Update the piwik nginx config to matomo
parent
5f4d69373b
commit
d236d0bed6
1 changed files with 50 additions and 25 deletions
|
@ -1,16 +1,21 @@
|
||||||
# PIWIK CONFIGURATION
|
# MATOMO CONFIGURATION
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
listen [::]:80;
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name stats.REPLACEME.TLD;
|
server_name stats.REPLACEME.TLD;
|
||||||
return 301 https://stats.REPLACEME.TLD$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen [::]:443 ssl http2;
|
||||||
|
listen 443 ssl http2;
|
||||||
server_name stats.REPLACEME.TLD;
|
server_name stats.REPLACEME.TLD;
|
||||||
root /srv/http/stats.REPLACEME.TLD;
|
root /srv/http/stats.REPLACEME.TLD;
|
||||||
|
|
||||||
|
access_log /var/log/nginx/matomo.access.log;
|
||||||
|
error_log /var/log/nginx/matomo.error.log;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
|
||||||
ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
|
ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
|
||||||
|
@ -31,9 +36,9 @@ server {
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
# Protect against XSS and clickjacking
|
add_header Referrer-Policy origin always;
|
||||||
add_header X-Frame-Options "SAMEORIGIN";
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
add_header X-XSS-Protection "1; mode=block" always;
|
||||||
|
|
||||||
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||||
add_header Strict-Transport-Security max-age=15768000;
|
add_header Strict-Transport-Security max-age=15768000;
|
||||||
|
@ -41,29 +46,49 @@ server {
|
||||||
index index.php;
|
index index.php;
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
|
|
||||||
include /etc/nginx/h5bp/basic.conf;
|
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
|
||||||
|
include fastcgi.conf;
|
||||||
|
fastcgi_param HTTP_PROXY "";
|
||||||
|
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~* ^.+\.php$ {
|
||||||
|
deny all;
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
location ~* ^/tmp/.*\.html?$ { return 404; }
|
try_files $uri $uri/ =404;
|
||||||
location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { return 404; }
|
|
||||||
location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ { return 404; }
|
|
||||||
try_files $uri /index.php?$query_string;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location = /favicon.ico { try_files /favicon.ico @empty; }
|
location ~ /(config|tmp|core|lang) {
|
||||||
location @empty { empty_gif; }
|
deny all;
|
||||||
|
return 404;
|
||||||
location ~ \.php$ {
|
|
||||||
try_files $uri =404;
|
|
||||||
include fastcgi_params;
|
|
||||||
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
||||||
fastcgi_intercept_errors on;
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(.*)$;
|
|
||||||
fastcgi_hide_header X-Powered-By;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* ^.+\.php$ { return 404; }
|
location ~ /\.ht {
|
||||||
location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
|
deny all;
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ js/container_.*_preview\.js$ {
|
||||||
|
expires off;
|
||||||
|
add_header Cache-Control 'private, no-cache, no-store';
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
|
||||||
|
allow all;
|
||||||
|
expires 1h;
|
||||||
|
add_header Pragma public;
|
||||||
|
add_header Cache-Control "public";
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ /(libs|vendor|plugins|misc/user) {
|
||||||
|
deny all;
|
||||||
|
return 403;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
|
||||||
|
default_type text/plain;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
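Review bot: The two locations near the end that set their own `add_header` (`js/container_.*_preview\.js$` and the static-asset `\.(gif|ico|…|json)$` block) will not send any of the server-level headers, because nginx inherits `add_header` from the enclosing level only when the current level defines none of its own. As written, scripts, stylesheets, HTML and JSON served from these locations go out without Strict-Transport-Security, X-Content-Type-Options and Referrer-Policy. Repeat the headers in both blocks, or move them into a snippet pulled in with `include` at server level and in each such location, e.g. `add_header X-Content-Type-Options "nosniff" always;` and `add_header Strict-Transport-Security max-age=15768000 always;`. The HSTS line is also the only server-level header left without `always`, so it is omitted on 4xx/5xx responses. This reading takes the second line of each pair in the rendering as the new side, since the +/- markers are lost.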