Skip to content

Instantly share code, notes, and snippets.

@javierguzman

javierguzman/matomo-server-config.yml

Created September 7, 2021 07:38
Show Gist options
  • Save javierguzman/0914a7dda6f7454c0213b179e892d9e3 to your computer and use it in GitHub Desktop.
Save javierguzman/0914a7dda6f7454c0213b179e892d9e3 to your computer and use it in GitHub Desktop.
Download ZIP
Matomo in Kubernetes
Raw
matomo-server-config.yml
kind: ConfigMap
apiVersion: v1
metadata:
name: matomo-server-configmap-$VERSION
data:
matomo-php-config: |
memory_limit=1536M
max_execution_time=1440
matomo-nginx-fastcgi: |
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
matomo-nginx-config: |
server {
listen [::]:5005; # remove this if you don't want Matomo to be reachable from IPv6
listen 5005;
server_name analytics.blabla.com;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
location / {
return 301 https://$host$request_uri;
}
}
server {
listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6
listen 443 ssl http2;
server_name analytics.blabla.com; # list all domains Matomo should be reachable from
access_log /var/log/nginx/matomo.access.log;
error_log /var/log/nginx/matomo.error.log;
## uncomment if you want to enable HSTS with 6 months cache
## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore)
#add_header Strict-Transport-Security max-age=15768000 always;
## replace with your SSL certificate
# ssl_certificate /etc/letsencrypt/live/analytics.blabla.com/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/analytics.blabla.com/privkey.pem;
# include ssl.conf; # if you want to support older browsers, please read through this file
add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
root /var/www/html/; # replace with path to your matomo instance
index index.php;
## only allow accessing the following php files
location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
include fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
#fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
}
## deny access to all other .php files
location ~* ^.+\.php$ {
deny all;
return 403;
}
## serve all other files normally
location / {
try_files $uri $uri/ =404;
}
## disable all access to the following directories
location ~ ^/(config|tmp|core|lang) {
deny all;
return 403; # replace with 404 to not show these directories exist
}
location ~ /\.ht {
deny all;
return 403;
}
location ~ js/container_.*_preview\.js$ {
expires off;
add_header Cache-Control 'private, no-cache, no-store';
}
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
allow all;
## Cache images,CSS,JS and webfonts for an hour
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
}
location ~ ^/(libs|vendor|plugins|misc|node_modules) {
deny all;
return 403;
}
## properly display textfiles in root directory
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}
# vim: filetype=nginx
Raw
matomo-server-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: matomo-server-deployment-$VERSION
annotations:
app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
spec:
replicas: 1
selector:
matchLabels:
subsystem: matomo-server-$VERSION
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 50%
maxUnavailable: 50%
template:
metadata:
labels:
subsystem: matomo-server-$VERSION
annotations:
app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
spec:
initContainers:
- name: wait-for-database
image: busybox:1.32
command: ['sh', '-c', 'until nslookup matomo-database-service-$VERSION; do echo waiting for database; sleep 2; done;']
volumes:
- name: matomo-config-volume-$VERSION
configMap:
name: matomo-server-configmap-$VERSION
- name: matomo-server-storage-$VERSION
persistentVolumeClaim:
claimName: matomo-server-persistent-volume-claim-$VERSION
containers:
- name: matomo-server-$VERSION
image: matomo:4.4-fpm-alpine
ports:
- containerPort: 9000
volumeMounts:
- name: matomo-config-volume-$VERSION
mountPath: /usr/local/etc/php/conf.d/php-configuration.ini
subPath: matomo-php-config
- name: matomo-server-storage-$VERSION
mountPath: /var/www/html
env:
- name: MATOMO_DATABASE_USERNAME
valueFrom:
secretKeyRef:
name: blabla
key: blabla
- name: MATOMO_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: blabla
key: blabla
- name: MATOMO_DATABASE_DBNAME
value: blabla
- name: MATOMO_DATABASE_TABLES_PREFIX
value: matomo_
- name: MATOMO_DATABASE_ADAPTER
value: mysql
- name: MATOMO_DATABASE_HOST
value: blabla
livenessProbe:
tcpSocket:
port: 9000
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 9000
initialDelaySeconds: 30
periodSeconds: 10
- name: matomo-nginx-$VERSION
image: bitnami/nginx:latest
ports:
- containerPort: 5005
livenessProbe:
tcpSocket:
port: 5005
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
tcpSocket:
port: 5005
initialDelaySeconds: 30
periodSeconds: 10
volumeMounts:
- name: matomo-config-volume-$VERSION
mountPath: /opt/bitnami/nginx/conf/server_blocks/matomo_nginx.conf
subPath: matomo-nginx-config
- name: matomo-config-volume-$VERSION
mountPath: /opt/bitnami/nginx/conf/fastcgi-php.conf
subPath: matomo-nginx-fastcgi
- name: matomo-server-storage-$VERSION
mountPath: /var/www/html
Raw
matomo-server-service.yml
apiVersion: v1
kind: Service
metadata:
name: matomo-server-service-$VERSION
annotations:
app.gitlab.com/app: ${CI_PROJECT_PATH_SLUG}
app.gitlab.com/env: ${CI_ENVIRONMENT_SLUG}
spec:
type: ClusterIP
selector:
subsystem: matomo-server-$VERSION
ports:
- port: 5005
targetPort: 5005
- port: 9000
targetPort: 9000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment