
@u8sand
Created February 13, 2023 18:24

matomo + nginx

Based off of the information here: https://github.com/matomo-org/docker/tree/master/.examples/nginx

However, instead of running two separate containers (nginx + matomo), a single container is created to serve matomo with nginx, which is more convenient in certain environments.

This is achieved simply by adding nginx and supervisord on top of the matomo image and running both nginx and php-fpm under supervisord.

# Compose variable file (presumably `.env` beside the compose file): the
# ${MYSQL_*} references in the compose file are substituted from these values.
# Database name and account shared by the matomo and mariadb services.
MYSQL_DATABASE=matomo
MYSQL_USERNAME=matomo
# Left blank in the published example. Set a long random value before the first
# start and keep the filled-in file out of version control; the same value is
# handed to both containers as an environment variable.
MYSQL_PASSWORD=
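# Compose file for the single-container Matomo (nginx + php-fpm) image and its
# MariaDB backend. ${MYSQL_*} values are substituted from the .env file.
version: '3'
services:
  matomo:
    build: .
    image: maayanlab/matomo:4.13.3
    ports:
      # Quoted so a YAML 1.1 parser cannot read HOST:CONTAINER as a base-60 integer.
      # This publishes plain HTTP on every host interface; when a TLS-terminating
      # proxy runs on the same host, binding to "127.0.0.1:8080:80" keeps the
      # unencrypted port off the network.
      - "8080:80"
    environment:
      - MATOMO_DATABASE_ADAPTER=mysql
      # NOTE(review): MARIADB_AUTO_UPGRADE is a variable of the mariadb image, so
      # it probably has no effect on this service and was meant for `mariadb`
      # below. Confirm before moving it.
      - MARIADB_AUTO_UPGRADE=1
      - MATOMO_DATABASE_TABLES_PREFIX=matomo_
      - MATOMO_DATABASE_HOST=mariadb
      - MATOMO_DATABASE_DBNAME=${MYSQL_DATABASE}
      - MATOMO_DATABASE_USERNAME=${MYSQL_USERNAME}
      # ":?" makes compose abort with this message when the password is unset or
      # empty, instead of starting the stack with a blank database password.
      - "MATOMO_DATABASE_PASSWORD=${MYSQL_PASSWORD:?MYSQL_PASSWORD must be set in .env}"
      - PHP_MEMORY_LIMIT=2048M
    volumes:
      # Bind mount of the whole Matomo web root; restrict host access to ./data.
      - ./data/matomo:/var/www/html
  mariadb:
    # Unpinned: this follows whatever `mariadb:latest` points to at pull time.
    # Pinning a tested tag (for example mariadb:<TESTED_VERSION>) avoids an
    # unplanned major-version jump of the database.
    image: mariadb
    environment:
      - MARIADB_DATABASE=${MYSQL_DATABASE}
      - MARIADB_USER=${MYSQL_USERNAME}
      - "MARIADB_PASSWORD=${MYSQL_PASSWORD:?MYSQL_PASSWORD must be set in .env}"
      # The image generates the root password itself on first initialisation;
      # it is reported in the container log, so treat that log as sensitive.
      - MARIADB_RANDOM_ROOT_PASSWORD=true
    volumes:
      - ./data/mariadb:/var/lib/mysql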
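# Single-container Matomo image: nginx and php-fpm run side by side under
# supervisord. The base image is pinned by tag only; adding its digest would
# make rebuilds reproducible and guard against a re-pushed tag.
FROM matomo:4.13.3-fpm-alpine

# nginx terminates HTTP and forwards PHP requests to php-fpm from the base
# image; supervisor keeps both processes alive inside the one container.
RUN apk add --no-cache nginx supervisor

# COPY instead of ADD: both place a local file in the image, but ADD also
# unpacks archives and accepts URLs, which is never wanted for config files.
COPY matomo.nginx.conf /etc/nginx/http.d/default.conf
COPY supervisord.conf /etc/supervisord.conf

VOLUME ["/var/www/html"]
EXPOSE 80

# No USER instruction: supervisord starts as root (supervisord.conf sets
# user = root) and launches nginx and php-fpm without a user override.
# NOTE(review): confirm the worker processes drop to an unprivileged account.
CMD ["supervisord", "-n", "-c", "/etc/supervisord.conf"]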
# FastCGI backend: php-fpm reached over loopback inside the same container.
upstream php-handler {
    server 127.0.0.1:9000;
}
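# Matomo virtual host. Regex locations are tried in file order and the first
# match wins, so the order of the location blocks below is part of the policy:
# the PHP allow-list must stay ahead of the catch-all .php deny, and the static
# asset block must stay ahead of the libs/vendor/plugins deny.
server {
    listen 80;

    # Headers set here are inherited only by locations that declare no
    # add_header of their own, so locations that add headers repeat this one.
    add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
    root /var/www/html; # replace with path to your matomo instance
    index index.php;
    try_files $uri $uri/ =404;

    ## only allow accessing the following php files
    # The dot is escaped and the match must end at ".php" or continue with "/"
    # (PATH_INFO). Unescaped and unanchored, the pattern also admitted other
    # script names that merely begin with an allowed prefix.
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php(/|$) {
        # regex to split $uri to $fastcgi_script_name and $fastcgi_path
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # Check that the PHP script exists before passing it
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass php-handler;
    }

    ## deny access to all other .php files
    # `return` answers in the rewrite phase, before `deny all` is consulted;
    # the deny is kept as a second layer should the return ever be removed.
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }

    ## disable all access to the following directories
    location ~ /(config|tmp|core|lang) {
        deny all;
        return 403; # replace with 404 to not show these directories exist
    }

    location ~ /\.ht {
        deny all;
        return 403;
    }

    location ~ js/container_.*_preview\.js$ {
        expires off;
        # Repeated because this block's own add_header stops inheritance.
        add_header Referrer-Policy origin;
        add_header Cache-Control 'private, no-cache, no-store';
    }

    # Sits ahead of the libs/vendor/plugins deny, so files with these extensions
    # inside those directories are still served (plugin assets rely on it).
    # That covers .json and .html as well as images and scripts.
    # NOTE(review): confirm nothing sensitive with these extensions lives there.
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        ## Cache images,CSS,JS and webfonts for an hour
        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
        expires 1h;
        # Repeated because this block's own add_header stops inheritance.
        add_header Referrer-Policy origin;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location ~ /(libs|vendor|plugins|misc/user) {
        deny all;
        return 403;
    }

    ## properly display textfiles in root directory
    location ~ /(.*\.md|LEGALNOTICE|LICENSE) {
        default_type text/plain;
    }
}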
; Global supervisord settings for the single-container image.
[supervisord]
; Stated explicitly: supervisord runs as root, and the program sections in this
; file set no user= of their own, so both children are started as root.
user=root
pidfile=/tmp/supervisord.pid
; Log to the container's stderr; a size limit of 0 turns rotation off, which a
; non-seekable device such as /dev/stderr requires.
logfile=/dev/stderr
logfile_maxbytes=0
; nginx in the foreground so that supervisord can supervise it directly.
[program:nginx]
command=/usr/sbin/nginx -g 'daemon off;'
process_name=%(program_name)s_%(process_num)d
numprocs=1
; Start with supervisord and restart on exit; after 3 failed starts the program
; is marked FATAL.
autostart=true
autorestart=true
startsecs=1
startretries=3
; Forward both streams to the container's stdout/stderr without rotation.
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
; php-fpm in the foreground (-F) so that supervisord can supervise it directly.
[program:php-fpm]
command=/usr/local/sbin/php-fpm -F
process_name=%(program_name)s_%(process_num)d
numprocs=1
numprocs_start=1
; Start with supervisord and restart on exit; after 3 failed starts the program
; is marked FATAL.
autostart=true
autorestart=true
startsecs=1
startretries=3
; Forward both streams to the container's stdout/stderr without rotation.
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
; Stops the whole container when a supervised program cannot be kept running,
; so the orchestrator sees the failure instead of a half-working container.
[eventlistener:quit_on_failure]
; Prints READY once to register as a listener, then sends SIGQUIT to its parent
; process ($PPID, presumably supervisord) for every line that arrives on stdin.
command=sh -c "printf 'READY\n' && while read line; do kill -SIGQUIT $PPID; done < /dev/stdin"
; Subscribed only to the event raised when a program enters the FATAL state.
events=PROCESS_STATE_FATAL