Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IIS: web.config only allows installation in /piwik subdir #1416

Closed
anonymous-matomo-user opened this issue Jun 8, 2010 · 5 comments
Closed
Assignees
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Milestone

Comments

@anonymous-matomo-user
Copy link

The supplied web.config with 0.6.2 only allows a installation of piwik to reside in /piwik. When you install in in the root you get remote a 404 error. On the server you can see that it caused by the security settings in the web.config.

My suggestion is to make it clear in the documentation that you must edit the web.config file on a iis server if you don't install it in the /piwik directory.

@robocoder
Copy link
Contributor

I'm afk and can't test this. Will it run on IIS without web.config? If so, we could generate web.config at runtime (via installer).

@anonymous-matomo-user
Copy link
Author

Yes it wil run without web.config. Web.config is the file that configures iis7 or higher.

I don't now why the part of directory security is added. Or who added it.

@robocoder
Copy link
Contributor

Thanks.

I'll generate it at installation. We can put web.config files in the subfolders (similar to .htaccess) to prevent direct access to .php files. That'll avoid the hardcoded "/piwik/" and avoid overwriting local mods.

@robocoder
Copy link
Contributor

I'll probably make this IIS7-only, but I'd appreciate it if you would test that these also work in your IIS6 server.

Top-level web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="config" />
          <add segment="core" />
          <add segment="lang" />
        </hiddenSegments>
        <fileExtensions>
          <add fileExtension=".tpl" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <directoryBrowse enabled="false" />
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

In libs/web.config and plugins/web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>'

@robocoder
Copy link
Contributor

(In [2295]) fixes #1416, refs #642 - replace static web.config with runtime generated files (at Installation)

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Projects
None yet
Development

No branches or pull requests

2 participants