Piwik block by AdBlock even after renaming piwik.php piwik.js #7364

Open
sambuev opened this issue Mar 4, 2015 · 68 comments
Labels
Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

@sambuev

sambuev commented Mar 4, 2015

Hello, I have Piwik installed on my hosting with a secret address: interes.site.com/sm/
and I have renamed piwik.php piwik.js to sm.php sm.js and I thought it could not be caught by AdBlock, but unfortunately AdBlock on my Safari browser is easily blocking Piwik, and many other users with their AdBlock (on Chrome, Firefox) are out of my view :(

screen shot 2015-03-04 at 18 21 38

What can I do to avoid blocking Piwik?
Is it possible to avoid it?

@mattab mattab added the Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change. label Apr 8, 2015
@mattab mattab added this to the Mid term milestone Apr 8, 2015
@MESWEB

MESWEB commented Sep 13, 2015

I got the same error, but I think this is difficult for the Piwik devs

@kylekatarnls
Contributor

I use rewriting and replace /piwik.php with just /p. Works like a charm.

@MESWEB

MESWEB commented Sep 13, 2015

Can you give any solution? I am trying this but without success with uBlock - https://www.codelibrary.me/tag/ad-block/

@kylekatarnls
Contributor

This is what I did (but with a proxy-pass in the same domain).

First remove "analytics" in the URL when you enter the rewrite rule and any word that can be seen as ads.

Then if it's not enough, use a proxypass (http://httpd.apache.org/docs/2.2/fr/mod/mod_proxy.html) on your own domain, so your URL to call Piwik will just look like "/p" and "/j"

(function() {
    _paq.push(['setTrackerUrl', '/p']);
    _paq.push(['setSiteId', 1]);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src='/j'; s.parentNode.insertBefore(g,s);
  })();

@Joey3000
Contributor

Guys, have you tried just replacing "piwik.php" and "piwik.js" in the tracking code with "js/", as described in https://github.com/piwik/piwik/blob/master/js/README.md? No .htaccess rewriting, file renaming, etc. needed.

See also:
http://forum.piwik.org/read.php?2,83940,125929
http://forum.piwik.org/read.php?4,14971

I've been using that for years. Just make sure that the "piwik" string (or any other string blocked by the ABP) doesn't appear anywhere in the URL (i.e. domain name, directories). After coming across this issue report, I've just tried it again with ABP on Firefox and it doesn't block it. I checked the ABP "easyprivacy" list again, and it only checks for the "piwik" string anywhere in the URL.

P.S.: Another solution is in https://piwik.org/faq/how-to/#faq_132, but that would require the server being able to make outbound connections.

@MESWEB

MESWEB commented Sep 15, 2015

None of the solutions you gave work with uBlock! I think uBlock is hard to defeat. The only solution is to use a server-side tracker. Piwik should use server-side tracking by default.

@Joey3000
Contributor

@MESWEB From https://addons.mozilla.org/en-us/firefox/addon/ublock-origin/:

Out of the box, these lists of filters are loaded and enforced:

- EasyList
- Peter Lowe’s Ad server list
- EasyPrivacy
- Malware domains

Any chance your Piwik URL doesn't pass any of those?

@Joey3000
Contributor

The following investigation is necessary:

  • If the filter lists can include not just Piwik installation URL parts, but also URL parameters. (I tried the lists provided in the original issue post with ABP on Firefox and Piwik was not blocked. But I haven't checked if the "Peter Lowe’s Ad server list" also used by ublock includes URL parameters. Or if any other list could do that.)
  • If the ability by the plugin to check the parameters is browser dependent (e.g. due to some browser restrictions). Since the original issue post refers to Safari.

And if the block can be URL parameter based, it could be the time for a Piwik plugin where the user could freely change them. (I don't know how deep into the rabbit hole one would need to go to do that.)

@kylekatarnls
Contributor

@MESWEB Piwik was using server-side (it was called phpMyVisites), but for many reasons (performance, security) it has been switched to client-side and it's a good thing. I use proxypass + url-rewriting (it's exactly equivalent to the solution mentioned by @Joey3000, but it is faster because it does not use PHP) and uBlock does not block this solution.

@MESWEB

MESWEB commented Sep 30, 2015

Yes, I know, and I tried changing the URL or filenames, and dynamically changed filenames with .htaccess and RewriteRule, but without effect. I saw something strange: none of my browsers (Opera, Chrome, Waterfox) has been counted by Piwik, but when the author of Piwik goes on my site I see his log in Piwik. So my question is WTF? I'm not the only one with this strange bug.

@kylekatarnls
Contributor

Maybe you misclicked in uBlock and added a filter in your browser; try resetting uBlock. Otherwise, if all your stuff is on the same domain, it should not be blocked, as uBlock does not search in the response body but only in request URLs.

@bdore

bdore commented May 22, 2017

Ok so I was able to go around Opera's built-in adblocker with some major changes to PiWik. I'm still testing to see if it holds together after deploy. This was tested only on a local server and PiWik self-hosted:

  • Opera has an option to send "do not track" requests which are respected by PiWik. I did not find a workaround for that but I figure if the user goes that far I might as well respect that.

Changes I made to the PiWik installation files:

  • rename installation directory to p
  • p/piwik.js renamed to p.js
  • p/piwik.php renamed to p.php
  • main script array _paq renamed to yourArray. Not sure if this is necessary, try without this first
    • find _paq, replace with yourArray in p.js
  • find all occurrences of action_name in files under p/ (action_name is a request parameter, this was being picked up by the blocker)
    • replace occurrences with yourParameter in:
      • p.js
      • core/Tracker/ActionPageview.php
      • core/Tracker/Request.php
      • js/piwik.js
      • js/piwik.min.js
      • vendor/piwik/piwik-php-tracker/PiwikTracker.php

Do all this at your own risk, this is totally experimental. This probably breaks something in PiWik. Not thoroughly tested.

@novakin

novakin commented May 24, 2017

@bdore would be great to be able to do that through a plugin

@sboesch

sboesch commented Jun 19, 2017

Keep in mind, instead of renaming any files, you should also be able to create symlinks:

$ ln -s piwik.js p.js && ln -s piwik.php p.php

This is much cleaner and at least uBlock seems to allow these requests as far as I checked for now.

@FabriceSalvaire

A lot of things are wrong here !

EasyList contains these basic rules :

  • /piwik-$domain=~github.com|~piwik.org
  • /piwik.$script,domain=~piwik.org
  • /piwik.php
  • /piwik/*$domain=~github.com|~piwik.org
  • /piwik1.
  • /piwik2.js
  • /piwik_
  • /piwikapi.js
  • /piwikC_
  • /piwikTracker.
  • .php?action_name=
  • .php?logRefer=
  • .php?logType=
  • .php?p=stats&
  • .php?ping=
  • .php?refcode=
  • .php?tracking=

Thus we have just to change in the tracking script

  • piwik.js to foo.js
  • piwik.php to foo

And two URL rules in the webserver to map them to the original paths.

It will work as long as the parameter list doesn't contain evident keywords like stat, log, track ... Blockers can try to be clever, but they will never break the www.
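
Added example (not part of the thread or any commenter's code): a simplified JavaScript matcher for the Adblock-Plus-style URL rules quoted in the comment above, run over constructed requests to show which part of a request each rule keys on. It handles only substring patterns, `*`, `$script` and `$domain=`; the hostnames and sample requests are constructed.

```javascript
// Rules copied from the EasyList excerpt quoted in the comment above.
const RULES = [
  '/piwik-$domain=~github.com|~piwik.org',
  '/piwik.$script,domain=~piwik.org',
  '/piwik.php',
  '/piwik/*$domain=~github.com|~piwik.org',
  '/piwik_',
  '/piwikTracker.',
  '.php?action_name=',
  '.php?tracking=',
];

// Split "pattern$opt1,opt2" into a regex plus type and domain constraints.
function parseRule(raw) {
  const cut = raw.indexOf('$');
  const pattern = cut === -1 ? raw : raw.slice(0, cut);
  const options = cut === -1 ? [] : raw.slice(cut + 1).split(',');
  const rule = { raw, types: [], include: [], exclude: [] };
  for (const opt of options) {
    if (opt.startsWith('domain=')) {
      for (const d of opt.slice('domain='.length).split('|')) {
        if (d.startsWith('~')) rule.exclude.push(d.slice(1));
        else rule.include.push(d);
      }
    } else {
      rule.types.push(opt); // request type restriction, e.g. "script"
    }
  }
  // Escape regex metacharacters, then expand the "*" wildcard.
  const source = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  rule.regex = new RegExp(source, 'i'); // filters are case-insensitive by default
  return rule;
}

// True when host is the domain itself or one of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// The domain option refers to the page making the request, not the request URL.
function ruleApplies(rule, req) {
  if (rule.types.length && !rule.types.includes(req.type)) return false;
  if (rule.exclude.some((d) => hostMatches(req.pageHost, d))) return false;
  if (rule.include.length &&
      !rule.include.some((d) => hostMatches(req.pageHost, d))) return false;
  return rule.regex.test(req.url);
}

const PARSED = RULES.map(parseRule);

// Returns the text of the first rule that blocks the request, or null.
function firstMatch(req) {
  const hit = PARSED.find((r) => ruleApplies(r, req));
  return hit ? hit.raw : null;
}

// Constructed sample requests (not taken from the thread).
const SAMPLES = [
  { url: 'https://stats.example.test/piwik.js', type: 'script', pageHost: 'www.example.test' },
  { url: 'https://piwik.org/piwik.js', type: 'script', pageHost: 'piwik.org' },
  { url: 'https://www.example.test/p.php?action_name=Home&idsite=1&rec=1', type: 'image', pageHost: 'www.example.test' },
  { url: 'https://www.example.test/piwik.gif', type: 'image', pageHost: 'www.example.test' },
];

function evaluateSamples() {
  return SAMPLES.map((req) => ({ url: req.url, rule: firstMatch(req) }));
}

for (const { url, rule } of evaluateSamples()) {
  console.log(rule ? `BLOCK  ${url}  (rule: ${rule})` : `ALLOW  ${url}`);
}
```

The third sample is caught by its query parameter even though the file name contains no "piwik", and the fourth passes only because the `/piwik.` rule is limited to script requests.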

@arnowelzel

arnowelzel commented Sep 12, 2017

If you use the "proxy" script to hide the real URL of your Piwik server (see https://github.com/piwik/tracker-proxy) you can also use that to hide parameter names as well.

When sending the JavaScript, just do a str_replace for "action_name=" to something else, e.g. "aname=" and then rename the $_GET parameter back to the original name. You should also rename this proxy script from "piwik.php" to something else.

So - first replace "action_name" in the provided JavaScript from the Piwik server:

        if ($piwikJs = $content) {
            echo str_replace('"action_name="', '"aname="', $piwikJs); 
        } else {

And this to accept "aname" as parameter but forward it as "action_name" in the server side CURL request to the Piwik server:

if(isset($_GET['aname'])) {
        $_GET['action_name'] = $_GET['aname'];
        unset($_GET['aname']);
}
foreach ($_GET as $key => $value) {
    $url .= urlencode($key ). '=' . urlencode($value) . '&';
}

But be aware, that even the new parameter name "aname" may once get into filter lists as well - so you may have to use something else.

@omarr1000

@arnowelzel: where do I place this code? In which file?
I tried in piwik.php (from tracker-proxy), but no success, nothing is replaced, still have "action_name"
thx for an advice in advance

@arnowelzel

@omarr1000: then you did something wrong. See the script here, which I use on my own server (https://arnowelzel.de):

https://arnowelzel.de/samples/piwik-tracker-proxy.txt

@omarr1000

thx! now I got it, did write the code at the wrong line )-;

@londonuk371

I had to do 2 things:

  • First the symlinks $ ln -s piwik.js p.js && ln -s piwik.php p.php like proposed by @sboesch
  • Then modify piwik.js / piwik.php:
    piwik.js:
    Rename "action_name=" to "_action_name"
    piwik.php:
    Added in the first line of piwik.php:
    if(isset($_GET['_action_name'])) { $_GET['action_name'] = $_GET['_action_name']; }

uBlock Origin was blocking ?action_name=

@suppadeliux

suppadeliux commented Jul 31, 2020

Hello, I tried some of the solutions from this issue, and somehow now my ad blocker is not blocking the request anymore!!

I created links with the command ln -s piwik.js p.js && ln -s piwik.php p.php & ln -s matomo.js m.js && ln -s matomo.php m.php, and also changed the action_name and idsite for something else.

And since I am using the angular plugin for matomo, I am overloading some of the code so I can change the _paq.push(['setTrackerUrl', u + 'p.php']); and the g.src = !!scriptUrl ? scriptUrl : u + 'p.js';

BUT, now I have this error:
https://mysite.com/p.php?my_action.......... 403 (Forbidden)

I guess that the tracker cannot find the file p.php. But I have no idea where to change this.

For example if I type in my browser the matomo instance mysite.com/piwik.php or mysite.com/matomo.php,
I have the message (This resource is part of Matomo. Keep full control of your data with the leading free and open source web analytics & conversion optimisation platform.)

But if I type mysite.com/p.php, this doesn't work and sends an error.

I am so confused that I don't really know what to do, maybe the solution is pretty easy but I can't see that.

Thank you for your help.

UPDATE - 4th August: Since my matomo instance was served by an nginx web server, I updated the configuration file, and added the file name m.php in sites-available and that's it!

Maybe this will be helpful for someone.

@Tealk

Tealk commented Feb 6, 2021

I really do not know how to get around this
grafik

@arnowelzel

arnowelzel commented Feb 6, 2021

I really do not know how to get around this
grafik

By using a proxy script which takes parameters with other names and forwards this to the real script of Matomo as suggested already in 2017.

@Tealk

Tealk commented Feb 6, 2021

By using a proxy script which takes parameters with other names and forwards this to the real script of Matomo as suggested already in 2017.

Does this still work, this is already a good 4 years old

@arnowelzel

By using a proxy script which takes parameters with other names and forwards this to the real script of Matomo as suggested already in 2017.

Does this still work, this is already a good 4 years old

Yes - it still works, even with a current version of Matomo. The script I posted here is still in use on my own website and many others:

https://arnowelzel.de/samples/piwik-tracker-proxy.txt

@kylekatarnls
Contributor

It was even mentioned already in 2015 ^^
#7364 (comment)

The principle is that there are plenty of different ad blockers trying different detection methods; you have to leave nothing that makes it possible to link the script to Matomo.

@Tealk

Tealk commented Feb 6, 2021

https://arnowelzel.de/samples/piwik-tracker-proxy.txt

but the tracking code seems to have changed and i am not really fit in javascript

<!-- Matomo -->
<script type="text/javascript">
    var _paq = window._paq = window._paq || [];
    _paq.push(['requireCookieConsent']);
    _paq.push(['setSecureCookie', true]);
    _paq.push(['trackAllContentImpressions']);
    (function() {
        var u = "https://trackedsite.com/";
        _paq.push(['setTrackerUrl', u + 'indexx.php']);
        _paq.push(['setSiteId', '6']);
        var d = document,
            g = d.createElement('script'),
            s = d.getElementsByTagName('script')[0];
        g.type = 'text/javascript';
        g.async = true;
        g.src = u + 'indexx.js';
        s.parentNode.insertBefore(g, s);
    })();
</script>
<noscript>
    <p><img src="https://trackedsite.com/indexx.php?idsite=6&amp;rec=1" style="border:0;" alt="" /></p>
</noscript>
<!-- End Matomo Code -->

how do I have to adjust this now?

@arnowelzel

https://arnowelzel.de/samples/piwik-tracker-proxy.txt

but the tracking code seems to have changed and i am not really fit in javascript

The proxy script does not need to be changed - it just loads the content of piwik.js from Matomo and replaces a number of parameter names so they can be used with a different name.

On my site, the script is then used this way:

<script>
    var pkBaseURL = "https://arnowelzel.de/";
    document.write(unescape("%3Cscript src='" + pkBaseURL + "pwproxy.php' type='text/javascript'%3E%3C/script%3E"));
</script><script>
    try {
        var piwikTracker = Piwik.getTracker(pkBaseURL + "pwproxy.php", 1);
        piwikTracker.trackPageView();
        piwikTracker.enableLinkTracking();
        piwikTracker.disableCookies();
    } catch( err ) {}
</script><noscript><p><img src="https://arnowelzel.de/pwproxy.php?ids=1&amp;rec=1" style="border:0" alt="" /></p></noscript>

And this works with Matomo just fine. No need for any JavaScript changes. Just put pwproxy.php with the content as shown in https://arnowelzel.de/samples/piwik-tracker-proxy.txt and use it as shown above.

I also have a page which shows the statistics of my site by using the Matomo API: https://arnowelzel.de/en/tools/statistics

@Tealk

Tealk commented Feb 6, 2021

is it possible to enable _paq.push(['setSecureCookie', true]);?

and i have some functions like:

function showHome() {
  ...
  _paq.push(['setDocumentTitle', 'Home']);
  _paq.push(['trackPageView']);
}

Also I get the message and I do not want to turn off nosniff
The resource of "https://trackedsite.com/mproxy.php" was blocked because of a MIME type conflict ("text/html") (X-Content-Type-Options: nosniff).

@arnowelzel

You can substitute the _paq calls with the respective methods of piwikTracker, e.g.

piwikTracker.setDocumentTitle('Home');
piwikTracker.trackPageView();

Note: piwikTracker.trackPageView(); is already included in my code.

See the available methods of the "old" API at https://developer.matomo.org/api-reference/tracking-javascript.

About the cookie consent: I don't set a cookie at all (piwikTracker.disableCookies();), so I also don't need any consent for this. In my experience this is good enough to get useful statistics for a website. I don't need information about returning visitors. However - if you use cookies you should also implement some kind of cookie consent dialog on your website to fulfil GDPR requirements.

@Tealk

Tealk commented Feb 6, 2021

However - if you use cookies you should also implement some kind of cookie consent dialog on your website to fulfil GDPR requirements.

I have written a very nice one for myself.

@omarr1000

omarr1000 commented Oct 1, 2021

@arnowelzel
I just added your script (piwik-tracker-proxy.txt) and the js on the site. So far fine, no errors etc.
BUT in my Matomo nothing is tracking! Any idea?

var pkBaseURL = "https://sayami.de/";
document.write(unescape("%3Cscript src='" + pkBaseURL + "pwproxy.php' type='text/javascript'%3E%3C/script%3E"));
</script><script>
try {
  var piwikTracker = Piwik.getTracker(pkBaseURL + "pwproxy.php", 1);
  piwikTracker.trackPageView();
  piwikTracker.enableLinkTracking();
  piwikTracker.disableCookies();
} catch( err ) {}

grafik

The default tracking code did work...

thx in advance (-;

@arnowelzel

@omarr1000 The script has to be named pwproxy.php, so you can call it using https://sayami.de/pwroxy.php. Also you need to adjust the script so it uses the correct tracking IDs from your server.

@omarr1000

sure I know, all done as you mentioned, is named pwproxy.php, in that file edited the correct path and auth_token

$PIWIK_URL = 'https://sayami.de/path_to_matomo/';
$TOKEN_AUTH = 'xxxyyyyzzzz';

with tracking ID you mean the SiteId? or the token_auth?

@arnowelzel

arnowelzel commented Oct 1, 2021

(forget the comment about pwproxy.php - seems to be ok now)

And yes, I talk about the TOKEN_AUTH, just follow the instructions in the script.

And is https://sayami.de/path_to_matomo/ the correct path? If you run Matomo on another domain you have to put the domain here not some path inside sayami.de

@omarr1000

The Matomo path is in the same domain as described

@arnowelzel

Then I don't know what's wrong, sorry.

@jsvtrlvrslv

https://arnowelzel.de/samples/piwik-tracker-proxy.txt

but the tracking code seems to have changed and i am not really fit in javascript

The proxy script does not need to be changed - it just loads the content of piwik.js from Matomo and replaces a number of parameter names so they can be used with a different name.

On my site, the script is then used this way:

<script>
    var pkBaseURL = "https://arnowelzel.de/";
    document.write(unescape("%3Cscript src='" + pkBaseURL + "pwproxy.php' type='text/javascript'%3E%3C/script%3E"));
</script><script>
    try {
        var piwikTracker = Piwik.getTracker(pkBaseURL + "pwproxy.php", 1);
        piwikTracker.trackPageView();
        piwikTracker.enableLinkTracking();
        piwikTracker.disableCookies();
    } catch( err ) {}
</script><noscript><p><img src="https://arnowelzel.de/pwproxy.php?ids=1&amp;rec=1" style="border:0" alt="" /></p></noscript>

And this works with Matomo just fine. No need for any JavaScript changes. Just put pwproxy.php with the content as shown in https://arnowelzel.de/samples/piwik-tracker-proxy.txt and use it as shown above.

I also have a page which shows the statistics of my site by using the Matomo API: https://arnowelzel.de/en/tools/statistics

Does this trick still work in the latest version of Matomo?

@arnowelzel

arnowelzel commented Jan 11, 2023 via email

@elmaxid

elmaxid commented Feb 22, 2023

Hello,

I'm playing with Matomo on premise and I found that some ad blockers like Adblock, ublock, etc. are blocking Matomo's JavaScript.

Let me tell you how I solved it and apparently it's been working fine for a few days.

  1. I have Matomo installed on a server with nginx.

The hack consists of changing the URL of the requests, for which I did the following:

Within the root directory of Matomo:

  1. Created a directory called "mt" within the root directory:

mkdir mt

  2. Created symbolic links of the js and php:

ln -s matomo.js mat.js
# a relative link target is resolved from the link's own directory (mt/), so point one level up
ln -s ../matomo.php mt/index.php

Make sure that the last "matomo.php" has a symbolic link created inside the "mt" directory.

Added to the nginx configuration that the "mt" directory serves the index.php directly.

location /mt {
    index index.php;
}

  3. Modify the script like:

<script>
          var _paq = window._paq = window._paq || [];      
          _paq.push(['trackPageView']);
          _paq.push(['enableLinkTracking']);
          (function() {
            var u="//xxxx.xxx.com/";
            _paq.push(['setTrackerUrl', u+'mt/']);
            _paq.push(['setSiteId', '3588']);
            var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
            g.async=true; g.src=u+'mat.js'; s.parentNode.insertBefore(g,s);
          })();
        </script>

and now works with adblock and ublock without problem

I hope this helps

M.

@foxx9

foxx9 commented May 4, 2023

Hi,
The simplest way is to use what @Joey3000 mentioned :
https://github.com/piwik/piwik/blob/master/js/README.md

Use js/ both as the javascript and php url AND enable POST requests to avoid parameters filtering:

...
_paq.push(['setTrackerUrl', u+'js/']);
....
_paq.push(['setRequestMethod', 'POST']);
...
g.async=true; g.src=u+'js/'; s.parentNode.insertBefore(g,s);
...

@twarkie

twarkie commented May 6, 2023

Hi, The simplest way is to use what @Joey3000 mentioned : https://github.com/piwik/piwik/blob/master/js/README.md

Use js/ both as the javascript and php url AND enable POST requests to avoid parameters filtering:

...
_paq.push(['setTrackerUrl', u+'js/']);
....
_paq.push(['setRequestMethod', 'POST']);
...
g.async=true; g.src=u+'js/'; s.parentNode.insertBefore(g,s);
...

This almost works. The script is loaded just fine even with adblock, but the actual tracking request is still blocked. Not sure why but maybe the url parameters are filtered somehow. Having _paq.push(['setRequestMethod', 'POST']); seems to keep all parameters in the URL even though the request is sent using POST. Would be nice to have a clean URL and move the url params to post data.

@arnowelzel

@twarkie Modern blockers do not only work based on URL patterns but also recognize the behaviour of trackers like Piwik/Matomo. For example uBlock Origin recognizes that as "tracker ping" request and will block that, no matter how you name parameters or URL. This is something you can not overcome.

@Fransferdy

It is 2024, I'm trying to use Matomo, I use the browser Brave here. Well, Brave sure seems to be awesome at privacy, because it blocks matomo no matter what I do!

  1. I changed directories (matomo) to analise.

  2. I changed matomo.js to analise.js, and matomo.php to batatinha.php

  3. Changed action_name to master_potato
    At this point, Brave still blocks the php call, but not the js files.

  4. I went into the js sendRequest function, and replaced the query parameters with a Reverse, base64Encoded version of themselves, something like query = base64Encode(query).reverse()

  5. In the anali.sephp(matomo.php), I unreverse and decode the base64, before setting the query parameters for PHP.

The above is working correctly, but somehow Brave still manages to find out it is a tracking request and blocks it.

So all files have different names, the query parameters are completely different and obfuscated, and still, Brave manages to keep my privacy (and everyone else's! haha). I don't know what else I can do.

Also, the default matomo.js script seems to only count Page Loads, so it does not really work with React Websites. Matomo does have an alternative to that, which is the Tag Manager, that generates and regenerates a custom matomo.js, 'destroying' all the possible corrections we have been doing in this thread. Any ideas?
At this point I think that if you want to avoid ad blockers and use analytics with a Reactive Website, maybe Matomo isn't ideal.

@arnowelzel

Modern blockers stop Matomo and other access tracking tools because of their behaviour and not because of specific URLs - and as far as I know there is no way to circumvent this.

@jsvtrlvrslv

jsvtrlvrslv commented Jan 27, 2024

Modern blockers stop Matomo and other access tracking tools because of their behaviour and not because of specific URLs - and as far as I know there is no way to circumvent this.

Do you have any material that proves this?

If you use a script on the same domain, pass the .php and only then, via the server side, send the .php to Matomo (external domain)... will this not solve the problem?

@arnowelzel

Just look at the network requests list in the web developer tools and look for type "ping" requests which get blocked, for example with uBlock Origin enabled. This kind of block can not be circumvented since the behaviour is blocked, not a URL.

@Fransferdy

Fransferdy commented Jan 27, 2024

Modern blockers stop Matomo and other access tracking tools because of their behaviour and not because of specific URLs - and as far as I know there is no way to circumvent this.

Do you have any material that proves this?

If you use a script on the same domain, pass the .php and only then, via the server side, send the .php to Matomo (external domain)... will this not solve the problem?

That's the next thing I will try, I just need to find out how to get the stats from matomo.js so I can pack it and send it to my server in each page load and history change.

I wonder if Brave marks variables with tracking/user information as "tainted" somehow and any attempt to "send" them out of the browser is blocked.(it would be really cool if they did that, and hard to manage lol)

@jsvtrlvrslv

I'm going to try that too. Share when you have news!
