Nextcloud plugin


(Tx7) #1

Hello all,

I just installed Matamo today, and it’s running on Nginx.
I’ve installed Nextcloud plugin with this link: https://github.com/sualko/cloud_piwik/releases/download/v0.4.1/cloud_piwik-0.4.1.tar.gz

I’m using a port 80 redirect to 8443 for my Matamo site.
I’ve entered the site ID, and the Matamo url in Nextcloud app , but I don’t see any visit show up in the dashboard when I access Nextcloud.
Not only that, but whenever I enter the Matamo URL, it is redirect to my public IP address.

Need some help.

Thanks in advance.


(Lukas Winkler) #2

Hi,

The Nextcloud plugin isn’t maintained by the Matomo team, so for issues with it it may be easier to contact the developer.
But in this case I think the plugin isn’t at fault as it only pastes the tracking code into the website. And this sounds rather like an issue with your Matomo instance or webserver.

If you want to make sure that the personal data of your visitors only ends up on your server, you need to setup HTTPS for Matomo. In my opinion everything else is not private.

You can check the javascript console and the network tab of your browser on the nextcloud page for more details.

And make sure that your nginx/apache virtualhost is setup correctly.


(Tx7) #3

I’m using HTTPS cert on all servers.

What do I look for in the Javascript ?

I’m using error_page 497 https://$host:8443$request_uri; for non-standard https redirection.

In Nextcloud plugin, I entered Nextcloud’s site ID,
Url: abc.matamo_url.com

Does Matomo URL need to be in this format?
https://yourserver.com/piwik/index.php


(Lukas Winkler) #4

Ah, okay. In that case everything should be okay.

In the network tab you should see a request for piwik.js and afterwards for piwik.php. Both of them shouldn’t fail and only if the latter returns a 200 OK Matomo did get the data.

That depends on the plugin, but if you have Matomo in a subdirectory, you definitly need to specify this in the URL. So I’d enter https://domain.example/piwik/.


(Tx7) #5

My subdomain Matomo doesn’t have the word ‘piwik’ in there.
I.e: analytics.mydomain.com

I’m using this URL format in the Nextcloud plugin.
Is this correct ?


(Lukas Winkler) #6

Hi,

It should be. But as mentioned before, I haven’t used the plugin, so maybe it is easier to contact the developer.


(Tx7) #7

By the way, I don’t see an official Nginx codes for Matomo on Github, only a download folder.
As result, I’m using Nginx codes by another site.

I want to check my Nginx codes.
Can you share, if you have it ?

Thanks


(Lukas Winkler) #8

Good thing you ask.

The official Matomo nginx config is quite outdated and a bit strange.

Because of this I am currently in the process of replacing it with a more simple, modern config:

If you have any feedback about it, just contact me, so I can improve it.


(Tx7) #9

I suggest the codes page should be easy accessible and friendly like Nextcloud Nginx site.

Here are the codes that I’m using:

 # Forcing HTTPs redirects on non-standard ports
    error_page 497 301 =307 https://$host:8443$request_uri;
    
     # Hide the Nginx version number.
    server_tokens off;
    
    ssl_dhparam  /etc/ssl/certs/dhparam.pem;
    
    
    add_header Strict-Transport-Security "max-age=15768000;
    includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
 
    # Web directory
    root /opt/matomo/;
    index index.php;

    access_log /var/log/nginx/matomo.example.com_access.log;
    error_log /var/log/nginx/matomo.example.com_error.log;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;  

    location = /index.php {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffers 256 4k;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 14400; 
        fastcgi_index index.php;
    }
    location = /piwik.php {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffers 256 4k;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 14400; 
        fastcgi_index index.php;
    }

    location ~* ^.+\.php$ {
        return 403;
    }
    location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
        return 302 /;
    }
    location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
        return 404;
    }
    location ~ ^/(config|core|lang|misc|tmp)/ {
        deny all;
    }

(Tx7) #10

I’m try to use reverse proxy for Matomo with the below codes, but it doesn’t.
My goal is to redirect Matomo URL HTTP port 84 to HTTPS port 8443.

I’ve added these codes to ‘config.ini.php’ in Matomo settings:

[General]
proxy_client_headers[] = "HTTP_X_FORWARDED_FOR"
proxy_client_headers[] = "X-Real-IP"
proxy_host_headers[] = "HTTP_X_FORWARDED_HOST"
proxy_ips[] = "analytic.domain.com"

Nginx Codes:

    # Forcing HTTPs redirects on non-standard ports
    error_page 497 301 =307 https://$host:8443$request_uri;

    
     # Hide the Nginx version number.
    server_tokens off;
    
    ssl_dhparam  /etc/ssl/certs/dhparam.pem;
    
    
    add_header Strict-Transport-Security "max-age=15768000;
    includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
 
    # Web directory
    root /opt/matomo/;
    index index.php;

    access_log /var/log/nginx/matomo.example.com_access.log;
    error_log /var/log/nginx/matomo.example.com_error.log;

    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;  


   location ^~ /piwik/ {
    proxy_pass https://127.0.0.1:8443;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    }
   

    location = /index.php {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffers 256 4k;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 14400; 
        fastcgi_index index.php;
    }
    location = /piwik.php {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_buffers 256 4k;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 14400; 
        fastcgi_index index.php;
    }

    location ~* ^.+\.php$ {
        return 403;
    }
    location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
        return 302 /;
    }
    location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
        return 404;
    }
    location ~ ^/(config|core|lang|misc|tmp)/ {
        deny all;
    }

(Fabian Dellwing) #11

Is there any reason at all for this, let’s call it, unorthodox port juggling?

This is my very simple and straight forward config.

server {
        listen       80;
        server_name  stats.promato.de;
        access_log  /var/log/nginx/piwik-access.log combined;
        error_log /var/log/nginx/piwik-error.log;
        root /var/www/piwik;
        index index.php index.html;
        expires max;

        # redirect server error pages to the static page /50x.html
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   /usr/share/nginx/html;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9001
        location ~ \.php$ {
                fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
                fastcgi_pass   unix:/var/run/php/php7.0-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                fastcgi_param HTTP_PROXY ""; # HTTPoxy
                include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        location ~ /\.ht {
                deny  all;
        }

        # allow only local traffic, because we use apache as a proxy
        location / {
                allow all;
                expires max;
        }

        location ^~ /.well-known {
                allow all;
                default_type "text/plain";
        }


	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/stats.promato.de/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/stats.promato.de/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


	if ($scheme != "https") {
		return 301 https://$host$request_uri;
	} # managed by Certbot

	if ($bad_referer) {
		return 444;
	}
}

(Tx7) #12

I’m not concerning about the port redirection now.
Just want to make Matomo to work.

I don’t know why your vhost config is very short.


(Fabian Dellwing) #13

To check if it is a Matomo config or nginx config fault you need to access the site without any special redirections.


(Tx7) #14

I removed the port redirection, but no luck.

Any other suggestion ?