Nginx Configuration for Matomo
This is a small nginx configuration that should help you get your own Matomo instance running and start collecting your own analytics.
I already know nginx
In this case it should be enough to just take the sites-available/matomo.conf, check if everything is configured as you like it and enable the config.
I want to get started
- clone this repostitory or download it as a zip then move its content to
/etc/nginx/(or wherever you store your nginx-config) - read through the
sites-available/matomo.confand modify the settings to fit your use case:- set
server_nameto the domain(s) of your Matomo instance - set the path to your SSL certificate (I really recommend you to make sure your Matomo instance is only reachable via HTTPS. If you don't have an SSL certificate for your domain yet, check out Let's Encrypt.)
- do you want to support old browsers? Then you'll need to modify
ssl.confaccording to your need. (the Mozilla SSL Config Generator will help you) - replace
/var/www/matomo/with the path to your Matomo instance
- set
- configure PHP (this depends on your OS and PHP setup)
- if you are using fastcgi (which is probably the case) set
fastcgi_passto the path of your PHP socket file - you can also specify a TCP port
- if you are using fastcgi (which is probably the case) set
- go to the
sites-enabledfolder of your nginx config directory - enable the Matomo config by creating a symlink:
sudo ln -s ../sites-available/matomo.conf - test if there is a syntax error in your config:
sudo nginx -t - restart nginx:
sudo systemctl restart
If you need to check the legacy nginx Matomo configuration, you can find it here: https://github.com/matomo-org/matomo-nginx/tree/1.0.99
Tips
- never use Matomo without HTTPS
- make sure you have configured Nginx to only accept modern and secure cryptography
- check your website with https://www.ssllabs.com/ssltest/
- compare your Nginx config with the "modern" template from https://mozilla.github.io/server-side-tls/ssl-config-generator/
- this template is used by default in the
ssl.conffile - decide if keeping outdated chiphers and TLS protocolls enabled to be able to track ancient browser is worth the risk of a downgrade attack for all your vistors (and admins)
- never support SSLv3 and think about disabling TLSv1 and TLSv1.1
- add
server_tokens off;to your config to disable theserver: nginxheader on all requests and the nginx version on error pages - if you have enabled gzip compression (which improves performance greatly), be aware of the BREACH vulnerability
- think about enabling the
Strict-Transport-Securityheader, but keep in mind the implications - keep HTTP/2 enabled as it brings performance benifits with many small files (e.g. icons)
You know how to improve this config? Open a pull request or GitHub issue!
