Run one multi-domain GDPR compliant matomo on multiple subdomains simultaneously

faebe · February 5, 2020, 8:37am

It looks like matomo needs to run on the same domain as each domain/website in order to be considered a ‘first-party’ tracking solution under GDPR (at least with latest court decisions and press releases form data protections authorities in Germany). Even if all websites are hosted on the same server. Afaik a subdomain is still considered to be the ‘same domain’. How would you go about this?

My approach: I have one shared hosting solution that runs multiple websites (in separate directories and databases) and their domains (mysite-a . com, mysite-b . com, mysite-c . com). In the past I have used one matomo installation (in a separate directory and database) on the subdomain matomo . mysite-a . com to track all sites/domains. I want to keep having one matomo installation instead of 3 separate installations and databases. I therefore created 3 subdomains matomo . mysite-a . com, matomo . mysite-b . com, matomo . mysite-c . com that all point to the same single matomo directory. In matomo all subdomains are set up as a ‘Trusted Matomo Hostname’. Each tracking JS snippet for each domain has the matching subdomain as an URL. So far everything seems to track perfectly. Matomo can be accesed from all subdomains and the opt-out seems to be set for each domain separately (opt-out widget also contains matching subdomain url for each domain).

Im neither sure that this is considered good practice in matomo nor that this is totally GDPR compliant. Any suggestions?

Lukas · February 5, 2020, 10:14am

Hi,

I am doing the same thing since I started using Matomo and haven’t been seeing any major issues with it.

There is just one bug:
Every time you visit Matomo at matomo.somesite.example it sets this URL as the piwikURL in the config. This causes Matomo to use this URL wherever URLs are generated (e.g. in the E-Mail reports) independent on which site this report belongs to.

github.com/matomo-org/matomo

Let users assign a specific matomo URL / trusted host to a specific site

opened 09:24AM - 28 Jun 19 UTC

tsteur

Enhancement

Say you have multiple trusted hosts configured in Matomo: * foo.example.com …* bar.example.com * analytics.example.com They are all used for different purposes/sites. When we currently get `SettingsPiwik::getMatomoUrl()` the last used URL will be used. This will be used for example in scheduled reports. When then sending out the email, one of those URLs will be used randomly depending on which one was used last. However, a user might want to force the usage of a specific trusted host when accessing a site and maybe wants to force the usage of a specific host in emails etc. The same applies to Tag Manager containers which contains a preview URL when the preview mode is enabled. Depending on which URL was used last, the preview URL will use that trusted host. However, you may want to enforce loading the preview file from a specific trusted host for a specific site. Like you want to configure: ``` idSite = 1 use foo.example.com idSite = 3 use bar.example.com idSite = 8 use analytics.example.com ``` something like this could be done for example in the `config.ini.php` or in `config.php` or it could be even simpler that we configure it in the `options` DB . Basically we would need a new parameter like `SettingsPiwik::getMatomoUrl($idsite = false)` and when a specific idSite is given, then we first look if there's a matomo URL for the specific site and if not, behave as usual where we return the last used URL. Internally this could look like: check `option_name=piwikUrl_$idSite`. If it exists, use that URL.... if it doesn't exist, check `piwikUrl`. A user could configure it by setting the correct entry in the option table. As this would be rarely used, a setting in the config might be too much. Note: if the stored URL in `piwikUrl_$idSite (eg piwikUrl_3)` is not a trusted host, we would also fallback to `piwikUrl`. I reckon with tests this can be done in like 4-8 hours as not too much logic needs to be changed. We would also change a few usages of `SettingsPiwik::getMatomoUrl()` to pass the `idSite` as an argument when the idSite is available.

It would be amazing if somone coud contribute a fix for this for Matomo 4, but as long as you don’t care too much about which URL you see in the sent reports, it should be okay.

faebe · February 5, 2020, 10:51am

Hi Lukas, thanks for the reassurance

I’ve seen this Github issue before but since I only actively (daily) use one Matomo URL this doesn’t bother me that much personally. As long as everything on the visitor’s end is going through the specific subdomain / trusted host.

I also noticed that using the matching subdomain was relevant when generating URLs in the Matomo backend:

Generating the javascript tracking code: Will be generated using the current URL
Generating an opt-out embed: Opt out will be specific to that subdomain and URL has to match the URL of the tracking code
Setting ‘Exclude your visits using a cookie’ cookie: Same as opt-out embed

Being able to set a specific trusted host for each site would solve those inconveniences. It’s in the backlog, so let’s see what happens…

joeworkman · January 7, 2022, 9:03am

I am working on setting up this same exact type of environment. Do you know if it is possible to configure which trusted hostname gets added to the snippet of a website?