@robertharm opened this Issue on December 12th 2017

Follow-up ticket to comments at https://github.com/piwik/piwik/issues/4577#issuecomment-349647360

With Piwik v3.2.1 IP restrictions for viewing dashboards were introduced (https://piwik.org/faq/how-to/faq_25543/)

An unwanted side effect of this feature is that e.g. the Piwik plugin for WordPress is broken, resulting in an inaccessible backend for all users who have the permission to "show statistics" and "Dashboard graph".

I guess it would be best to add a new option which allows to restrict access to the login form only, as this would not break the Piwik WordPress plugin for other (WordPress) users whose IP is not whitelisted.

@MaximeCulea commented on October 29th 2020

Hello there, this is definitely a must-have feature for multiple purposes:

  • security, in adding a layer of authorization on the login form, which is pretty handy in case of brute force.
  • before even allowing any registered user, it filters where people can connect from. In big companies, such as those I work with, they all connect from a VPN, firewall, etc., which is mandatory to use an application.

This could be done in two ways:

  • for the self-hosting, an htaccess config documented in a FAQ.
  • for other instances, a global configuration where we edit an IP list. Of course, a check could be done on the current IP to prevent any self lockdown.

@sgiehl commented on October 29th 2020 Member

@MaximeCulea
Regarding .htaccess restriction there are some notes in this FAQ: https://matomo.org/docs/security-how-to/#other-tips
To restrict the login for certain IPs you can use the config: https://matomo.org/faq/how-to/faq_25543/

@MaximeCulea commented on October 29th 2020

@sgiehl awesome, that's what I was talking about. Thank you!
Badly, the internal search tool and Google search did not allow me to find this documentation :/

Anyway, I have like 32 IPs to add, is there a way to add some comments into the config.ini.php to arrange them?

@sgiehl commented on October 29th 2020 Member

> Anyway, I have like 32 IPs to add, is there a way to add some comments into the config.ini.php to arrange them?

sure. You can start comments using ;

@MaximeCulea commented on October 29th 2020

Many thanks !! @sgiehl
Hope I didn't carjack the issue of @robertharm :)

@robertharm commented on October 29th 2020

ok for me @MaximeCulea ;-)
Thanks for the update - did not know that login_whitelist_ip[] exists - so the issue could actually be closed IMO

@tsteur commented on October 29th 2020 Member

Thanks @robertharm

This Issue was closed on October 29th 2020
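
As an added example (not part of the thread and not Matomo code): a pre-deployment check that reads the `login_whitelist_ip[]` lines from a config fragment, skips `;` comment lines, and confirms a given admin IP is covered, to avoid the self-lockout mentioned above. The function names and the sample config are constructed, and the entry formats handled here (single IP, CIDR, trailing `*` wildcard) are assumptions; Matomo's own matching may differ.

```python
import ipaddress

# Constructed sample of a config.ini.php fragment (documentation addresses only).
SAMPLE_CONFIG = """\
; <?php exit; ?> DO NOT REMOVE THIS LINE
[General]
; --- office egress ---
login_whitelist_ip[] = 192.0.2.10
; --- VPN concentrators ---
login_whitelist_ip[] = 198.51.100.0/24
; --- legacy site ---
login_whitelist_ip[] = 203.0.113.*
"""

def parse_whitelist(text):
    """Return the login_whitelist_ip[] values, skipping ';' comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";") or not line.startswith("login_whitelist_ip[]"):
            continue
        value = line.partition("=")[2].strip().strip("\"'")
        if value:
            entries.append(value)
    return entries

def to_network(entry):
    """Convert one entry to an ip_network; raises ValueError if malformed."""
    if "*" in entry:
        # Assumed IPv4 wildcard form: every '*' must be a trailing octet.
        octets = entry.split(".")
        fixed = [o for o in octets if o != "*"]
        if len(octets) != 4 or octets[:len(fixed)] != fixed:
            raise ValueError(f"unsupported wildcard: {entry}")
        padded = fixed + ["0"] * (4 - len(fixed))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(fixed)}")
    return ipaddress.ip_network(entry, strict=False)

def is_allowed(ip, entries):
    """True if ip falls inside at least one whitelist entry."""
    addr = ipaddress.ip_address(ip)
    nets = (to_network(e) for e in entries)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_CONFIG)
    for ip in ("198.51.100.77", "192.0.2.11"):
        print(ip, "allowed" if is_allowed(ip, entries) else "WOULD BE LOCKED OUT")
```
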