Difference between revisions of "Piwik"
(Add PHP settings) |
(Debian Stretch) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 19: | Line 19: | ||
=== Configure PHP === | === Configure PHP === | ||
− | + | {{PHP/open_basedir|folders=/usr/share/piwik/:/etc/piwik/:/var/lib/piwik/}} | |
− | + | === Install Package === | |
<syntaxhighlight lang="console"> | <syntaxhighlight lang="console"> | ||
− | $ sudo | + | $ sudo apt install piwik geoip-database geoip-database-extra |
</syntaxhighlight> | </syntaxhighlight> | ||
− | === | + | === DNS === |
− | < | + | Create a DNS entry for piwik. For this guide, we will use <code>piwik.example.org</code>. |
− | + | ||
− | </ | + | === Webserver === |
+ | {{Nginx/New Site|domain=piwik.example.org|config=server { | ||
+ | include snippets/listen-http.conf; | ||
+ | server_name piwik.example.org; | ||
+ | |||
+ | access_log /var/log/nginx/piwik.example.org.access.log; | ||
+ | error_log /var/log/nginx/piwik.example.org.error.log info; | ||
+ | |||
+ | include snippets/acme-challenge.conf; | ||
+ | include snippets/https-permanent-redirect.conf; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | include snippets/listen-https.conf; | ||
+ | server_name piwik.example.org; | ||
+ | |||
+ | access_log /var/log/nginx/piwik.example.org.access.log; | ||
+ | error_log /var/log/nginx/piwik.example.org.error.log info; | ||
+ | |||
+ | include snippets/acme-challenge.conf; | ||
+ | |||
+ | #include snippets/ssl.conf; | ||
+ | #ssl_certificate /etc/letsencrypt/live/piwik.example.org/fullchain.pem; | ||
+ | #ssl_certificate_key /etc/letsencrypt/live/piwik.example.org/privkey.pem; | ||
+ | #include snippets/hsts.conf; | ||
+ | |||
+ | # Protect interface during initial setup | ||
+ | # To be removed once admin password is set | ||
+ | auth_basic "You shall not pass!"; | ||
+ | auth_basic_user_file /etc/nginx/generic.htpasswd; | ||
+ | |||
+ | include snippets/security-headers.conf; | ||
+ | include snippets/x-frame-options-deny.conf; | ||
+ | |||
+ | root /usr/share/piwik; | ||
+ | index index.php; | ||
+ | |||
+ | location / { | ||
+ | location ~* ^.+\.(?:css{{!}}gif{{!}}html?{{!}}jpe?g{{!}}js{{!}}png{{!}}swf)$ { | ||
+ | expires max; | ||
+ | } | ||
+ | |||
+ | ## Do not serve HTML files from the /tmp folder. | ||
+ | location ~* ^/tmp/.*\.html?$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | location ~* (?:DESIGN{{!}}(?:gpl{{!}}README{{!}}LICENSE)[^.]*{{!}}LEGALNOTICE)(?:\.txt)*$ { | ||
+ | return 404; | ||
+ | } | ||
+ | location ~* \.(?:bat{{!}}git{{!}}ini{{!}}sh{{!}}svn[^.]*{{!}}txt{{!}}tpl{{!}}xml{{!}}py)$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | try_files $uri /index.php?$query_string; | ||
+ | } | ||
+ | |||
+ | location = /index.php { | ||
+ | include fastcgi.conf; | ||
+ | fastcgi_pass php; | ||
+ | } | ||
+ | |||
+ | location = /piwik.php { | ||
+ | include fastcgi.conf; | ||
+ | fastcgi_pass php; | ||
+ | } | ||
+ | |||
+ | location ~* ^.+\.php$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | location = /robots.txt { | ||
+ | return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n"; | ||
+ | } | ||
+ | <nowiki>}</nowiki> | ||
+ | }} | ||
[[Category:Linux Server]] | [[Category:Linux Server]] | ||
[[Category:Debian Release]] | [[Category:Debian Release]] | ||
[[Category:TODO]] | [[Category:TODO]] | ||
+ | |||
+ | === Create Database === | ||
+ | For the rest of the guide, we will use a dedicated database and user named <code>piwik</code>. | ||
+ | |||
+ | You can [[PhpMyAdmin/New Database|create them using PhpMyAdmin]] or any other method. | ||
+ | |||
+ | == Configure == | ||
+ | |||
+ | === Initial Setup === | ||
+ | Open your browser to your piwik website (<nowiki>https://piwik.example.org</nowiki>) and follow the instructions. | ||
+ | |||
+ | You will need to enter the credentials for the database user that we just created. You will also create the first user of your website. | ||
+ | |||
+ | Once this is done and you can log into your website properly, time to remove the temporary password from nginx. | ||
