tx7
July 29, 2018, 12:56am
1
Hello all,
I just installed Matamo today, and it’s running on Nginx.https://github.com/sualko/cloud_piwik/releases/download/v0.4.1/cloud_piwik-0.4.1.tar.gz
I’m using a port 80 redirect to 8443 for my Matamo site.
Need some help.
Thanks in advance.
Lukas
July 29, 2018, 8:02am
2
Hi,
The Nextcloud plugin isn’t maintained by the Matomo team, so for issues with it it may be easier to contact the developer.
If you want to make sure that the personal data of your visitors only ends up on your server, you need to setup HTTPS for Matomo. In my opinion everything else is not private.
You can check the javascript console and the network tab of your browser on the nextcloud page for more details.
And make sure that your nginx/apache virtualhost is setup correctly.
tx7
July 29, 2018, 10:23am
3
I’m using HTTPS cert on all servers.
What do I look for in the Javascript ?
I’m using error_page 497 https://$host:8443$request_uri; for non-standard https redirection.
In Nextcloud plugin, I entered Nextcloud’s site ID,
Does Matomo URL need to be in this format?https://yourserver.com/piwik/index.php
Lukas
July 29, 2018, 10:49am
4
Ah, okay. In that case everything should be okay.
In the network tab you should see a request for piwik.js and afterwards for piwik.php. Both of them shouldn’t fail and only if the latter returns a 200 OK Matomo did get the data.
That depends on the plugin, but if you have Matomo in a subdirectory, you definitly need to specify this in the URL. So I’d enter https://domain.example/piwik/.
tx7
July 29, 2018, 10:58am
5
My subdomain Matomo doesn’t have the word ‘piwik’ in there.analytics.mydomain.com
I’m using this URL format in the Nextcloud plugin.
Lukas
July 29, 2018, 10:59am
6
Hi,
It should be. But as mentioned before, I haven’t used the plugin, so maybe it is easier to contact the developer.
tx7
July 29, 2018, 11:36am
7
By the way, I don’t see an official Nginx codes for Matomo on Github, only a download folder.
I want to check my Nginx codes.
Thanks
Lukas
July 29, 2018, 11:48am
8
Good thing you ask.
The official Matomo nginx config is quite outdated and a bit strange.
Because of this I am currently in the process of replacing it with a more simple, modern config:
https://github.com/findus23/matomo-nginx/
If you have any feedback about it, just contact me, so I can improve it.
tx7
July 29, 2018, 11:54am
9
I suggest the codes page should be easy accessible and friendly like Nextcloud Nginx site.
Here are the codes that I’m using:
# Forcing HTTPs redirects on non-standard ports
error_page 497 301 =307 https://$host:8443$request_uri;
# Hide the Nginx version number.
server_tokens off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Web directory
root /opt/matomo/;
index index.php;
access_log /var/log/nginx/matomo.example.com_access.log;
error_log /var/log/nginx/matomo.example.com_error.log;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location = /index.php {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
fastcgi_read_timeout 14400;
fastcgi_index index.php;
}
location = /piwik.php {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
fastcgi_read_timeout 14400;
fastcgi_index index.php;
}
location ~* ^.+\.php$ {
return 403;
}
location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
return 302 /;
}
location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
return 404;
}
location ~ ^/(config|core|lang|misc|tmp)/ {
deny all;
}
tx7
July 29, 2018, 10:37pm
10
I’m try to use reverse proxy for Matomo with the below codes, but it doesn’t.
I’ve added these codes to ‘config.ini.php’ in Matomo settings:
[General]
proxy_client_headers[] = "HTTP_X_FORWARDED_FOR"
proxy_client_headers[] = "X-Real-IP"
proxy_host_headers[] = "HTTP_X_FORWARDED_HOST"
proxy_ips[] = "analytic.domain.com"
Nginx Codes:
# Forcing HTTPs redirects on non-standard ports
error_page 497 301 =307 https://$host:8443$request_uri;
# Hide the Nginx version number.
server_tokens off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Web directory
root /opt/matomo/;
index index.php;
access_log /var/log/nginx/matomo.example.com_access.log;
error_log /var/log/nginx/matomo.example.com_error.log;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location ^~ /piwik/ {
proxy_pass https://127.0.0.1:8443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
location = /index.php {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
fastcgi_read_timeout 14400;
fastcgi_index index.php;
}
location = /piwik.php {
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
fastcgi_read_timeout 14400;
fastcgi_index index.php;
}
location ~* ^.+\.php$ {
return 403;
}
location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
return 302 /;
}
location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
return 404;
}
location ~ ^/(config|core|lang|misc|tmp)/ {
deny all;
}
fdellwing
July 30, 2018, 9:56am
11
Is there any reason at all for this, let’s call it, unorthodox port juggling?
This is my very simple and straight forward config.
server {
listen 80;
server_name stats.promato.de;
access_log /var/log/nginx/piwik-access.log combined;
error_log /var/log/nginx/piwik-error.log;
root /var/www/piwik;
index index.php index.html;
expires max;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9001
location ~ \.php$ {
fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY ""; # HTTPoxy
include fastcgi_params;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
location ~ /\.ht {
deny all;
}
# allow only local traffic, because we use apache as a proxy
location / {
allow all;
expires max;
}
location ^~ /.well-known {
allow all;
default_type "text/plain";
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/stats.promato.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/stats.promato.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($bad_referer) {
return 444;
}
}
tx7
July 31, 2018, 12:37am
12
I’m not concerning about the port redirection now.
I don’t know why your vhost config is very short.
fdellwing
July 31, 2018, 6:53am
13
To check if it is a Matomo config or nginx config fault you need to access the site without any special redirections.
tx7
August 2, 2018, 2:04am
14
I removed the port redirection, but no luck.
Any other suggestion ?