Michel Memeteau · Michel Memeteau · Michel Memeteau · Michel Memeteau · Michel Memeteau · Michel Memeteau
--- a/docker-compose.yml
+++ b/docker-compose.yml
-version: '2'
+version: '2.4'
 networks:
  lb_web:
    external: true
  back:
    driver: bridge
+    ipam:
+      driver: default
+      config:
+      - subnet: 10.0.${SUBNET}.0/24
 services:
-  db:
-    image: mysql:5.7
-    volumes:
-      - ./mysql/runtime:/var/lib/mysql
-    environment:
-      - MYSQL_ROOT_PASSWORD
-    networks:
-    - back
-  app:
-    image: piwik:fpm
-    links:
-      - db
-    volumes:
-      - ./config:/var/www/html/config
-    networks:
-    - back
  web:
    image: nginx
    volumes:
-      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
    links:
      - app
    volumes_from:
@@ -32,21 +20,30 @@ services:
    environment:
      - VIRTUAL_HOST
    networks:
-    - back
+      - back
-    - lb_web
+      - lb_web
-  cron:
+  app:
-    image: piwik:fpm
+    image: matomo:${MATOMO_VERSION}
+    volumes:
+      - ./data/html:/var/www/html/
    links:
-      - db
+        - db
-    volumes_from:
+    environment:
-      - app
+      - MATOMO_DATABASE_ADAPTER
-    entrypoint: |
+      - MATOMO_DATABASE_TABLES_PREFIX
-      bash -c 'bash -s <<EOF
+      - MATOMO_DATABASE_USERNAME
-      trap "break;exit" SIGHUP SIGINT SIGTERM
+      - MATOMO_DATABASE_PASSWORD
-      while /bin/true; do
+      - MATOMO_DATABASE_DBNAME
-        su -s "/bin/bash" -c "/usr/local/bin/php /var/www/html/console core:archive" www-data
+    networks:
-        sleep 3600
+      - back
-      done
+  db:
-      EOF'
+    image: mariadb:${MYSQL_VERSION}
+    volumes:
+      - ./mysql/runtime:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD
+      - MYSQL_PASSWORD
+      - MYSQL_DATABASE
+      - MYSQL_USER
    networks:
-    - back
+      - back
\ No newline at end of file
--- a/nginx.conf
+++ b/nginx.conf
-user www-data;
+upstream php-handler {
+	server app:9000;
-events {
-  worker_connections 768;
 }
-http {
+server {
-  upstream backend {
+	listen 80;
-    server app:9000;
-  }
+	add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
+	root /var/www/html; # replace with path to your matomo instance
-  include /etc/nginx/mime.types;
+	index index.php;
-  default_type application/octet-stream;
+	try_files $uri $uri/ =404;
-  gzip on;
-  gzip_disable "msie6";
+	## only allow accessing the following php files
+	location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
-  server {
+		# regex to split $uri to $fastcgi_script_name and $fastcgi_path
-    listen 80;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    root /var/www/html/;
+		# Check that the PHP script exists before passing it
-    index index.php index.html index.htm;
+		try_files $fastcgi_script_name =404;
-    location / {
+		include fastcgi_params;
-      try_files $uri $uri/ =404;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    }
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
-    error_page 404 /404.html;
+		fastcgi_pass php-handler;
-    error_page 500 502 503 504 /50x.html;
+	}
-    location = /50x.html {
-      root /usr/share/nginx/html;
+	## deny access to all other .php files
-    }
+	location ~* ^.+\.php$ {
+		deny all;
-    location = /favicon.ico {
+		return 403;
-      log_not_found off;
+	}
-      access_log off;
-    }
+	## disable all access to the following directories
+	location ~ /(config|tmp|core|lang) {
-    location ~ \.php$ {
+		deny all;
-      fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+		return 403; # replace with 404 to not show these directories exist