+ | |||
+ | Edit file <code>/etc/nginx/sites-available/piwik.example.org</code> and remove the two lines that start with <code>auth_basic</code>. | ||
+ | |||
+ | Reload Nginx with<syntaxhighlight lang="console"> | ||
+ | $ sudo systemctl reload nginx.service | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Cron === | ||
+ | By default, Piwik will preprocess data when you see it in the browser. This can give a slow UI depending on the data that you have. To process can be replaced by a cron job for better performance. | ||
+ | |||
+ | To set the cron job, edit file <code>/etc/cron.d/piwik-archive</code> to uncomment the line and replace the URL<syntaxhighlight lang="text"> | ||
+ | 5 * * * * www-data [ -e /usr/share/piwik/console ] && [ -x /usr/bin/php ] && nice /usr/bin/php /usr/share/piwik/console core:archive --url="https://piwik.example.org/" >>/var/log/piwik/piwik-archive.log 2>&1 | ||
+ | </syntaxhighlight>Once the cron is set, you can disable the reports in the UI. Open administration pages, go to section Settings / General and disable archiving in the UI | ||
+ | |||
+ | [[File:PiwikArchivingSetting.png|border|609x609px]] | ||
+ | |||
+ | == Transfer Existing Installation == | ||
+ | |||
+ | === Preparation === | ||
+ | A few days before the actual migration change the TTL of your DNS entry to something short like 1 minute. This will ensure that when you switch your DNS record to the new server, users start using your new server as fast as possible. | ||
+ | |||
+ | === Installation === | ||
+ | On the new server, follow the normal installation steps. You will just need the following modifications: | ||
+ | * Do not point the DNS record to your new server yet. | ||
+ | * From the Nginx config, remove the two lines that start with <code>auth_basic</code> | ||
+ | * You cannot get your ssl certificate yet. Do not run certmanage and do not uncomment ssl related lines. | ||
+ | |||
+ | === Configuration === | ||
+ | Transfer file <code>/etc/piwik/config.ini.php</code> to your new server. | ||
+ | |||
+ | Edit the database section and change the database password. | ||
+ | |||
+ | === Copy Database === | ||
+ | {{Warning|msg=}} | ||
+ | Run this step and the next one as fast as possible. | ||
+ | |||
+ | On the old server, backup you database using<syntaxhighlight lang="console"> | ||
+ | $ mysqldump -u root -aqp piwik | gzip > piwik.sql.gz | ||
+ | </syntaxhighlight>Copy the file <code>piwik.sql.gz</code> to the new server. | ||
+ | |||
+ | And restore it on the new server using<syntaxhighlight lang="console"> | ||
+ | $ zcat piwik.sql.gz | mysql -u root -p piwik | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | === Switch server === | ||
+ | * Switch the DNS entry to the new server | ||
+ | * Run the command | ||
+ | {{Let’s Encrypt/New Cert Command|domain=piwik.example.org|command=systemctl reload nginx.service}} | ||
+ | * Uncomment the ssl related lines in <code>/etc/nginx/sites-available/piwik.example.org</code> and run<syntaxhighlight lang="console"> | ||
+ | $ sudo systemctl reload nginx.service | ||
+ | </syntaxhighlight> |
Latest revision as of 10:52, 24 June 2017
Prerequisite
Install
Add Repository
Piwik is not present in Debian repositories. However they provide their own repository. You can add it using
$ wget https://debian.piwik.org/repository.gpg -qO piwik-repository.gpg
$ sha256sum --binary piwik-repository.gpg
0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4 *piwik-repository.gpg
$ cat piwik-repository.gpg | sudo apt-key add -
OK
$ echo "deb https://debian.piwik.org/ piwik main" | sudo tee /etc/apt/sources.list.d/piwik.list > /dev/null
$ sudo apt update
Configure PHP
Edit file /etc/php/7.0/mods-available/local-common.ini
and add /usr/share/piwik/:/etc/piwik/:/var/lib/piwik/
to the open_basedir
setting.
Reload PHP:
$ sudo systemctl reload php7.0-fpm.service
Install Package
$ sudo apt install piwik geoip-database geoip-database-extra
DNS
Create a DNS entry for piwik. For this guide, we will use piwik.example.org
.
