Update the piwik nginx config to matomo

Kevin MacMartin 2019-10-28 18:46:08 -04:00
parent 5f4d69373b
commit d236d0bed6


@ -1,16 +1,21 @@
# PIWIK CONFIGURATION
# MATOMO CONFIGURATION
server {
listen [::]:80;
listen 80;
server_name stats.REPLACEME.TLD;
return 301 https://stats.REPLACEME.TLD$request_uri;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name stats.REPLACEME.TLD;
root /srv/http/stats.REPLACEME.TLD;
access_log /var/log/nginx/matomo.access.log;
error_log /var/log/nginx/matomo.error.log;
ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
@ -31,9 +36,9 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
# Protect against XSS and clickjacking
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy origin always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
@ -41,29 +46,49 @@ server {
index index.php;
charset utf-8;
include /etc/nginx/h5bp/basic.conf;
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
include fastcgi.conf;
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
}
location ~* ^.+\.php$ {
deny all;
return 403;
}
location / {
location ~* ^/tmp/.*\.html?$ { return 404; }
location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { return 404; }
location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ { return 404; }
try_files $uri /index.php?$query_string;
try_files $uri $uri/ =404;
}
location = /favicon.ico { try_files /favicon.ico @empty; }
location @empty { empty_gif; }
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_hide_header X-Powered-By;
location ~ /(config|tmp|core|lang) {
deny all;
return 404;
}
location ~* ^.+\.php$ { return 404; }
location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
location ~ /\.ht {
deny all;
return 403;
}
location ~ js/container_.*_preview\.js$ {
expires off;
add_header Cache-Control 'private, no-cache, no-store';
}
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
allow all;
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
}
location ~ /(libs|vendor|plugins|misc/user) {
deny all;
return 403;
}
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}
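Review bot: The `js/container_.*_preview\.js$` location and the static-asset extension location each declare their own `add_header`, so they will not inherit the server-level headers; nginx inherits `add_header` from the enclosing level only when the current level defines none. As rendered here, responses from those two locations go out without Strict-Transport-Security, Referrer-Policy, X-Content-Type-Options and X-XSS-Protection, and the static-asset location covers most of what the site serves. The headers should be repeated in both locations, as sketched below, or moved into one snippet file that the server block and both locations include. The HSTS line also lacks `always`, which the other three headers now carry, so it is dropped on error responses. Whether X-Frame-Options survives on the new side is not clear from this page and is worth confirming.

```nginx
location ~ js/container_.*_preview\.js$ {
    expires off;
    add_header Cache-Control 'private, no-cache, no-store';
    # add_header at this level stops inheritance from the server block,
    # so the security headers have to be restated here.
    add_header Referrer-Policy origin always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Strict-Transport-Security max-age=15768000 always;
}
# … unchanged: static-asset location, with the same four headers added after its Cache-Control line …
```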