" error if the requested directories/files are returned.

Steps to Reproduce (for Bugs)

  1. Install & enable LoginLdap plugin
  2. Enable LoginLdap's web server auth (Kerberos/REMOTE_USER)
  3. Run system check

Context

I'm running Matomo with the LoginLdap plugin for user management, and using Okta SAML auth via mod_auth_mellon (Apache) to set REMOTE_USER. mod_auth_mellon redirects to an Okta login page. Presumably the system check is assuming any 200 response means the requested file (/config/config.ini.php, etc.) is exposed through the web.

Your Environment
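
The false positive the reporter describes comes from treating any HTTP 200 as proof that the requested file was served, when in an SSO setup the 200 is the identity provider's login page. The sketch below is an added illustration and is not Matomo's own system-check code (Matomo is written in PHP; this Python version only demonstrates the heuristic). It assumes hypothetical `fetch_*` functions standing in for the web server and uses constructed, made-up file contents in `LOCAL_FILES`; the real check would read the actual files from disk and compare the HTTP body against them.

```python
# Added illustration (not Matomo's code): a content-aware "private directory
# exposed" probe that does not mistake an SSO login page for the file itself.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    body: bytes


Fetcher = Callable[[str], Response]

# Constructed stand-ins for the files the real check would read from disk.
# Paths are relative to the Matomo web root; the contents are made up.
LOCAL_FILES: Dict[str, bytes] = {
    "config/config.ini.php": (
        b"; <?php exit; ?> DO NOT REMOVE THIS LINE\n"
        b"[database]\nhost = \"db.internal\"\npassword = \"s3cret-example\"\n"
    ),
    "tmp/cache/tracker/general.php": b"<?php return array('x' => 1);\n",
}


def naive_is_exposed(path: str, fetch: Fetcher) -> bool:
    """Status-only check: any HTTP 200 counts as a disclosure (the behaviour
    the reporter suspects)."""
    return fetch(path).status == 200


def classify(path: str, fetch: Fetcher, local_files: Dict[str, bytes]) -> str:
    """Content-aware check.

    'exposed'      -> 200 and the body carries the real file contents
    'inconclusive' -> 200 but the body is something else (e.g. an SSO login
                      page served by mod_auth_mellon); report as a warning
    'protected'    -> any non-200 (403 from a deny rule, 404, 302 to an IdP)
    """
    resp = fetch(path)
    if resp.status != 200:
        return "protected"
    if local_files[path] in resp.body:
        return "exposed"
    return "inconclusive"


def content_aware_is_exposed(path: str, fetch: Fetcher,
                             local_files: Dict[str, bytes]) -> bool:
    return classify(path, fetch, local_files) == "exposed"


def run_check(fetch: Fetcher, local_files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every private file; the caller decides what to surface."""
    return {path: classify(path, fetch, local_files) for path in local_files}


# Hypothetical fetchers standing in for three web-server configurations.
def fetch_behind_sso(path: str) -> Response:
    # Redirect already followed: every URL, config.ini.php included, yields
    # the IdP login page with a 200 status.
    return Response(200, b"<html><body><form action='https://idp.example/sso'>"
                         b"Sign in</form></body></html>")


def fetch_misconfigured(path: str) -> Response:
    # Web server actually serves the file: a genuine disclosure.
    return Response(200, LOCAL_FILES[path])


def fetch_protected(path: str) -> Response:
    # A deny rule for /config and /tmp is in place.
    return Response(403, b"Forbidden")


if __name__ == "__main__":
    for name, fetch in [("behind SSO", fetch_behind_sso),
                        ("misconfigured", fetch_misconfigured),
                        ("deny rule", fetch_protected)]:
        print(name, run_check(fetch, LOCAL_FILES))
```

With the status-only check the SSO case is flagged as a disclosure; with the body comparison it is reported as inconclusive, which is the honest answer: the probe cannot tell whether the file would be served to an authenticated user, so a warning rather than an error is appropriate. If the probe does not follow redirects, the 302 to the identity provider already lands in the "protected" bucket and the question never arises.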

sgiehl commented 2 years ago

@grandpaslab Thanks for reporting this issue. I'm not sure if it would be easy to automatically handle such specific setups correctly. In your case maybe it makes more sense to simply disable the diagnostic check by setting the config value enable_required_directories_diagnostic