@thesteffi opened this Issue on May 3rd 2018

Hi,

I started getting errors when trying to open the transition overlay. It keeps on loading and in console there is a 403 shown.

bildschirmfoto 2018-05-03 um 13 05 13

To resolve it I already tried to set file and folder permissions to 777 temporarily but the error was still not resolved. Usually permissions are set to 755 for folders and 644 for files.

I also tried switching from php 7.2.4 to 7.0.29 but that didn't help either.

Hope you can help me find the issues cause.

Best,
Stefanie

@fdellwing commented on May 3rd 2018 Contributor

https://en.wikipedia.org/wiki/HTTP_403

So the problem is, that the webserver blocks the call. You should take a look at your webserver logs to resolve the problem.

@thesteffi commented on May 4th 2018

Thanks for the log files tip. Just found that mod_security was messing with matomo.

[Thu May 03 15:48:10.864971 2018] [:error] [pid 31694] [client xxx.xxx.xxx.xx:42296] [client xxx.xxx.xxx.xx] ModSecurity: Access denied with code 403 (phase 2). Match of "beginsWith %{request_headers.host}" against "TX:1" required. [file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"] [line "179"] [id "340162"] [rev "294"] [msg "Protected by Atomicorp.com Basic Non-Realtime WAF Rules: URL detected as argument, possible RFI attempt detected"] [data "%TX:1,TX:1"] [severity "CRITICAL"] [hostname "dashboard.ebnerpublishing.com"] [uri "/matomo/piwik/index.php"] [unique_id "WusTGlXWe9wAAHvO7bsAAAAR"], referer: https://dashboard.ebnerpublishing.com/matomo/piwik/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday

Switched mod_security to detection only and now transitions display again. Is there any rule that I could insert to mod_security as exception so that it can be turned on without interfering with matomo?

Best,
Stefanie

@thesteffi commented on May 4th 2018

Just solved the issue by myself by disabling the single rule by its id (340162). For everyone else struggling with this issue and using Plesk see here and for everyone else just google SecRuleRemoveById. If anyone has a better solution let me know :)

This Issue was closed on May 4th 2018
Powered by GitHub Issue Mirror