Apache mod_security provides protection against common web server attacks.

Matomo (formerly Matomo) and Apache mod_security

I recently enabled the mod_security plugin for Apache, and encountered several problems with Matomo Analytics; every page load with Matomo enabled triggered a CRITICAL rule violation and blacklisted the user’s IP address. At first, it looked like I had problems with the HTML on particular pages (that may yet be true), but eventually I tracked the problem down to Matomo’s calls to retrieve scripts and images from another domain. I tried several different Matomo plugins, but all had the same problem and all triggered a mod_security violation. In the end, I had to disable two of the rules from the OWASP rule set.

If you are implementing either Matomo or mod_security for the first time, make sure to test all possible combinations of browsers and privacy settings; the problems did not occur when the “Do Not Track” browser setting was enabled. To do this testing, use the following steps:

  • Before you start testing, make sure to white-list your IP address, as you will absolutely trigger a rule violation that will lock you out.
  • Configure mod_security to process rules, but not act on them as you begin to implement the tool.
  • Log in to Web Hosting Manager, open a tab to the mod_security tools, and look at the violations log.
  • When you retrieve a page and trigger a violation, report the rule as a false positive and disable it, or figure out another way to bypass the problem.
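
The following added example, which is not from the original post, tallies ModSecurity entries in an Apache error log by rule id and URI, so that rules firing for every visitor on the same request stand out while the engine is only logging. It assumes the ModSecurity 2.x error-log layout; the log lines, rule ids (900001, 900002), addresses and paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Rule ids, client addresses, hostnames and paths are placeholders, not real data.
SAMPLE_LOG = """\
[Mon Jan 06 10:15:01 2020] [:error] [pid 41] [client 203.0.113.7:51544] [client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS:url. [file "/path/to/rules.conf"] [line "10"] [id "900001"] [msg "Constructed rule A"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/matomo.php"] [unique_id "A1"]
[Mon Jan 06 10:15:09 2020] [:error] [pid 41] [client 198.51.100.23:40212] [client 198.51.100.23] ModSecurity: Warning. Pattern match at ARGS:url. [file "/path/to/rules.conf"] [line "10"] [id "900001"] [msg "Constructed rule A"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/matomo.php"] [unique_id "A2"]
[Mon Jan 06 10:16:30 2020] [:error] [pid 42] [client 203.0.113.7:51570] [client 203.0.113.7] ModSecurity: Warning. Pattern match at ARGS:url. [file "/path/to/rules.conf"] [line "10"] [id "900001"] [msg "Constructed rule A"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/matomo.php"] [unique_id "A3"]
[Mon Jan 06 10:17:02 2020] [:error] [pid 42] [client 192.0.2.55:33010] [client 192.0.2.55] ModSecurity: Warning. Pattern match at ARGS:q. [file "/path/to/rules.conf"] [line "22"] [id "900002"] [msg "Constructed rule B"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/contact.html"] [unique_id "A4"]
[Mon Jan 06 10:17:05 2020] [core:notice] [pid 1] AH00094: Command line: '/usr/sbin/httpd'
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "900001"], [uri "/x"], ...
# IPv4 clients only; the port, when present, is dropped.
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})')

def summarize(log_text, severity="CRITICAL"):
    """Map (rule_id, uri) -> {"hits": n, "clients": set} for ModSecurity entries."""
    summary = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue                                  # ordinary Apache message
        fields = dict(FIELD.findall(line))
        if "id" not in fields or fields.get("severity") != severity:
            continue
        entry = summary[(fields["id"], fields.get("uri", "?"))]
        entry["hits"] += 1
        client = CLIENT.search(line)
        if client:
            entry["clients"].add(client.group(1))
    return dict(summary)

def candidates(summary, min_clients=2):
    """Heuristic: a rule hit by several distinct clients on one URI deserves review first."""
    rows = [
        (rule_id, uri, v["hits"], len(v["clients"]))
        for (rule_id, uri), v in summary.items() if len(v["clients"]) >= min_clients
    ]
    return sorted(rows, key=lambda r: -r[2])          # most hits first

if __name__ == "__main__":
    for rule_id, uri, hits, clients in candidates(summarize(SAMPLE_LOG)):
        print(f"rule {rule_id} on {uri}: {hits} hits from {clients} clients")
```

A rule that shows up here still needs a look at the matched request before it is reported or disabled; the count only says where to look first.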

It would be great if Matomo and mod_security worked well together, but at this point they do not.