
Using .htaccess to restrict access


@david55 wrote:

Is anybody still following this thread? :wink:

I have been struggling for the past couple of days to try to set up my Piwik site so that I can protect against unauthorised access (i.e., disallowing accesses which are not from an authenticated website user and not from a local IP address) to the admin area (and any other files) while still allowing all public access to the Opt-Out URI.

I find mod_rewrite (and friends) sometimes quite difficult at the best of times and only seem to be making some partial progress, unfortunately.

The following seems to work to disallow access to all files in general (so far, so good):


<Files "*">
    Order   Deny,Allow
    Deny from all
    Allow from [allowed IP range]

    AuthType  [our local authentication method]
    Require valid-user
</Files>

I seem to also need to include index.php in my allowed Files list (NB: My Piwik installation is directly in the DocumentRoot, not within a /piwik folder), otherwise public access will be prevented by my 'global' Files IP and authentication restriction above.


# ~ means use regexp matching
<Files ~ "^piwik\.(js|php)|^index\.php$|robots\.txt$">
    Order   Deny,Allow
    Allow from all
    # Satisfy Any needed to override the stricter global Files rules
    Satisfy Any
</Files>

The following Location section then seems to successfully override the more restrictive rules which were applied earlier in the parse order, and allows public access to the Opt-Out URI (hurrah):


# Location is *always* parsed after Files, so may override previous rules:
# https://httpd.apache.org/docs/2.2/sections.html#mergin
# ~ means use regexp matching
<Location ~ "^/index.php?module=CoreAdminHome&action=optOut">
    Order   Deny,Allow
    Allow from all
</Location>

Unfortunately, I now seem to be so close, yet still so far away.

If I access https://piwik.example.org/, then I first get asked to authenticate (using our local authentication method).

However, if I access https://piwik.example.org/index.php, then the less restrictive Files section seems to match, and so I get presented with the Piwik login page straight away, meaning that neither our local authentication restriction nor the IP address restriction take effect, unfortunately.

I would still like to prevent (non-OptOut) access to the index.php page by unauthorised users. Malicious access would admittedly require knowledge of the Piwik login details (or exploitation of any potential vulnerability), but I would still prefer to have as many layers of defence available as possible.

Does anybody know of any improvements that I can make to my Apache config to restrict access further (while still allowing access to the Opt-Out URI)?

I am wondering if I could maybe do something such as removing index.php from the 'allowed' Files section, and then creating a mod_rewrite ruleset for a 'fake' URI (eg, https://piwik.example.org/piwik-optout) which would call 'behind-the-scenes' to the opt-out URI, without actually changing the outwardly-facing URI (if somehow possible), but I have had too much of mod_rewrite for today to try to look into this further just yet!

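One way to express the intended policy so that index.php stays protected except for the opt-out request, as an added example that is not part of the original post. It assumes Apache 2.4 (mod_authz_core, whose RequireAny replaces the Order/Allow/Satisfy directives used above) and uses placeholders for the allowed IP range and the htpasswd file; the opt-out query string is the one from the post. It also relies on the fact that <Files> and <Location> match the URL path only, never the query string, so the opt-out exception has to be written as a Require expr test on QUERY_STRING rather than as a Location pattern.

```apache
# Default for every file under the Piwik DocumentRoot: the request must come
# from the local range OR from an authenticated user.
# 192.0.2.0/24 and the AuthUserFile path are placeholders (assumptions).
AuthType Basic
AuthName "Piwik admin"
AuthUserFile /etc/apache2/piwik.htpasswd
<RequireAny>
    Require ip 192.0.2.0/24
    Require valid-user
</RequireAny>

# Tracker endpoints and robots.txt stay public. A Require set inside a more
# specific section replaces the one above (AuthMerging defaults to Off).
<FilesMatch "^(piwik\.(js|php)|robots\.txt)$">
    Require all granted
</FilesMatch>

# index.php is public only for the opt-out action. The ip and expr checks run
# before the password challenge, so the opt-out iframe loads without a prompt;
# every other query string falls back to the IP/authentication requirement.
# The pattern is anchored at both ends so that only exactly this query string is
# exempted; extend it explicitly if the opt-out page needs further parameters.
<Files "index.php">
    <RequireAny>
        Require ip 192.0.2.0/24
        Require valid-user
        Require expr "%{QUERY_STRING} =~ /^module=CoreAdminHome&action=optOut$/"
    </RequireAny>
</Files>
```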
