File matomo-nginx.conf of Package matomo

# If you run Matomo standalone, please redirect all traffic on port 80
# to an SSL-encrypted setup on port 443.
# In this case, uncomment the following server section.
#server {
#    listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
#    listen 80 fastopen=500;
#    server_name matomo.example.com;
#    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
#    location / {
#        return 301 https://$host$request_uri;
#    }
#}

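server {
# Virtual host for Matomo: only a fixed set of PHP entry points is passed to
# PHP-FPM, every other .php file is denied, and internal directories are blocked.
# nginx uses the first regex location that matches, in order of appearance,
# so the order of the location blocks below is part of the access policy.
#
# If you run matomo behind a load balancer like haproxy, let haproxy handle the SSL offloading
# for you. If not, please comment out the two lines below and uncomment the lines above and below
# for SSL encrypted traffic
    listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
    listen 80 fastopen=500;
# If you run nginx with SSL, please adjust and uncomment the lines below
#    listen 443 ssl http2 fastopen=500;
#    listen [::]:443 ssl http2 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
#    include ssl.conf; # if you want to support older browsers, please read through this file
#    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
#    add_header X-Content-Type-Options "nosniff" always;
#    add_header X-XSS-Protection "1; mode=block" always; # legacy header, ignored by current browsers
#    ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
#    ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;

# Please insert the correct FQDN of your server below:
    server_name matomo.example.com;

    error_log   /var/log/nginx/error.log;
    access_log  /var/log/nginx/access.log;
    log_not_found off;

# If you run nginx behind a reverse proxy like haproxy, please
# adjust and uncomment the lines below.
# List only the address of your own proxy in set_real_ip_from: X-Forwarded-For
# is a client-supplied header and must not be trusted from any other source.
#    set_real_ip_from  192.168.0.1;
#    real_ip_header    X-Forwarded-For;

    root __matomo_web___;
    index index.php;

    # only allow accessing the following php files
    # The dot is escaped and the name must end at ".php" or continue with "/"
    # (PATH_INFO), so names such as /index.php5 or /indexXphp no longer reach PHP-FPM.
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php(/|$) {
        include /etc/nginx/fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $fastcgi_script_name =404; # protects against CVE-2019-11043
        # $fastcgi_path_info is copied into a variable of its own after try_files
        # and only then passed on as PATH_INFO.
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass 127.0.0.1:9000;
    }
    # deny access to all other .php files
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }
    # serve all other files normally
    location / {
        try_files $uri $uri/ =404;
    }
    # disable all access to the following directories
    # The pattern is not anchored, so it matches these names anywhere in the path.
    # Keep this block above the static-file block below: otherwise images, JSON
    # and similar files inside these directories would be served.
    location ~ /(config|tmp|core|lang) {
        deny all;
        return 403;
    }
    # disable all access to files starting with .ht (apache)
    location ~ /\.ht {
        deny  all;
        return 403;
    }
    # Cache images, CSS, JS and webfonts for an hour
    # Increasing the duration may improve the load time, but may cause old files to show after a Matomo upgrade
    # nginx inherits add_header from the server level only when a location sets
    # none of its own. If you enable the security headers at the top of this
    # server block, repeat them here or they are not sent for these files.
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
    # disable all access to the following directories
    # This block comes after the static-file block, so files with one of the
    # extensions listed there are still served from these directories; every
    # other request below them is denied.
    location ~ /(libs|vendor|plugins|misc/user) {
        deny all;
        return 403;
    }
}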