-      fastcgi_param  SERVER_SOFTWARE    nginx;
+	}
-      fastcgi_param  QUERY_STRING       $query_string;
+	location ~ /\.ht {
-      fastcgi_param  REQUEST_METHOD     $request_method;
+		deny all;
-      fastcgi_param  CONTENT_TYPE       $content_type;
+		return 403;
-      fastcgi_param  CONTENT_LENGTH     $content_length;
+	}
-      fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
-      fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+	location ~ js/container_.*_preview\.js$ {
-      fastcgi_param  REQUEST_URI        $request_uri;
+		expires off;
-      fastcgi_param  DOCUMENT_URI       $document_uri;
+		add_header Cache-Control 'private, no-cache, no-store';
-      fastcgi_param  DOCUMENT_ROOT      $document_root;
+	}
-      fastcgi_param  SERVER_PROTOCOL    $server_protocol;
-      fastcgi_param  REMOTE_ADDR        $remote_addr;
+	location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
-      fastcgi_param  REMOTE_PORT        $remote_port;
+		allow all;
-      fastcgi_param  SERVER_ADDR        $server_addr;
+		## Cache images,CSS,JS and webfonts for an hour
-      fastcgi_param  SERVER_PORT        $server_port;
+		## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
-      fastcgi_param  SERVER_NAME        $server_name;
+		expires 1h;
-      fastcgi_intercept_errors on;
+		add_header Pragma public;
-      fastcgi_pass backend;
+		add_header Cache-Control "public";
-    }
+	}
-  }
+	location ~ /(libs|vendor|plugins|misc/user) {
+		deny all;
+		return 403;
+	}
+	## properly display textfiles in root directory
+	location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+		default_type text/plain;
+	}
 }
+# vim: filetype=nginx
--- a/scripts/install
+++ b/scripts/install
+#!/bin/bash -eux
+#Versions
+source /etc/environment
+MATOMO_VERSION=4.8-fpm
+#Mariadb
+MYSQL_VERSION=10.5
+#Passwords 
+MYSQL_ROOT_PASSWORD=`tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 | xargs`
+MYSQL_PASSWORD=`tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 | xargs`
+MATOMO_DATABASE_PASSWORD=$MYSQL_PASSWORD
+#app
+MATOMO_DATABASE_HOST=db
+var=$(for folder in `ls /data/domains`; do cat /data/domains/$folder/.env | grep SUBNET | cut -d"=" -f2; done | sort | tail -n1)
+SUBNET=$(($var +1))
+# vars
+echo "SUBNET=${SUBNET}" >> .env
+echo "URL=${URL}" >> .env
+#echo "VIRTUAL_HOST=${URL}" >> .env
+echo "MAIL_DOMAIN=${MAIL_DOMAIN}" >> .env
+echo "SMTP_HOST=${MAIL_HOST}" >> .env
+echo "SMTP_PORT=${MAIL_PORT}" >> .env
+echo "SMTP_PASSWORD=${MAIL_PASS}" >> .env
+echo "MAIL_FROM_ADDRESS=${MAIL_USER}" >> .env
+echo "SMTP_NAME=${MAIL_USER}" >> .env
+#APP specific 
+MATOMO_DATABASE_ADAPTER=mysql
+MATOMO_DATABASE_TABLES_PREFIX=matomo_
+MATOMO_DATABASE_USERNAME=matomo
+MATOMO_DATABASE_DBNAME=matomo
+#Db specific 
+MYSQL_DATABASE=matomo
+MYSQL_USER=matomo
+#APP specific 
+echo "MATOMO_VERSION=${MATOMO_VERSION}" >> .env
+echo "MATOMO_DATABASE_ADAPTER=${MATOMO_DATABASE_ADAPTER}" >> .env
+echo "MATOMO_DATABASE_TABLES_PREFIX=${MATOMO_DATABASE_TABLES_PREFIX}" >> .env
+echo "MATOMO_DATABASE_USERNAME=${MATOMO_DATABASE_USERNAME}" >> .env
+echo "MATOMO_DATABASE_HOST=${MATOMO_DATABASE_HOST}" >> .env
+echo "MATOMO_DATABASE_DBNAME=${MATOMO_DATABASE_DBNAME}" >> .env
+echo "MATOMO_DATABASE_PASSWORD=${MATOMO_DATABASE_PASSWORD}" >> .env
+#DB specific
+echo "MYSQL_DATABASE=${MYSQL_DATABASE}" >> .env
+echo "MYSQL_USER=${MYSQL_USER}" >> .env
+echo "MYSQL_PASSWORD=${MYSQL_PASSWORD}" >> .env
+echo "MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}" >> .env
+echo "MYSQL_VERSION=${MYSQL_VERSION}" >> .env