@Simone_Fantini wrote:
Even if this is an old post, it is still linked in the "How to configure Matomo for security" user guide (User Guide - Analytics Platform - Matomo Docs). So I have fixed the security issue with Nginx, blocking all the requests via basic_auth, except for the ones needed by Matomo, even for the iframe.
- First do a map of $request_uri and populate a variable, in my case called $auth_basic:

    map $request_uri $auth_basic {
        default "Restricted Area";
        ~*^/index\.php\?module=CoreAdminHome&action=optOut$ off;
        ~*^/piwik\.(js|php)|matomo\.(js|php)|container_.*\.js|robots\.txt$ off;
    }

- Place the basic auth in the nginx config, e.g. like this:

    .....
    auth_basic $auth_basic;
    auth_basic_user_file /path/to/my/basic_auth_file;
    .....

That's it!
- All the requests to Matomo will get 401; all the requests to matomo.php, matomo.js, piwik.php, piwik.js, and also to the URL index.php?module=CoreAdminHome&action=optOut will be allowed with HTTP code 200.

Enjoy
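
As an added example (not part of the original post), the map's regexes can be checked offline against sample URIs before the config is deployed. The second pattern as posted anchors only its first and last alternatives, so the script also evaluates a tightened variant; the tightened pattern, the /js/ container path and the sample URIs are assumptions of this example.

```python
import re

# Patterns copied from the map block in the post (nginx "~*" = case-insensitive).
POSTED = [
    r"^/index\.php\?module=CoreAdminHome&action=optOut$",
    r"^/piwik\.(js|php)|matomo\.(js|php)|container_.*\.js|robots\.txt$",
]
# Assumption of this example: one group anchored at both ends, optional query
# string, Tag Manager containers served from /js/.
TIGHTENED = [
    r"^/index\.php\?module=CoreAdminHome&action=optOut$",
    r"^/((piwik|matomo)\.(js|php)|js/container_[^/?]*\.js|robots\.txt)(\?.*)?$",
]
DEFAULT = "Restricted Area"

def auth_basic_value(request_uri, patterns):
    """Emulate the map: a regex matching anywhere in $request_uri yields 'off'."""
    for pattern in patterns:
        if re.search(pattern, request_uri, re.IGNORECASE):
            return "off"
    return DEFAULT

# Constructed sample URIs: (request_uri, True if it should skip basic auth).
SAMPLES = [
    ("/matomo.php?idsite=1&rec=1", True),
    ("/matomo.js", True),
    ("/piwik.js", True),
    ("/js/container_AbCd1234.js", True),
    ("/robots.txt", True),
    ("/index.php?module=CoreAdminHome&action=optOut", True),
    ("/index.php", False),
    ("/index.php?module=CoreHome&action=index", False),
    ("/index.php?module=CoreHome&ref=matomo.js", False),
    ("/private/robots.txt", False),
]

def unexpected_exemptions(patterns):
    """Return URIs whose auth decision differs from what SAMPLES expects."""
    return [uri for uri, public in SAMPLES
            if (auth_basic_value(uri, patterns) == "off") != public]

if __name__ == "__main__":
    for name, patterns in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name, unexpected_exemptions(patterns))
```

An empty list means every sample URI got the expected decision; any URI listed is one the map exempts from (or subjects to) basic auth contrary to the table.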