Requesting nginx conf
ambroiseRabier opened this issue · 4 comments
It would be nice to have an example of nginx config working with https://github.com/matomo-org/docker/blob/master/.examples/nginx/docker-compose.yml.
I already have an nginx config running and I found this example: https://github.com/libresh/compose-matomo/blob/master/nginx.conf
But I do not know what is necessary for matomo and what is not. (not starting from a new nginx).
Hi,
Please take a look at https://github.com/matomo-org/matomo-nginx which is not especially for Docker, but should be helpful as a starting point
Tried:
```
location ^~ /matomo {
    index index.php;
    alias /var/www/html/matomo;
    rewrite ^/matomo(.*)$ $1 break;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $request_filename;
    fastcgi_intercept_errors on;
    fastcgi_pass matomo:9000;
    #proxy_set_header Host $host;
    #proxy_set_header X-Real-IP $remote_addr;
    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header X-Forwarded-Host $host;
}
```
for mywebsite.com/matomo.

And with a subdomain and your link:
```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ambroise-rabier.fr analytics.ambroise-rabier.fr;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/ambroise-rabier.fr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ambroise-rabier.fr/privkey.pem;
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
    root /var/www/html/matomo;
    index index.php;
    # make sure outgoing links don't show the URL to the Matomo instance
    add_header Referrer-Policy origin;
    ## only allow accessing the following php files
    location ~ ^/(index|matomo|piwik|js/index).php {
        include fastcgi_params;
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass matomo:9000;
    }
    ## needed for HeatmapSessionRecording plugin
    location = /plugins/HeatmapSessionRecording/configs.php {
        include fastcgi_params;
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass matomo:9000;
    }
    ## deny access to all other .php files
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }
    ## serve all other files normally
    location / {
        try_files $uri $uri/ =404;
    }
    ## disable all access to the following directories
    location ~ /(config|tmp|core|lang) {
        deny all;
        return 403; # replace with 404 to not show these directories exist
    }
    location ~ /\.ht {
        deny all;
        return 403;
    }
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        ## Cache images,CSS,JS and webfonts for an hour
        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
    location ~ /(libs|vendor|plugins|misc/user) {
        deny all;
        return 403;
    }
    ## properly display textfiles in root directory
    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
        default_type text/plain;
    }
}
```
Matomo logs:
```
matomo | [16-Jun-2019 10:40:01] NOTICE: fpm is running, pid 1
matomo | [16-Jun-2019 10:40:01] NOTICE: ready to handle connections
matomo | 172.20.0.6 - 16/Jun/2019:10:40:08 +0000 "- " 200
matomo | NOTICE: Access to the script '' has been denied (see security.limit_extensions)
matomo | 172.20.0.6 - 16/Jun/2019:10:40:10 +0000 "GET /" 403
matomo | NOTICE: Access to the script '' has been denied (see security.limit_extensions)
```
Also tried to add -that was missing- config.ini.php with stuff from https://matomo.org/faq/how-to-install/faq_98/ .
Why is it not working?
I found a part of the solution: `root /var/www/html/matomo;` should correspond to the path given in the docker-compose.yml, mine was `/var/www/html/` as given in the example docker-compose file. BUT the static files are served by nginx, so for static files `root /var/www/html/matomo;` is the correct path...
Since I won't modify the matomo DockerFile, I will have to use an alias for static files, if I am lucky maybe that's all.
Whoever made this docker-compose.yml should put the associated nginx conf aside (I hope he still has it).
Using docker compose with:
- a custom path for matomo, `/var/www/matomo`
- preserving files in this folder with `./html:/var/www/html` on `/var/www/matomo/docker-compose.yml`
- a custom domain `matomo.example.com` pointing to this
- a local nginx using the example configuration updated to use my `server_name` and `root /var/www/matomo/html` to serve static files
I had 404 on FPM files only, the static files were properly served.
I had to hardcode the path used by FPM to serve files inside the container, which is not subject to any change, rather than using the incorrect `$document_root` that equals `/var/www/matomo/html` in my case.
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_FILENAME /var/www/html/$fastcgi_script_name;
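Review bot: on the `+` line, `/var/www/html/$fastcgi_script_name` produces a doubled slash (for example `/var/www/html//index.php`), because `$fastcgi_script_name` already begins with `/`, which is why the removed line joined `$document_root$fastcgi_script_name` with no separator. Dropping the trailing slash gives `fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;`. A short comment beside the hardcoded path, saying it is the document root inside the PHP-FPM container and not on the nginx host, would keep a later editor from reverting it to `$document_root`.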
Setting `root /var/www/html` inside the location block didn't help (as seen in another github discussion, can't find it back).
Hope this helps someone!
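An added example, not taken from the thread or from the Matomo project: a server block for the layout the last comment describes, where nginx serves static files from the host path while PHP-FPM sees the same files under `/var/www/html` inside the container. The server name is the one used in that comment; the FPM address `127.0.0.1:9000` and the certificate paths are assumptions and placeholders.

```nginx
# Added example. Assumed: FPM port published on 127.0.0.1:9000,
# certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name matomo.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;

    # Path as nginx sees it on the host (the ./html bind mount).
    root /var/www/matomo/html;
    index index.php;

    # Only these entry points are handed to PHP-FPM. The dot is escaped
    # and the pattern is anchored so that nothing else matches.
    location ~ ^/(index|matomo|piwik|js/index)\.php$ {
        include fastcgi_params;
        # The stock fastcgi_params file does not set SCRIPT_FILENAME.
        # When it is empty, FPM logs "Access to the script '' has been
        # denied". Use the path inside the container, not $document_root,
        # which is the host path above.
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";  # httpoxy: https://httpoxy.org/
        fastcgi_pass 127.0.0.1:9000;
    }

    # Every other .php file is refused and never reaches FPM.
    location ~* \.php$ {
        return 403;
    }

    # Directories that hold configuration and temporary data.
    location ~ ^/(config|tmp|core|lang)/ {
        return 403;
    }

    location ~ /\.ht {
        return 403;
    }

    # Static files come straight from the host path.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

`nginx -t` validates the file before a reload; a request for `/index.php` should then appear in the FPM log with a 200 and no "has been denied" notice.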