Add system check warnings for php-fpm and nginx if config files are accessible #13589

Closed
Findus23 opened this issue Oct 11, 2018 · 4 comments · Fixed by #18398

Comments

@Findus23
Member

Matomo can be used with Nginx instead of Apache.
As Nginx doesn't recognize .htaccess (by default) it is important to use a proper nginx config that blocks access to e.g. tmp/.

Therefore I'd suggest detecting nginx during the installer and showing a notice to the admin urging them to take a look at the Matomo nginx config.

One way to detect it would be using $_SERVER["SERVER_SOFTWARE"] which returns nginx/1.14.0 for me. While it isn't 100% accurate, it should be okay for a notice.

@Findus23 added the c: Security and c: Usability labels Oct 11, 2018
@fdellwing
Contributor

Via JS, you could look at the headers. Even with server_tokens off it will identify itself as nginx.

@Findus23
Member Author

I think I'd prefer a server-side detection, because the warning shouldn't be shown when an nginx server is used as a reverse proxy, but rather when nginx is used as the main webserver instead of Apache, as then it is most important to implement the .htaccess somewhere else.

BTW: Are you using nginx? It would be really great if you could take a look at https://github.com/matomo-org/matomo-nginx and give feedback so that the new nginx config helps as many Matomo users as possible.

@fdellwing
Contributor

I will post feedback as soon as I have had time to look through the options.

@Findus23 added this to the 3.9.0 milestone Nov 11, 2018
@mattab modified the milestones: 3.9.0, 3.10.0 Mar 18, 2019
@Findus23 added the Help wanted label Mar 20, 2019
@Findus23
Member Author

Just saw that Nextcloud is using $_SERVER["SERVER_SOFTWARE"], so using it for detection should be fine.
https://github.com/nextcloud/serverinfo/blob/21e7b5d6b1029c8030ef7f95b5e03938b72ea93c/lib/Controller/ApiController.php#L135-L145

@justinvelluppillai changed the title from "Detect Nginx during install and suggest taking a look at the official config" to "Add system check warnings for php-fpm and nginx if config files are accessible" Feb 1, 2022
@justinvelluppillai added this to the 4.7.0 milestone Feb 1, 2022
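
A sketch of the check this issue asks for, as an added example that is not Matomo's code or the fix merged in #18398: it uses `$_SERVER["SERVER_SOFTWARE"]` only as a hint and treats an HTTP probe of a private path as the actual test. The function names, the `matomo.example` base URL, the `tmp/probe.txt` probe file and the injected `$fetchStatus` callable (a stand-in for a real HTTP client) are assumptions.

```php
<?php
// Added example, not Matomo's code: names, base URL and probe path are assumptions.

/** Classify the server from $_SERVER['SERVER_SOFTWARE'], e.g. "nginx/1.14.0". */
function detectWebServer(array $server): string
{
    $software = strtolower((string) ($server['SERVER_SOFTWARE'] ?? ''));
    foreach (['nginx', 'apache'] as $name) {
        if (strpos($software, $name) === 0) {
            return $name;
        }
    }
    return 'unknown'; // value missing or rewritten: the hint is not 100% accurate
}

/** Return the private paths that answer with a 2xx status, i.e. are served to the web. */
function findExposedPaths(string $baseUrl, array $paths, callable $fetchStatus): array
{
    $exposed = [];
    foreach ($paths as $path) {
        $status = $fetchStatus(rtrim($baseUrl, '/') . '/' . ltrim($path, '/'));
        if ($status >= 200 && $status < 300) {
            $exposed[] = $path;
        }
    }
    return $exposed;
}

/** Build the admin notice, or null when nothing private is reachable. */
function privatePathWarning(array $server, string $baseUrl, array $paths, callable $fetchStatus): ?string
{
    $exposed = findExposedPaths($baseUrl, $paths, $fetchStatus);
    if ($exposed === []) {
        return null;
    }
    $msg = 'Publicly reachable: ' . implode(', ', $exposed) . '.';
    if (detectWebServer($server) === 'nginx') {
        $msg .= ' nginx ignores .htaccess; see https://github.com/matomo-org/matomo-nginx';
    }
    return $msg;
}

// Constructed sample: stand-in for an HTTP client, simulating nginx with no deny rule for tmp/.
$fetchStatus = function (string $url): int {
    return strpos($url, '/tmp/') !== false ? 200 : 403;
};
$server = ['SERVER_SOFTWARE' => 'nginx/1.14.0']; // value quoted in the issue
echo privatePathWarning($server, 'https://matomo.example', ['tmp/probe.txt'], $fetchStatus), PHP_EOL;
```

Because the probe goes through the public URL, it sees what a visitor sees, so a missing deny rule is reported even when the `SERVER_SOFTWARE` hint is absent or wrong.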