Nginx Configuration for Matomo
This is a small nginx configuration that should help you get your own Matomo instance running and start collecting your own analytics.
I already know nginx
In this case it should be enough to just take the sites-available/matomo.conf
, check if everything is configured as you like it and enable the config.
I want to get started
- clone this repostitory or download it as a zip then move its content to
/etc/nginx/
(or wherever you store your nginx-config) - read through the
sites-available/matomo.conf
and modify the settings to fit your use case:- set
server_name
to the domain(s) of your Matomo instance - set the path to your SSL certificate (I really recommend you to make sure your Matomo instance is only reachable via HTTPS. If you don't have an SSL certificate for your domain yet, check out Let's Encrypt.)
- do you want to support old browsers? Then you'll need to modify
ssl.conf
according to your need. (the Mozilla SSL Config Generator will help you) - replace
/var/www/matomo/
with the path to your Matomo instance
- set
- configure PHP (this depends on your OS and PHP setup)
- if you are using fastcgi (which is probably the case) set
fastcgi_pass
to the path of your PHP socket file - you can also specify a TCP port
- if you are using fastcgi (which is probably the case) set
- go to the
sites-enabled
folder of your nginx config directory - enable the Matomo config by creating a symlink:
sudo ln -s ../sites-available/matomo.conf
- test if there is a syntax error in your config:
sudo nginx -t
- restart nginx:
sudo systemctl restart nginx
If you need to check the legacy nginx Matomo configuration, you can find it here: https://github.com/matomo-org/matomo-nginx/tree/1.0.99
Tips
- never use Matomo without HTTPS
- make sure you have configured Nginx to only accept modern and secure cryptography
- check your website with https://www.ssllabs.com/ssltest/
- compare your Nginx config with the "modern" template from https://mozilla.github.io/server-side-tls/ssl-config-generator/
- this template is used by default in the
ssl.conf
file - decide if keeping outdated chiphers and TLS protocolls enabled to be able to track ancient browser is worth the risk of a downgrade attack for all your vistors (and admins)
- never support SSLv3 and think about disabling TLSv1 and TLSv1.1
- add
server_tokens off;
to your config to disable theserver: nginx
header on all requests and the nginx version on error pages - if you have enabled gzip compression (which improves performance greatly), be aware of the BREACH vulnerability
- think about enabling the
Strict-Transport-Security
header, but keep in mind the implications - keep HTTP/2 enabled as it brings performance benifits with many small files (e.g. icons)
You know how to improve this config? Open a pull request or GitHub issue!