@oparoz opened this issue on January 11th 2014

When a new plugin is installed, an .htaccess file is created in the plugins folder with the following content.

<Files "*">
<IfModule mod_access.c>
Deny from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Deny from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>

This configuration completely breaks Piwik for us, leaving the logs littered with messages like this:

Jan 11 00:55:44.367351 2014 [pid 95149:tid 34394546176 1.2.3.4:59467 AH01797: client denied by server configuration: /public_html/pro/plugins/Login/javascripts/login.js

We're using PHP-FPM 5.4 via FastCGI on Apache 2.4. Files are owned by the user. PHP is run as the user.

Keywords: htaccess, php-fpm

@oparoz commented on January 11th 2014

I've just activated the TreemapVisualization plugin and got a different .htaccess, which works.

<Files ~ ".(php|php4|php5|inc|tpl|in|twig)$">
<IfModule mod_access.c>
Deny from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Deny from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Deny from all
</IfModule>
</Files>
<Files ~ ".(test.php|gif|ico|jpg|png|svg|js|css|swf)$">
<IfModule mod_access.c>
Allow from all
</IfModule>
<IfModule !mod_access_compat>
<IfModule mod_authz_host.c>
Allow from all
</IfModule>
</IfModule>
<IfModule mod_access_compat>
Allow from all
</IfModule>
Satisfy any
</Files>
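Added example, not part of the thread or of Piwik's code: a small audit helper that reports how each of the two generated files treats a given file name, which shows why the `<Files "*">` variant blocks login.js while the second variant does not. The function names are hypothetical, and the model is a simplification that assumes the last matching `<Files>` block decides and that every `<IfModule>` branch carries the same directive.

```python
import fnmatch
import re

# Constructed from the two generated files quoted above. The <IfModule> wrappers are
# left out because every branch carries the same directive; the backslash-escaped
# dots follow the pattern quoted later in the thread.
BLANKET = '''<Files "*">
Deny from all
</Files>'''

SELECTIVE = r'''<Files ~ "\.(php|php4|php5|inc|tpl|in|twig)$">
Deny from all
</Files>
<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|swf)$">
Allow from all
Satisfy any
</Files>'''

FILES_OPEN = re.compile(r'<Files\s+(~\s+)?"([^"]+)"\s*>$', re.I)
ACCESS = re.compile(r'(deny|allow)\s+from\s+all$', re.I)

def parse_sections(text):
    """Return (is_regex, pattern, action) for each <Files> block, in file order."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        opened = FILES_OPEN.match(line)
        if opened:
            current = [bool(opened.group(1)), opened.group(2), None]
        elif current and line.lower() == "</files>":
            sections.append(tuple(current))
            current = None
        elif current and ACCESS.match(line):
            current[2] = line.split()[0].lower()
    return sections

def verdict(text, filename):
    """'deny', 'allow', or 'inherit' (no <Files> block in this file matches)."""
    result = "inherit"
    for is_regex, pattern, action in parse_sections(text):
        if is_regex:
            hit = re.search(pattern, filename) is not None
        else:
            hit = fnmatch.fnmatchcase(filename, pattern)
        if hit and action:
            result = action  # simplification: the last matching block wins
    return result

if __name__ == "__main__":
    for name in ("login.js", "Controller.php", "Foo.test.php", "README.md"):
        print(f"{name:16} blanket={verdict(BLANKET, name):8} selective={verdict(SELECTIVE, name)}")
```
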

@mattab commented on January 30th 2014

Thanks for the report!

I don't think we can easily fix this one, hopefully users experiencing the bug will find this ticket and know to delete the .htaccess causing problems.

@anonymous-piwik-user commented on May 9th 2014

We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

That broke all the images across the entire thing and I spent an hour trying to figure out:

1. Did the recent update to 2.2.0 break this?
2. Did another developer tweak the apache settings to break this?
3. Are the files messed up somehow?

Installing a plugin shouldn't break the entire rest of the site by installing a hidden file into a fairly random directory.

This is pretty bad.

STR:

- cd $PIWIK_INSTALL_DIR/plugins
- cat .htaccess
- Install the number one plugin in the marketplace, SecurityInfo and then enable it.
- cat .htaccess

@mattab commented on May 13th 2014

The other day I stumbled upon this commit in phpbb: https://github.com/phpbb/phpbb/pull/2386/files#diff-f72a38c4bec79cc6ded3f8e435d6bd55L11

Maybe we could check out this one, and possibly how other popular open source projects have sorted their .htaccess so it works across all server configurations.

@mattab commented on May 14th 2014

See related/possibly same issue #4941

@mattab commented on May 14th 2014

Replying to mlissner:

We have to do better here. I just installed the Security check plugin and when I did it installed the .htaccess file in the plugins directory that is in the OP.

Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

@anonymous-piwik-user commented on May 14th 2014

Replying to matt:

Are you sure it's the htaccess in OP, or maybe it created the htaccess in: #4499 rather than ticket description?

Yeah, I'm sure. Just checked the server and it still has an .htaccess.bak file with the contents from the OP.

@mattab commented on May 14th 2014

In 6e83e2299b9fc9a876fda6d7576d88bca933c0ee: Refs #4499 #4941 Adding <IfModule !mod_authz_host.c> around the Satisfy any which may fix the issue.

To test run the following command in the piwik directory:

rm js/.htaccess plugins/.htaccess core/.htaccess libs/.htaccess vendor/.htaccess misc/user/.htaccess

(this deletes all current htaccess files)

Then visit the System check page
(this re-creates the .htaccess files)

Then browse Piwik -> is it working fine?

If not, check your error log and please paste error as a comment in the ticket.

@anonymous-piwik-user commented on May 17th 2014

This seems to be related, in Piwik 2.2.3-b6, image files are not displayed (icons, etc) getting 500 errors instead.

Issue caused by .htaccess in plugins directory, section starting with

<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">

Once that section is commented icons display correctly.

However, possibly a different issue, still get 500 error (see chrome console) with this file

/libs/jquery/themes/base/images/ui-bg_flat_75_ffffff_40x100.png 500 (Internal Server Error)

@mattab commented on May 19th 2014

Issue caused by .htaccess in plugins directory, section starting with

<Files ~ "\.(test\.php|gif|ico|jpg|png|svg|js|css|htm|html|swf)$">

Once that section is commented icons display correctly.

Because it works on my dev, the demo, and many other servers so I'm trying to understand why not on yours and some others:

When this <Files> element is in your htaccess files, and you access piwik, does it log some errors in your server error log?

What is the error message?

Maybe you do understand why this <Files> somehow creates error on your server?

We need more help from you guys to fix the issue properly, cheers :)

@mattab commented on May 21st 2014

In 7183d210291c8a2cc8f27231fb7f7bdb7055a16a: Refs #4499 This should fix the issue with htaccess files being incorrect. Todo: create Update file to re-create all htaccess files.

@mattab commented on May 21st 2014

In 2e0b98dc678db7241655b065234763f9e35fab21: Fixes #4499 Adding upgrade file to re-create all htaccess files with the correct values.

@anonymous-piwik-user commented on May 21st 2014

Sorry, I did not have mail notification on, just noticed your post.

Unfortunately I don't have access to the full server log, I do have a php error log and there were no errors there.

I don't know what that section of the htaccess causes problems - I didn't do much debugging, the problem could be anywhere in the 2nd half of the htaccess file after <Files> although the commands used are not used in any other application that I used.

I noticed a comment in the new code you posted related to new instruction in Apache 2.4. My server is on Apache 2.2.25 and I normally use Deny / Allow instructions in htaccess.

@mattab commented on May 21st 2014

@samiam can you please try the latest beta version? This issue should be fixed after you upgrade, but we would like to know for sure that it is fixed for you. If not, we will try some more things. See: http://piwik.org/faq/how-to-update/faq_159/

@anonymous-piwik-user commented on May 21st 2014

Hmm, I thought it was but the page is not loading properly and I am getting errors in the browser dev panel

GET http://www.mydomain.com/plugins/Morpheus/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1
GET http://www.mydomain.com/plugins/Zeitgeist/images/index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday net::ERR_TOO_MANY_REDIRECTS index.php?module=CoreHome&action=index&idSite=1&period=day&date=yesterday:1

Also getting php errors

[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteMiscUserPathWithInstanceId() in /home/user/public_html/analytics/plugins/CoreAdminHome/CustomLogo.php on line 150
[21-May-2014 11:58:28 UTC] PHP Fatal error:  Call to undefined method Piwik\SettingsPiwik::rewriteTmpPathWithInstanceId() in /home/user/public_html/analytics/core/Twig.php on line 63

@anonymous-piwik-user commented on May 21st 2014

I looked at this a bit more. As far as I can see the update to the latest beta nuked a .htaccess that I had in the Piwik root folder. After replacing this it seems to work fine.

@mattab commented on May 23rd 2014

In 01d9dd07a38f8f0f36839c6dfa3a7ab431ec3493: When deleting htaccess files, make sure we only delete those that we may have created. Thank you @samiam for the report of bug, that's really helpful. We will not over-delete (often important) htaccess of more Piwik users! refs #4499 Will be available in 2.3.0-rc2

This issue was closed on May 23rd 2014