Piwik

From wiki
Revision as of 09:14, 11 December 2016 by Vincent (talk | contribs) (Initial setup)

Prerequisite

Install

Add Repository

Piwik is not present in Debian repositories. However they provide their own repository. You can add it using

$ wget https://debian.piwik.org/repository.gpg -qO piwik-repository.gpg
$ sha256sum --binary piwik-repository.gpg
0d7c880f6c838bba2d02817dcacfc97fc538b1ebcdb41c3106595265c0d371d4 *piwik-repository.gpg
$ cat piwik-repository.gpg | sudo apt-key add -
OK
$ echo "deb https://debian.piwik.org/ piwik main" | sudo tee /etc/apt/sources.list.d/piwik.list > /dev/null
$ sudo apt update

Configure PHP

Edit file /etc/php5/mods-available/local-common.ini and add /usr/share/piwik/:/etc/piwik/:/var/lib/piwik/ to the open_basedir setting.

Reload PHP:

$ sudo service php5-fpm reload

Install Package

$ sudo apt install piwik geoip-database/jessie-backports geoip-database-extra/jessie-backports

DNS

Create a DNS entry for piwik. For this guide, we will use piwik.example.org.

Webserver

  1. Create the config file /etc/nginx/sites-available/piwik.example.org
    server {
        include snippets/listen-http.conf;
        server_name piwik.example.org;
    
        access_log /var/log/nginx/piwik.example.org.access.log;
        error_log /var/log/nginx/piwik.example.org.error.log info;
    
        include snippets/acme-challenge.conf;
        include snippets/https-permanent-redirect.conf;
    }
    
    server {
        include snippets/listen-https.conf;
        server_name piwik.example.org;
    
        access_log /var/log/nginx/piwik.example.org.access.log;
        error_log /var/log/nginx/piwik.example.org.error.log info;
    
        include snippets/acme-challenge.conf;
    
        #include snippets/ssl.conf;
        #ssl_certificate      /etc/letsencrypt/live/piwik.example.org/fullchain.pem;
        #ssl_certificate_key  /etc/letsencrypt/live/piwik.example.org/privkey.pem;
        #include snippets/hsts.conf;
    
        # Protect interface during initial setup
        # To be removed once admin password is set
        auth_basic            "You shall not pass!";
        auth_basic_user_file  /etc/nginx/generic.htpasswd;
        
        include snippets/security-headers.conf;
        include snippets/x-frame-options-deny.conf;
    
        root /usr/share/piwik;
        index index.php;
    
        location / {
            location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ {
                expires max;
            }
    
            ## Do not serve HTML files from the /tmp folder.
            location ~* ^/tmp/.*\.html?$ {
                return 404;
            }
    
            location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
                return 404;
            }   
            location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|py)$ {
                return 404;
            }   
    
            try_files $uri /index.php?$query_string;
        }   
    
        location = /index.php {
            include fastcgi.conf;
            fastcgi_pass php5;
        }   
    
        location = /piwik.php {
            include fastcgi.conf;
            fastcgi_pass php5;
        }   
    
        location ~* ^.+\.php$ {
            return 404;
        }   
    
        location = /robots.txt {
            return 200 "User-agent: *\nAllow: /piwik.js\nAllow: /piwik.php\nDisallow: /\n";
        }   
    }
    
  2. Activate the configuration with
    $ sudo nginx_modsite -e piwik.example.org
    Would you like to reload the Nginx configuration now? (Y/n) Y
    
  3. Edit file /usr/local/etc/certmanage/main.json and add the following to the list
    {
        "domains": ["piwik.example.org"],
        "reload": [["/bin/systemctl", "reload", "nginx.service"]]
    }
    
  4. Get your certificate
    $ sudo /usr/local/sbin/certmanage
    Renewing certificate for piwik.example.org that will expire on 0001-01-01
    
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for piwik.example.org
    Using the webroot path /var/www/acme-challenge for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/1764_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/1764_csr-certbot.pem
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/piwik.example.org/fullchain.pem. Your cert
       will expire on 2025-02-20. To obtain a new or tweaked version of
       this certificate in the future, simply run certbot again. To
       non-interactively renew *all* of your certificates, run "certbot
       renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    Restarting services:
    systemctl reload nginx.service
    
  5. Uncomment the ssl related lines in /etc/nginx/sites-available/piwik.example.org and run
    $ sudo systemctl reload nginx.service
    

Create Database

For the rest of the guide, we will use a dedicated database and user named piwik.

You can create them using PhpMyAdmin or any other method.

Configure

Initial Setup

Open your browser to your piwik website (https://piwik.example.org) and follow the instructions.

You will need to enter the credentials for the database user that we just created. You will also create the first user of your website.

Once this is done and you can log into your website properly, time to remove the temporary password from nginx.

Edit file /etc/nginx/sites-available/piwik.example.org and remove the two lines that start with auth_basic.

Reload Nginx with

$ sudo systemctl reload nginx.service

Cron

By default, Piwik will preprocess data when you see it in the browser. This can give a slow UI depending on the data that you have. To process can be replaced by a cron job for better performance.

To set the cron job, edit file /etc/cron.d/piwik-archive to uncomment the line and replace the URL

5 *   * * *   www-data        [ -e /usr/share/piwik/console ] && [ -x /usr/bin/php ] && nice /usr/bin/php /usr/share/piwik/console core:archive --url="https://piwik.example.org/" >>/var/log/piwik/piwik-archive.log 2>&1

Once the cron is set, you can disable the reports in the UI. Open administration pages, go to section Settings / General and disable archiving in the UI

PiwikArchivingSetting.png

Transfer Existing Installation

Copy Database

On the old server, backup you database using

$ mysqldump -u root -aqp piwik | gzip > piwik.sql.gz

And restore it on the new server using

$ zcat piwik.sql.gz | mysql -u root -p piwik