Piwik

Revision as of 11:18, 10 September 2016 by Vincent (talk | contribs) (DNS + Nginx)

Prerequisite

Install

Add Repository

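Piwik is not available in the Debian repositories, but the project provides its own repository. You can add it as follows; compare the SHA-256 checksum of the downloaded key with the value shown here before passing it to apt-key: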

$ wget https://debian.piwik.org/repository.gpg -qO piwik-repository.gpg
$ sha256sum --binary piwik-repository.gpg
0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4 *piwik-repository.gpg
$ cat piwik-repository.gpg | sudo apt-key add -
OK
$ echo "deb https://debian.piwik.org/ piwik main" | sudo tee /etc/apt/sources.list.d/piwik.list > /dev/null
$ sudo apt update
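
The same key check as a script that refuses to trust the key on a mismatch. This is an added example, not part of the original guide; the function names verify_sha256 and add_piwik_key are hypothetical, and the pinned value is the checksum printed above.

```shell
#!/bin/sh
# Added example: pin the repository key to the SHA-256 printed in this guide
# and only hand it to apt-key when the downloaded file matches.

# Checksum of repository.gpg as shown in the guide above.
PIWIK_KEY_SHA256="0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
# Returns 2 for unusable input (missing file, malformed digest), 1 on mismatch.
verify_sha256() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    # The expected digest must be exactly 64 lowercase hex digits.
    case "$expected" in
        *[!0123456789abcdef]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256sum --binary "$file" | cut -d' ' -f1) || return 2
    [ "$actual" = "$expected" ]
}

# add_piwik_key: download, verify, then (and only then) add the key.
# Defined but not called here; run it in place of the manual steps.
add_piwik_key() {
    tmp=$(mktemp) || return 1
    if ! wget https://debian.piwik.org/repository.gpg -qO "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_sha256 "$tmp" "$PIWIK_KEY_SHA256"; then
        sudo apt-key add "$tmp"
        rc=$?
    else
        echo "repository.gpg does not match the pinned SHA-256; key not added" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

If the project rotates its key, the pinned checksum has to be updated from a source you trust, not from the same download.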

Configure PHP

Edit the file /etc/php5/mods-available/local-common.ini and add /usr/share/piwik/:/etc/piwik/:/var/lib/piwik/ to the colon-separated open_basedir setting.

Reload PHP:

$ sudo service php5-fpm reload

Install Package

$ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports

DNS

Create a DNS entry for piwik. For this guide, we will use piwik.example.org.

Webserver

  1. Create the config file /etc/nginx/sites-available/piwik.example.org
    server {
        include snippets/listen-http.conf;
        server_name piwik.example.org;
    
        access_log /var/log/nginx/piwik.example.org.access.log;
        error_log /var/log/nginx/piwik.example.org.error.log info;
    
        include snippets/acme-challenge.conf;
        include snippets/https-permanent-redirect.conf;
    }
    
    server {
        include snippets/listen-https.conf;
        server_name piwik.example.org;
    
        access_log /var/log/nginx/piwik.example.org.access.log;
        error_log /var/log/nginx/piwik.example.org.error.log info;
    
        include snippets/acme-challenge.conf;
    
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/piwik.example.org/fullchain.pem;
        #ssl_certificate_key  /etc/letsencrypt/live/piwik.example.org/privkey.pem;
        #include snippets/hsts.conf;
    
        # Protect interface during initial setup
        # To be removed once admin password is set
        auth_basic            "You shall not pass!";
        auth_basic_user_file  /etc/nginx/generic.htpasswd;
        
        include snippets/security-headers.conf;
        include snippets/x-frame-options-deny.conf;
    
        root /usr/share/piwik;
        index index.php;
    
        location / {
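            ## Do not serve HTML files from the /tmp folder.
            ## Regex locations are tested in order of appearance, so this rule
            ## must come before the static-asset rule, which also matches .html.
            location ~* ^/tmp/.*\.html?$ {
                return 404;
            }
    
            location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ {
                expires max;
            }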
    
            location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
                return 404;
            }   
            location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$ {
                return 404;
            }   
    
            try_files $uri /index.php?$query_string;
        }   
    
        location = /index.php {
            include fastcgi.conf;
            fastcgi_pass php5;
        }   
    
        location = /piwik.php {
            include fastcgi.conf;
            fastcgi_pass php5;
        }   
    
        location ~* ^.+\.php$ {
            return 404;
        }   
    
        location = /robots.txt {
            return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n";
        }   
    }
    
  2. Activate the configuration with
    $ sudo nginx_modsite -e piwik.example.org
    Would you like to reload the Nginx configuration now? (Y/n) Y
    
  3. Edit the file /usr/local/etc/certmanage/main.json and add the following entry to the list
    {
        "domains": ["piwik.example.org"],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
    }
    
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for piwik.example.org that will expire on 0001-01-01
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for piwik.example.org
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert
       will expire on 2025-02-20. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Restarting services:
    systemctl reload nginx.service
    
  5. Uncomment the SSL-related lines in /etc/nginx/sites-available/piwik.example.org and run
    $ sudo systemctl reload nginx.service
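
In the Nginx configuration from step 1, the regex locations nested in location / are tested in order of appearance and the first match wins, so the relative position of the static-asset rule and the /tmp rule decides whether /tmp/*.html is served. The following shell model is an added example, not part of the original guide; the names decide, static_first and deny_first are hypothetical, and it covers only those four nested regex locations.

```shell
#!/bin/sh
# Simplified model of how nginx chooses among the regex locations nested in
# "location /": patterns are tried in order of appearance, first match wins.
# (?:...) is written as (...) because grep -E has no non-capturing groups.

STATIC='^.+\.(css|gif|html?|jpe?g|js|png|swf)$'
TMP_HTML='^/tmp/.*\.html?$'
DOCS='(DESIGN|(gpl|README|LICENSE)[^.]*|LEGALNOTICE)(\.txt)*$'
SENSITIVE='\.(bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$'

# decide URI RULE...   where each RULE is "action:regex"
# Prints the action of the first rule whose regex matches URI
# (case-insensitively, like "~*"), or "try_files" if none does.
decide() {
    uri=$1; shift
    for rule in "$@"; do
        action=${rule%%:*}
        regex=${rule#*:}
        if printf '%s\n' "$uri" | grep -Eiq -- "$regex"; then
            echo "$action"
            return 0
        fi
    done
    echo "try_files"
}

# Static-asset rule listed ahead of the /tmp rule.
static_first() {
    decide "$1" "serve:$STATIC" "404:$TMP_HTML" "404:$DOCS" "404:$SENSITIVE"
}

# /tmp rule listed ahead of the static-asset rule.
deny_first() {
    decide "$1" "404:$TMP_HTML" "serve:$STATIC" "404:$DOCS" "404:$SENSITIVE"
}
```

Calling static_first and deny_first with /tmp/report.html shows the difference; against the live server, the same path can be requested with curl to confirm the 404.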