Differences between revisions of "Matomo/Technical documentation"

From Wikimedia Italia.
(+tech info)
 
(update)
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
+
{{Server|intreccio}}
 +
Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia]. Any contribution is welcome.
  
 
== Server access ==
 
== Server access ==
  
 
<pre>
 
<pre>
ssh fabula.wikimedia.it
+
ssh name-surname@intreccio.wikimedia.it
 
</pre>
 
</pre>
  
Line 10: Line 11:
  
 
* [[Infrastruttura#Contatti]]
 
* [[Infrastruttura#Contatti]]
 +
 +
== Version ==
 +
 +
Current Matomo version is <code>4.1.0</code>.
 +
 +
List of pending security issues to be applied
 +
 +
* 4.2.0
 +
*:A SuperUser (and only a SuperUser) is able to do remote-code-execution. Currently our Super-Users are very-trusted so no huge to update.
 +
*:https://matomo.org/changelog/matomo-4-2-0/
  
 
== Overview ==
 
== Overview ==
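Review bot: the new Version section records the 4.2.0 fix for a SuperUser-only remote code execution as pending because the SuperUsers are trusted; that reasoning assumes the accounts cannot be compromised, but a phished SuperUser password or a leaked token_auth would turn the same bug into code execution as the PHP-FPM user on intreccio. Apply 4.2.0 rather than carrying it as a known-unpatched item, and if the entry must stay, date it so a stale "Current Matomo version is 4.1.0" line is not read as current.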
Line 31: Line 42:
 
== Filesystem ==
 
== Filesystem ==
  
The whole application is in read-only (writable only by <code>root</code>) apart from <code>piwik.js</code>, <code>matomo.js</code>, <code>tmp/</code>, and <code>config/</code>.
+
The whole application is in read-only (writable only by <code>root</code>) but some files. See [[#Hardening]].
 +
 
 +
Here a quick overview:
  
 
<pre>
 
<pre>
Line 95: Line 108:
 
Apache configuration:
 
Apache configuration:
  
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/matomo/apache2/it-wikimedia-matomo-ssl.conf|/etc/httpd/sites-enabled/it-wikimedia-matomo-ssl.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/apache2/it-wikimedia-matomo-ssl.conf|/etc/apache2/sites-enabled/it-wikimedia-matomo-ssl.conf]]
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/matomo/apache2/it-wikimedia-matomo-txt.conf|/etc/httpd/sites-enabled/it-wikimedia-matomo-txt.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/apache2/it-wikimedia-matomo-txt.conf|/etc/apache2/sites-enabled/it-wikimedia-matomo-txt.conf]]
  
 
PHP-FPM configuration:
 
PHP-FPM configuration:
  
  nano [[phabricator:diffusion/WIIN/browse/master/servers/fabula/conf/rh-php73/php-fpm.d/9000-matomo.conf|/etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf]]
+
  nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/rh-php73/php-fpm.d/9000-matomo.conf|/etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf]]
 
 
To publish whatever change in Wikimedia Phabricator please run this:
 
 
 
<pre>
 
/root/scripts/commit.sh
 
</pre>
 
  
 
== Log ==
 
== Log ==
  
Generic Apache error log:
+
Check in.
 
 
tail -f /var/log/httpd/error_log
 
 
 
Generic Apache access log:
 
  
  tail -f /var/log/httpd/access_log
+
  tail -f /var/log/apache2
  
 
== Service ==
 
== Service ==
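Review bot: the Log section now reads "Check in." followed by `tail -f /var/log/apache2`, which is a directory and fails with "Is a directory"; the removed lines pointed at the error and access logs separately, so the replacement should name the files inside /var/log/apache2/ as set by the ErrorLog and CustomLog directives of the two vhost files edited above. Also worth a check in the same hunk: the Apache paths moved to the Debian layout (/etc/apache2/sites-enabled) while PHP-FPM is still documented under the Software Collections path /etc/opt/rh/rh-php73; one of the two is probably stale for intreccio.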
Line 185: Line 188:
 
</pre>
 
</pre>
  
== Unix ==
+
== Maintenance ==
 +
 
 +
Enable maintenance:
 +
 
 +
<pre>
 +
a2ensite  z_it-wikimedia-matomo-maintenance
 +
a2dissite  it-wikimedia-matomo-txt
 +
a2dissite  it-wikimedia-matomo-ssl
 +
apachectl graceful
 +
</pre>
  
There is a dedicated Unix user able to read secret configurations and write some logs.
+
Disable maintenance:
  
# id apache-matomo
+
<pre>
uid=1435(apache-matomo) gid=1435(apache-matomo) groups=1435(apache-matomo),48(apache)
+
a2dissite z_it-wikimedia-matomo-maintenance
 +
a2ensite    it-wikimedia-matomo-txt
 +
a2ensite    it-wikimedia-matomo-ssl
 +
apachectl graceful
 +
</pre>
  
 
== E-mail ==
 
== E-mail ==
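Review bot: replacing the Unix section drops the only record of which account the PHP-FPM pool runs as (`apache-matomo`, uid 1435, member of group `apache`), while the Hardening and Cron sections added further down use `www-data`. If the pool still runs as apache-matomo, the chown commands hand config/ and tmp/ to an account the application never uses and the archive cron runs as one that may not be able to read config.ini.php; keep a one-line note of the pool user next to the Maintenance procedure so the two sections cannot drift apart.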
Line 199: Line 215:
  
 
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
 
See [[Associazione:Mail/Caselle tecniche|technical addresses]].
 +
 +
You can change that from here:
 +
 +
https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings
  
 
== Update ==
 
== Update ==
Line 212: Line 232:
 
https://matomo.org/docs/update/#the-manual-three-step-update
 
https://matomo.org/docs/update/#the-manual-three-step-update
  
== Phabricator ==
+
== Security ==
 +
 
 +
List of volunteers that are subscribed in the [https://matomo.org/newsletter/ official Matomo newsletter] that also provides security info:
 +
* [[User:Valerio Bozzolan]]
 +
* ...
 +
 
 +
See [[#Update]] and [[#Version]].
 +
 
 +
== Hardening ==
 +
 
 +
Before any update you may have to restore write-mode:
 +
 
 +
<pre>
 +
# allow to write
 +
chown www-data: -R /var/www/matomo/www
 +
</pre>
 +
 
 +
After any update you should restore read-only mode:
 +
 
 +
<pre>
 +
# make read-only for everyone
 +
chown root: -R /var/www/matomo/www
 +
 
 +
# make some directories writable by webserver
 +
chown www-data: -R /var/www/matomo/www/{js,config,tmp}
 +
 
 +
# make some files writable by webserver
 +
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
 +
</pre>
 +
 
 +
== Cron ==
 +
 
 +
In <code>/etc/cron.d/matomo-archive</code> there is a cron for the Archive process of Matomo:
 +
 
 +
<pre>
 +
10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log
 +
</pre>
 +
 
 +
== Backups ==
 +
 
 +
The filesystem and the database are both covered by the standard backups of the server {{Server link|intreccio}}. See its documentation.
  
* [[phabricator:search/query/4R0ZoqC1TUGP/#R|phabricator:search]] - search recent activity
+
[[Categoria:Documentazione tecnica|Matomo]]
* [[phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/matomo/]] - public configuration
 
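Review bot: in the Hardening block, `chown www-data: -R /var/www/matomo/www/{js,config,tmp}` leaves config/ (home of config.ini.php, which carries the database credentials and the salt) writable by the web server, so the read-only scheme does not cover the one file whose modification gives an attacker persistent control; say explicitly that this is a deliberate trade-off, or restrict it to the files Matomo actually rewrites. The comment "make read-only for everyone" is also inaccurate: `chown root:` changes the owner only, the 644/755 modes keep everything readable, which is what the prose "writable only by root" means. In the Cron hunk, `>` truncates matomo-archive.log on every hourly run, so only the last run's output survives; use `>>` with rotation if failed runs need to be investigated later.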

Current revision as of 13:41, 8 March 2022

Page linked to the server ⚙️ intreccio

Brief documentation for system administrators of the Matomo instance in Wikimedia Italia. Any contribution is welcome.

Server access

ssh name-surname@intreccio.wikimedia.it

To request access:

* Infrastruttura#Contatti

Version

Current Matomo version is 4.1.0.

List of pending security fixes not yet applied:

* 4.2.0: fixes a remote code execution reachable only by a SuperUser (https://matomo.org/changelog/matomo-4-2-0/). Our SuperUsers are highly trusted, so the update has not been treated as urgent. Keep in mind that this also means a compromised SuperUser login or a leaked token_auth becomes code execution as the PHP-FPM user, so the entry should stay in this list only until the update is done.

Overview

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └─────┘          └─────────────────┘          └───────────────┘


Filesystem

The whole application tree is read-only (owned and writable only by root) except for a few paths the web server must write to. See #Hardening.

A quick overview of the top-level directory:

# ls -l /var/www/matomo/
total 12
drwxrwx---  2 apache-matomo apache-matomo 4096 30 gen 09.36 session
drwxrwx---  2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp
lrwxrwxrwx  1 root          root            16 24 gen 22.24 www -> www-matomo.4.1.0
drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0

And the application tree behind the www symbolic link:

# ls -l /var/www/matomo/www/
total 380
-rw-r--r--  1 root          root          91119 22 dic 06.05 CHANGELOG.md
drwxr-xr-x  3 apache-matomo apache-matomo  4096 29 dic 21.27 config
-rwxr-xr-x  1 root          root            753 22 dic 06.05 console
-rw-r--r--  1 root          root            929 22 dic 06.05 CONTRIBUTING.md
drwxr-xr-x 51 root          root           4096 29 dic 21.27 core
-rw-r--r--  1 root          root            578 22 dic 06.05 DIObject.php
-rw-r--r--  1 root          root              0 29 dic 21.26 favicon.ico
-rw-r--r--  1 root          root            712 22 dic 06.05 index.php
drwxr-xr-x  2 root          root           4096 29 dic 21.27 js
drwxr-xr-x  2 root          root           4096 29 dic 21.27 lang
-rw-r--r--  1 root          root            828 22 dic 06.05 LegacyAutoloader.php
-rw-r--r--  1 root          root           8620 22 dic 06.05 LEGALNOTICE
drwxr-xr-x  9 root          root           4096 29 dic 21.27 libs
-rw-r--r--  1 root          root          35146 22 dic 06.05 LICENSE
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js
-rw-r--r--  1 root          root            328 22 dic 06.05 matomo.php
drwxr-xr-x  8 root          root           4096  6 gen 02.44 misc
drwxr-xr-x 21 root          root           4096 29 dic 21.27 node_modules
-rw-r--r--  1 root          root           6381 22 dic 06.05 offline-service-worker.js
-rw-r--r--  1 root          root           4601 22 dic 06.05 package-lock.json
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js
-rw-r--r--  1 root          root           2685 22 dic 06.05 piwik.php
drwxr-xr-x 69 root          root           4096 29 dic 21.27 plugins
-rw-r--r--  1 root          root           4617 22 dic 06.05 PRIVACY.md
-rw-r--r--  1 root          root           5688 22 dic 06.05 README.md
-rw-r--r--  1 root          root            744 22 dic 06.05 robots.txt
-rw-r--r--  1 root          root           1174 22 dic 06.05 SECURITY.md
drwxr-xr-x  2 root          root           4096 22 dic 06.06 tests
drwxrwx--- 10 apache-matomo apache-matomo  4096 29 dic 21.27 tmp
drwxr-xr-x 23 root          root           4096 29 dic 21.27 vendor

Admin

Screenshot of the admin panel (image not reproduced here).

The enabled users are listed in Matomo#Amministratori.

Configuration

Matomo configuration (config.ini.php holds the database credentials and the salt; keep it readable only by root and the PHP-FPM user):

nano /var/www/matomo/www/config/config.ini.php

Apache configuration:

nano /etc/apache2/sites-enabled/it-wikimedia-matomo-ssl.conf
nano /etc/apache2/sites-enabled/it-wikimedia-matomo-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf

Log

Apache logs are under /var/log/apache2/ (tail -f on the directory itself only fails with "Is a directory"). The file names are the ones set by the ErrorLog and CustomLog directives in the two vhost files listed under #Configuration; with the Debian defaults they are:

tail -f /var/log/apache2/error.log
tail -f /var/log/apache2/access.log
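The access log is the one place where password guessing against the Matomo login is visible from outside the application (Matomo keeps its own record in matomo_brute_force_log, see #Database). The script below is an added example for this page, not a script from the wiki or from Matomo: it counts, per client address, the POST requests to the login module that did not end in a redirect, over a few constructed sample lines. It assumes the Apache "combined" log format, that the login form posts to index.php?module=Login, and that a failed login is answered with the form again (HTTP 200) while a successful one redirects (HTTP 302); check all three against a real login before trusting the numbers.

```shell
#!/bin/sh
# Spot password guessing against the Matomo login from the Apache access log.
# Added example for this page, not a script from the wiki or from Matomo.
# Assumptions: the access log is in Apache "combined" format, the login form
# posts to index.php?module=Login, and a failed login is answered with the
# form again (HTTP 200) while a successful one redirects (HTTP 302).

# login_bursts LOG THRESHOLD
# Prints "COUNT IP" for each client with at least THRESHOLD non-redirected
# POST requests to the login module, busiest client first.
login_bursts() {
    awk -v min="$2" '
        # $6 is the quoted method, $7 the request path, $9 the status code
        $6 == "\"POST" && $7 ~ /module=Login/ && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# write_sample_log FILE: constructed sample traffic, not real log lines:
# one client hammering the login, one successful login, one tracker hit.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [08/Mar/2022:13:00:01 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 200 4310 "-" "curl/7.74.0"
203.0.113.7 - - [08/Mar/2022:13:00:02 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 200 4310 "-" "curl/7.74.0"
203.0.113.7 - - [08/Mar/2022:13:00:03 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 200 4310 "-" "curl/7.74.0"
203.0.113.7 - - [08/Mar/2022:13:00:04 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 200 4310 "-" "curl/7.74.0"
203.0.113.7 - - [08/Mar/2022:13:00:05 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 200 4310 "-" "curl/7.74.0"
198.51.100.20 - - [08/Mar/2022:13:05:10 +0100] "POST /index.php?module=Login&action=index HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Mar/2022:13:05:11 +0100] "GET /index.php?module=CoreHome&action=index&idSite=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Mar/2022:13:07:00 +0100] "GET /matomo.php?idsite=1&rec=1 HTTP/1.1" 204 0 "https://www.wikimedia.it/" "Mozilla/5.0"
EOF
}

# Script usage: ./login_bursts.sh /var/log/apache2/access.log 20
if [ $# -eq 2 ]; then
    login_bursts "$1" "$2"
fi
```

On the sample above only 203.0.113.7 is reported (five non-redirected POSTs); the successful login from 198.51.100.20 is excluded by its 302. Run it over the real access.log with a threshold that matches the brute-force limits configured in Matomo, and compare the addresses with matomo_brute_force_log.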

Service

To apply your changes you need to restart the services.

Service of the apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql matomo
> SHOW TABLES;
+---------------------------------------+
| Tables_in_matomo                      |
+---------------------------------------+
| matomo_access                         |
| matomo_archive_blob_2020_01           |
| matomo_archive_blob_2020_12           |
| matomo_archive_blob_2021_01           |
| matomo_archive_blob_2021_02           |
| matomo_archive_invalidations          |
| matomo_archive_numeric_2020_01        |
| matomo_archive_numeric_2020_12        |
| matomo_archive_numeric_2021_01        |
| matomo_archive_numeric_2021_02        |
| matomo_brute_force_log                |
| matomo_custom_dimensions              |
| matomo_goal                           |
| matomo_locks                          |
| matomo_log_action                     |
| matomo_log_conversion                 |
| matomo_log_conversion_item            |
| matomo_log_link_visit_action          |
| matomo_log_profiling                  |
| matomo_log_visit                      |
| matomo_logger_message                 |
| matomo_option                         |
| matomo_plugin_setting                 |
| matomo_privacy_logdata_anonymizations |
| matomo_report                         |
| matomo_report_subscriptions           |
| matomo_segment                        |
| matomo_sequence                       |
| matomo_session                        |
| matomo_site                           |
| matomo_site_setting                   |
| matomo_site_url                       |
| matomo_tracking_failure               |
| matomo_twofactor_recovery_code        |
| matomo_user                           |
| matomo_user_dashboard                 |
| matomo_user_language                  |
| matomo_user_token_auth                |
+---------------------------------------+
38 rows in set (0.00 sec)

Note that matomo_user, matomo_user_token_auth, matomo_twofactor_recovery_code and matomo_session hold the password hashes, API tokens, two-factor recovery codes and live sessions: anything that can read this database (a shell on the server, a dump, a backup copy) can impersonate every Matomo user.

Maintenance

Enable maintenance:

a2ensite  z_it-wikimedia-matomo-maintenance
a2dissite   it-wikimedia-matomo-txt
a2dissite   it-wikimedia-matomo-ssl
apachectl graceful

Disable maintenance:

a2dissite z_it-wikimedia-matomo-maintenance
a2ensite    it-wikimedia-matomo-txt
a2ensite    it-wikimedia-matomo-ssl
apachectl graceful

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

You can change it from here:

https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings

Update

During an update do not use the web updater: the application tree is read-only on the filesystem (see #Hardening), so it cannot write. Download and unpack the new version into /var/www/matomo instead, next to the current www-matomo.<version> directory.

To put it online, repoint the /var/www/matomo/www symbolic link to the new directory. Keeping the previous directory around gives an immediate rollback: repoint the link again.

Remember to copy the site-specific configuration, config/config.ini.php, from the old tree into the new one (the rest of config/ ships with each release), and to re-apply #Hardening afterwards.

Then follow the official guide:

https://matomo.org/docs/update/#the-manual-three-step-update

Security

List of volunteers subscribed to the official Matomo newsletter, which also carries security announcements:

* User:Valerio Bozzolan
* ...

See #Update and #Version.

Hardening

Before any update you may have to restore write mode. Use the account the PHP-FPM pool in 9000-matomo.conf actually runs as: the listing under #Filesystem shows apache-matomo, the commands below say www-data, and a chown to the wrong account either leaves the web server with no write access at all or gives it more than intended. Give the path with a trailing slash (or pass -H) so that chown -R descends through the www symbolic link instead of stopping at it:

# allow to write
chown www-data: -R /var/www/matomo/www/

After any update you should restore read-only mode:

# owned by root: the web server can still read everything (modes stay 644/755) but write nothing
chown root: -R /var/www/matomo/www/

# directories the application must still write; note that this also makes config/,
# which holds config.ini.php with the database credentials, writable by the web server
chown www-data: -R /var/www/matomo/www/{js,config,tmp}

# the tracker files Matomo regenerates when tracker plugins change
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
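The #Update and #Hardening procedures above are manual steps on a symlink-switched tree; the functions below put them in one place so that an update is a single rename and the read-only state can be verified afterwards instead of assumed. This is an added example written for this page, not a script from the wiki or from Matomo. It assumes the layout in #Filesystem (www -> www-matomo.<version>), GNU mv for the atomic -T rename, and that only config/config.ini.php (plus common.config.ini.php if present) is site-specific; the ownership function needs root, the audit does not.

```shell
#!/bin/sh
# Release switch and read-only audit for the layout described on this page:
#   /var/www/matomo/www -> www-matomo.<version>   (symlink swapped on update)
# Added example, not a script from the wiki or from Matomo. Assumptions are
# marked in the comments; run the ownership step as root, the audit as anyone.

MATOMO_ROOT="${MATOMO_ROOT:-/var/www/matomo}"   # overridable for testing

# matomo_current_release ROOT: prints the directory the www symlink points at.
matomo_current_release() {
    readlink "$1/www"
}

# matomo_switch_release ROOT VERSION
# Copies the site-specific config files into ROOT/www-matomo.VERSION (the
# release ships its own global.ini.php, which must not be overwritten), then
# replaces the www symlink with a single rename(2) so no request ever sees a
# half-switched tree. Fails and leaves the old link untouched when the new
# tree does not exist. The -T flag is GNU mv (assumption: GNU coreutils).
matomo_switch_release() {
    root=$1; new="$1/www-matomo.$2"
    [ -d "$new" ] || { echo "no release tree at $new" >&2; return 1; }
    for f in config.ini.php common.config.ini.php; do
        if [ -f "$root/www/config/$f" ] && [ ! -f "$new/config/$f" ]; then
            mkdir -p "$new/config" && cp -p "$root/www/config/$f" "$new/config/$f"
        fi
    done
    rm -f "$root/www.new"
    ln -s "www-matomo.$2" "$root/www.new" && mv -T "$root/www.new" "$root/www"
}

# matomo_harden ROOT WEBUSER
# The ownership scheme from the Hardening section: everything root-owned
# except js/, config/, tmp/ and the two tracker files. Must run as root. The
# trailing slash makes chown -R descend through the symlink.
matomo_harden() {
    root=$1; webuser=$2
    chown -R root: "$root/www/" &&
    chown -R "$webuser": "$root/www/js" "$root/www/config" "$root/www/tmp" &&
    chown "$webuser": "$root/www/matomo.js" "$root/www/piwik.js"
}

# matomo_audit ROOT WEBUSER
# Prints every path under ROOT/www/ that WEBUSER could still modify although
# the scheme says it must not: owned by WEBUSER or world-writable, outside the
# allowed js/, config/, tmp/ and tracker files. No output means the tree is
# as intended; run it after every update.
matomo_audit() {
    root=$1; webuser=$2
    find "$root/www/" -mindepth 1 \
        \( -path "$root/www/js" -o -path "$root/www/config" -o -path "$root/www/tmp" \) -prune \
        -o \( -user "$webuser" -o -perm -0002 \) \
           ! -path "$root/www/matomo.js" ! -path "$root/www/piwik.js" -print
}
```

A typical update then reads: unpack the release into /var/www/matomo/www-matomo.X.Y.Z, run `matomo_switch_release /var/www/matomo X.Y.Z`, finish the database upgrade with the official guide, run `matomo_harden /var/www/matomo <pool user>`, and keep the old directory until `matomo_audit` prints nothing and the site has been checked. If something is wrong, `matomo_switch_release` with the old version number is the rollback.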

Cron

In /etc/cron.d/matomo-archive there is a cron job for the Matomo archive process. It runs as www-data, which must be the same account the PHP-FPM pool uses, since the console run reads config.ini.php and uses the same tmp/ cache:

10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log

Note that > truncates the log on every run, so only the last hour's output is ever available; if a failed run has to be investigated later, append (>>) and rotate the file instead.
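Two things the one-line cron entry above cannot do are to keep a history of runs and to refuse to start while the previous hour's archive is still running. The wrapper below is an added example for this page, not a script from the wiki or from Matomo: it takes an exclusive non-blocking lock, appends a timestamped record to the log instead of truncating it, and returns the archive command's exit status. The script path, lock file name and the use of flock(1) from util-linux are assumptions.

```shell
#!/bin/sh
# Wrapper for the hourly archive job: one run at a time, a timestamped log
# that is appended rather than truncated, and the real exit code passed on.
# Added example; the install path and lock file name are assumptions.

MATOMO_ROOT="${MATOMO_ROOT:-/var/www/matomo}"
ARCHIVE_LOG="${ARCHIVE_LOG:-$MATOMO_ROOT/log/matomo-archive.log}"
LOCK_FILE="${LOCK_FILE:-$MATOMO_ROOT/log/matomo-archive.lock}"   # assumed name
MATOMO_URL="${MATOMO_URL:-https://matomo.wikimedia.it/}"

# run_archive CMD...
# Runs CMD under an exclusive lock held on LOCK_FILE (fd 9). If the lock is
# taken, logs a skip and returns 75 (EX_TEMPFAIL) without running anything;
# otherwise appends CMD's output between start/end markers to ARCHIVE_LOG
# and returns CMD's own exit status.
run_archive() {
    mkdir -p "$(dirname "$ARCHIVE_LOG")"
    (
        flock -n 9 || {
            echo "$(date -u +%FT%TZ) skipped: previous run still active" >> "$ARCHIVE_LOG"
            exit 75
        }
        echo "$(date -u +%FT%TZ) start: $*" >> "$ARCHIVE_LOG"
        if "$@" >> "$ARCHIVE_LOG" 2>&1; then rc=0; else rc=$?; fi
        echo "$(date -u +%FT%TZ) end rc=$rc" >> "$ARCHIVE_LOG"
        exit "$rc"
    ) 9>"$LOCK_FILE"
}

# When installed as matomo-archive.sh and started by cron, run the same
# command the current /etc/cron.d/matomo-archive entry runs.
case "$0" in
    *matomo-archive.sh)
        run_archive /usr/bin/php "$MATOMO_ROOT/www/console" core:archive --url="$MATOMO_URL"
        ;;
esac
```

With the script installed as, for instance, /usr/local/sbin/matomo-archive.sh (hypothetical path), the cron entry becomes `10 * * * * www-data /usr/local/sbin/matomo-archive.sh`; the log file then needs logrotate rather than the per-run truncation of the original line.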

Backups

The filesystem and the database are both covered by the standard backups of the server ⚙️ intreccio. See its documentation. Since the database holds password hashes, token_auth values, two-factor recovery codes and sessions (see #Database) and config.ini.php holds the database credentials, the backup copies must be protected like the live server.