harden piwik directory structure #8120
Comments
|
Hi @thomaszbz Our official standpoint on this is that it can be done at the webserver level and we recommend to do it at the web server level. For example the nginx-piwik project: https://github.com/perusio/piwik-nginx will configure hardened security and will only allow access to those few needed files. Unfortunately we won't change the directory structure in Piwik core (it is too much work), so please consider doing it at web server config. (leaving the issue opened as our decision may change in the future) |
mattab
added
the
Task
|
Actually, I expected that you would close this issue instantly either for being duplicate or somehow stupid/paranoid ;) Now, the point is:
Concerning https://github.com/perusio/piwik-nginx I want to remark that it does not fit my needs anyways:
Actually, piwik-nginx really strengthens my opinion that the directory structure needs to be improved (or at least worked around) to be configurable by any webserver. I guess that the fact that Piwik uses the same index.php for backend and frontend (e.g. opt-out) makes it impossible to distinguish both of them easily in webserver configuration rules (unless you work with rules on obscure URLs which can change every update). At least, you could have a look at my workaround: |
|
That's the workaround described in http://www.slicewise.net/php/piwik-absichern/ : . Basically, what it does:
This is not very sophisticated because
However: Using a seperate proxy file allowed me to easily apply web server configuration rules. Maybe this could be an option for you if you don't want to change the whole directory structure. I could also live with a bunch of symlinks in a wwwroot subfolder collecting all the files to be URL-accessible from the original directory structure. Still, there would be no dependency to a web server (e.g. apache, nginx). Please don't get me wrong: I don't want you to add additional http authentification. This specific .htaccess is just one of the use cases I described. |
|
@thomaszbz if somehow you manage to create a good apache configuration for hardened Piwik, it would be great if you could put this on Github in a repository |
|
As said: A good webserver configuration (no matter which webserver) is currently not possible, as long as the limitations in the Piwik file structure exist. That should also hold true for piwik-nginx repository. |
|
some remarks from my experience deploying piwik with nginx. i first went more or less accordingly to https://github.com/perusio/piwik-nginx which is quiet obviously bloated as a general advise. location / {
deny all;
location = /index.php {
# test if there's a request to the admin interface from outside
# the local network, drops the request unless the optOut-option is targeted
if ( $remote_addr != "1.2.3.4" ) { set $admin_test "x"; }
if ( $query_string !~ "^module=CoreAdminHome&action=optOut(&.*)?" ) { set $admin_test "${admin_test}x"; }
if ( $admin_test = "xx" ) { return 444; }
allow all;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location = /piwik.php {
allow all;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location = /piwik.js {
allow all;
}
location ~* \.(css|gif|html|js|png|svg)$ {
allow 1.2.3.4;
}
}my suggestion would be to move the opt-out functionality to the location / {
deny all;
allow 1.2.3.4;
location = /index.php {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /(optout|piwik)\.php {
allow all;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location /piwik.js {
allow all;
} |
|
Won't fix as far as i know, unless there is a specific issue that would require this in the future. |
mattab
added
the
answered
Disclaimer: I'm using the term "backend" for the GUI accessible to authentificated users in this issue.
As far as I can see, Piwik claims to be easily installable in a wwwroot by just dropping the piwik files there. As long as secret resources like the Piwik backend are secured e.g. via login: This is nice and nothing to be concerned about, at least in the first place. Many php applications do it this way, as for example TYPO3 CMS.
However, there is also a different approach which can be considered paranoid by some people: Why on earth should ressources made public if there is no need to do so? What, if there's a security issue in the backend authentification of Piwik at some time? What, if some misconfigured web server does not render PHP files and offers a download instead?
In the Piwik scenario, there's only two things that need to be made public:
The problem here is that, currently,
To harden piwik, I schematically suggest an improved directory structure (which is similar to what some sophisticated php-frameworks like symphony2 offer):
Basically, this means that php code is not accessible via url, as it resides in /src which is not in /wwwroot. Plus, the backend can be protected easily via URL /backend/*.
Still, the new structure allows not to use /wwwroot as wwwroot as well as using the same URLs via optional symlinks. Basically, this means piwik can still be just dropped somewhere in a wwwroot as before, thereby having the old level of security.
Keep in mind that the suggested directory structure was just schematically. Of course, the naming should better fit to what Piwik already uses. Therefore requires further discussion.
Right now, I worked around the problem with a proxy php file for the opt-out (securing the route which is accessible by anomynous users) and then securing anything else with additional http-authentification (.htaccess). Workaround (in German): http://www.slicewise.net/php/piwik-absichern/
There's other use-cases as well like
Thereby, BC may not be broken as
Most of BC can be done via the corresponding symlinks (or duplicate files). Even if users can't configure their vhost to use /wwwroot as the wwwroot, they still benefit from being able to secure their Piwik installation via .htaccess.
The text was updated successfully, but these errors were encountered: