Piwik
From wiki
Prerequisite
Install
Add Repository
Piwik is not present in Debian repositories. However they provide their own repository. You can add it using
$ wget https://debian.piwik.org/repository.gpg -qO piwik-repository.gpg
$ sha256sum --binary piwik-repository.gpg
0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4 *piwik-repository.gpg
$ cat piwik-repository.gpg | sudo apt-key add -
OK
$ echo "deb https://debian.piwik.org/ piwik main" | sudo tee /etc/apt/sources.list.d/piwik.list > /dev/null
$ sudo apt update
Configure PHP
Edit file /etc/php5/mods-available/local-common.ini
and add /usr/share/piwik/:/etc/piwik/:/var/lib/piwik/
to the open_basedir
setting.
Reload PHP:
$ sudo service php5-fpm reload
Install Package
$ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports
DNS
Create a DNS entry for piwik. For this guide, we will use piwik.example.org
.
Webserver
- Create the config file
/etc/nginx/sites-available/piwik.example.org
server { include snippets/listen-http.conf; server_name piwik.example.org; access_log /var/log/nginx/piwik.example.org.access.log; error_log /var/log/nginx/piwik.example.org.error.log info; include snippets/acme-challenge.conf; include snippets/https-permanent-redirect.conf; } server { include snippets/listen-https.conf; server_name piwik.example.org; access_log /var/log/nginx/piwik.example.org.access.log; error_log /var/log/nginx/piwik.example.org.error.log info; include snippets/acme-challenge.conf; #include snippets/ssl.conf; #ssl_certificate /etc/letsencrypt/live/piwik.example.org/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/piwik.example.org/privkey.pem; #include snippets/hsts.conf; # Protect interface during initial setup # To be removed once admin password is set auth_basic "You shall not pass!"; auth_basic_user_file /etc/nginx/generic.htpasswd; include snippets/security-headers.conf; include snippets/x-frame-options-deny.conf; root /usr/share/piwik; index index.php; location / { location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ { expires max; } ## Do not serve HTML files from the /tmp folder. location ~* ^/tmp/.*\.html?$ { return 404; } location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ { return 404; } location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$ { return 404; } try_files $uri /index.php?$query_string; } location = /index.php { include fastcgi.conf; fastcgi_pass php5; } location = /piwik.php { include fastcgi.conf; fastcgi_pass php5; } location ~* ^.+\.php$ { return 404; } location = /robots.txt { return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n"; } }
- Activate the configuration with
$ sudo nginx_modsite -e piwik.example.org Would you like to reload the Nginx configuration now? (Y/n) Y
- Edit file
/usr/local/etc/certmanage/main.json
and add the following to the list{ "domains": ["piwik.example.org"], "reload": [["/bin/systemctl", "reload", "nginx.service"]] }
- Get your certificate
$ sudo /usr/local/sbin/certmanage Renewing certificate for piwik.example.org that will expire on 0001-01-01 Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: http-01 challenge for piwik.example.org Using the webroot path /var/www/acme-challenge for all unmatched domains. Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert will expire on 2025-02-20. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le Restarting services: systemctl reload nginx.service
- Uncomment the ssl related lines in
/etc/nginx/sites-available/piwik.example.org
and run$ sudo systemctl reload nginx.service