Skip to content

Instantly share code, notes, and snippets.

@xenithorb

xenithorb/piwik-nginx.conf

Last active August 22, 2018 11:52
Show Gist options
  • Save xenithorb/aa4252d1a43dc7c6660091df6189a948 to your computer and use it in GitHub Desktop.
Save xenithorb/aa4252d1a43dc7c6660091df6189a948 to your computer and use it in GitHub Desktop.
Download ZIP
Piwik flat-file nginx configuration
Raw
piwik-nginx.conf
#-*- mode: nginx; mode: flyspell-prog; mode: autopair; ispell-local-dictionary: "american" -*-
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
## ** This syntax requires nginx version >=
## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
## ** version then use the limit_zone directive below
## ** instead. Comment out this
## ** one if not using nginx version >= 1.1.8.
limit_conn_zone $binary_remote_addr zone=arbeit:10m;
## Hide the Nginx version number.
server_tokens off;
fastcgi_cache_path /var/cache/nginx/fcgicache levels=1:2 keys_zone=fcgicache:100k max_size=10M inactive=3h loader_threshold=2592000000 loader_sleep=1 loader_files=100000;
### Conditions for not caching in Piwik.
## When we go through installation or when we're on the dashboard for
## specific tasks.
map $arg_module $no_cache {
default 0;
Installation 1; # when invoking the installation module.
~[^\&]*(?:Dashboard|Live|Goals|Admin|Manager) 1; # some tasks
}
## The first installation steps don't invoke the installation module.
map $arg_action $no_cache {
default 0;
systemCheck 1;
databaseSetup 1;
}
## Testing for the session cookie being present. If there is then no
## caching is to be done.
map $http_cookie $no_cache {
default 0;
~PIWIK_SESSID 1; # Piwik session cookie
}
## Add here all user agents that are to be blocked.
map $http_user_agent $bad_bot {
default 0;
libwww-perl 1;
~(?i)(httrack|htmlparser|libwww) 1;
}
## Add here all referrers that are to blocked.
map $http_referer $bad_referer {
default 0;
~(?i)(babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|webcam|zippo|casino|replica) 1;
}
upstream phpcgi {
server unix:/var/run/php-fpm/www.sock;
}
### Nginx configuration for Piwik.
server {
listen 80;
server_name host.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name host.example.com;
include inc.d/ssl.inc;
ssl_certificate /etc/letsencrypt/live/host.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/host.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/host.example.com/chain.pem;
ssl_dhparam /etc/letsencrypt/live/host.example.com/dh2048.pem;
## Use a SSL/TLS cache for SSL session resume. This needs to be
## here (in this context, for session resumption to work. See this
## thread on the Nginx mailing list:
## http://nginx.org/pipermail/nginx/2010-November/023736.html.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
limit_conn arbeit 64;
## Access and error log files.
access_log /var/log/nginx/host.example.com_access.log;
error_log /var/log/nginx/host.example.com_error.log;
## See the blacklist.conf file at the parent dir: /etc/nginx.
## Deny access based on the User-Agent header.
#
# -> Uncomment the lines below to enable bad bot blocking based
# on UA string.
if ($bad_bot) {
return 444;
}
# -> Uncomment the lines below to enable bad bot blocking based
# on referer header.
# Deny access based on the Referer header.
if ($bad_referer) {
return 444;
}
root /var/www/sites/host.example.com;
index index.php;
### fastcgi configuration.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_buffers 256 4k;
fastcgi_intercept_errors on;
## allow 4 hrs - pass timeout responsibility to upstrea
fastcgi_read_timeout 14400;
fastcgi_index index.php;
## Handling of IPs in proxied and load balancing situations.
set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
## Enable clickjacking protection in modern browsers. Available in
## IE8 also. See
## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
add_header X-Frame-Options SAMEORIGIN;
## Try all locations and relay to index.php as a fallback.
location / {
## Disallow any usage of piwik assets if referer is non valid.
location ~* ^.+\.(?:css|gif|html?|jpe?g|js|png|swf)$ {
## Defining the valid referers.
valid_referers none blocked *.opsech.io;
if ($invalid_referer) {
return 444;
}
expires max;
## No need to bleed constant updates. Send the all shebang in one
## fell swoop.
tcp_nodelay off;
## Set the OS file cache.
open_file_cache max=500 inactive=120s;
open_file_cache_valid 45s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
}
## Do not serve HTML files from the /tmp folder.
location ~* ^/tmp/.*\.html?$ {
return 404;
}
## Redirect to the root if attempting to access a txt file.
location ~* (?:DESIGN|(?:gpl|README|LICENSE)[^.]*|LEGALNOTICE)(?:\.txt)*$ {
return 404;
}
## Disallow access to several helper files.
location ~* \.(?:bat|git|ini|sh|svn[^.]*|txt|tpl|xml)$ {
return 404;
}
try_files $uri /index.php?$query_string;
}
## Support for favicon. Return a 1x1 transparent GIF it it doesn't
## exist. doesn't exist.
location = /favicon.ico {
try_files /favicon.ico @empty;
}
location @empty {
empty_gif;
}
## Relay all index.php requests to fastcgi.
location = /index.php {
fastcgi_pass phpcgi;
## The cache zone referenced.
fastcgi_cache fcgicache;
## The cache key.
fastcgi_cache_key $host$request_uri;
## For 200 and 301 make the cache valid for 5 minutes.
fastcgi_cache_valid 200 301 5m;
## For 302 make it valid for 3 minutes.
fastcgi_cache_valid 302 3m;
## For 404 make it valid 1 minute.
fastcgi_cache_valid 404 1m;
## If there are any upstream errors or the item has expired use
## whatever it is available.
fastcgi_cache_use_stale error timeout invalid_header updating http_500;
## The Cache-Control and Expires headers should be delivered untouched
## from the upstream to the client.
fastcgi_ignore_headers Cache-Control Expires;
## If we have a cookie we should bypass the cache. The same if we have a
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
## Add a cache miss/hit status header.
add_header X-Piwik-Cache $upstream_cache_status;
## To avoid any interaction with the cache control headers we expire
## everything on this location immediately.
expires epoch;
}
## Relay all piwik.php requests to fastcgi.
# # location = /piwik.php {
location ~* /(piwik\.php|js) {
fastcgi_pass phpcgi;
## The cache zone referenced.
fastcgi_cache fcgicache;
## The cache key.
fastcgi_cache_key $host$request_uri;
## For 200 and 301 make the cache valid for 2 hours.
fastcgi_cache_valid 200 301 2h;
## For 302 make it valid for 30 minutes.
fastcgi_cache_valid 302 30m;
## For 404 make it valid 10 minutes.
fastcgi_cache_valid 404 10m;
## If there are any upstream errors or the item has expired use
## whatever it is available.
fastcgi_cache_use_stale error timeout invalid_header updating http_500;
## The Cache-Control and Expires headers should be delivered untouched
## from the upstream to the client.
fastcgi_ignore_headers Cache-Control Expires;
## If we have a cookie we should bypass the cache. The same if we have a
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
## Add a cache miss/hit status header.
add_header X-Piwik-Long-Cache $upstream_cache_status;
## To avoid any interaction with the cache control headers we expire
## everything on this location immediately.
expires epoch;
}
## Any other attempt to access PHP files returns a 404.
location ~* ^.+\.php$ {
return 404;
}
## No crawling of this site for bots that obey robots.txt.
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
}
} # server
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment