This is a small nginx configuration that should help you get your own Matomo instance running and start collecting your own analytics.
I already know nginx
In this case it should be enough to just take the sites-available/matomo.conf, check if everything is configured as you like it and enable the config.
I want to get started
- clone this repository or download it as a zip, then move its content to /etc/nginx/ (or wherever you store your nginx config)
- read through sites-available/matomo.conf and modify the settings to fit your use case:
  - set server_name to the domain(s) of your Matomo instance
  - set the path to your SSL certificate (I really recommend making sure your Matomo instance is only reachable via HTTPS. If you don't have an SSL certificate for your domain yet, check out Let's Encrypt.)
  - do you want to support old browsers? Then you'll need to modify ssl.conf according to your needs (the Mozilla SSL Config Generator will help you)
  - replace /var/www/matomo/ with the path to your Matomo instance
  - configure PHP (this depends on your OS and PHP setup)
    - if you are using fastcgi (which is probably the case), set fastcgi_pass to the path of your PHP socket file
      - you can also specify a TCP port
- go to the sites-enabled folder of your nginx config directory
- enable the Matomo config by creating a symlink: sudo ln -s ../sites-available/matomo.conf
- test if there is a syntax error in your config: sudo nginx -t
- restart nginx: sudo systemctl restart nginx
If you need to check the legacy nginx Matomo configuration, you can find it here: https://github.com/matomo-org/matomo-nginx/tree/1.0.99
Tips
- never use Matomo without HTTPS
- make sure you have configured Nginx to only accept modern and secure cryptography
- check your website with https://www.ssllabs.com/ssltest/
- compare your Nginx config with the "modern" template from https://mozilla.github.io/server-side-tls/ssl-config-generator/
  - this template is used by default in the ssl.conf file
- decide if keeping outdated ciphers and TLS protocols enabled to be able to track ancient browsers is worth the risk of a downgrade attack for all your visitors (and admins)
- never support SSLv3 and think about disabling TLSv1 and TLSv1.1
- add server_tokens off; to your config to disable the server: nginx header on all requests and the nginx version on error pages
- if you have enabled gzip compression (which improves performance greatly), be aware of the BREACH vulnerability
- think about enabling the Strict-Transport-Security header, but keep in mind the implications
- keep HTTP/2 enabled as it brings performance benefits with many small files (e.g. icons)
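The tips above, collected into one pair of server blocks with the weak alternative noted next to each setting. This is an added example, not this repository's matomo.conf or ssl.conf; the domain, certificate paths, PHP socket path, PHP entry-point list, TLS protocol choice and HSTS max-age are assumed placeholder values.

```nginx
# Added example; domain, certificate paths and PHP socket are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name matomo.example.org;
    server_tokens off;
    # Weak alternative: serving Matomo from this block over plain HTTP.
    return 301 https://matomo.example.org$request_uri;
}

server {
    # nginx 1.25.1 and later: use "listen 443 ssl;" plus "http2 on;" instead.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name matomo.example.org;
    root /var/www/matomo/;
    index index.php;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # Weak alternative: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # Assumed choice here: only TLS 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Removes the nginx version from the Server header and error pages.
    server_tokens off;

    # HSTS pins browsers to HTTPS for max-age seconds, so begin with a short
    # value (one day here, an assumed figure) and raise it once HTTPS is stable.
    # Any add_header inside a location replaces this inherited one there.
    add_header Strict-Transport-Security "max-age=86400" always;

    # Compress static assets only.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;

    # Assumed entry points; take the real list from sites-available/matomo.conf.
    location ~ ^/(index|matomo)\.php$ {
        # BREACH needs compressed responses that mix secrets with reflected
        # input, which is what dynamic PHP pages are: no gzip here.
        gzip off;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    # Every other PHP file is refused rather than served as source.
    location ~ \.php$ { return 403; }
}
```

Run sudo nginx -t after adapting the placeholders, as in the steps above.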
You know how to improve this config? Open a pull request or GitHub issue!