Diffstat (limited to 'contrib/k8s-emc/_graveyard_/matomo-cm.yml')
-rw-r--r--contrib/k8s-emc/_graveyard_/matomo-cm.yml132
1 files changed, 132 insertions, 0 deletions
diff --git a/contrib/k8s-emc/_graveyard_/matomo-cm.yml b/contrib/k8s-emc/_graveyard_/matomo-cm.yml
new file mode 100644
index 0000000..60af25b
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/matomo-cm.yml
@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: emc
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+data:
+ nginx.conf: |
+ worker_processes 4;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+
+ server_name _;
+
+ add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ root /var/www/html;
+
+ index index.php;
+
+ ## only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+ try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT $document_root;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+ fastcgi_param REQUEST_SCHEME $scheme;
+ fastcgi_param HTTPS $https if_not_empty;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_param HTTP_X_FORWARDED_URI /matomo;
+ fastcgi_intercept_errors on;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ ## disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
+ location ~ \.php$ {
+ }
+ }
+ }
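Review bot: The two location blocks that set their own `add_header` (the `js/container_.*_preview\.js$` block and the static-asset block with `expires 1h`) will not send the server-level Referrer-Policy, X-Content-Type-Options and X-XSS-Protection headers, because nginx inherits `add_header` from the enclosing level only when the current level defines none. That leaves the .js, .html and .json responses served from those blocks without `nosniff`. Repeat the three server-level lines inside both blocks, for example `add_header X-Content-Type-Options "nosniff" always;`, so the headers apply uniformly. Separately, `access_log /dev/null;` leaves no request trail for this instance (`access_log /dev/stdout;` would keep it in the pod logs). The final empty `location ~ \.php$ { }` also looks unreachable, since the earlier `~* ^.+\.php$` block matches first.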