Opened 4 years ago

Closed 4 years ago

#1416 closed Bug (fixed)

IIS: web.config only allows installation in /piwik subdir

Reported by: mvanlaar
Owned by: vipsoft
Priority: low
Milestone: Piwik 0.6.3
Component: Core
Keywords:
Cc:
Sensitive: no

Description

The supplied web.config with 0.6.2 only allows an installation of Piwik to reside in /piwik. When you install it in the root, remotely you get a 404 error. On the server you can see that it is caused by the security settings in the web.config.

My suggestion is to make it clear in the documentation that you must edit the web.config file on an IIS server if you don't install it in the /piwik directory.

Change History (7)

comment:1 Changed 4 years ago by vipsoft (robocoder)

I'm afk and can't test this. Will it run on IIS without web.config? If so, we could generate web.config at runtime (via installer).

comment:2 Changed 4 years ago by vipsoft (robocoder)

  • Component changed from Documentation to Core
  • Keywords web.config security documentation removed
  • Owner set to vipsoft

comment:3 Changed 4 years ago by mvanlaar

Yes, it will run without web.config. Web.config is the file that configures IIS7 or higher.

I don't know why the directory security part was added. Or who added it.

comment:4 Changed 4 years ago by vipsoft (robocoder)

Thanks.

I'll generate it at installation. We can put web.config files in the subfolders (similar to .htaccess) to prevent direct access to .php files. That'll avoid the hardcoded "/piwik/" and avoid overwriting local mods.

comment:5 Changed 4 years ago by vipsoft (robocoder)

  • Summary changed from webconfig with 0.6.2 only allow installations in /piwik subdir to IIS: web.config only allows installation in /piwik subdir

comment:6 Changed 4 years ago by vipsoft (robocoder)

I'll probably make this IIS7-only, but I'd appreciate it if you would test that these also work in your IIS6 server.

Top-level web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="config" />
          <add segment="core" />
          <add segment="lang" />
        </hiddenSegments>
        <fileExtensions>
          <add fileExtension=".tpl" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <directoryBrowse enabled="false" />
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

In libs/web.config and plugins/web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
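
A simplified model of how the rules proposed in comment 6 evaluate a request, showing that they block the same files whether the application sits in the site root or in a subdirectory. This is an added illustration, not part of the ticket or of Piwik; `filter_request` and its matching semantics are assumptions that approximate IIS 7 request filtering and ignore query strings, URL encoding and the part of the URL above the install directory.

```python
from posixpath import splitext

# Rules copied from the top-level web.config in comment 6.
HIDDEN_SEGMENTS = {"config", "core", "lang"}
DENIED_EXTENSIONS = {".tpl"}
# Rules from libs/web.config and plugins/web.config: folder -> denied sequences.
FOLDER_DENY_SEQUENCES = {"libs": [".php"], "plugins": [".php"]}


def filter_request(install_prefix, url_path):
    """Return the rule that rejects url_path, or None if the request passes.

    install_prefix is the URL path of the deployment: "" for the site
    root, "/piwik" for a subdirectory. Hypothetical helper for this model.
    """
    prefix = install_prefix.rstrip("/").lower()
    path = url_path.lower()  # assumption: matching is case-insensitive
    if not path.startswith(prefix + "/"):
        return None  # outside the application; its web.config files do not apply
    relative = path[len(prefix):]
    segments = [s for s in relative.split("/") if s]

    # hiddenSegments: reject when any whole path segment matches.
    for seg in segments:
        if seg in HIDDEN_SEGMENTS:
            return "hiddenSegments:" + seg

    # fileExtensions: reject by the extension of the requested file.
    ext = splitext(segments[-1])[1] if segments else ""
    if ext in DENIED_EXTENSIONS:
        return "fileExtensions:" + ext

    # Per-folder web.config: only applies to URLs below that folder.
    if segments and segments[0] in FOLDER_DENY_SEQUENCES:
        for seq in FOLDER_DENY_SEQUENCES[segments[0]]:
            if seq in relative:
                return "denyUrlSequences:" + seq
    return None
```

None of the rules names the install directory, so the result depends only on the path below it.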

comment:7 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [2295]) fixes #1416, refs #642 - replace static web.config with runtime generated files (at Installation)
