Hi @mddvul22. Thanks for creating this issue. Matomo actually tries to do a http request on the config file and checks if the response code to be between 400 and 500. So you may need to disallow access in webserver config.
See #17568

Maybe some documentation somewhere should be updated... And a link to this doc should be provided in the warning message?

At least on my server
config/config.ini.php returns a single ';'
tmp/cache/tracker/matomocache_general.php returns an empty file
causing the check to complain since something is returned.

Also to me it seems those files exist by default, how are they supposed to be protected? (The warning should tell you too ..)

I have explained this a bit more detailed here:
https://forum.matomo.org/t/nach-update-auf-4-3-fehlermeldung-required-private-directories/41903/4?u=lukas

Maybe the error message could be expanded with this help

Note:
I'm using centos7 and httpd, the .htaccess is there but doesn't seem to work for me.
I'm investigating possible reasons, the use of php-fpm being one candidate ...

One thing: With the current check Matomo doesn't accept it, if the config.ini.php returns a 304 e.g. to the homepage.

I'm open to other suggestions on the best way to fix this. However, I have placed this in my Matomo Apache configuration:

    <LocationMatch "^/(tmp|config|lang)">
            Require all denied
            Require ip 127.0.0.1
    </LocationMatch>

And this has removed the warning from the Matomo system check. Again, I'm open to suggestions of a better way to address this.

I think initially there was a check for the retrieved content. To adjust the check for redirects etc maybe we could follow redirects and check if the retrieved config is trim($content) !== ';' (before was only a contains check or so) and check whether it's actually returning any content from the config. So if response code is >=400 && < 500 then all is good. If not we'd maybe do some additional checks regarding the redirects etc (we need to follow the redirects to see if it maybe just redirects from http to https etc)

Hi guys, I've also had this problem after updating to 4.3.0, but for a different file and folder. For my site, the "Required Private Directory" warning refers to this URL:

https://matomo.example.com/lang/en.json

My site is running on Apache, and inside my /lang/ directory there is a Matomo-generated .htaccess file which I've attached to my comment here (renamed to a .txt file). As far as I can tell, it's configured correctly to block all the files in this directory.

However, when I check the HTTP response header of the above URL, it's returning "200 OK", rather than 4xx.

Any idea why? To me it feels like Matomo is doing something wrong here.

htaccess.txt

Hello,

I was in the process of manual installation of Matomo 4.3.0 on Centos 6.9 with PHP 7.2.24, MYSQL 5.5, Apache 2.2.

However I face the same issue as mentioned above on the following file i.e :

http://example.com/piwik/lang/en.json

i.e the following error is thrown after visiting Diagnostic->System Check :

Could you please replicate and fix the issue?.

Created #17604 as a first improvement as well as this FAQ https://matomo.org/faq/troubleshooting/how-do-i-fix-the-error-private-directories-are-accessible/ which we can improve and complete over time.

To fully fix this issue we should maybe split the one system check into two system checks:

• private directories that are basically required to fix: '.git/config', 'tmp/cache/tracker/matomocache_general.php', config/config.ini.php
• private directories that should be fixed/that we recommend to be fixed (only lang/en.json and '/tmp/empty' check for now). These directories are basically optional. Once we add more checks eg for core etc then we could move these files in there as well.

Currently, /tmp is also hard coded and we may want to use StaticContainer::get('path.tmp') instead. And in case that strpos($tmpDir, PIWIK_INCLUDE_PATH) === false then we would need to assume the tmp is not in the public directory and don't need to execute the check for the tmp directory.

For docs around this see https://developer.matomo.org/guides/system-check

This is difficult without affecting performance or requiring a certain webserver like Apache and adding an .htaccess file or required information and configuration.

I think one way would be to recommend RewriteRules for Apache and similarly for NGINX in the warning message or linking to a page that describes in detail how to configure the webserver.

To make it easier for the user, we could have a global RewriteRule and proxy everything through index.php?path=$somepath (or another script, e.g. filter.php?path=$somepath and forward to index.php) and have our code filter and do a stream_copy_to_stream for straight files. This function should be pretty much the same speed as a straight request but offer the benefit of our code being the filter for potentially harmful requests.

Not sure what a really quick solution would be at this stage.

@geekdenz be good to have a look at #17577 (comment) which is the only thing left to do.

Not 100% sure what you refer to with affecting performance? The recommendations etc should be already done. We only need to adjust the system check that's all.

Yes. You're right. I over-estimated the requirement and reading again clarifies that it's just a documentation requirement in the diagnostics.

Currently I've got it refactored and it looks like this.

Should the "Recommended Private Directories just be warnings instead of errors?