@hellekin
Created June 12, 2012 19:06
Running Piwik behind Nginx
Explanation of the setup:
- a frontend server runs Nginx
- a backend server runs the PHP application
In the original setup, both are virtual machines on the same host, so parts of the Piwik tree can be mounted on the frontend. YMMV (without that possibility, security.limit_extensions would also have to include .js and .css).
; This is a PHP5-FPM pool configuration
; The Piwik-specific information is commented
;
; /etc/php5/fpm/pool.d/piwik.conf
;;
;; Piwik pool
;;
[piwik]
; IP of the PHP app
listen = 192.0.2.123:9000
listen.backlog = -1
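; IP of the Nginx frontend
; (the value below is a placeholder: 321 is not a valid IPv4 octet, so
; substitute the frontend's real address)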
listen.allowed_clients = 192.0.2.321
; Unix user/group of processes
; adduser --system --home /srv/php/piwik --no-create-home piwik
user = piwik
group = nogroup
; Choose how the process manager will control the number of child processes.
pm = dynamic
pm.max_children = 32
pm.start_servers = 8
pm.min_spare_servers = 4
pm.max_spare_servers = 16
pm.max_requests = 500
; logging
; mkdir -p -m 0750 /var/log/piwik
; chown piwik /var/log/piwik
log = /var/log/piwik/php-fpm_$pool.log
;slowlog = /var/log/piwik/php-fpm_$pool.slow.log
;request_slowlog_timeout = 30s
; Pass environment variables
env[HOSTNAME] = piwik.example.net
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /srv/php/piwik/tmp
env[TMPDIR] = /srv/php/piwik/tmp
env[TEMP] = /srv/php/piwik/tmp
; host-specific php ini settings here
; these will make all security audits of piwik go green
php_admin_value[open_basedir] = /srv/php/piwik:/srv/php/piwik/tmp
php_admin_value[file_uploads] = Off
php_admin_value[upload_tmp_dir] = /srv/php/piwik/tmp/uploads
php_admin_value[session.save_path] = /srv/php/piwik/tmp/sessions
php_admin_value[save_path] = /srv/php/piwik/tmp/sessions
; piwik insists on serving images via the PHP engine. Gaaaa
security.limit_extensions = .php .png .gif .js .css .ico
;; Note that modifying security.limit_extensions means that a carefully crafted
;; image will be able to run arbitrary PHP code. So make sure nobody can write
;; to your piwik directories.
#
## /etc/nginx/sites-available/piwik.example.net
#
# admin: hellekin
# type: php
# backend: app0.example.net:9000
#
server {
    listen 80;
    server_name piwik.example.net;
    access_log off;
    error_log /var/log/nginx/piwik.example.net_error.log;
    server_name_in_redirect off;
    root /srv/php/piwik;

    location / {
        try_files $uri @piwik;
    }

    location @piwik {
        include fastcgi_params;
        # This points to the backend IP
        fastcgi_pass 192.0.2.123:9000;
        # Example settings for FastCGI
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_index index.php;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_buffer_size 128k;
        fastcgi_buffers 4 256k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
        fastcgi_intercept_errors on;
        client_max_body_size 12M;
        client_body_buffer_size 256k;
    }

    # Optional: you need to create this
    error_page 404 /error/404.html;
    location /error/ {
        root /var/www/_/error;
    }
}
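The note in the pool file asks you to make sure nobody can write to the Piwik directories once security.limit_extensions is widened. One way to check that on the backend is sketched here as an added example (not part of the original gist): it reads the extension list from the pool file, then reports paths the pool user can write to and non-.php files that contain a PHP open tag. The function names are hypothetical, and only classic owner/group/other permission bits are considered.

```python
import os
import re
import stat

# "<?php" always opens PHP code; "<?=" does too on PHP 5.4 and later.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def limit_extensions(pool_conf_text):
    """Return the security.limit_extensions list from a PHP-FPM pool file."""
    for line in pool_conf_text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and key.strip() == "security.limit_extensions":
            return value.split()
    return []  # directive absent: no widened list to audit

def writable_by(st, uid, gids):
    """Classic owner/group/other write check (ignores ACLs and root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, extensions, uid, gids=()):
    """Yield (path, problem) for every finding under root."""
    extra = tuple(e.lower() for e in extensions if e.lower() != ".php")
    for dirpath, _dirs, files in os.walk(root):
        for name in [""] + files:  # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks are skipped, not followed
            if writable_by(st, uid, gids):
                yield path, "writable by pool user"
            if stat.S_ISREG(st.st_mode) and name.lower().endswith(extra):
                with open(path, "rb") as fh:
                    if PHP_TAG.search(fh.read()):
                        yield path, "PHP open tag in non-.php file"

if __name__ == "__main__":
    import pwd, sys  # usage: audit.py POOL_CONF ROOT USER
    with open(sys.argv[1]) as fh:
        exts = limit_extensions(fh.read())
    user = pwd.getpwnam(sys.argv[3])
    for path, problem in audit(sys.argv[2], exts, user.pw_uid, (user.pw_gid,)):
        print(f"{problem}: {path}")
```

The tmp, session and upload directories set in the pool file sit under the same root and must be writable by the pool user, so they will be reported.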