
matomo-nginx's Introduction

Nginx Configuration for Matomo

This is a small nginx configuration that should help you get your own Matomo instance running and start collecting your own analytics.

I already know nginx

In that case it should be enough to take sites-available/matomo.conf, check that everything is configured the way you want it, and enable the config.

I want to get started

  • clone this repository or download it as a zip, then move its content to /etc/nginx/ (or wherever you store your nginx config)
  • read through sites-available/matomo.conf and modify the settings to fit your use case:
    • set server_name to the domain(s) of your Matomo instance
    • set the path to your SSL certificate (I strongly recommend making sure your Matomo instance is only reachable via HTTPS. If you don't have an SSL certificate for your domain yet, check out Let's Encrypt.)
    • do you want to support old browsers? Then you'll need to modify ssl.conf according to your needs (the Mozilla SSL Config Generator will help you)
    • replace /var/www/matomo/ with the path to your Matomo instance
  • configure PHP (this depends on your OS and PHP setup)
    • if you are using fastcgi (which is probably the case) set fastcgi_pass to the path of your PHP socket file
    • you can also specify a TCP port
  • go to the sites-enabled folder of your nginx config directory
  • enable the Matomo config by creating a symlink: sudo ln -s ../sites-available/matomo.conf
  • test if there is a syntax error in your config: sudo nginx -t
  • restart nginx: sudo systemctl restart nginx

If you need to check the legacy nginx Matomo configuration, you can find it here: https://github.com/matomo-org/matomo-nginx/tree/1.0.99

Tips

  • never use Matomo without HTTPS
  • make sure you have configured nginx to accept only modern and secure cryptography
  • add server_tokens off; to your config to strip the nginx version from the Server: nginx header on all responses and from error pages
  • if you have enabled gzip compression (which improves performance greatly), be aware of the BREACH vulnerability
  • think about enabling the Strict-Transport-Security header, but keep in mind the implications
  • keep HTTP/2 enabled as it brings performance benefits with many small files (e.g. icons)
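As an added example that is not the repository's own sites-available/matomo.conf, the server block below applies the steps and tips above in one place (HTTPS only, server_tokens off, HSTS, a PHP-FPM socket, and deny rules for internal paths). The host name matomo.example.com, the Let's Encrypt paths, /var/www/matomo/ and /run/php/php-fpm.sock are assumptions to replace with your own.

```nginx
# Added example, not the repository's matomo.conf. Assumed values: the host name,
# the certificate paths, the web root and the PHP-FPM socket; replace them.
server {
    listen 80;
    listen [::]:80;
    server_name matomo.example.com;
    return 301 https://$host$request_uri;   # never serve Matomo over plain HTTP
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matomo.example.com;

    ssl_certificate     /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;
    include ssl.conf;   # protocols and ciphers, e.g. from the Mozilla SSL Config Generator

    server_tokens off;  # no nginx version in the Server header or on error pages
    # HSTS: enable only once every host under this domain is reachable via HTTPS
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/matomo/;
    index index.php;

    # Prefix match (^~) wins over the dotfile deny regex below, so this stays reachable
    location ^~ /.well-known/ {
        allow all;
    }

    # Anything not found on disk falls back to index.php, keeping the query string
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Only Matomo's public PHP entry points are handed to PHP-FPM
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY "";              # httpoxy: drop a client-sent Proxy header
        fastcgi_pass unix:/run/php/php-fpm.sock;  # or a TCP endpoint such as 127.0.0.1:9000
    }

    # Internal directories, dotfiles and helper files are never served
    location ~ ^/(config|tmp|core|lang|vendor)/    { deny all; }
    location ~ /\.                                 { deny all; }
    location ~ \.(?:ini|md|txt|log|sh|bat|tpl)$    { deny all; }

    # Every other .php file (plugin internals, vendored code) is refused outright,
    # because regex locations are tried in order and the entry points matched above
    location ~ \.php$ { deny all; }
}
```

Run sudo nginx -t after editing: a missing certificate file or a duplicated directive is reported there, before the restart.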

You know how to improve this config? Open a pull request or GitHub issue!


matomo-nginx's Issues

blacklist.conf not found

Thanks for this conf file - it has been very useful to me. You may want to include a blacklist.conf file in the sites-available directory, so that nginx does not give an error.

wrong socket location for php-cgi

the README file says that the default configuration uses php-cgi, and

Note that the default socket type is UNIX and the config assumes it to be listening on unix:/tmp/php-cgi/php-cgi.socket, if using the php-cgi

However, this file sets it to unix:/var/run/php-fpm.sock, which means that the default configuration doesn't work.

unable to login on fresh installation

I have a new installation of piwik on an nginx server, but I'm having a problem logging in, with this error: Error: Form security failed. Please reload the form and check that your cookies are enabled. If you use a proxy server, you must configure Piwik to accept the proxy header that forwards the Host header. Also, check that your Referer header is sent correctly. I tried on different browsers, cleared the cache, enabled cookies, to no avail.

I added these to my config.ini file:
[General]
assume_secure_protocol = 1
force_ssl=1
proxy_client_headers[] = HTTP_X_FORWARDED_FOR
proxy_client_headers[] = HTTP_CLIENT_IP

Please help

Configure script

Installing Piwik on nginx is simply a pain. A configure script where the user types in a domain name would really help. Especially one that knew what dependencies to install (Amazon EC2 needs PHP 5.5, nginx, mysql, etc...)

Missing snippets/fastcgi-php.conf

The comment states # if your Nginx setup doesn't come with a default fastcgi-php config replace this with the one from this repository. But there is no fastcgi-php.conf file in this repository.

Would be nice to provide one (even if it is super obvious what you should put into it, it is not for me).

Use of caching piwik.php

Looking at the proposed config, I'm wondering what the use of the piwik.php cache is? The piwik.php file is used for tracking, thus:

  • You do not want to cache any requests, since that would interfere with tracking
  • Every request carries a unique query string, so nothing is cached with the current config

So, why is the caching config there?

net::ERR_EMPTY_RESPONSE: The server closed the connection without sending any data.

I have installed piwik with nginx completely, and when I reload the webpage, the chrome console shows an error like net::ERR_EMPTY_RESPONSE: The server closed the connection without sending any data. After checking the config for a while, I found the solution.
The problem has nothing to do with piwik, but with the nginx config. In the official nginx conf, I found a line like this

    location ~* ^.+\.(?:jpg|png|css|gif|jpeg|js|swf)$ {
        # Defining the valid referers.
        valid_referers none blocked *.piwik.com othersite.com;   # change this line to fix the problem
        if ($invalid_referer) {
            return 444;
        }
        expires max;
        break;
    }

When we add the tracker to another site for tracking, the application will get piwik.js from the piwik application, and if this conf doesn't contain the referring URL, nginx will reject the request and return HTTP code 444. My solution is to add the valid URL here, and the error disappears.

Default configuration makes dashboard unusable

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' http: https: data: blob: 'unsafe-inline'".

That's with the conf from this repo and no other changes, on a fresh install of Matomo :)

A CSP is required in some of the blocks:

add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; base-uri 'self'; frame-src 'self'; object-src 'self'";

Another issue I see is that manifest.json is also 403'd by default with the configuration in this repo.

Access to new php file is needed

We, the Piwik team, released a new feature yesterday called Heatmap & Session Recording. In order for it to automatically work, it needs to make a request to a file "plugins/HeatmapSessionRecording/configs.php" when tracking. This file will for example decide if it is needed to record a visitors session or not.

It would be great to adjust piwik-nginx to make that file accessible.

New maintainer?

Hi there,

It seems the project is not maintained anymore, although many people rely on it for Nginx Piwik configuration.

If someone is interested to maintain this repository under the official umbrella of Piwik we would love to collaborate. The goals are to merge & review pull requests, and ensure the project is maintained when changes are required to ensure compatibility with the latest Piwik, for example: #37

@perusio what do you think? Or maybe you'd still be keen to maintain the project?

Thanks all!

Matthieu
Piwik founder

not working with piwik 2.2

just upgraded to piwik 2.2 and this config seems not to work correctly anymore: the "All Websites" menu does not display any websites anymore...

is your nginx config compatible with piwik 2.2?

Getting Loadbalancer IP on Piwik dashboard.

Hi,

I'm trying to move piwik from apache to Nginx using the below mentioned code, but after shifting traffic to Nginx I'm getting the load-balancer's internal IP on the Piwik dashboard.

https://github.com/perusio/piwik-nginx

  • In piwik config.ini.php
    proxy_client_headers[] = "HTTP_X_FORWARDED_FOR"

I don't have any clue how to resolve this issue.

Please let me know if other information is required.

Shouldn't .md files be denied?

Shouldn't access to .md files be denied, considering the CHANGELOG.md file contains (possibly) sensitive version information?

Problems caching Piwik's index.php

Hi,

I am encountering a really weird problem. I am using nginx 1.0.10 with PHP 5.3.8 running as PHP FPM and using your config files for piwik (v1.6), having changed the bare minimum (server_name and things like that, but nothing much more).

Now the problem I get is that somehow the caching of index.php gets totally messed up: for example, I log out of Piwik and log in as another user, and then I see the stuff of the previous user. For me this is a real security issue. So somehow the new user I log in as gets the data cached from the previous user. Totally weird...

Now I noticed that if I uncomment the following two lines, as you can see below, in the "location = /index.php" in server{}:

    ## FastCGI cache.
    ## cache ui for 5m (set the same interval of your crontab)
    include sites-available/fcgi_cache.conf;
    fastcgi_cache_valid 5m;

I don't get this problem anymore. So it is pretty much related with caching... Now I still would like to be able to use caching but without this big problem.

Do you have any clues where this problem could come from? is it your config files? is it my piwik setup? or anything else?

Thanks in advance for your feedback.

nginx: [warn] and [emerg] | config failed

nginx: [warn] server name "$scheme://stats.example.com$request_uri" has suspicious symbols in /etc/nginx/sites-enabled/stats.example.com:15
nginx: [emerg] "expires" directive is duplicate in /etc/nginx/apps/piwik/proxy_piwik_cache.conf:30
nginx: configuration file /etc/nginx/nginx.conf test failed

*Note: I put stats.example back in for privacy reasons.

geoip

Hello Perusio,

does your config authorise the geoip location for Piwik, or do I have to modify it a little bit?

Don't have configuration errors by default

Some lines give configuration errors, such as:

ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;

The reason is obvious: the lines point to a non-existing file. The purpose of these lines is that they should be edited manually. I would like to ask that all lines that yield an invalid configuration and need to be edited manually be commented out or removed, with a description in their place.

Right now I cannot install the matomo nginx script and then run Let's Encrypt certbot, because it will choke on these configuration errors. The two lines in the link in particular don't need to be there, because certbot will offer to add them (with the nginx flag) if the conf file can be found.

I'm making an unattended install script and like as little manual intervention as possible.

Why override a lot of existing nginx files???

git clone https://github.com/perusio/piwik-nginx.git /etc/nginx

seems a bit crazy to advise replacing the current nginx.conf with the one from the repo just like that ...

yes ok, you make a backup with nginx.old, which should then be deleted later on??

Is there a configuration available that concentrates on just making piwik work and doesn't mess around with all the fastcgi configuration and other configs not directly related to piwik??

Referer blocking piwik.js

One other item that you may want to consider: referer blocking js files by default. People who blindly install your Piwik nginx config (and do not set up the referer blocking domains correctly) may be confused when one of their sites does not work.

Seems like you should allow it by default, and then if someone wants to harden his install, to uncomment a line that has the added JS referer blocking.

Not too important, but may make it easier to use for newbies.

Do not cache tag manager preview files

To make sure the newest version of a preview container in tag manager is always served, we should prevent caching in the browser. For the apache version see matomo-org/matomo#13977
Header set Cache-Control "Cache-Control: private, no-cache, no-store" for ^js/container_.*_preview\.js$

Otherwise the user will need to use ctrl+r or something to reload a page that includes a preview file to make sure the cache is ignored and many users would not know that.

php7.0-fpm

Is php7.2-fpm required for this to work? I'm using 7.0 and Matomo's PHP files don't get executed

site_available/fcgi_cache.conf use $no_cache but not defined

I want to use the microcaching system.

So I have included fcgi_cache.conf for my piwik.php (in my site conf).

And I can't start because of the $no_cache variable missing.

In fastcgi_cache_zone.conf, I have added this:
    map $http_cookie $no_cache {
        default 0;
        ~_mcnc 1;
    }

It automatically sets no_cache depending on the presence of _mcnc in http_cookie. But this part is still not set.

If I take a look at this : http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n

I see that _mcnc is set in some way; I can try to copy that, but I'm not sure it is OK for piwik.

Could you take a look? Maybe you already have a solution for this. I would love to have the full conf for piwik.

Thanks
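One way to fix both the undefined $no_cache from this post and the cross-user index.php caching reported in the earlier issue "Problems caching Piwik's index.php", as an added example rather than the repository's fcgi_cache.conf or fastcgi_cache_zone.conf: the maps live in the http{} context so every included file that references $no_cache finds it defined, and any request that carries a Matomo/Piwik session cookie, the _mcnc opt-out cookie from the post above, or a non-GET/HEAD method is neither stored in nor answered from the cache. The cache path, the zone name, the socket path and the session cookie names MATOMO_SESSID / PIWIK_SESSID are assumptions.

```nginx
# Added example, not the repository's fcgi_cache.conf or fastcgi_cache_zone.conf.
# --- http {} context: one cache zone and the maps that compute $no_cache ---
fastcgi_cache_path /var/cache/nginx/matomo levels=1:2 keys_zone=matomo_ui:10m
                   max_size=256m inactive=10m;

# 1 when the request belongs to a logged-in session or carries the _mcnc opt-out cookie.
# The session cookie names MATOMO_SESSID / PIWIK_SESSID are an assumption.
map $http_cookie $session_no_cache {
    default                    0;
    ~(?:MATOMO|PIWIK)_SESSID=  1;
    ~_mcnc=                    1;
}

# 1 for every method that may change state
map $request_method $method_no_cache {
    default  1;
    GET      0;
    HEAD     0;
}

# $no_cache is 0 only for anonymous GET/HEAD requests; everything else bypasses the cache
map "$session_no_cache$method_no_cache" $no_cache {
    default  1;
    "00"     0;
}

# --- inside the server {} block of sites-available/matomo.conf ---
# UI entry point: cache anonymous pages for the archive interval, never a session
location = /index.php {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path

    fastcgi_cache        matomo_ui;
    fastcgi_cache_key    "$scheme$host$request_uri";
    fastcgi_cache_valid  200 5m;      # same interval as the archive cron job
    fastcgi_no_cache     $no_cache;   # do not store responses to these requests
    fastcgi_cache_bypass $no_cache;   # do not answer them from the cache either
    # responses carrying Set-Cookie (a fresh login) are never cached by nginx by default
}

# Tracker endpoint: every hit is unique, so no cache directives at all
location ~ ^/(matomo|piwik)\.php$ {
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

To verify the behaviour, log $upstream_cache_status in your access log format and confirm that requests sent with a session cookie show BYPASS while anonymous repeats show HIT.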

comment refers to a missing file

A comment in the main config says:

# if your Nginx setup doesn't come with a default fastcgi-php config replace this with the one from this repository

There is no fastcgi-php config file in the repo though (anymore).

deny of .git/config

Required Private Directories | https://xxxxxxx/.git/config

We found that the above URLs are accessible via the browser, but they should NOT be. Allowing them to be accessed can pose a potential security risk since the contents can provide information about your server and potentially your users. Please restrict access to them.

The libs|vendor|plugins|misc|node_modules rule breaks Matomo

This rule:

location ~ ^/(libs|vendor|plugins|misc|node_modules) {
    deny all;
    return 403;
}

breaks my site completely. I have not narrowed it down yet because I don't want the site to be down while trying configs, but it seems like that rule denies JS files that are needed for Matomo to work.

topic/new_conf - give me your point

hi !
I have created a new topic; tell me your point on this.
I use a generic piwik conf; people should be able to not change it.

There is no default nor upstream anymore.

I have added a piwik_vars.conf, and set root / host and sock or proxy in it, so all the conf uses it.

I have made piwik a default conf and auto-enabled it.

The readme needs to be adapted.

Could you take a look and tell me what you think of it?

I can't use the vars to set the path of the fcgi root dir, too bad, but everything else should be good.

I have checked the host and www.hostname and made the same kind of error.

I can't use it to invalidate bad hostnames; valid_referrer doesn't support vars.

All conf are relative now, and all conf are in the root dir of nginx, not in a piwik subdir.

I created a piwik.conf in site-available and site-enable (as a symlink) because this conf is really made for this, and the name seems good like this.

Give me your point, so we can merge it to master.

Fix helper files regex

piwik.conf
As far as I understand, your helper files regex should be modified to something like this:

(.*) for any filename; exclude .md files as well:
    location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$
    location ~* (.*)\.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml|md)$

What do you think?

Matomo not working properly in Azure App Service with PHP 8 and Nginx

We are having problems running Matomo 4.6.2 in Azure App Service (Linux based) with PHP 8 and Nginx server. If we run Matomo from the App Service's /home/site/wwwroot/ directory the problems occur. If we copy the Matomo files over to a different directory (/var/www/html owned by the same user running the Nginx) it works just fine. The /home directory should be used for apps deployed in App Service.

Is this some kind of permission issue? It is not possible to modify /home permission in Azure App Service. We used https://github.com/matomo-org/matomo-nginx as base config for our Nginx configuration.

Expected Behavior

Matomo works with the Azure App Service + PHP8 + Nginx combination as it is working with Azure App Service with PHP7 and Apache from the default App Service directory.

Current Behavior

Matomo loads very slow, resources (CSS, images) not getting loaded and nothing works. No errors in logs though.

Possible Solution

Temporary workaround is to run the Matomo from different directory (/var/www/html). In this case Matomo works just fine.

Steps to Reproduce (for Bugs)

  1. Set up an Azure Linux-based App Service with PHP8 and Nginx and deploy Matomo
  2. Use Nginx config from https://github.com/matomo-org/matomo-nginx

Context

Your Environment

  • Matomo Version: 4.6.2
  • PHP Version: 8.0.11
  • Server Operating System: Azure App Service (Linux)
  • Additionally installed plugins:
  • Browser:
  • Operating System:

piwik.js is blocked by valid_referers setting

I have 50+ sites that are connected to piwik instance, and it is not very convenient to add each of them to nginx referer validation. The only file that is needed to be excluded from this validation rule is "piwik.js"

Review new configs

I looked through your changes and have some additional hints:

Combine these two locations:

location ~ /(config|tmp|core|lang) {

location ~ /(libs|vendor|plugins|misc/user) {

Do not serve .ht files:

    location ~ /\.ht {
        deny all;
    }

Serve .well-known:

    location ^~ /.well-known {
        allow all;
        default_type "text/plain";
    }

Make sure httpoxy is prohibited:

    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    fastcgi_param HTTP_PROXY "";

You did not provide an nginx.conf, but there are some more important configs to consider. Are you sure you do not want to provide one?

deny of /config/config.ini.php

Hello,

on my nginx 1.13.1 the deny of /config/config.ini.php does not work; I can access (download) it as octet/stream

Valid Referrer Question

I noticed that when I put the referrer as *.example.com (substituting my domain of course) visits are not getting tracked. However, if I put it as example.com visits are tracked but images are not loaded in piwik. I have piwik in a subdomain.

I disabled the referrer check and everything works great.

Suggestions?

Best practice for combining two of your configs with SSL

Obviously there's a lot of overlap between your various configs, so I've tried to take that into account. I've had a solid drupal + piwik config combination working previously, but after updating both Piwik and the Drupal site, enabling SSL with SPDY, the Piwik end 'dropped off' (I'm getting 404s at the moment, but also had bad gateway 502 errors with a few tweaks...).

I'm having trouble piecing the right config back together. I have a piwik.conf in sites-enabled, as per your example, which includes the apps/piwik/piwik.conf file also. The latter seems to have no effect on a TLS/SSL setup. I've done the following with the former (sites-enabled/piwik.conf):

server {
    listen 80;
    server_name piwik;
    return 301 https://www.domainname.com/piwik/$request_uri;
}

server {
    listen 443 ssl spdy;

    limit_conn arbeit 32;
    server_name piwik1;
    keepalive_timeout 75 75;

    ssl_certificate /etc/ssl/certs/acme.pem;
    ssl_certificate_key /etc/ssl/private/acme.key;

    ## Access and error log files.
    access_log /var/log/nginx/stats.domainname.com_access.log;
    error_log /var/log/nginx/stats.domainname.com_error.log;

    root /usr/share/nginx/www/piwik;
    index index.php;

    ## Include the piwik configuration.
    include apps/piwik/piwik.conf;
}

I'll admit having a weak grasp on server_names when used with sub-directories and, well, nginx in general at times.

In the apps/piwik/piwik.conf file I did try to adjust the location blocks to include /piwik before each location (ie. /piwik/favicon.ico etc.) but that didn't seem to do it either, esp. given that the root is given in the sites-enabled config.

Any idea where I'm going wrong, and what others have done to fix this?

Thanks in advance.

try_files duplicate

There is a try_files in the first defined location and one in location /. This prevents nginx from loading as it's complaining about duplicate try_files. How can I fix this?

$no_cache better setting and cache for ui

Hi, thanks for the other patch, but I have a suggestion:

for piwik.php the no_cache should always be set to 0.
for the ui, we can have another directory of cache, with all modules except POST and Real Time cache.
All settings should not be cached either.

I run the crontab (archive.sh) every 5 min, or anything;
when the archive runs, we can delete the cache directory to force a refresh.
Another way is to set the time of cache equal to the frequency at which you run archive.sh.

So 2 vars could be added:

time_of_cache
subdir_for_cache

for piwik.php
no_cache=0
time_of_cache = 2h
subdir_for_cache = stats

for index.php
time_of_cache = 5m (or anything we set for the crontab)
subdir_for_cache = ui (may be auto-deleted by crontab, but if time_of_cache is set the same, skip the delete)
no_cache = 1 by default
except: module for stats

or no_cache = 0 by default
except POST, configuration module

I will set this up, and propose a patch

Denying /plugins results in missing images/icons in the GUI

The current suggestion is to render a 403 forbidden response to requests for /plugins/..., with the following rule (see https://github.com/matomo-org/matomo-nginx/blob/5b232af8ec1fd9d033f1c4ab9343f4073df64644/sites-available/matomo.conf#L80C1-L83C6):

    location ~ ^/(libs|vendor|plugins|misc|node_modules) {
        deny all;
        return 403;
    }

This results in e.g. the Matomo Logo on top left corner of the Matomo GUI to be unavailable: https://your.webserver.tld/plugins/Morpheus/images/logo.svg?matomo

Suggested solution: add a more specific location matcher so that requests to images are still possible, but not necessarily everything under /plugins/ is reachable.
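As an added example (not a rule from the repository), one way to implement the suggested more specific matcher: static asset types under /plugins/ are whitelisted by extension in a regex location placed before the deny rule, because nginx tries regex locations in file order and stops at the first match. The extension list is an assumption; extend it if the GUI still misses files.

```nginx
# Added example, not the repository's rule. Static assets under /plugins/ stay
# reachable; everything else there (PHP, templates, ini, docs) stays denied.
# Regex locations are tried in file order and the first match wins, so the allow
# rule must come before the deny rule it carves an exception out of.
location ~ ^/plugins/[^/]+/.*\.(?:png|jpe?g|gif|svg|ico|css|js|woff2?|ttf|eot)$ {
    expires 1d;            # Expires + Cache-Control: max-age for browser caching
    try_files $uri =404;   # serve the file from disk; never fall through to index.php
}

location ~ ^/(libs|vendor|plugins|misc|node_modules) {
    deny all;
    return 403;
}
```

plugins/HeatmapSessionRecording/configs.php from the issue "Access to new php file is needed" is still denied by this pair and needs its own PHP location ahead of the deny rule.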

piwik apps doesn't work

I have this setting:

http://stats.example.com/

so, it tries this:

http://stats.example.com/?account...

and your conf says to redirect to index.php (without the query string)

here is the fix:

instead of this:
    ## Try all locations and relay to index.php as a fallback.
    location / {
        try_files $uri /index.php;
    }

we need this:

    ## Try all locations and relay to index.php as a fallback.
    location / {
        try_files $uri /index.php?$query_string;
    }

Warnings about sensitive files being exposed during Matomo setup still there after using this repository

While running through the current 4.11.0 setup and using the files in the repository, I still get

PHP FPM will ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to exclude certain directories from being handled by PHP FPM. For more information please see the official nginx server configuration

To ensure that sensitive files cannot be accessed directly it is recommended to configure your web server to restrict access to certain directories. For more information please see the official nginx server configuration

in PHP SAPI and Server info.

Isn't the solution to these errors to utilize the files in this repository?
