Security improvment: put the optout function in another file

[bohnelang]

Piwik should strictly differ between (tracking) requests from users and admin requests from staff.

At the moment the optout function is done by index.php that normally handle admin/staff requests. Thus it is hard to make the login-page safe. (Every web admin knows, that login pages have daily brute force attacks by scripts from Internet :-/)

---

At the moment I am using a work-around: We have this situation
#Internet <--|--> [head www server: www.mydomain.de] <-----> [piwik webserver: piwik.mydomain.de]

Staff can directly access Piwik by http://piwik.mydomain.de/piwik/
Users call Piwik (files) by http://www.mydomain.de/piwik/

I add some Apache Rewrite rules on the head webserver to avoid login attacks from Internet:

#Do not allow anyone from outside (!) to access /piwik/index.php
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]
RewriteRule     ^/piwik/$                  - [F,L]

#Define a virtual file optout.php that calles index.php with predefined parameter
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ http://piwik.mydomain.de/piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [P,NE,L]

#All other requests are send ot the piwik server
ProxyPass        /piwik/ http://piwik.mydomain.de/piwik/
ProxyPassReverse /piwik/ http://piwik.mydomain.de/piwik/

Greetings - Andreas

[gaumondp]

This had bugged us also 3 years ago and what we did was only permit 2 files from being seen from the internet: piwik.js and piwik.php. All others are only visible from our infrastructure or with a VPN connection.

[bohnelang]

This was my first idea, too. But unfortunately the optout function is called by user and done by index.php.
This (untested RewriteRules) could solve this problem if piwik is directly connected to the Internet:

#Internet <--|--> [piwik webserver: piwik.mydomain.de]

#Do not allow anyone from outside (!) to access /piwik/index.php except yout IP range (e.g. 192.168.x.x)
RewriteCond %{REMOTE_ADDR}  !^192\.168\.
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]

#Do not allow anyone from outside (!) to access /piwik/index.php except yout IP range (e.g. 192.168.x.x)
RewriteCond %{REMOTE_ADDR}  !^192\.168\.
RewriteRule     ^/piwik/$                  - [F,L]

#Define a virtual file optout.php that calles index.php with predefined parameter
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ /piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [PT,NE,L]

[janw1]

How can I secure my piwik-Directory when I installed Piwik like:
https://www.mydomain.com/piwik

User from outside should be tracked and use the optout-function.
But only users from "inside" (my ip-range) should be able to login?

[bohnelang]

Therefore I need to know what kind of system, network and web server you have. What IP is your Intrant?

[janw1]

It's an Apache-Webserver (linux-System) and my Intranet-IP-Range begins with 172.25.xx.xx

[bohnelang]

Please try this:

#Internet <--|--> [piwik webserver: www.mydomain.de/piwik/]

apt-cache install apache2-utils
a2enmod rewrite
edit /etc/apache2/sites-enabled/

# Piwik is installed in /piwik/
RewriteEngine   On
RewriteCond %{REMOTE_ADDR}  !^172\.25\.
RewriteRule     ^/piwik/index.php(.*)$                  - [F,L]

RewriteCond %{REMOTE_ADDR}  !^172\.25\.
RewriteRule     ^/piwik/$                - [F,L]

#Define a virtual file optout.php that calles index.php with predefined parameter
RewriteCond     %{REQUEST_URI}                          ^/piwik/optout.php$
RewriteCond     %{QUERY_STRING} ^(.*)idsite=(\d+)(.*)$
RewriteRule     ^(.*)$ /piwik/index.php?module=CoreAdminHome&action=optOut&language=de&idsite=%2 [PT,NE,L]


apache2ctl configtest
apache2ctl restart

[bohnelang]

now please test:

https://www.mydomain.com/piwik/optout.php?idsite=1

and from inside and outside:

https://www.mydomain.com/piwik/

[mattab]

Thanks for the suggestion, but we won't put the opt-out in a different file.

[thomaszbz]

@bohnelang Adding a separate php file which includes the index.php is relatively easy. From there, you can deny accessing the index.php using a .htaccess file .

Example: https://www.slicewise.net/php/piwik-absichern/

[bohnelang]

Thanks - Looks good!