Difference between revisions of "Piwik"
From wiki
(Add PHP settings) |
(DNS + Nginx) |
||
Line 30: | Line 30: | ||
$ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports | $ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | === DNS === | ||
+ | Create a DNS entry for piwik. For this guide, we will use <code>piwik.example.org</code>. | ||
+ | |||
+ | === Webserver === | ||
+ | {{Nginx/New Site|domain=piwik.example.org|config=server { | ||
+ | include snippets/listen-http.conf; | ||
+ | server_name piwik.example.org; | ||
+ | |||
+ | access_log /var/log/nginx/piwik.example.org.access.log; | ||
+ | error_log /var/log/nginx/piwik.example.org.error.log info; | ||
+ | |||
+ | include snippets/acme-challenge.conf; | ||
+ | include snippets/https-permanent-redirect.conf; | ||
+ | } | ||
+ | |||
+ | server { | ||
+ | include snippets/listen-https.conf; | ||
+ | server_name piwik.example.org; | ||
+ | |||
+ | access_log /var/log/nginx/piwik.example.org.access.log; | ||
+ | error_log /var/log/nginx/piwik.example.org.error.log info; | ||
+ | |||
+ | include snippets/acme-challenge.conf; | ||
+ | |||
+ | #include snippets/ssl.conf; | ||
+ | #ssl_certificate /etc/letsencrypt/live/piwik.example.org/fullchain.pem; | ||
+ | #ssl_certificate_key /etc/letsencrypt/live/piwik.example.org/privkey.pem; | ||
+ | #include snippets/hsts.conf; | ||
+ | |||
+ | # Protect interface during initial setup | ||
+ | # To be removed once admin password is set | ||
+ | auth_basic "You shall not pass!"; | ||
+ | auth_basic_user_file /etc/nginx/generic.htpasswd; | ||
+ | |||
+ | include snippets/security-headers.conf; | ||
+ | include snippets/x-frame-options-deny.conf; | ||
+ | |||
+ | root /usr/share/piwik; | ||
+ | index index.php; | ||
+ | |||
+ | location / { | ||
+ | location ~* ^.+\.(?:css{{!}}gif{{!}}html?{{!}}jpe?g{{!}}js{{!}}png{{!}}swf)$ { | ||
+ | expires max; | ||
+ | } | ||
+ | |||
+ | ## Do not serve HTML files from the /tmp folder. | ||
+ | location ~* ^/tmp/.*\.html?$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | location ~* (?:DESIGN{{!}}(?:gpl{{!}}README{{!}}LICENSE)[^.]*{{!}}LEGALNOTICE)(?:\.txt)*$ { | ||
+ | return 404; | ||
+ | } | ||
+ | location ~* \.(?:bat{{!}}git{{!}}ini{{!}}sh{{!}}svn[^.]*{{!}}txt{{!}}tpl{{!}}xml{{!}}py)$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | try_files $uri /index.php?$query_string; | ||
+ | } | ||
+ | |||
+ | location = /index.php { | ||
+ | include fastcgi.conf; | ||
+ | fastcgi_pass php5; | ||
+ | } | ||
+ | |||
+ | location = /piwik.php { | ||
+ | include fastcgi.conf; | ||
+ | fastcgi_pass php5; | ||
+ | } | ||
+ | |||
+ | location ~* ^.+\.php$ { | ||
+ | return 404; | ||
+ | } | ||
+ | |||
+ | location = /robots.txt { | ||
+ | return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n"; | ||
+ | } | ||
+ | } | ||
+ | }} | ||
[[Category:Linux Server]] | [[Category:Linux Server]] | ||
[[Category:Debian Release]] | [[Category:Debian Release]] | ||
[[Category:TODO]] | [[Category:TODO]] |
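Review bot: Inside location /, the static-asset block (location ~* ^.+\.(?:css{{!}}gif{{!}}html?{{!}}…)$ with expires max) is listed before location ~* ^/tmp/.*\.html?$, so the /tmp rule can never fire. nginx tests regex locations in the order they appear and stops at the first match, so an HTML file under /tmp is matched by the static-asset block and served instead of returning 404. Move the /tmp block above the static-asset block; putting all three return 404 blocks first also makes the intent easier to read. Separately, the auth_basic lines carry the comment "To be removed once admin password is set", but the page has no step that removes them; a closing step after the certificate section would help.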
Revision as of 11:18, 10 September 2016
Prerequisite
Install
Add Repository
Piwik is not present in the Debian repositories. However, the Piwik project provides its own repository. You can add it using:
$ wget https://debian.piwik.org/repository.gpg -qO piwik-repository.gpg
$ sha256sum --binary piwik-repository.gpg
0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4 *piwik-repository.gpg
$ cat piwik-repository.gpg | sudo apt-key add -
OK
$ echo "deb https://debian.piwik.org/ piwik main" | sudo tee /etc/apt/sources.list.d/piwik.list > /dev/null
$ sudo apt update
Configure PHP
Edit file /etc/php5/mods-available/local-common.ini and add /usr/share/piwik/:/etc/piwik/:/var/lib/piwik/ to the open_basedir setting.
Reload PHP:
$ sudo service php5-fpm reload
Install Package
$ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports
DNS
Create a DNS entry for piwik. For this guide, we will use piwik.example.org.
Webserver
- Create the config file /etc/nginx/sites-available/piwik.example.org

server {
    include snippets/listen-http.conf;
    server_name piwik.example.org;

    access_log /var/log/nginx/piwik.example.org.access.log;
    error_log /var/log/nginx/piwik.example.org.error.log info;

    include snippets/acme-challenge.conf;
    include snippets/https-permanent-redirect.conf;
}

server {
    include snippets/listen-https.conf;
    server_name piwik.example.org;

    access_log /var/log/nginx/piwik.example.org.access.log;
    error_log /var/log/nginx/piwik.example.org.error.log info;

    include snippets/acme-challenge.conf;

    #include snippets/ssl.conf;
    #ssl_certificate /etc/letsencrypt/live/piwik.example.org/fullchain.pem;
    #ssl_certificate_key /etc/letsencrypt/live/piwik.example.org/privkey.pem;
    #include snippets/hsts.conf;

    # Protect interface during initial setup
    # To be removed once admin password is set
    auth_basic "You shall not pass!";
    auth_basic_user_file /etc/nginx/generic.htpasswd;

    include snippets/security-headers.conf;
    include snippets/x-frame-options-deny.conf;

    root /usr/share/piwik;
    index index.php;

    location / {
        # Regex locations are tested in order and the first match wins,
        # so the deny rules come before the static-asset rule.

        ## Do not serve HTML files from the /tmp folder.
        location ~* ^/tmp/.*\.html?$ {
            return 404;
        }

        location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
            return 404;
        }
        location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$ {
            return 404;
        }

        location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ {
            expires max;
        }

        try_files $uri /index.php?$query_string;
    }

    location = /index.php {
        include fastcgi.conf;
        fastcgi_pass php5;
    }

    location = /piwik.php {
        include fastcgi.conf;
        fastcgi_pass php5;
    }

    location ~* ^.+\.php$ {
        return 404;
    }

    location = /robots.txt {
        return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n";
    }
}
- Activate the configuration with

$ sudo nginx_modsite -e piwik.example.org
Would you like to reload the Nginx configuration now? (Y/n) Y
- Edit file /usr/local/etc/certmanage/main.json and add the following to the list

{
    "domains": ["piwik.example.org"],
    "reload": [["/bin/systemctl", "reload", "nginx.service"]]
}
- Get your certificate

$ sudo /usr/local/sbin/certmanage
Renewing certificate for piwik.example.org that will expire on 0001-01-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for piwik.example.org
Using the webroot path /var/www/acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert
   will expire on 2025-02-19. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Restarting services:
systemctl reload nginx.service
- Uncomment the ssl related lines in /etc/nginx/sites-available/piwik.example.org and run

$ sudo systemctl reload nginx.service
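nginx tests regex locations in configuration order and uses the first match, so the order of the blocks nested in location / decides whether the /tmp rule is reachable. The sketch below is an added example, not part of the wiki page: it models that selection for this server block with the page's own regexes and compares two orderings. The rule labels, the sample paths and the simplified routing model are assumptions made for the example.

```python
import re

# Location rules copied from the server block on this page; the labels are added here.
EXACT = {"/index.php": "fastcgi", "/piwik.php": "fastcgi", "/robots.txt": "robots"}
SERVER_REGEX = [("deny-php", r"^.+\.php$")]
STATIC = ("static", r"^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$")
TMP_HTML = ("deny-tmp-html", r"^/tmp/.*\.html?$")
DOCS = ("deny-docs", r"(?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$")
EXT = ("deny-ext", r"\.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$")

STATIC_FIRST = [STATIC, TMP_HTML, DOCS, EXT]   # static-asset block listed first
DENY_FIRST = [TMP_HTML, DOCS, EXT, STATIC]     # deny blocks listed first

# Constructed request paths, not taken from a real Piwik tree.
SAMPLES = ["/tmp/report.html", "/tmp/cache/x.HTM", "/img/logo.png",
           "/LICENSE", "/config/x.ini", "/config/x.ini.php", "/index.php"]

def matches(pattern, uri):
    return re.search(pattern, uri, re.IGNORECASE) is not None  # `~*` ignores case

def first_match(rules, uri):
    """nginx tries regex locations in file order and stops at the first hit."""
    return next((name for name, pat in rules if matches(pat, uri)), None)

def route(uri, nested):
    """Simplified model: exact match, then server-level regex, then the
    regex blocks nested in `location /`, then the try_files fallback."""
    if uri in EXACT:
        return EXACT[uri]
    return first_match(SERVER_REGEX, uri) or first_match(nested, uri) or "try_files"

def shadowed(nested, uris):
    """(uri, deny rule, winner) where a deny rule matches but a non-deny rule wins."""
    found = []
    for uri in uris:
        winner = route(uri, nested)
        if winner.startswith("deny"):
            continue
        found += [(uri, name, winner) for name, pat in nested
                  if name.startswith("deny") and matches(pat, uri)]
    return found

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:22} static-first={route(uri, STATIC_FIRST):14} "
              f"deny-first={route(uri, DENY_FIRST)}")
    print("shadowed:", shadowed(STATIC_FIRST, SAMPLES))
```
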