From b50715b7f2c859e611de22511e1e82d7847cd819 Mon Sep 17 00:00:00 2001
From: Giles Bradshaw
Date: Tue, 5 May 2020 09:31:25 +0100
Subject: [PATCH] matomo-service
---
 docker-compose.yml | 41 +++++++++++++++++++++++++++
 matomo/matomo.conf | 69 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 matomo/matomo.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index 5f2120e..0b7b641 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -310,6 +310,46 @@ services:
 - guacamole-postgresql-data:/var/lib/postgresql/data
 networks:
 - appnet
+ matomo:
+ image: matomo:fpm-alpine
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack-data == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ volumes:
+# - ./config:/var/www/html/config:rw
+# - ./logs:/var/www/html/logs
+ - matomo:/var/www/html
+ environment:
+ - MATOMO_DATABASE_HOST=matomo-mariadb
+ - MYSQL_PASSWORD=${MATOMO_MYSQL_PASSWORD}
+ - MYSQL_DATABASE=matomo
+ - MYSQL_USER=matomo
+ - MATOMO_DATABASE_ADAPTER=mysql
+ - MATOMO_DATABASE_TABLES_PREFIX=matomo_
+ - MATOMO_DATABASE_USERNAME=matomo
+ - MATOMO_DATABASE_PASSWORD=${MATOMO_MYSQL_PASSWORD}
+ - MATOMO_DATABASE_DBNAME=matomo
+ networks:
+ - appnet
+ matomo-web:
+ image: nginx:alpine
+ deploy:
+ placement:
+ constraints: [node.labels.com.sigyl.git-stack == yes]
+ replicas: 1
+ restart_policy:
+ condition: any
+ volumes:
+ - matomo:/var/www/html:ro
+ # see https://github.com/matomo-org/matomo-nginx
+ - ./matomo/matomo.conf:/etc/nginx/conf.d/default.conf:ro
+ ports:
+ - 8080:80
+ networks:
+ - appnet
 matomo-mariadb:
 deploy:
 placement:
@@ -439,6 +479,7 @@ volumes:
 mongo-chat:
 chat-uploads:
 portainer-data:
+ matomo:
 matomo-mariadb:
 networks:
diff --git a/matomo/matomo.conf b/matomo/matomo.conf
new file mode 100644
index 0000000..15d6f15
--- /dev/null
+++ b/matomo/matomo.conf
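Review bot: In the first docker-compose.yml hunk the new `matomo-web` service publishes `8080:80`, and the nginx config it mounts only has `listen 80`, so the Matomo login and tracking endpoints are served in cleartext on the published port unless something outside this patch terminates TLS in front of it. If the stack already has a reverse proxy on `appnet`, dropping the `ports:` entry and routing through that would avoid the extra exposed listener. Separately, the `matomo` service receives the database password twice, as `MYSQL_PASSWORD` and `MATOMO_DATABASE_PASSWORD`; the `MYSQL_*` names look like the MariaDB image's variables rather than ones the Matomo image reads (worth confirming), and removing them leaves one fewer copy of the secret in the container environment. An unset `MATOMO_MYSQL_PASSWORD` is interpolated as an empty string, so I would make it mandatory with `- MATOMO_DATABASE_PASSWORD=${MATOMO_MYSQL_PASSWORD:?MATOMO_MYSQL_PASSWORD is not set}`.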
@@ -0,0 +1,69 @@
+upstream php-handler {
+ server matomo:9000;
+}
+
+server {
+ listen 80;
+
+ add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
+ root /var/www/html; # replace with path to your matomo instance
+ index index.php;
+ try_files $uri $uri/ =404;
+
+ ## only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
+ # regex to split $uri to $fastcgi_script_name and $fastcgi_path
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ # Check that the PHP script exists before passing it
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+ fastcgi_pass php-handler;
+ }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ ## disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+}
+
+# vim: filetype=nginx
\ No newline at end of file
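Review bot: The allow-list `location` for the PHP entry points is looser than its comment says: the `.` before `php` is an unescaped wildcard and the pattern has no terminator, so URIs such as `/index.php.bak` or `/indexXphp` also match and are handed to the FastCGI block. The `try_files $fastcgi_script_name =404;` check limits what actually reaches php-fpm, but tightening the match is cheap: `location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php(/|$) {`. Also, nginx does not inherit server-level `add_header` directives into a `location` that declares its own, so the `container_.*_preview` and static-asset locations send their cache headers without `Referrer-Policy origin`. Repeating `add_header Referrer-Policy origin;` inside those two blocks keeps the header on every response.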