installing matomo under protected directory and tracking pages in unprotected directory #17142

Closed
onelsonic opened this issue Jan 25, 2021 · 2 comments
Labels
answered For when a question was asked and we referred to forum or answered it.

Comments

@onelsonic

Hi there. While checking the protection and security when running matomo on a server, I found the following issue:

If you install matomo under a server protected directory like:

  • mydomain.com/matomo/ (Htaccess protected)

If you need to track server protected pages everything is fine.

But when you try to track unprotected pages under the same server by adding the matomo JS script in your unprotected pages.

<script type="text/javascript">
  var _paq = window._paq = window._paq || [];
  /* tracker methods like "setCustomDimension" should be called before "trackPageView" */
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u="//www.mydomain.com/matomo/";
    _paq.push(['setTrackerUrl', u+'matomo.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
  })();
</script>

Then this JS code is trying to access the protected area of your server: https://www.mydomain.com/matomo/

The current way Matomo works is either:

  • all your pages and the matomo installation are running under a server protection (server login prompts are then expected)
  • all your pages and the matomo installation are running unprotected (no server login prompts expected)
  • all your pages are running unprotected but the matomo installation is under a server protection (then you get unexpected prompts when browsing your unprotected pages)

So at the moment the way this JS code works you cannot only protect your matomo folder and track unprotected pages.

Is there any workaround for this?

@sgiehl
Member

sgiehl commented Jan 25, 2021

You need to ensure piwik.js/matomo.js and piwik.php/matomo.php are publicly accessible.
See https://matomo.org/docs/security-how-to/#other-tips for more details.

@sgiehl sgiehl closed this as completed Jan 25, 2021
@sgiehl sgiehl added the answered For when a question was asked and we referred to forum or answered it. label Jan 25, 2021
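
An added example, not part of the thread and not taken from the Matomo project: one way to apply the answer above on Apache 2.4, keeping HTTP Basic authentication on the `matomo/` directory while exempting only the tracker files named in the answer. The `AuthUserFile` path and the realm name are placeholders, and the server is assumed to honour auth directives in `.htaccess`.

```apache
# .htaccess placed in the matomo/ directory (Apache 2.4 syntax).

# Everything in this directory requires a login by default,
# including the Matomo UI and reporting API served by index.php.
AuthType Basic
AuthName "Matomo"
# Placeholder path: keep the password file outside the web root.
AuthUserFile /path/to/.htpasswd
Require valid-user

# Exempt only the tracker endpoints that visitors' browsers must reach
# from unprotected pages: matomo.js / piwik.js (tracker script) and
# matomo.php / piwik.php (tracking requests).
# FilesMatch tests the file name only, and the anchors (^ and $) keep
# similarly named files such as matomo.php.bak behind the login.
<FilesMatch "^(matomo|piwik)\.(js|php)$">
    # With the default "AuthMerging Off", this Require replaces the
    # directory-level "Require valid-user" for the matched files.
    Require all granted
</FilesMatch>
```

After deploying, an unauthenticated request for `matomo.js` or `matomo.php` should succeed with no login prompt, while `index.php` in the same directory should still answer 401.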
@onelsonic
Author

@sgiehl thanks, I missed this page.
I will check it out.
