authorBen Burgess <88810029+bx80@users.noreply.github.com>2021-12-15 01:26:22 +0300
committerGitHub <noreply@github.com>2021-12-15 01:26:22 +0300
commitff1a73eec3ea6060528707d12a4b8461dcbdc9e1 (patch)
tree7a0417ecae10172df854a4e17828b7becfca5420 /plugins/Diagnostics
parent7e51994e3ac3ee748d797362231f5a7a97d1a471 (diff)
Add system check warnings for php-fpm and nginx if config files are accessible (#18398)
* Added setup checks and warning for php-fpm and nginx if config files are accessible * Fix to still show server info if nginx but access rules exist * Only attempt config access check if matomo is installed, check global.ini.php access instead of config.ini.php * Updated UI screenshot * Typo and text fixes * Typo fix * Updated UI screenshot Co-authored-by: sgiehl <stefan@matomo.org>
Diffstat (limited to 'plugins/Diagnostics')
-rw-r--r--plugins/Diagnostics/Diagnostic/PhpInformational.php35
-rw-r--r--plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php13
-rw-r--r--plugins/Diagnostics/Diagnostic/ServerInformational.php25
-rw-r--r--plugins/Diagnostics/lang/en.json6
4 files changed, 73 insertions, 6 deletions
diff --git a/plugins/Diagnostics/Diagnostic/PhpInformational.php b/plugins/Diagnostics/Diagnostic/PhpInformational.php
index a50663e9c2..bbe5d0f847 100644
--- a/plugins/Diagnostics/Diagnostic/PhpInformational.php
+++ b/plugins/Diagnostics/Diagnostic/PhpInformational.php
@@ -32,12 +32,43 @@ class PhpInformational implements Diagnostic
$results = [];
if (defined('PHP_OS') && PHP_OS) {
- $results[] = DiagnosticResult::informationalResult('PHP_OS', PHP_OS);
+ $results[] = DiagnosticResult::informationalResult('PHP_OS', PHP_OS);
}
if (SettingsPiwik::isMatomoInstalled() && defined('PHP_BINARY') && PHP_BINARY) {
$results[] = DiagnosticResult::informationalResult('PHP_BINARY', PHP_BINARY);
}
- $results[] = DiagnosticResult::informationalResult('PHP SAPI', php_sapi_name());
+
+ // Check for php fpm and warn about access rules
+
+ $isGlobalConfigIniAccessible = true; // Assume true if not installed yet
+
+ if (SettingsPiwik::isMatomoInstalled()) {
+ $rpd = new RequiredPrivateDirectories($this->translator);
+ $isGlobalConfigIniAccessible = $rpd->isGlobalConfigIniAccessible();
+ }
+
+ if (strpos(strtolower(php_sapi_name()), 'fpm-fcgi') !== false && $isGlobalConfigIniAccessible) {
+
+ $comment = php_sapi_name()."<br><br>";
+
+ if (!empty($_SERVER['SERVER_SOFTWARE'])) {
+ if (strpos(strtolower($_SERVER['SERVER_SOFTWARE']), 'apache') !== false) {
+ $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningApache', [
+ '<code>ProxyPass /config !</code>', '<code>mod_proxy_fcgi.c</code>', '<code>ProxyPassMatch</code>']);
+ } else if (strpos(strtolower($_SERVER['SERVER_SOFTWARE']), 'nginx') !== false) {
+ $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningNginx', [
+ '<a href="https://github.com/matomo-org/matomo-nginx#readme" target="_blank">', '</a>']);
+ } else {
+ $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningGeneric');
+ }
+ } else {
+ $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningGeneric');
+ }
+
+ $results[] = DiagnosticResult::singleResult('PHP SAPI', DiagnosticResult::STATUS_WARNING, $comment);
+ } else {
+ $results[] = DiagnosticResult::informationalResult('PHP SAPI', php_sapi_name());
+ }
if (SettingsPiwik::isMatomoInstalled()) {
$cliPhp = new CliPhp();
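Review bot: The generic-warning branch is written twice (the `else` at the end of the inner chain and the outer `else` for an empty `SERVER_SOFTWARE`) because the `empty()` test sits outside the apache/nginx chain; lowercasing the header once with a null-coalesce default collapses the two copies into one `if`/`elseif`/`else` and lets `elseif` replace the non-PSR `else if`. The `isGlobalConfigIniAccessible()` call issues an HTTP request to the site's own URL (it fetches `config/global.ini.php`), and ServerInformational in this same commit repeats that request independently, so computing the result once and sharing it between the two diagnostics would halve the probes on every system-check run. The enclosing method's body continues past the end of the hunk.
```php
if (strpos(strtolower(php_sapi_name()), 'fpm-fcgi') !== false && $isGlobalConfigIniAccessible) {
    $comment = php_sapi_name()."<br><br>";
    // Empty/missing header falls through to the generic warning, as before.
    $serverSoftware = strtolower($_SERVER['SERVER_SOFTWARE'] ?? '');

    if (strpos($serverSoftware, 'apache') !== false) {
        $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningApache', [
            '<code>ProxyPass /config !</code>', '<code>mod_proxy_fcgi.c</code>', '<code>ProxyPassMatch</code>']);
    } elseif (strpos($serverSoftware, 'nginx') !== false) {
        $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningNginx', [
            '<a href="https://github.com/matomo-org/matomo-nginx#readme" target="_blank">', '</a>']);
    } else {
        $comment .= $this->translator->translate('Diagnostics_PHPFPMWarningGeneric');
    }

    // … unchanged: singleResult warning and informational fallback …
```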
diff --git a/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php b/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
index 7370877941..b34dab5d51 100644
--- a/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
+++ b/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php
@@ -8,6 +8,9 @@
namespace Piwik\Plugins\Diagnostics\Diagnostic;
+use Piwik\Common;
+use Piwik\SettingsPiwik;
+
/**
* Checks whether certain directories in Matomo that should be private are accessible through the internet.
*/
@@ -36,4 +39,14 @@ class RequiredPrivateDirectories extends AbstractPrivateDirectories
$atLeastOneIsAccessible = parent::computeAccessiblePaths($result, $baseUrl, $testUrls);
return $this->configIniAccessible || $atLeastOneIsAccessible;
}
+
+ public function isGlobalConfigIniAccessible()
+ {
+ $baseUrl = SettingsPiwik::getPiwikUrl();
+ if (!Common::stringEndsWith($baseUrl, '/')) {
+ $baseUrl .= '/';
+ }
+ return $this->isAccessible(new DiagnosticResult(''), $baseUrl . 'config/global.ini.php', ';', 'trusted_hosts[]');
+ }
+
}
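Review bot: `isGlobalConfigIniAccessible()` is a new public method that other diagnostics in this commit call, but it has no docblock and no declared return type, so a caller cannot tell that it performs an outbound HTTP request or what the `';'` and `'trusted_hosts[]'` arguments stand for. I would add a docblock along the lines of `/** Returns true if config/global.ini.php can be fetched over HTTP from the configured Matomo URL, i.e. the webserver serves files from the config directory instead of denying them. Issues an HTTP request to the site itself. @return bool */`. The trailing-slash normalisation of `$baseUrl` appears to repeat what the `computeAccessiblePaths()` path above already receives; if `AbstractPrivateDirectories` exposes the normalised base URL, reusing it would avoid the duplicate. The `new DiagnosticResult('')` handed to `isAccessible()` is discarded, which deserves a one-line comment so it is not mistaken for a lost result.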
diff --git a/plugins/Diagnostics/Diagnostic/ServerInformational.php b/plugins/Diagnostics/Diagnostic/ServerInformational.php
index 9a2478ab54..27475089e6 100644
--- a/plugins/Diagnostics/Diagnostic/ServerInformational.php
+++ b/plugins/Diagnostics/Diagnostic/ServerInformational.php
@@ -8,9 +8,10 @@
namespace Piwik\Plugins\Diagnostics\Diagnostic;
use Piwik\Translation\Translator;
+use Piwik\SettingsPiwik;
/**
- * Informatation about the server.
+ * Information about the server.
*/
class ServerInformational implements Diagnostic
{
@@ -28,8 +29,26 @@ class ServerInformational implements Diagnostic
{
$results = [];
- if ( ! empty( $_SERVER['SERVER_SOFTWARE'] ) ) {
- $results[] = DiagnosticResult::informationalResult('Server Info', $_SERVER['SERVER_SOFTWARE']);
+ if (!empty($_SERVER['SERVER_SOFTWARE'])) {
+
+ $isGlobalConfigIniAccessible = true; // Assume true if not installed yet
+
+ if (SettingsPiwik::isMatomoInstalled()) {
+ $rpd = new RequiredPrivateDirectories($this->translator);
+ $isGlobalConfigIniAccessible = $rpd->isGlobalConfigIniAccessible();
+ }
+
+ if (strpos(strtolower($_SERVER['SERVER_SOFTWARE']), 'nginx') !== false && $isGlobalConfigIniAccessible) {
+
+ $comment = $_SERVER['SERVER_SOFTWARE']."<br><br>";
+ $comment .= $this->translator->translate('Diagnostics_HtaccessWarningNginx', [
+ '<a href="https://github.com/matomo-org/matomo-nginx#readme" target="_blank">', '</a>']);
+
+ $results[] = DiagnosticResult::singleResult('Server Info', DiagnosticResult::STATUS_WARNING, $comment);
+
+ } else {
+ $results[] = DiagnosticResult::informationalResult('Server Info', $_SERVER['SERVER_SOFTWARE']);
+ }
}
return $results;
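Review bot: `$_SERVER['SERVER_SOFTWARE']` is concatenated into `$comment` next to `<br>` and `<a>` markup and passed to `singleResult()` as a warning, so the comment is presumably rendered as HTML, yet the header value itself is inserted unescaped. It is set by the webserver (or by whatever sits in front of PHP-FPM) rather than by the visitor, so the exposure is low, but escaping it keeps the diagnostics page independent of that assumption: `$comment = htmlspecialchars($_SERVER['SERVER_SOFTWARE'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br><br>";`. The `isGlobalConfigIniAccessible()` probe here duplicates the one added to PhpInformational in the same commit, so each system-check run now makes the same HTTP request twice. The enclosing method's signature is outside the hunk.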
diff --git a/plugins/Diagnostics/lang/en.json b/plugins/Diagnostics/lang/en.json
index a0c9388bf7..a33e49b529 100644
--- a/plugins/Diagnostics/lang/en.json
+++ b/plugins/Diagnostics/lang/en.json
@@ -29,6 +29,10 @@
"PrivateDirectoryIsAccessible": "We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.",
"ConfigIniAccessible": "We also found that Matomo's config directory is publicly accessible. While attackers can't read the config now, if your webserver stops executing PHP files for some reason, your MySQL credentials and other information will be available to anyone. Please check your webserver config and deny access to this directory.",
"AllPrivateDirectoriesAreInaccessible": "All private directories are inaccessible from the internet.",
- "UrlsAccessibleViaBrowser": "We found that the above URLs are accessible via the browser, but we recommend they should not be. If possible, please restrict access to them."
+ "UrlsAccessibleViaBrowser": "We found that the above URLs are accessible via the browser, but we recommend they should not be. If possible, please restrict access to them.",
+ "PHPFPMWarningApache": "PHP FPM will ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to exclude certain directories from being handled by PHP FPM by adding the line %1$s to the %2$s section in your apache virtual host config just above the %3$s line.",
+ "PHPFPMWarningNginx": "PHP FPM will ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to exclude certain directories from being handled by PHP FPM. For more information please see the %1$s official nginx server configuration %2$s",
+ "PHPFPMWarningGeneric": "PHP FPM may ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to configure your web server to exclude the /config directory from being handled by PHP FPM.",
+ "HtaccessWarningNginx": "To ensure that sensitive files cannot be accessed directly it is recommended to configure your web server to restrict access to certain directories. For more information please see the %1$s official nginx server configuration %2$s"
}
} \ No newline at end of file