@onelsonic opened this Issue on January 25th 2021

I there, while checking the protection and security when running matomo on a server.

I found the following issue:

If you install matomo under a server protected directory like :

  • mydomain.com/matomo/ (Htaccess protected)

If you need to track server protected pages everything is fine.

But when you try to track unprotected pages under the same server by adding the matomo JS script in your unprotected pages.

<script type="text/javascript">
  var _paq = window._paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  (function() {
    var u="//www.mydomain.com/matomo/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);

Then this JS code is trying to access the protected area of your server : https//www.mydomain.com/matomo/

The current way Matomo works is either :

  • all your pages and the matomo installation are running under a server protection (server login prompts are then expected)
  • all your pages and the matomo installation are running unprotected (no server login prompts expected)
  • all your pages are running unprotected but the matomo installation is under a server protection (then you get unexpected promts when browsing your unprotected pages)

So at the moment the way this JS code works you cannot only protect your motomo folder and track unprotected pages.

Is there any workaround this?

@sgiehl commented on January 25th 2021 Member

You need to ensure piwik.js/matomo.js and piwik.php/matomo.php are public accessible.
See https://matomo.org/docs/security-how-to/#other-tips for more details.

@onelsonic commented on January 25th 2021

@sgiehl thanks I missed this page.
I will check it out.

This Issue was closed on January 25th 2021
Powered by GitHub Issue Mirror