From 60569568d1196462fec768d4bc6e23e4afe52cc5 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 3 Mar 2020 04:04:38 +0100 Subject: matomo/graphite/grafana work now --- contrib/k8s-emc/matomo-cm.yml | 90 +++++++++++++++++++++++++++++++++---------- 1 file changed, 70 insertions(+), 20 deletions(-) (limited to 'contrib/k8s-emc/matomo-cm.yml') diff --git a/contrib/k8s-emc/matomo-cm.yml b/contrib/k8s-emc/matomo-cm.yml index f8ce063..60af25b 100644 --- a/contrib/k8s-emc/matomo-cm.yml +++ b/contrib/k8s-emc/matomo-cm.yml 
@@ -37,46 +37,96 @@ data:
 server_name _;
- root /var/www/html;
-
- index index.php index.html index.htm;
+ add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
- location / {
- try_files $uri $uri/ =404;
- }
+ root /var/www/html;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- location = /50x.html {
- root /usr/share/nginx/html;
- }
+ index index.php;
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
+ ## only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+ try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
- location ~ \.php$ {
- fastcgi_param GATEWAY_INTERFACE CGI/1.1;
- fastcgi_param SERVER_SOFTWARE nginx;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_param QUERY_STRING $query_string;
 fastcgi_param REQUEST_METHOD $request_method;
 fastcgi_param CONTENT_TYPE $content_type;
 fastcgi_param CONTENT_LENGTH $content_length;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
 fastcgi_param REQUEST_URI $request_uri;
 fastcgi_param DOCUMENT_URI $document_uri;
 fastcgi_param DOCUMENT_ROOT $document_root;
 fastcgi_param SERVER_PROTOCOL $server_protocol;
+ fastcgi_param REQUEST_SCHEME $scheme;
+ fastcgi_param HTTPS $https if_not_empty;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+ fastcgi_param REMOTE_ADDR $remote_addr;
 fastcgi_param REMOTE_PORT $remote_port;
 fastcgi_param SERVER_ADDR $server_addr;
 fastcgi_param SERVER_PORT $server_port;
 fastcgi_param SERVER_NAME $server_name;
- fastcgi_param HTTP_X_FORWARDED_URI /matomo;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_param HTTP_X_FORWARDED_URI /matomo;
 fastcgi_intercept_errors on;
 fastcgi_pass 127.0.0.1:9000;
 }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ ## disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
+ location ~ \.php$ {
+ }
 }
 }
-- cgit v1.2.3
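Review bot: The three security headers added at server level (`Referrer-Policy`, `X-Content-Type-Options`, `X-XSS-Protection`) will not be emitted on responses from the `js/container_.*_preview\.js$` and static-asset locations, because nginx inherits `add_header` directives only when the current level declares none of its own, and both of those blocks declare their own `add_header`. Repeating `add_header Referrer-Policy origin always;`, `add_header X-Content-Type-Options "nosniff" always;` and `add_header X-XSS-Protection "1; mode=block" always;` inside each of those two blocks (or moving all headers into an included snippet) keeps them on every response. The empty `location ~ \.php$ { }` at the end of the hunk appears unreachable, since regex locations are tried in file order and `location ~* ^.+\.php$ { deny all; ... }` already matches every such URI; deleting it avoids a later reorder turning it into static delivery of PHP sources. The enclosing `server` block and the ConfigMap `data:` key begin before the hunk.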