self-signed certificates – Patrick's Blog(2)

To keep track of some website statistics I use Piwik, an excellent free web analytics tool that provides you with detailed reports on your website’s visitors, your marketing campaigns and much more.

Obviously I want to make sure that information is secure and shielded from unauthorized access. After too many Certificate Authorities recently dropped the ball (TurkTrust and Diginotar but Google for more) it makes more sense to use self-signed certificates and client certificate authentication.

Unfortunately Piwik does not support client certificate authentication in its tracker code so how can self-signed certificates and client certificate authentication still be used?

They can not… sorta.

Nginx to the rescue. The fast growing webserver ( actually an HTTP and reverse proxy server, as well as a mail proxy server) is tremendously flexible and granular and allows you to provide limited non-SSL access to piwik.js and piwik.php while the actual webinterface behind index.php is only available on an SSL link with client certificate authentication. While I would prefer to see support for SSL with self-signed certificates & client certificate authentication in Piwik’s tracker code, this should do for now.

Example configuration:

server {
    listen your_web_host_ip:80;
    server_name piwik.example.org;
    limit_conn arbeit 32;
    access_log /var/log/nginx/piwik_access.log;
    error_log /var/log/nginx/piwik_error.log error;
    root /usr/share/nginx/piwik.example.org;
    index index.php;

    location = /piwik.js {
    }

    location = /piwik.php {
        fastcgi_pass 127.0.0.1:9001;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }

    location / {
        deny all;
    }

   location ~* ^.+\.php$ {
        deny all;
    }
} # server

server {

listen your_web_host_ip:80;

server_name piwik.example.org;

limit_conn arbeit 32;

access_log /var/log/nginx/piwik_access.log;

error_log /var/log/nginx/piwik_error.log error;

root /usr/share/nginx/piwik.example.org;

index index.php;

location = /piwik.js {

}

location = /piwik.php {

fastcgi_pass 127.0.0.1:9001;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

}

location / {

deny all;

}

location ~* ^.+\.php$ {

deny all;

}

} # server

I’ll leave the SSL enabled full Piwik configuration as an exercise to the reader. Piwik on nginx is well documented as is the SSL part.

If you know a way to make Piwik’s tracker code work with SSL with self-signed certificates & client certificate authentication then please leave a comment.

Tag: self-signed certificates

Piwik, nginx and self-signed certificates