Matomo

From ArchWiki

Matomo, formerly Piwik, is an open source web analysis tool licensed under the GNU General Public License 3. The software is written in php and is accessed over the web browser. The core idea of the project is privacy as when using third party website analysis providers website owners are giving all of their users' data away for them to sell them to advertisers.

With one running instance multiple websites can be analysed by loading some JavaScript on the target websites.

Installation

Install the package matomoAUR or matomo-gitAUR. The git package already configures the php-fpm daemon for you. Additionally, it downloads and installs the most recent GeoIP database for you. By default, Matomo guesses the visitor's location by their set browser language.

Configuration

php configuration

php needs to be configured properly for Matomo to work.

First, enable MySQL support as described in PHP#MySQL/MariaDB. Do so by editing /etc/php/php.ini. Uncomment ;extension=pdo_mysql and ;extension=mysqli by removing the preceding semicolon.

In general, comments are indicated by preceding semicolons.

;extension=iconv needs to be enabled and ;extension=gd is optional for Matomo. Uncomment at least iconv.

Allow Matomo access to needed files

Note: The changes here are only needed for the matomoAUR package and not matomo-gitAUR.

Because of new restrictions on php-fpm.service since version 7.4, where ProtectSystem is set to prevent Matomo to function correctly (unable to installing plugins, changing configuration, etc), the ability to access certain files needs to be set manually.

The file /etc/systemd/system/php-fpm.service.d/override_matomo.conf below fixes the issue while not exposing more than necessary and still allow the user to change ACL as described in the installation manifest, if this is not desired. 

[Service]
ReadWritePaths = /usr/share/webapps/matomo/config
ReadWritePaths = /usr/share/webapps/matomo/matomo.js
ReadWritePaths = /usr/share/webapps/matomo/misc/user/
ReadWritePaths = /usr/share/webapps/matomo/plugins/

Server setup (nginx)

In order to enable php websites, install the php-fpm package and start/enable php-fpm.service (See Nginx#PHP implementation). Create the server by modifying /etc/nginx/nginx.conf. Add the following template to the "http" context. Alternatively, take a look at matomo's GitHub instructions. 

include /etc/nginx/mime.types;

server
{
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name matomo.example.com;
    root        /usr/share/webapps/matomo/;
    index       index.php;

    location ~ ^/(\.git/|config/|core/|lang/|tmp/)
    {
        return  403;
    }

    location ~ \.php$
    {
        try_files   $uri =404;

        # FastCGI
        include         fastcgi.conf;
        fastcgi_pass    unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index   index.php;
    }

    location ~ \.(avi|css|eot|gif|htm|html|ico|jpg|js|json|mp3|mp4|ogg|png|svg|ttf|wav|woff|woff2)$
    {
        try_files   $uri =404;
    }

    location ~ ^/(libs/|misc/|node_modules/|plugins/|vendor/)
    {
        return  403;
    }
}

To use encryption, you can get free certificates from letsencrypt. After requesting and installing your certificates, use them by adding the following code to the "http" or "server" context: 

include             /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain.domain.me/privkey.pem;
ssl_certificate     /etc/letsencrypt/live/subdomain.domain.me/fullchain.pem;

Run the nginx server by starting/enabling nginx.service.

Note: mariadb.service and php-fpm.service are required.

Final steps

All major settings are done. Call your Matomo website in your browser and complete the small installation guide which is not more than checking that everything needed is available and set up and writing your configuration file.