Webserver
- Create the config file
/etc/nginx/sites-available/piwik.example.org
server { include snippets/listen-http.conf; server_name piwik.example.org; access_log /var/log/nginx/piwik.example.org.access.log; error_log /var/log/nginx/piwik.example.org.error.log info; include snippets/acme-challenge.conf; include snippets/https-permanent-redirect.conf; } server { include snippets/listen-https.conf; server_name piwik.example.org; access_log /var/log/nginx/piwik.example.org.access.log; error_log /var/log/nginx/piwik.example.org.error.log info; include snippets/acme-challenge.conf; #include snippets/ssl.conf; #ssl_certificate /etc/letsencrypt/live/piwik.example.org/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/piwik.example.org/privkey.pem; #include snippets/hsts.conf; # Protect interface during initial setup # To be removed once admin password is set auth_basic "You shall not pass!"; auth_basic_user_file /etc/nginx/generic.htpasswd; include snippets/security-headers.conf; include snippets/x-frame-options-deny.conf; root /usr/share/piwik; index index.php; location / { location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ { expires max; } ## Do not serve HTML files from the /tmp folder. location ~* ^/tmp/.*\.html?$ { return 404; } location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { return 404; } location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$ { return 404; } try_files $uri /index.php?$query_string; } location = /index.php { include fastcgi.conf; fastcgi_pass php; } location = /piwik.php { include fastcgi.conf; fastcgi_pass php; } location ~* ^.+\.php$ { return 404; } location = /robots.txt { return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n"; } }
- Activate the configuration with
$ sudo nginx_modsite -e piwik.example.org Would you like to reload the Nginx configuration now? (Y/n) Y
- Edit file
/usr/local/etc/certmanage/main.json
and add the following to the list{ "domains": ["piwik.example.org"], "reload": [["/bin/systemctl", "reload", "nginx.service"]] }
- Get your certificate
$ sudo /usr/local/sbin/certmanage Renewing certificate for piwik.example.org that will expire on 0001-01-01 Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for piwik.example.org Using the webroot path /var/www/acme-challenge for all unmatched domains. Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert will expire on 2025-03-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le Restarting services: systemctl reload nginx.service
- Uncomment the ssl related lines in
/etc/nginx/sites-available/piwik.example.org
and run$ sudo systemctl reload nginx.service
Create Database
For the rest of the guide, we will use a dedicated database and user named piwik
.
You can create them using PhpMyAdmin or any other method.
Configure
Initial Setup
Open your browser to your piwik website (https://piwik.example.org) and follow the instructions.
You will need to enter the credentials for the database user that we just created. You will also create the first user of your website.
Once this is done and you can log into your website properly, time to remove the temporary password from nginx.
Edit file /etc/nginx/sites-available/piwik.example.org
and remove the two lines that start with auth_basic
.
Reload Nginx with
$ sudo systemctl reload nginx.service
Cron
By default, Piwik will preprocess data when you see it in the browser. This can give a slow UI depending on the data that you have. To process can be replaced by a cron job for better performance.
To set the cron job, edit file /etc/cron.d/piwik-archive
to uncomment the line and replace the URL
5 * * * * www-data [ -e /usr/share/piwik/console ] && [ -x /usr/bin/php ] && nice /usr/bin/php /usr/share/piwik/console core:archive --url="https://piwik.example.org/" >>/var/log/piwik/piwik-archive.log 2>&1
Once the cron is set, you can disable the reports in the UI. Open administration pages, go to section Settings / General and disable archiving in the UI
Transfer Existing Installation
Preparation
A few days before the actual migration change the TTL of your DNS entry to something short like 1 minute. This will ensure that when you switch your DNS record to the new server, users start using your new server as fast as possible.
Installation
On the new server, follow the normal installation steps. You will just need the following modifications:
- Do not point the DNS record to your new server yet.
- From the Nginx config, remove the two lines that start with
auth_basic
- You cannot get your ssl certificate yet. Do not run certmanage and do not uncomment ssl related lines.
Configuration
Transfer file /etc/piwik/config.ini.php
to your new server.
Edit the database section and change the database password.
Copy Database
Warning: Run this step and the next one as fast as possible.
On the old server, backup you database using
$ mysqldump -u root -aqp piwik | gzip > piwik.sql.gz
Copy the file piwik.sql.gz
to the new server.
And restore it on the new server using
$ zcat piwik.sql.gz | mysql -u root -p piwik
Switch server
- Switch the DNS entry to the new server
- Run the command
$ sudo /usr/local/sbin/certmanage
Renewing certificate for piwik.example.org that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for piwik.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert
will expire on 2025-03-03. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Restarting services:
systemctl reload nginx.service
- Uncomment the ssl related lines in
/etc/nginx/sites-available/piwik.example.org
and run$ sudo systemctl reload nginx.service