summaryrefslogtreecommitdiff
path: root/contrib/k8s-emc/_graveyard_/matomo-cm.yml
blob: 60af25bb0f48680913fd6b1b2d96ed2f591edd1e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: emc
  name: stats-matomo
  labels:
    app: matomo
    tier: stats
data:
  nginx.conf: |
    worker_processes 4;
    pid /srv/nginx.pid;
    error_log /dev/stderr notice;

    events {
      worker_connections 768;
      # multi_accept on;
    }

    http {
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      types_hash_max_size 2048;

      server_names_hash_bucket_size 64;

      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      access_log /dev/null;

      server {
        listen 8080 default_server;
        listen [::]:8080 default_server;

        server_name _;

        add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        root /var/www/html;

        index index.php;

        ## only allow accessing the following php files
        location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
          try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.

          fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
          fastcgi_param  QUERY_STRING       $query_string;
          fastcgi_param  REQUEST_METHOD     $request_method;
          fastcgi_param  CONTENT_TYPE       $content_type;
          fastcgi_param  CONTENT_LENGTH     $content_length;

          fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
          fastcgi_param  REQUEST_URI        $request_uri;
          fastcgi_param  DOCUMENT_URI       $document_uri;
          fastcgi_param  DOCUMENT_ROOT      $document_root;
          fastcgi_param  SERVER_PROTOCOL    $server_protocol;
          fastcgi_param  REQUEST_SCHEME     $scheme;
          fastcgi_param  HTTPS              $https if_not_empty;

          fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
          fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

          fastcgi_param  REMOTE_ADDR        $remote_addr;
          fastcgi_param  REMOTE_PORT        $remote_port;
          fastcgi_param  SERVER_ADDR        $server_addr;
          fastcgi_param  SERVER_PORT        $server_port;
          fastcgi_param  SERVER_NAME        $server_name;

          # PHP only, required if PHP was built with --enable-force-cgi-redirect
          fastcgi_param  REDIRECT_STATUS    200;

          fastcgi_param  HTTP_PROXY         "";
          #fastcgi_param  HTTP_X_FORWARDED_URI    /matomo;
          fastcgi_intercept_errors on;
          fastcgi_pass 127.0.0.1:9000;
        }

        ## deny access to all other .php files
        location ~* ^.+\.php$ {
          deny all;
          return 403;
        }

        location / {
          try_files $uri $uri/ =404;
        }

        ## disable all access to the following directories
        location ~ /(config|tmp|core|lang) {
          deny all;
          return 403; # replace with 404 to not show these directories exist
        }

        location ~ /\.ht {
          deny  all;
          return 403;
        }

        location ~ js/container_.*_preview\.js$ {
          expires off;
          add_header Cache-Control 'private, no-cache, no-store';
        }

        location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
          allow all;
          ## Cache images,CSS,JS and webfonts for an hour
          ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
          expires 1h;
          add_header Pragma public;
          add_header Cache-Control "public";
        }

        location ~ /(libs|vendor|plugins|misc/user) {
          deny all;
          return 403;
        }

        ## properly display textfiles in root directory
        location ~/(.*\.md|LEGALNOTICE|LICENSE) {
          default_type text/plain;
        }

        location ~ \.php$ {
        }
      }
    }