Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

IIS: web.config only allows installation in /piwik subdir #1416

Closed
anonymous-piwik-user opened this Issue · 5 comments

2 participants

@anonymous-piwik-user

The supplied web.config with 0.6.2 only allows a installation of piwik to reside in /piwik. When you install in in the root you get remote a 404 error. On the server you can see that it caused by the security settings in the web.config.

My suggestion is to make it clear in the documentation that you must edit the web.config file on a iis server if you don't install it in the /piwik directory.

@robocoder
Collaborator

I'm afk and can't test this. Will it run on IIS without web.config? If so, we could generate web.config at runtime (via installer).

@anonymous-piwik-user

Yes it wil run without web.config. Web.config is the file that configures iis7 or higher.

I don't now why the part of directory security is added. Or who added it.

@robocoder
Collaborator

Thanks.

I'll generate it at installation. We can put web.config files in the subfolders (similar to .htaccess) to prevent direct access to .php files. That'll avoid the hardcoded "/piwik/" and avoid overwriting local mods.

@robocoder
Collaborator

I'll probably make this IIS7-only, but I'd appreciate it if you would test that these also work in your IIS6 server.

Top-level web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="config" />
          <add segment="core" />
          <add segment="lang" />
        </hiddenSegments>
        <fileExtensions>
          <add fileExtension=".tpl" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <directoryBrowse enabled="false" />
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

In libs/web.config and plugins/web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>'
@robocoder
Collaborator

(In [2295]) fixes #1416, refs #642 - replace static web.config with runtime generated files (at Installation)

@anonymous-piwik-user anonymous-piwik-user added this to the Piwik 0.6.3 milestone
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.