-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New system check to warn that Piwik is not compatible with mod_security #3371
Comments
It's never going to happen I think! |
Also reported here: http://forum.piwik.org/read.php?2,88617,page=1#msg-98619
|
Is there any update to this? I have my hosting with HostGator shared hosting and they are not willing to disable mod_sec for the whole server. The one tech I talked with said he could disable some rules for my domain as long as they are not flagged as required for them - but he would need to know which rules to disable. Is there any progress in knowing what rules to disable? This could be a path to allowing many more users to install Piwik. God Willing. Thanks. |
Same problem here with napa-web-designer. HostGator told us that they can't disable mod_sec for the whole server because i'm on a shared hosting. They just need to know which rules to disable. I don't know what rule it is to tell them. |
Same, i'm on hostgator |
This problem exists also on my onlydomains.com host. Any chance we can get the right custom rules that we can suggest to the hoster ? |
Hello guys, at this point we do not have enough information to know how to make progress re: this issue. The short answer: your web host should ideally not enable software that break stuff. mod_security rules are really breaking Piwik and it's not Piwik's fault (unfortunately, because that also means we can't easily fix it). Maybe you have some details which mod security rules trigger the warnings/errors? Maybe we could contact Hostgator to get them to disable such rules for Piwik users... |
I do agree with you: it's the way they have configured mod_sec that is breaking non-malicious applications and should be their duty to fix it.
does it ring any bell ? something that can be changed in piwik to workaround this ? I know this has already be answered...but just in case this log has something different.. Thanks! |
Hi @ordex thanks for the log line. In this case I believe the issue is that the Piwik URL If anyone has some other log lines matching some other mod security rules, feel free to post them here. |
Hi there, I do not know much about PiWik but quite a bit about ModSecurity. The log reported by @ordex points to rule id Otherwise, we are looking into publishing a brief guide on how to run and secure PiWik in combination with ModSecurity. |
Hey guys; I just wanted to follow up on this. Here is a list of rules for piwik to serve its files properly 950120 The only issue i've been seeing is; that end-users who have piwik tracking enabled are also seeing issues, and disabling all of the above is not idea. ps: i also found this But haven't tested it. |
ModSecurity Core Rule Set 3.0 has been released in the meantime. Last week actually. The new release brings a huge reduction in false positives. Most likely all or almost all of the ones mentioned by @zmjwong. https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-November/002265.html Please upgrade. In the meantime I have been continuing on my ModSec/Piwik integration. Complete blogpost coming soon now. |
Is it enough? It seems quite simple |
They configure ModSecurity to not look at POST requests. It depends on the setup, but generally this does not sound like a safe practice. |
Sorry if I misunderstand but they don't configure ModSecurity, they configure Piwik, no? or atleast they configure ModSecurity to not look at POST requests but for Piwik? like a whitelist?
I didn't enable mod_security yet but I intend to and I just installed Piwik. |
Sorry for not making myself clear. Yes, that's what I meant. They configure it in a way that piwik requests coming in as POST requests bypass ModSecurity. |
Inspired by https://twitter.com/julianguttzeit/status/1107794236701925377 I think it would be worth it to find out common mod_security rules that break Matomo and make a system check that makes requests to URLs matching these patterns and checks if it returns 403. |
I'll move it to the priority backlog. 3.10, 3.11, and pretty much 3.12 are already quite full and I think it doesn't have too much of a priority compared to all the other things. |
@tsteur Okay, I added the |
👍 be for sure good to have |
see #18064 we won't work on this for now as it's hard to impossible to identify if mod_security is installed or not and mod_security seems to be no longer supported in 2024. I'll close this issue for now as |
Nah, it's just that Trustwave wants to hand over ModSecurity to an open source community. Talks are happening as we speak. In the end, the engine for the SecLanguage does not matter too much. What is important and what "incompatible" means is that the OWASP ModSecurity Core Rule Set has rules that bite Matomo and these rules run on ModSecurity or a compatible web application firewall. And there are several compatible options. |
Reported in: #2997, some work was done in the early days in #1460
As a proposed solution to inform users of potential issues early:
See similar #5081
The text was updated successfully, but these errors were encountered: