From 08ade5cd1e7b4e6429fec3fd7fc1080decd3e3ac Mon Sep 17 00:00:00 2001
From: cwivagg
Date: Sat, 7 Jan 2023 07:42:17 -0500
Subject: [PATCH 1/2] Update matomo-nginx.conf.j2

Fix security problems noted in https://github.com/iiab/iiab/issues/3441.

---
 roles/matomo/templates/matomo-nginx.conf.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/matomo/templates/matomo-nginx.conf.j2 b/roles/matomo/templates/matomo-nginx.conf.j2
index 0a7b91609..8ec494bc0 100644
--- a/roles/matomo/templates/matomo-nginx.conf.j2
+++ b/roles/matomo/templates/matomo-nginx.conf.j2
@@ -10,6 +10,7 @@ location ~ ^/matomo(.*)\.php(.*)$ {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
 fastcgi_param PATH_INFO $2;
+ location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
 }
 
 location ~ ^/matomo(/)? {

From ccaa118dadb03cb784562981e37bf63a5dbc0583 Mon Sep 17 00:00:00 2001
From: cwivagg
Date: Sat, 7 Jan 2023 08:27:56 -0500
Subject: [PATCH 2/2] Update matomo-nginx.conf.j2

Move file to higher precedence to handle non-php files as well.

---
 roles/matomo/templates/matomo-nginx.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/matomo/templates/matomo-nginx.conf.j2 b/roles/matomo/templates/matomo-nginx.conf.j2
index 8ec494bc0..a5fdce030 100644
--- a/roles/matomo/templates/matomo-nginx.conf.j2
+++ b/roles/matomo/templates/matomo-nginx.conf.j2
@@ -1,3 +1,5 @@
+location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
+
 location ~ ^/matomo(.*)\.php(.*)$ {
 alias /library/www/matomo$1.php$2; # /library/www/matomo
 proxy_set_header X-Real-IP $remote_addr;
@@ -10,7 +12,6 @@ location ~ ^/matomo(.*)\.php(.*)$ {
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
 fastcgi_param PATH_INFO $2;
- location ~ ^/matomo/(config|tmp|core|lang) { deny all; return 403; }
 }
 
 location ~ ^/matomo(/)? {
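Review bot: In the new top-level `location ~ ^/matomo/(config|tmp|core|lang)`, `deny all;` never takes effect because `return 403;` finishes the request first, and the 403 confirms to a scanner that those directories exist; Matomo's sample nginx config suggests 404 for that reason, and the pattern should stop at a path segment so only the intended trees are covered: `location ~ ^/matomo/(config|tmp|core|lang)(/|$) { return 404; }`. The rule only works because nginx uses the first matching regex location, so it must stay above the `.php` handler and the `^/matomo(/)?` catch-all — a comment such as `# keep first: nginx takes the first matching regex location, so this must precede the .php handler and the catch-all` would stop a later reorder from silently reopening the directories. The `.php` handler below still forwards every `*.php` path under /matomo to FastCGI; Matomo's reference config restricts execution to its entry points (index.php, matomo.php, piwik.php, js/index.php) and additionally denies libs, vendor, misc and node_modules, which may be worth a follow-up depending on what the catch-all location serves. The `.php` location's body continues outside this hunk.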