@anonymous-piwik-user opened this Issue on June 8th 2010

The supplied web.config with 0.6.2 only allows a installation of piwik to reside in /piwik. When you install in in the root you get remote a 404 error. On the server you can see that it caused by the security settings in the web.config.

My suggestion is to make it clear in the documentation that you must edit the web.config file on a iis server if you don't install it in the /piwik directory.

@robocoder commented on June 8th 2010 Contributor

I'm afk and can't test this. Will it run on IIS without web.config? If so, we could generate web.config at runtime (via installer).

@anonymous-piwik-user commented on June 9th 2010

Yes it wil run without web.config. Web.config is the file that configures iis7 or higher.

I don't now why the part of directory security is added. Or who added it.

@robocoder commented on June 9th 2010 Contributor

Thanks.

I'll generate it at installation. We can put web.config files in the subfolders (similar to .htaccess) to prevent direct access to .php files. That'll avoid the hardcoded "/piwik/" and avoid overwriting local mods.

@robocoder commented on June 10th 2010 Contributor

I'll probably make this IIS7-only, but I'd appreciate it if you would test that these also work in your IIS6 server.

Top-level web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="config" />
          <add segment="core" />
          <add segment="lang" />
        </hiddenSegments>
        <fileExtensions>
          <add fileExtension=".tpl" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
    <directoryBrowse enabled="false" />
    <defaultDocument>
      <files>
        <remove value="index.php" />
        <add value="index.php" />
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>

In libs/web.config and plugins/web.config:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".php" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>'
@robocoder commented on June 12th 2010 Contributor

(In [2295]) fixes #1416, refs #642 - replace static web.config with runtime generated files (at Installation)

This Issue was closed on June 12th 2010
Powered by GitHub Issue Mirror