Hi there, while checking the protection and security when running Matomo on a server,
I found the following issue:
If you install Matomo under a server-protected directory like:
If you need to track server-protected pages, everything is fine.
But when you try to track unprotected pages under the same server by adding the Matomo JS script in your unprotected pages:
<script type="text/javascript">
  var _paq = window._paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//www.mydomain.com/matomo/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
  })();
</script>
Then this JS code is trying to access the protected area of your server: https://www.mydomain.com/matomo/
The current way Matomo works is either:
So at the moment, the way this JS code works, you cannot only protect your Matomo folder and track unprotected pages.
Is there any workaround for this?
You need to ensure piwik.js/matomo.js and piwik.php/matomo.php are publicly accessible.
See https://matomo.org/docs/security-how-to/#other-tips for more details.
@sgiehl thanks I missed this page.
I will check it out.
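One way to apply the reply above on Apache 2.4, as an added example that is not part of the original thread and not Matomo's own configuration: HTTP Basic authentication stays on the Matomo directory, and only the four tracker files named in the reply are exempted. The directory path, realm name and password file location are assumptions.

```apache
# Assumed install path; adjust to where Matomo actually lives.
<Directory "/var/www/html/matomo">
    # Everything in the Matomo directory (UI, API, reports) requires a login.
    AuthType Basic
    AuthName "Matomo"
    # Assumed location; keep the password file outside the document root.
    AuthUserFile "/etc/apache2/htpasswd-matomo"
    Require valid-user

    # Exempt only the tracker script and the tracking endpoint, under both
    # their current and legacy names. The pattern is anchored so that a file
    # such as "matomo.php.bak" or "xmatomo.js" does not match.
    <FilesMatch "^(matomo|piwik)\.(js|php)$">
        # <FilesMatch> is merged after the enclosing <Directory>, and with the
        # default "AuthMerging Off" this Require replaces "Require valid-user".
        Require all granted
    </FilesMatch>
</Directory>
```

After reloading Apache, an unauthenticated request for `matomo.js` should no longer return 401, while an unauthenticated request for `index.php` in the same directory still should.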