Allow moving all files apart from assets out of web root #19505
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Enhancement
For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Milestone
this is a bit of a continuation of #8120
At the moment, Matomo can only be used by settings the web root to the directory all Matomo files are in. This means additional web server configuration and precisely crafted rules are required so that security-relevant files (especially tmp/ and config/) are not publicly accessible. But as web server configurations vary widely and as the recent "private directories" system check shows, there are a lot of people for who these configurations don't work (most commonly because
AllowOverride
is disabled (#17819) and therefore the .htaccess files created by Matomo do nothing). And the system check that tries to access the URLs that should be private makes some people aware of this, but often confuses people (#18693) or creates new issues (#18182, #17589, #18967, #19149) either because the failing requests trigger things like fail2ban or because it exposes broken cacert-setups.And that is completely ignoring the question of people who don't use apache and then have to find out themselves that they need to block some file requests or their Matomo setup is insecure.
To get to the point: I feel like offering a Matomo install which works similar to this (and how most modern PHP/laravel applications work) would solve a lot of complexity which gaining a lot of security:
Also this would be an optional feature as there are still people who don't know what a web root is (even though a lot of PHP FOSS applications don't offer any other way to be used).
In summary, I think this would make it a lot harder for people to accidentally shoot themselves into the foot in regard to security (it's not like I haven't noticed in the past that I had some important Matomo files accidentally public), but it also has the disadvantage of offering "one more way" to install Matomo.
The text was updated successfully, but these errors were encountered: