
Allow moving all files apart from assets out of web root #19505

Open
Findus23 opened this issue Jul 10, 2022 · 5 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.

Comments

@Findus23
Member

this is a bit of a continuation of #8120

At the moment, Matomo can only be used by setting the web root to the directory all Matomo files are in. This means additional web server configuration and precisely crafted rules are required so that security-relevant files (especially tmp/ and config/) are not publicly accessible. But as web server configurations vary widely and as the recent "private directories" system check shows, there are a lot of people for whom these configurations don't work (most commonly because AllowOverride is disabled (#17819) and therefore the .htaccess files created by Matomo do nothing). And the system check that tries to access the URLs that should be private makes some people aware of this, but often confuses people (#18693) or creates new issues (#18182, #17589, #18967, #19149), either because the failing requests trigger things like fail2ban or because it exposes broken cacert setups.
And that is completely ignoring the question of people who don't use Apache and then have to find out themselves that they need to block some file requests or their Matomo setup is insecure.

To get to the point: I feel like offering a Matomo install which works similar to this (and how most modern PHP/Laravel applications work) would remove a lot of complexity while gaining a lot of security:

  • Matomo would have a public/ directory
  • People could use Matomo by setting their webroot to this directory
  • public/index.php would be a simple script that imports the main index.php and probably fixes some paths
  • and probably a config.ini.php option that would enable this mode (as otherwise "default" users would have duplicate URLs)
  • JS/CSS assets would work out of the box as they use index.php
  • other assets would need to be copied to a corresponding subpath in public/ either implicitly ("copy some directory in every plugin") or explicitly ("allow specifying a list of files that need to be public in the plugin description")
  • While I don't think large changes are needed, these changes still feel breaking enough for me that this would need to be part of Matomo 5

Also, this would be an optional feature, as there are still people who don't know what a web root is (even though a lot of PHP FOSS applications don't offer any other way to be used).

In summary, I think this would make it a lot harder for people to accidentally shoot themselves in the foot in regard to security (it's not like I haven't noticed in the past that I had some important Matomo files accidentally public), but it also has the disadvantage of offering "one more way" to install Matomo.

@Findus23 Findus23 added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Jul 10, 2022
@Findus23 Findus23 added this to the For Prioritization milestone Jul 10, 2022
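As an added illustration of the public/index.php front controller sketched in the list above (this is example code, not Matomo's own, and not something the issue proposes verbatim): it forwards every request to the real index.php one level up, and it pre-defines the path constants so that config/ and tmp/ are resolved relative to the application root rather than to public/. It assumes that Matomo's main index.php keeps its current behaviour of only defining PIWIK_DOCUMENT_ROOT, PIWIK_INCLUDE_PATH and PIWIK_USER_PATH when they are not already set; whether that alone is enough for the proposal is untested.

```php
<?php
// public/index.php: the only PHP entry point the web server can reach once
// the web root is set to public/. Added example, not Matomo code.
declare(strict_types=1);

// The real application root is one level up. config/ and tmp/ live there
// and are therefore never inside the served tree.
$appRoot = dirname(__DIR__);

// Assumption: Matomo's main index.php defines these constants only when they
// are not already set, so defining them here "fixes the paths" before it runs.
if (!defined('PIWIK_DOCUMENT_ROOT')) {
    define('PIWIK_DOCUMENT_ROOT', $appRoot);
}
if (!defined('PIWIK_INCLUDE_PATH')) {
    define('PIWIK_INCLUDE_PATH', $appRoot);
}
if (!defined('PIWIK_USER_PATH')) {
    define('PIWIK_USER_PATH', $appRoot);
}

// Sanity check: refuse to serve anything if a private directory has ended up
// inside the web root after all (for example through a wrong copy step),
// which is exactly the misconfiguration this layout is meant to rule out.
foreach (['config', 'tmp'] as $private) {
    if (is_dir(__DIR__ . DIRECTORY_SEPARATOR . $private)) {
        http_response_code(500);
        exit('Refusing to start: ' . $private . '/ is inside the web root.');
    }
}

// Hand over to the real application; static files under public/ (assets,
// matomo.js, containers) are served by the web server and never reach here.
require $appRoot . '/index.php';
```

With this layout the web server's document root (nginx `root`, Apache `DocumentRoot`) points at public/ only, so no deny rules or .htaccess files are needed for config/ and tmp/: they are simply not under the served tree, which is what makes the setup robust against AllowOverride being disabled or against a non-Apache server with no tailored rules.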
@heurteph-ei

@Findus23 , you write:

  • JS/CSS assets would work out of the box as they use index.php

Do you mean Matomo tracker JS file and MTM containers?
If yes, this will then prevent the easy publication of MTM containers through a CDN, for example...

@Findus23
Member Author

Do you mean Matomo tracker JS file and MTM containers?
If yes, this will then prevent the easy publication of MTM containers through CDN for example...

When I wrote this, I didn't think of those. I just mean the JS and the CSS that are used by the Matomo backend.
It's true that matomo.js (and all variants of those) and the MTM containers would need to be inside the public root. But that should not be more complex to solve than the rest of this issue.
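To show the "explicit list of files that need to be public" variant from the issue's list, and the point in this reply that matomo.js and the MTM containers would have to end up inside the public root, here is an added example of a publish step (not Matomo code; the script name, the allowlist and the `js/container_*.js` pattern for Tag Manager output are assumptions). The security-relevant part is that only allowlisted files are copied, and that a pattern can never drag config/ or tmp/ into public/, even via a symlink or `..`.

```php
<?php
// tools/publish-assets.php (hypothetical helper, not part of Matomo).
// Copies allowlisted files from the application root into public/.
declare(strict_types=1);

// Explicit allowlist in the spirit of "a list of files that need to be
// public in the plugin description". Everything not listed stays private.
// The container pattern is an assumption about where Tag Manager writes.
const PUBLIC_ALLOWLIST = [
    'matomo.js',
    'piwik.js',
    'js/container_*.js',
];

/**
 * Copy every file matching the allowlist patterns into $publicRoot,
 * preserving the relative path. Returns the list of published paths.
 */
function publishAssets(string $appRoot, string $publicRoot, array $allowlist): array
{
    $appRoot = realpath($appRoot);
    if ($appRoot === false) {
        throw new RuntimeException('application root does not exist');
    }
    $published = [];

    foreach ($allowlist as $pattern) {
        foreach (glob($appRoot . '/' . $pattern) ?: [] as $source) {
            // Resolve symlinks and ".." so the checks below see the real path.
            $real = realpath($source);
            if ($real === false || strpos($real, $appRoot . DIRECTORY_SEPARATOR) !== 0) {
                throw new RuntimeException("refusing to publish $source: outside app root");
            }
            $relative = substr($real, strlen($appRoot) + 1);

            // Private directories are never publishable, whatever a plugin lists.
            foreach (['config' . DIRECTORY_SEPARATOR, 'tmp' . DIRECTORY_SEPARATOR] as $forbidden) {
                if (strpos($relative, $forbidden) === 0) {
                    throw new RuntimeException("refusing to publish private path $relative");
                }
            }

            $target = $publicRoot . DIRECTORY_SEPARATOR . $relative;
            if (!is_dir(dirname($target)) && !mkdir(dirname($target), 0755, true)) {
                throw new RuntimeException("cannot create " . dirname($target));
            }
            if (!copy($real, $target)) {
                throw new RuntimeException("cannot copy $relative");
            }
            $published[] = $relative;
        }
    }
    return $published;
}

// Usage: run from the application root after install/update.
$appRoot = dirname(__DIR__);
foreach (publishAssets($appRoot, $appRoot . '/public', PUBLIC_ALLOWLIST) as $file) {
    echo "published $file\n";
}
```

Because the copy is a separate, explicit step, files that Matomo regenerates (matomo.js variants, container files) would need to be re-published after each change; a CDN can then be pointed at public/ as before, which addresses the concern raised in the previous comment.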

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/how-to-harden-a-matomo-installation/49765/6

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/impossible-to-install-the-wordpress-plugin-on-elementor/49767/4

@MatomoForumNotifications

This issue has been mentioned on Matomo forums. There might be relevant details there:

https://forum.matomo.org/t/required-private-directories-recommended-private-directories/50193/2
