
deny of /config/config.ini.php #63

Open
bst2002git opened this issue May 18, 2021 · 8 comments

Comments

@bst2002git

Hello,

On my nginx 1.13.1 the deny of /config/config.ini.php does not work; I can access (download) it as octet/stream.

@toredash

Are you sure? It should be disabled by this line: https://github.com/matomo-org/matomo-nginx/blob/master/sites-available/matomo.conf#L56

Could you provide your config?

@bst2002git
Author

Hello @toredash,
you're right.
I have the problem related to HTTP/2 with my browser...
If I make a normal HTTP/1.0 connection it works... strange.
I have to keep investigating nginx; even when I use the nginx-debug binary and "error_log ... debug;" it does not show the request in the debug log when h2 is activated...
If I access only the directory https://domain.example.com/config/ I get 404 or whatever I have configured, and the debug log.

@dwaxweiler

The system check of my Matomo installation also complains about the file mentioned above and tmp/cache/tracker/matomocache_generap.php:
[Screenshot: System Check - Administration - Matomo]
I have just upgraded to Matomo 4.3.0 and noticed this. nginx is used in version 1.14.2.

@Findus23
Member

Hi,

In my Matomo instance (the one I created this config for) both config/config.ini.php and tmp/cache/tracker/matomocache_generap.php

Make sure you don't have an additional rule allowing things above this rule:

## disable all access to the following directories
location ~ ^/(config|tmp|core|lang) {
deny all;
return 403; # replace with 404 to not show these directories exist
}
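The ordering point above matters because nginx evaluates regex locations in configuration order and the first match wins, so a `location ~ \.php$` placed above the deny rule would hand /config/config.ini.php to the PHP handler. The script below is an added example, not part of this thread or of the matomo-nginx repository: it parses `location` directives out of two constructed config fragments (one with the deny rule first, one with the PHP handler first) and applies nginx's documented selection order (exact match, then longest prefix with `^~` ending the search, then regexes in file order, otherwise the longest prefix) to report which location would serve a given URI. The fragments, `php` upstream name and helper names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed nginx fragments (not the repository's matomo.conf). GOOD_CONF keeps
# the deny rule above the PHP handler; BAD_CONF swaps the two regex locations.
GOOD_CONF = r"""
server {
    location = /matomo.php { fastcgi_pass php; }
    location ~ ^/(config|tmp|core|lang) { deny all; return 403; }
    location ~ \.php$ { fastcgi_pass php; }
    location / { try_files $uri $uri/ =404; }
}
"""

BAD_CONF = r"""
server {
    location = /matomo.php { fastcgi_pass php; }
    location ~ \.php$ { fastcgi_pass php; }
    location ~ ^/(config|tmp|core|lang) { deny all; return 403; }
    location / { try_files $uri $uri/ =404; }
}
"""


@dataclass
class Location:
    modifier: str  # '' (prefix), '=', '^~', '~' or '~*'
    pattern: str


# Matches "location [modifier] pattern {"; patterns are assumed to contain no whitespace.
LOCATION_RE = re.compile(r"location\s+(=|\^~|~\*|~)?\s*(\S+)\s*\{")


def parse_locations(conf: str) -> List[Location]:
    """Collect location directives in file order, which is what nginx uses for regexes."""
    return [Location(m.group(1) or "", m.group(2)) for m in LOCATION_RE.finditer(conf)]


def select_location(locations: List[Location], uri: str) -> Optional[Location]:
    """Reproduce nginx's selection order: exact match first; then the longest
    matching prefix (a ^~ prefix ends the search); then regexes in config order,
    first match wins; otherwise fall back to the longest prefix."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    prefixes = [l for l in locations if l.modifier in ("", "^~") and uri.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc
    return best


def winner(conf: str, uri: str) -> str:
    """Pattern of the location that would serve `uri`, or '' if none applies."""
    loc = select_location(parse_locations(conf), uri)
    return loc.pattern if loc else ""


if __name__ == "__main__":
    for name, conf in (("deny first", GOOD_CONF), ("php first", BAD_CONF)):
        print(f"{name}: /config/config.ini.php -> {winner(conf, '/config/config.ini.php')}")
```

Run it against your own nginx config (after `nginx -T` to get the fully included file) and check that the winner for /config/config.ini.php is the deny location; if the `\.php$` pattern wins, the request reaches PHP-FPM and the deny never executes, regardless of what `deny all` says.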

@joergrenn

I am setting up Matomo 4.5 with nginx 1.18 and I am getting the error in the Matomo system check that my config.ini.php is accessible from the internet.
However, I am using the recommended configuration and have verified that the location setting is present with "deny all" for the config folder.
When I request the URL manually I get a 403 (Forbidden) as expected.
I don't know what I am doing wrong.
Could this be a bug?

@taskula

taskula commented May 10, 2024

Matomo checks access using plugins/Diagnostics/Diagnostic/AbstractPrivateDirectories.php, function isAccessible(). It evaluates the HTTP response code, which must be >= 400 and < 500.

In my case the Matomo installation was behind a reverse proxy (haproxy), and running curl -v https://yourmatomo/config/config.ini.php on the Matomo server returned HTTP code 503, giving a false-positive response in Matomo.

@dwaxweiler

> The system check of my Matomo installation also complains about the file mentioned above and tmp/cache/tracker/matomocache_generap.php: [Screenshot: System Check - Administration - Matomo] I have just upgraded to Matomo 4.3.0 and noticed this. nginx is used in version 1.14.2.

This error is gone at my installation with version 5.1.0.

@dfranco

dfranco commented Jun 29, 2024

Running Matomo 5.1.0 with nginx 1.20.1

I took the nginx config from this repo, but I still get a 200 HTTP response when trying to reach the URL https://my-matomo.domain.com/config/config.ini.php, with the response below:

$ curl -v https://matomo.domain.com/config/config.ini.php
*   Trying xx.xx.xx.xx:443...
* Connected to matomo.domain.com (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=matomo.domain.com
*  start date: Jun 28 17:31:48 2024 GMT
*  expire date: Sep 26 17:31:47 2024 GMT
*  subjectAltName: host "matomo.domain.com" matched cert's "matomo.domain.com"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET /config/config.ini.php HTTP/1.1
> Host: matomo.domain.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Date: Sat, 29 Jun 2024 04:34:09 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/8.2.13
< Referrer-Policy: origin
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
* Connection #0 to host matomo.domain.com left intact
$

... and the System check still complains about /config/config.inc.php being available.

Thoughts ?

P.S.: I'm surprised there are so many unanswered issues and open PRs on this repo; is the Matomo project lacking contributors? Do you need help?
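The thread shows three different outcomes for the same request: a 403 from the deny rule, a 503 from a reverse proxy (which, per the isAccessible() rule taskula describes, counts as accessible because only codes >= 400 and < 500 count as protected), and the 200 above whose `X-Powered-By: PHP` header indicates the request was executed by PHP rather than refused by nginx. The script below is an added example, not code from this thread or from Matomo: it extracts the status line and response headers from constructed `curl -v` transcripts modelled on the one posted above, applies the same 4xx rule, and labels 5xx answers as inconclusive so a proxy error is not mistaken for either a deny or an exposure. The transcripts, hostnames and helper names are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed curl -v transcripts (trimmed to the request and response lines);
# only the '< ' response lines are read by the parser.
TRANSCRIPT_200 = """\
> GET /config/config.ini.php HTTP/1.1
> Host: matomo.example
>
< HTTP/1.1 200 OK
< Server: nginx/1.20.1
< Content-Type: text/html; charset=UTF-8
< X-Powered-By: PHP/8.2.13
<
"""

TRANSCRIPT_403 = """\
> GET /config/config.ini.php HTTP/2
> Host: matomo.example
>
< HTTP/2 403
< server: nginx
< content-type: text/html
<
"""

TRANSCRIPT_503 = """\
> GET /config/config.ini.php HTTP/1.1
> Host: matomo.example
>
< HTTP/1.1 503 Service Unavailable
< Content-Type: text/html
< Connection: close
<
"""

# Accepts both "HTTP/1.1 200 OK" and the HTTP/2 form "HTTP/2 403".
STATUS_RE = re.compile(r"^< HTTP/\d(?:\.\d)? (\d{3})")


def parse_response(transcript: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from the '< ' lines of a curl -v transcript.
    Header names are lower-cased because HTTP/2 responses print them that way."""
    status = None
    headers: Dict[str, str] = {}
    for line in transcript.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            continue
        if line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if status is None:
        raise ValueError("no HTTP status line found in transcript")
    return status, headers


def matomo_is_accessible(status: int) -> bool:
    """The rule described in the thread: a 4xx code means 'protected';
    every other code (including 5xx from a proxy) is reported as accessible."""
    return not (400 <= status < 500)


def classify(transcript: str) -> str:
    """Separate a real exposure from a proxy error the Matomo rule lumps together."""
    status, headers = parse_response(transcript)
    if 400 <= status < 500:
        return "blocked"
    if 200 <= status < 300:
        # Assumption: an X-Powered-By: PHP header on the private file means the
        # request reached the PHP handler, i.e. the deny location was not selected.
        if headers.get("x-powered-by", "").startswith("PHP"):
            return "exposed (served by PHP)"
        return "exposed"
    return "inconclusive"


if __name__ == "__main__":
    for label, t in (("200", TRANSCRIPT_200), ("403", TRANSCRIPT_403), ("503", TRANSCRIPT_503)):
        code, _ = parse_response(t)
        print(f"{label}: classify={classify(t)!r}, matomo_is_accessible={matomo_is_accessible(code)}")
```

To use it on a live instance, save the output of `curl -v https://yourmatomo/config/config.ini.php 2>&1` to a file and pass its contents to `classify()`; run the probe from the same host Matomo runs on, since that is where the system check issues its request, and an "inconclusive" result means the proxy answered rather than nginx.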

7 participants