Matomo 4.3.1: Require Private Directories

2021-05-29

After upgrading to Matomo 4.3.1 a newly introduced (starting from > 4.3) bright red security alert is shown in the Matomo System Report:

“We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them. We also found that Matomo’s config directory is publicly accessible. While attackers can’t read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory. "

Well, “learning more” always sounds good, so heading over to:

https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/

As advised, I then execute the following command:

./console core:create-security-files

But alas, no success. Not quite yet. Still that red security alert showing up. So what to do? Let’s keep it easy and simply restrict Apache from accessing the folders in question.

Following lines in your Apache configuration at /etc/apache2/apache2.conf:

1
2
3
4


        <LocationMatch "^/(tmp|config|lang)">
            Require all denied
            Require ip 127.0.0.1
        </LocationMatch>

Basically denying access for all except 127.0.0.1 to the directories in question.

Apache restart and you’re good to go!

:wq

#Matomo #Apache