@Daijobou opened this Issue on October 19th 2021

I installed Matomo years ago; the system check was fine, and I updated automatically with every new release, so I didn't run the system check again. Unfortunately, updates do not do a system check and report problems right after the update.

Today I updated to the newest version automatically and saw by chance that the system check showed me errors for "Required Private Directories". That was new to me. Either an update created this problem, or it's a new check that did not exist before. I found this tutorial to fix this issue: https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/

After changing the Apache config from "AllowOverride None" to "AllowOverride All" and executing ./console core:create-security-files, I now get banned from the server each time I open the Matomo settings and a system check starts automatically, because in error_log I see this:

[authz_core:error] AH01630: client denied by server configuration: /.../config/config.ini.php
[authz_core:error] AH01630: client denied by server configuration: /.../tmp/cache/tracker/matomocache_general.php
[authz_core:error] AH01630: client denied by server configuration: /.../tmp/
[authz_core:error] AH01630: client denied by server configuration: /.../tmp/empty
[authz_core:error] AH01630: client denied by server configuration: /.../lang/en.json

and the server's modsecurity/fail2ban detects this as an attack and bans my IP. What exactly does ./console core:create-security-files do, and how can I take it back?

@Findus23 commented on October 19th 2021 Member

This seems to be the same issue as https://github.com/matomo-org/matomo/issues/17589

> What exactly does ./console core:create-security-files do, and how can I take it back?

It just re-creates the .htaccess files and is unrelated to the issue.

But the "issue" is that files like /tmp/cache/tracker/matomocache_general.php should never be public. Therefore since a few Matomo releases, the system check tests this by trying to access these URLs and making sure they actually deny access.
But it seems that in some setups like yours, the webserver is instead set up to ban you for trying this too often.

Therefore, Matomo 4.5.0 has a new option enable_required_directories_diagnostic = 0 (https://github.com/matomo-org/matomo/pull/18014) in the [General] section of config/config.ini.php that allows you to disable those checks.

@Daijobou commented on October 19th 2021

Thanks, unfortunately, that doesn't really help me in my case. I set enable_required_directories_diagnostic = 0 but I still get "client denied by server configuration" in error_log, and in access_log:

"GET /.../config/config.ini.php HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/cache/tracker/matomocache_general.php HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/ HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/empty HTTP/1.0" 403 517 "-" "..."
"GET /.../lang/en.json HTTP/1.0" 403 517 "-" "..."

config.ini.php

[General]
enable_required_directories_diagnostic = 0
force_ssl = 1
login_allowlist_apply_to_reporting_api_requests = 0

Or does the line belong in global.ini.php? Because of https://github.com/matomo-org/matomo/blob/4.x-dev/config/global.ini.php#L836

UPDATE: I set it in both and the problem remains.
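Added example (not part of the original thread and not Matomo or fail2ban code): a triage script that finds clients whose 403 responses would reach a ban threshold and reports whether the whole burst consists of the system-check paths quoted in the logs above. The client addresses, timestamps, the `/matomo` prefix and the `maxretry`/`findtime` values are constructed assumptions, since the quoted log lines omit those fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths the system check requested in the logs quoted in this thread.
SELF_CHECK_PATHS = (
    "/config/config.ini.php",
    "/tmp/cache/tracker/matomocache_general.php",
    "/tmp/",
    "/tmp/empty",
    "/lang/en.json",
)

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def denied_bursts(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {client: bool} for clients with >= maxretry 403s inside findtime;
    True means every denied path of that client is one of SELF_CHECK_PATHS."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["status"] == "403":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, m["path"]))
    result = {}
    for ip, events in hits.items():
        events.sort()
        for i in range(len(events) - maxretry + 1):
            window = events[i:i + maxretry]
            if window[-1][0] - window[0][0] <= findtime:
                result[ip] = all(p.endswith(SELF_CHECK_PATHS) for _, p in events)
                break
    return result

# Constructed sample lines (documentation IP ranges, made-up timestamps).
def _line(ip, sec, path, status=403):
    return f'{ip} - - [19/Oct/2021:10:00:{sec:02d} +0000] "GET {path} HTTP/1.0" {status} 517 "-" "-"'

SAMPLE = [_line("192.0.2.10", i, "/matomo" + p) for i, p in enumerate(SELF_CHECK_PATHS)]
SAMPLE += [_line("198.51.100.7", i, f"/matomo/other/{i}.php") for i in range(6)]
SAMPLE += [_line("203.0.113.5", 0, "/matomo/index.php", 200)]

if __name__ == "__main__":
    print(denied_bursts(SAMPLE))
```

A client reported as `True` hit the threshold only through the diagnostic's own requests, which is the case to handle in the ban rule's allowlist or threshold rather than by making the private paths reachable.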

@HCl-not-HCi commented on October 20th 2021

@Daijobou As far as I know, the option will be released in 4.6.0, so it's not yet implemented in the current release.
