This seems to be the same issue as #17589

What exactly does ./console core:create-security-files and how can I take it back?

It just re-creates the .htaccess files and is unrelated to the issue.

But the "issue" is that files like /tmp/cache/tracker/matomocache_general.php should never be public. Therefore since a few Matomo releases, the system check tests this by trying to access these URLs and making sure they actually deny access.
But it seems like in some setups like yours, instead the webserver is set up to ban you instead due to trying this too often.

Therefore, Matomo 4.5.0 has a new option enable_required_directories_diagnostic = 0 (#18014) in the [General] section of config/config.ini.php that allows you to disable those checks.

Thanks, unfortunately, that doesn't really help me in my case. I set enable_required_directories_diagnostic = 0 but still get in error_log client denied by server configuration and access_log:

"GET /.../config/config.ini.php HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/cache/tracker/matomocache_general.php HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/ HTTP/1.0" 403 517 "-" "..."
"GET /.../tmp/empty HTTP/1.0" 403 517 "-" "..."
"GET /.../lang/en.json HTTP/1.0" 403 517 "-" "..."

config.ini.php

[General]
enable_required_directories_diagnostic = 0
force_ssl = 1
login_allowlist_apply_to_reporting_api_requests = 0

or does the line belong in global.ini.php? Because https://github.com/matomo-org/matomo/blob/4.x-dev/config/global.ini.php#L836

UPDATE: I set it in both and problem remains.

@Daijobou As far as I know, the option will be released in 4.6.0, so it's not yet implemented in the current release.

@Daijobou, is there any news on version 4.6+? Do you still encounter the problem?

@Daijobou, is there any news on version 4.6+? Do you still encounter the problem?

The issue was fixed for the second time in version 4.10 (#18967). So it should be fixed now (at least it was when I tried it the last time). However, I didn't try it for some time now.