
Security improvement: put the optout function in another file #11039

Closed
bohnelang opened this issue Dec 19, 2016 · 10 comments
Labels
wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it.

Comments

@bohnelang

bohnelang commented Dec 19, 2016

Piwik should strictly differentiate between (tracking) requests from users and admin requests from staff.

At the moment the optout function is done by index.php, which normally handles admin/staff requests. Thus it is hard to make the login page safe. (Every web admin knows that login pages get daily brute force attacks by scripts from the Internet :-/)


At the moment I am using a work-around. We have this situation:
#Internet <--|--> [head www server: www.mydomain.de] <-----> [piwik webserver: piwik.mydomain.de]

Staff can directly access Piwik by http://piwik.mydomain.de/piwik/
Users call Piwik (files) by http://www.mydomain.de/piwik/

I added some Apache Rewrite rules on the head webserver to avoid login attacks from the Internet:

#Do not allow anyone from outside (!) to access /piwik/index.php
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]
RewriteRule     ^/piwik/$                  - [F,L]

#Define a virtual file optout.php that calls index.php with predefined parameters
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ http://piwik.mydomain.de/piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [P,NE,L]

#All other requests are sent to the piwik server
ProxyPass        /piwik/ http://piwik.mydomain.de/piwik/
ProxyPassReverse /piwik/ http://piwik.mydomain.de/piwik/

Greetings - Andreas

@gaumondp

This bugged us too, 3 years ago, and what we did was only permit 2 files to be seen from the internet: piwik.js and piwik.php. All others are only visible from our infrastructure or with a VPN connection.

@bohnelang
Author

bohnelang commented Dec 21, 2016

This was my first idea, too. But unfortunately the optout function is called by the user and done by index.php.
These (untested) RewriteRules could solve this problem if piwik is directly connected to the Internet:

#Internet <--|--> [piwik webserver: piwik.mydomain.de]

#Do not allow anyone from outside (!) to access /piwik/index.php except your IP range (e.g. 192.168.x.x)
RewriteCond %{REMOTE_ADDR}  !^192\.168\.
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]

#Do not allow anyone from outside (!) to access /piwik/ except your IP range (e.g. 192.168.x.x)
RewriteCond %{REMOTE_ADDR}  !^192\.168\.
RewriteRule     ^/piwik/$                  - [F,L]

#Define a virtual file optout.php that calls index.php with predefined parameters
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ /piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [PT,NE,L]

@janw1

janw1 commented Feb 3, 2017

How can I secure my piwik directory when Piwik is installed like:
https://www.mydomain.com/piwik

Users from outside should be tracked and be able to use the optout function,
but only users from "inside" (my IP range) should be able to log in?

@bohnelang
Author

For that I need to know what kind of system, network and web server you have. What IP range is your Intranet?

@janw1

janw1 commented Feb 3, 2017

It's an Apache webserver (Linux system) and my Intranet IP range begins with 172.25.xx.xx

@bohnelang
Author

bohnelang commented Feb 6, 2017

Please try this:

#Internet <--|--> [piwik webserver: www.mydomain.de/piwik/]

apt-get install apache2-utils
a2enmod rewrite
edit /etc/apache2/sites-enabled/

# Piwik is installed in /piwik/
RewriteEngine   On
RewriteCond %{REMOTE_ADDR}  !^172\.25\.
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]

RewriteCond %{REMOTE_ADDR}  !^172\.25\.
RewriteRule     ^/piwik/$                - [F,L]

#Define a virtual file optout.php that calls index.php with predefined parameters
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ /piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [PT,NE,L]


apache2ctl configtest
apache2ctl restart

@bohnelang
Author

bohnelang commented Feb 6, 2017

Now please test:

https://www.mydomain.com/piwik/optout.php?idsite=1

and from inside and outside:

https://www.mydomain.com/piwik/

@mattab
Member

mattab commented Feb 20, 2017

Thanks for the suggestion, but we won't put the opt-out in a different file.

@mattab mattab closed this as completed Feb 20, 2017
@mattab mattab added the wontfix If you can reproduce this issue, please reopen the issue or create a new one describing it. label Feb 20, 2017
@thomaszbz

@bohnelang Adding a separate PHP file which includes the index.php is relatively easy. From there, you can deny access to the index.php using a .htaccess file.

Example: https://www.slicewise.net/php/piwik-absichern/
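One way to implement the wrapper-plus-.htaccess approach described in the comment above, as an added example that is neither Piwik's own code nor taken from the linked article. It assumes Piwik's dispatcher reads module and action from $_GET (with $_GET taking precedence over $_POST), that the intranet range is 172.25.0.0/16 as mentioned earlier in the thread, and that AllowOverride permits the .htaccess; the file name optout.php, the function name optoutParams and the .htaccess snippet are assumptions.

```php
<?php
/*
 * optout.php, placed next to Piwik's index.php (added example, not Piwik code).
 *
 * Pair it with a .htaccess in the same directory (Apache 2.4 syntax) so the
 * full admin entry point is reachable only from the intranet, while this
 * public file can only ever dispatch the opt-out action:
 *
 *   <Files "index.php">
 *       Require ip 172.25.0.0/16
 *   </Files>
 *
 * Tracking (piwik.php / piwik.js) is not affected by either file.
 */

// Assumption: Piwik's Common::getRequestVar() reads $_GET + $_POST, so forcing
// module/action in $_GET pins the request to the opt-out action no matter what
// the caller sent. $_POST is left intact because the opt-out form posts its
// own fields (nonce, trackVisits) back to this URL.
function optoutParams(array $get)
{
    // idsite: positive integer only, otherwise dropped.
    $idsite = (isset($get['idsite']) && preg_match('/^\d+$/', (string) $get['idsite']))
        ? (int) $get['idsite'] : 0;

    // language: simple locale tag only, default "de" as in the rewrite rules above.
    $language = (isset($get['language']) && preg_match('/^[a-z]{2}(-[a-z]{2})?$/i', $get['language']))
        ? strtolower($get['language']) : 'de';

    $params = array(
        'module'   => 'CoreAdminHome',
        'action'   => 'optOut',
        'language' => $language,
    );
    if ($idsite > 0) {
        $params['idsite'] = $idsite;
    }
    return $params;
}

$_GET = optoutParams($_GET);
$_REQUEST = $_GET + $_POST;
$_SERVER['QUERY_STRING'] = http_build_query($_GET);

// Hand over to the regular dispatcher, which now only sees the fixed module/action pair.
require __DIR__ . '/index.php';
```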

@bohnelang
Author

Thanks - Looks good!
