• Resolved barthat

    (@barthat)


    So things were working nicely until I decided to block unauthorised users to the Piwik login page by using the Piwik Marketplace plugin LoginHttpAuth.

    The following is a modified version of the .htaccess code that Piwik recommends for this plugin.

    #### Begin - Authentication  ##########
    #
    # https://raw.githubusercontent.com/piwik/plugin-LoginHttpAuth/master/TemplateHtaccess/.htaccess
    #
    # This is a sample .htaccess file that will enable HTTP Authentication for your Piwik on apache server
    # To enable, move this file into the root of your Piwik folder, next to index.php and piwik.php
    
    # Restrict outside access
    # Replace the path below by the absolute path pointing to your htpasswd
    AuthUserFile /home/useracct/.htpasswds/public_html/piwik/passwd
    #AuthGroupFile /dev/null
    AuthName "piwik"
    AuthType Basic
    Order Allow,Deny
    
    # All files by default require authentication...
    <Files "*">
        Require valid-user
    </Files>
    
    # modified authentication by ip address
    <Files "*">
        Allow from piwik.mydomain.com mydomain.com xx.xxx.xxx.xx
    </Files>
    
    # ... except piwik.php and piwik.js which do not require authentication
    <Files ~ "^piwik\.(js|php)|robots\.txt$">
    # <Files ~ "^piwik\.(js|php)|phpinfo\.php|robots\.txt$">
        Allow from all
        Satisfy any
    # Including below line did not work for me
    #   Require all granted
    </Files>

    I thought that by allowing the WP domain that WP-Piwik would be able to access the files it needed, but it is being blocked. Which files in WP-Piwik do I need to whitelist?

    Here is the output of the testscript

    WP-Piwik 1.0.5
    Mode: http
    
    Test 1/3: global.getPiwikVersion
    
    bool(false)
    
    array(2) {
      [0]=>
      string(603) "HTTP/1.1 401 Unauthorized
    Server: cloudflare-nginx
    Date: Tue, 03 Nov 2015 14:41:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=d1b6c4d209a282208b59.....561685; expires=Wed, 02-Nov-16 14:41:25 GMT; path=/; domain=.mydomain.com; HttpOnly
    Cache-Control: public, max-age=0
    Expires: Tue, 03 Nov 2015 14:41:25 GMT
    Vary: Accept-Encoding,User-Agent
    WWW-Authenticate: Basic realm="piwik"
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Turbo-Charged-By: LiteSpeed
    CF-RAY: 23f8d7.....9be-ORD
    
    "
      [1]=>
      string(148) "https://piwik.mydomain.com/?module=API&method=API.getBulkRequest&format=json&urls[0]=method%3DAPI.getPiwikVersion%26idSite%3D1&token_auth=..."
    }
    
    Test 2/3: SitesManager.getSitesWithAtLeastViewAccess
    
    bool(false)
    
    array(2) {
      [0]=>
      string(603) "HTTP/1.1 401 Unauthorized
    Server: cloudflare-nginx
    Date: Tue, 03 Nov 2015 14:41:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=db1ac606a579f479febe9ab4a667e....1685; expires=Wed, 02-Nov-16 14:41:25 GMT; path=/; domain=.mydomain.com; HttpOnly
    Cache-Control: public, max-age=0
    Expires: Tue, 03 Nov 2015 14:41:25 GMT
    Vary: Accept-Encoding,User-Agent
    WWW-Authenticate: Basic realm="piwik"
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Turbo-Charged-By: LiteSpeed
    CF-RAY: 23f8d705....5b5-ORD
    
    "
      [1]=>
      string(221) "https://piwik.mydomain.com/?module=API&method=API.getBulkRequest&format=json&urls[0]=method%3DAPI.getPiwikVersion%26idSite%3D1&urls[1]=method%3DSitesManager.getSitesWithAtLeastViewAccess%26idSite%3D1&token_auth=..."
    }
    
    Test 3/3: SitesManager.getSitesIdFromSiteUrl
    
    bool(false)
    
    array(2) {
      [0]=>
      string(603) "HTTP/1.1 401 Unauthorized
    Server: cloudflare-nginx
    Date: Tue, 03 Nov 2015 14:41:25 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: __cfduid=dde143a0f0e58a996a1a6dfb19a2481446561685; expires=Wed, 02-Nov-16 14:41:25 GMT; path=/; domain=.mydomain.com; HttpOnly
    Cache-Control: public, max-age=0
    Expires: Tue, 03 Nov 2015 14:41:25 GMT
    Vary: Accept-Encoding,User-Agent
    WWW-Authenticate: Basic realm="piwik"
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1;mode=block
    X-Turbo-Charged-By: LiteSpeed
    CF-RAY: 23f8d706f24d-ORD
    
    "
      [1]=>
      string(324) "https://piwik.mydomain.com/?module=API&method=API.getBulkRequest&format=json&urls[0]=method%3DAPI.getPiwikVersion%26idSite%3D1&urls[1]=method%3DSitesManager.getSitesWithAtLeastViewAccess%26idSite%3D1&urls[2]=method%3DSitesManager.getSitesIdFromSiteUrl%26idSite%3D1%26url%3Dhttps%3A%2F%2Fmydomain.com&token_auth=..."
    }
    
    array(2) {
      ["global_settings"]=>
      array(57) {
        ["revision"]=>
        string(10) "2015101201"
        ["last_settings_update"]=>
        string(10) "1446025832"
        ["piwik_mode"]=>
        string(4) "http"
        ["piwik_url"]=>
        string(34) "https://piwik.mydomain.com/"
        ["piwik_path"]=>
        string(37) "/home/useracct/public_html/piwik/"
        ["piwik_user"]=>
        string(0) ""
        ["piwik_token"]=>
        string(3) "set"
        ["auto_site_config"]=>
        string(1) "0"
        ["default_date"]=>
        string(12) "current_week"
        ["stats_seo"]=>
        string(1) "0"
        ["dashboard_widget"]=>
        string(5) "today"
        ["dashboard_chart"]=>
        string(1) "1"
        ["dashboard_seo"]=>
        string(1) "0"
        ["toolbar"]=>
        string(1) "0"
        ["capability_read_stats"]=>
        array(5) {
          ["administrator"]=>
          string(1) "1"
          ["editor"]=>
          string(1) "0"
          ["author"]=>
          string(1) "0"
          ["contributor"]=>
          string(1) "0"
          ["subscriber"]=>
          string(1) "0"
        }
        ["perpost_stats"]=>
        string(1) "0"
        ["plugin_display_name"]=>
        string(8) "WP-Piwik"
        ["piwik_shortcut"]=>
        string(1) "0"
        ["shortcodes"]=>
        string(1) "0"
        ["track_mode"]=>
        string(2) "js"
        ["track_codeposition"]=>
        string(6) "footer"
        ["track_noscript"]=>
        string(1) "1"
        ["track_nojavascript"]=>
        string(1) "0"
        ["proxy_url"]=>
        string(28) "//piwik.mydomain.com/"
        ["track_content"]=>
        string(8) "disabled"
        ["track_search"]=>
        string(1) "0"
        ["track_404"]=>
        string(1) "0"
        ["add_post_annotations"]=>
        string(1) "0"
        ["add_customvars_box"]=>
        string(1) "0"
        ["add_download_extensions"]=>
        string(0) ""
        ["set_download_extensions"]=>
        string(0) ""
        ["disable_cookies"]=>
        string(1) "0"
        ["limit_cookies"]=>
        string(1) "0"
        ["limit_cookies_visitor"]=>
        string(8) "34186669"
        ["limit_cookies_session"]=>
        string(4) "1800"
        ["limit_cookies_referral"]=>
        string(8) "15778463"
        ["track_admin"]=>
        string(1) "0"
        ["capability_stealth"]=>
        array(4) {
          ["administrator"]=>
          string(1) "1"
          ["editor"]=>
          string(1) "1"
          ["author"]=>
          string(1) "1"
          ["contributor"]=>
          string(1) "1"
        }
        ["track_across"]=>
        string(1) "0"
        ["track_across_alias"]=>
        string(1) "0"
        ["track_feed"]=>
        string(1) "0"
        ["track_feed_addcampaign"]=>
        string(1) "0"
        ["track_feed_campaign"]=>
        string(4) "feed"
        ["track_heartbeat"]=>
        string(2) "30"
        ["cache"]=>
        string(1) "1"
        ["http_connection"]=>
        string(4) "curl"
        ["http_method"]=>
        string(4) "post"
        ["disable_timelimit"]=>
        string(1) "0"
        ["connection_timeout"]=>
        string(1) "5"
        ["disable_ssl_verify"]=>
        string(1) "0"
        ["piwik_useragent"]=>
        string(3) "php"
        ["piwik_useragent_string"]=>
        string(8) "WP-Piwik"
        ["track_datacfasync"]=>
        string(1) "1"
        ["track_cdnurl"]=>
        string(0) ""
        ["track_cdnurlssl"]=>
        string(0) ""
        ["force_protocol"]=>
        string(5) "https"
        ["update_notice"]=>
        string(7) "enabled"
      }
      ["settings"]=>
      array(6) {
        ["name"]=>
        string(0) ""
        ["site_id"]=>
        string(1) "1"
        ["noscript_code"]=>
        string(120) "<noscript><p><img src="//www.piwik.mydomain.com/js/index.php?idsite=1" style="border:0;" alt="" /></p></noscript>"
        ["tracking_code"]=>
        string(0) ""
        ["last_tracking_code_update"]=>
        string(1) "0"
        ["dashboard_revision"]=>
        string(1) "0"
      }
    }

    Thanks.


Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author braekling

    (@braekling)

    You should ask the plugin’s author how to use the Piwik API in combination with his HttpAuth plugin. Just two ideas on my side: Add user & password to the Piwik URL (https://user:pass@url) – but this may cause new security issues. Or disable HttpAuth for requests from the WordPress server’s IP.

    https://ww.wp.xz.cn/support/topic/http-auth-rule-for-piwik

    We have observed a similar issue. Previously, we could see statistics both in Piwik and WP-Piwik. If we use and/or tweak the sample .htaccess file https://raw.githubusercontent.com/piwik/plugin-LoginHttpAuth/master/TemplateHtaccess/.htaccess, we are able to log into the popup dialog box, but login attempts into Piwik as a superuser give “Error: Wrong Username and password combination.”

    From the Piwik forums I found the plugin code: https://github.com/piwik/plugin-LoginHttpAuth/blob/master/Auth.php#L51-L64
    Does anything obvious pop out at you on what they would need to edit to work with WP-Piwik?

    On another note, are there any potential issues with WP-Piwik and Let’s Encrypt? What settings should we change if we go that route instead? I will ask for assistance in the Piwik forums as well.

    Thanks.
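    As an added illustration of braekling's second idea (not code from the thread, the plugin author, or the LoginHttpAuth template): the .htaccess posted above adds an `Allow from` rule next to `Require valid-user` but never sets `Satisfy Any`, and WP-Piwik's requests go to `index.php?module=API...`, which the piwik.php/piwik.js exemption does not cover. The address 203.0.113.10 and the htpasswd path are constructed placeholders.

    ```apache
    # Added example, Apache 2.2-style syntax to match the Order/Allow directives
    # used in this thread. Placeholders: the htpasswd path and the WordPress
    # server address 203.0.113.10 are constructed; substitute your own values.

    AuthUserFile /path/to/htpasswd
    AuthName "piwik"
    AuthType Basic

    # Default: every file requires a valid HTTP Basic user.
    <Files "*">
        Order Allow,Deny
        Require valid-user
    </Files>

    # Weak version (what the posted .htaccess effectively does): an Allow rule
    # without "Satisfy Any". Satisfy defaults to All, so BOTH the address check
    # AND "Require valid-user" must pass. The Allow line therefore changes
    # nothing for WP-Piwik, which has no credentials, and it still receives
    # the 401 shown in the test output.
    #
    #   <Files "index.php">
    #       Allow from 203.0.113.10
    #   </Files>

    # Corrected version: only the WordPress server's address may call
    # index.php (the API entry point) without a password; everyone else is
    # still prompted for HTTP Basic credentials. "Satisfy Any" makes the
    # address match OR a valid user sufficient, instead of requiring both.
    <Files "index.php">
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Satisfy Any
    </Files>

    # Caveats:
    # - Use an IP address, not a hostname. "Allow from mydomain.com" depends on
    #   a reverse DNS lookup of the connecting address and is unreliable.
    # - The 401 responses above carry "Server: cloudflare-nginx", so Apache sees
    #   Cloudflare's address unless the real client address is restored (e.g.
    #   mod_remoteip on Apache 2.4). Without that, the address check cannot match.
    ```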

    Plugin Author braekling

    (@braekling)

    In REST (http) mode WP-Piwik just has to be able to create an HTTP connection to Piwik. If this one is blocked in any way, WP-Piwik is not able to work anymore, of course. So you should always make sure to whitelist WP-Piwik (= allow its access to Piwik via HTTP).

    I don’t know what “Let’s encrypt” is doing and how it is working. If the HTTP connection to Piwik is still possible, it should not affect WP-Piwik.

    Btw.: If Piwik and WP-Piwik are running on the same system, you can also switch to PHP API and avoid the HTTP connections.

    We’ve only installed Piwik and WP-Piwik for 1 week, and aren’t clear on the responsibilities of each.

    For us, Piwik and WP-Piwik are on the same system. For LoginHttpAuth we either only got it working with htpasswd, OR were only able to log into Piwik, instead of our original goal of both. With LoginHttpAuth, we could only get WP-Piwik to connect with (Self-hosted,HTTP API,default). We are guessing this is by design. Without LoginHttpAuth, we could get WP-Piwik to connect with both (Self-hosted,HTTP API,default) and (Self-hosted,PHP API). Instead of LoginHttpAuth, we’re leaning towards SSL at this point.

    What are the pros/cons of PHP API vs HTTP API?
    Will the PHP API work with SSL?
    What settings would we need to adjust for SSL?

    For those settings common to Piwik and WP-Piwik, should changes in WP-Piwik be automatically reflected in Piwik itself, or does WP-Piwik tell Piwik “we’re using our settings and ignoring yours” or should everything be manually made to match in Piwik and in WP-Piwik for both to work properly?
    Thanks.

    Plugin Author braekling

    (@braekling)

    WP-Piwik is not a remote for Piwik. It’s more like a monitor: It uses Piwik’s API to get data from Piwik and to show it inside WordPress. As an additional feature, it also is able to get Piwik’s default tracking code and offers some options to change it (e.g., to define cookie timeouts). This spares you adding (and modifying) the tracking code manually.

    Just one exception: WP-Piwik is able to generate a new site and to update the site title inside Piwik, if necessary. (Also using Piwik’s API.)

    There are no “overlapping” settings in Piwik and WP-Piwik.

    The REST API uses HTTP to connect to Piwik. This is the easiest way to use WP-Piwik, because it doesn’t care about Piwik’s location. (But of course, an HTTP connection should be possible.)

    The PHP API includes some PHP libraries of Piwik. This only works if WordPress and Piwik are running on the same machine and WP-Piwik is allowed to include the files (e.g., depending on safe mode settings). Typically, this is more complicated, but faster and more secure. It doesn’t care about SSL because it does not use an HTTP connection.

    See https://developer.piwik.org/guides/querying-the-reporting-api

    For SSL you just should make sure to use the right URL in WP-Piwik’s settings and a valid certificate.

    One hint: To keep the tracking code working, you also should avoid redirects on your Piwik server. If your Piwik server supports SSL only and does a redirect from http to https, you should use the “force HTTPS” feature, see expert settings -> force protocol – don’t rely on an HTTP redirect! Best practice would be to make sure your Piwik system supports all protocols which are supported by your WordPress system. E.g., if WordPress is using http and https, Piwik should do so, too.


The topic ‘Piwik plugin LoginHttpAuth blocks WP-Piwik’ is closed to new replies.