Differenze tra le versioni di "Matomo/Technical documentation"
(+tech info) |
(aggiorno) |
||
(10 versioni intermedie di uno stesso utente non sono mostrate) | |||
Riga 1: | Riga 1: | ||
− | Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia]. | + | {{Server|intreccio}} |
+ | Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia]. Any contribution is welcome. | ||
== Server access == | == Server access == | ||
<pre> | <pre> | ||
− | ssh | + | ssh name-surname@intreccio.wikimedia.it |
</pre> | </pre> | ||
Riga 10: | Riga 11: | ||
* [[Infrastruttura#Contatti]] | * [[Infrastruttura#Contatti]] | ||
+ | |||
+ | == Version == | ||
+ | |||
+ | Current Matomo version is <code>4.1.0</code>. | ||
+ | |||
+ | List of pending security issues to be applied | ||
+ | |||
+ | * 4.2.0 | ||
+ | *:A SuperUser (and only a SuperUser) is able to do remote-code-execution. Currently our Super-Users are very-trusted so no huge to update. | ||
+ | *:https://matomo.org/changelog/matomo-4-2-0/ | ||
== Overview == | == Overview == | ||
Riga 31: | Riga 42: | ||
== Filesystem == | == Filesystem == | ||
− | The whole application is in read-only (writable only by <code>root</code>) | + | The whole application is in read-only (writable only by <code>root</code>) but some files. See [[#Hardening]]. |
+ | |||
+ | Here a quick overview: | ||
<pre> | <pre> | ||
Riga 95: | Riga 108: | ||
Apache configuration: | Apache configuration: | ||
− | nano [[phabricator:diffusion/WIIN/browse/master/servers/ | + | nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/apache2/it-wikimedia-matomo-ssl.conf|/etc/apache2/sites-enabled/it-wikimedia-matomo-ssl.conf]] |
− | nano [[phabricator:diffusion/WIIN/browse/master/servers/ | + | nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/apache2/it-wikimedia-matomo-txt.conf|/etc/apache2/sites-enabled/it-wikimedia-matomo-txt.conf]] |
PHP-FPM configuration: | PHP-FPM configuration: | ||
− | nano [[phabricator:diffusion/WIIN/browse/master/servers/ | + | nano [[phabricator:diffusion/WIIN/browse/master/servers/intreccio/conf/rh-php73/php-fpm.d/9000-matomo.conf|/etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf]] |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Log == | == Log == | ||
− | + | Check in. | |
− | |||
− | |||
− | |||
− | |||
− | tail -f /var/log/ | + | tail -f /var/log/apache2 |
== Service == | == Service == | ||
Riga 185: | Riga 188: | ||
</pre> | </pre> | ||
− | == | + | == Maintenance == |
+ | |||
+ | Enable maintenance: | ||
+ | |||
+ | <pre> | ||
+ | a2ensite z_it-wikimedia-matomo-maintenance | ||
+ | a2dissite it-wikimedia-matomo-txt | ||
+ | a2dissite it-wikimedia-matomo-ssl | ||
+ | apachectl graceful | ||
+ | </pre> | ||
− | + | Disable maintenance: | |
− | + | <pre> | |
− | + | a2dissite z_it-wikimedia-matomo-maintenance | |
+ | a2ensite it-wikimedia-matomo-txt | ||
+ | a2ensite it-wikimedia-matomo-ssl | ||
+ | apachectl graceful | ||
+ | </pre> | ||
== E-mail == | == E-mail == | ||
Riga 199: | Riga 215: | ||
See [[Associazione:Mail/Caselle tecniche|technical addresses]]. | See [[Associazione:Mail/Caselle tecniche|technical addresses]]. | ||
+ | |||
+ | You can change that from here: | ||
+ | |||
+ | https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings | ||
== Update == | == Update == | ||
Riga 212: | Riga 232: | ||
https://matomo.org/docs/update/#the-manual-three-step-update | https://matomo.org/docs/update/#the-manual-three-step-update | ||
− | == | + | == Security == |
+ | |||
+ | List of volunteers that are subscribed in the [https://matomo.org/newsletter/ official Matomo newsletter] that also provides security info: | ||
+ | * [[User:Valerio Bozzolan]] | ||
+ | * ... | ||
+ | |||
+ | See [[#Update]] and [[#Version]]. | ||
+ | |||
+ | == Hardening == | ||
+ | |||
+ | Before any update you may have to restore write-mode: | ||
+ | |||
+ | <pre> | ||
+ | # allow to write | ||
+ | chown www-data: -R /var/www/matomo/www | ||
+ | </pre> | ||
+ | |||
+ | After any update you should restore read-only mode: | ||
+ | |||
+ | <pre> | ||
+ | # make read-only for everyone | ||
+ | chown root: -R /var/www/matomo/www | ||
+ | |||
+ | # make some directories writable by webserver | ||
+ | chown www-data: -R /var/www/matomo/www/{js,config,tmp} | ||
+ | |||
+ | # make some files writable by webserver | ||
+ | chown www-data: /var/www/matomo/www/{piwik,matomo}.js | ||
+ | </pre> | ||
+ | |||
+ | == Cron == | ||
+ | |||
+ | In <code>/etc/cron.d/matomo-archive</code> there is a cron for the Archive process of Matomo: | ||
+ | |||
+ | <pre> | ||
+ | 10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log | ||
+ | </pre> | ||
+ | |||
+ | == Backups == | ||
+ | |||
+ | The filesystem and the database are both covered by the standard backups of the server {{Server link|intreccio}}. See its documentation. | ||
− | + | [[Categoria:Documentazione tecnica|Matomo]] | |
− |
Versione attuale delle 13:41, 8 mar 2022
Brief documentation for system administrators of the Matomo instance in Wikimedia Italia. Any contribution is welcome.
Server access
ssh name-surname@intreccio.wikimedia.it
To request access:
Version
Current Matomo version is 4.1.0
.
List of pending security issues to be applied
- 4.2.0
- A SuperUser (and only a SuperUser) is able to do remote-code-execution. Currently our Super-Users are very-trusted so no huge to update.
- https://matomo.org/changelog/matomo-4-2-0/
Overview
┌─────┐ ┌─────────────────┐ ┌───────────────┐ │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9000)│ └──┬──┘ └────────┬────────┘ └───────┬───────┘ │ request │ │ │<────────────────────>│ │ │ │ │ │ │ request │ │ │<─────────────────────────>│ ┌──┴──┐ ┌────────┴────────┐ ┌───────┴───────┐ │Alice│ │Apache (:80 :443)│ │PHP-FPM (:9000)│ └─────┘ └─────────────────┘ └───────────────┘
(refresh)
Filesystem
The whole application is in read-only (writable only by root
) but some files. See #Hardening.
Here a quick overview:
# ls -l /var/www/matomo/ total 12 drwxrwx--- 2 apache-matomo apache-matomo 4096 30 gen 09.36 session drwxrwx--- 2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp lrwxrwxrwx 1 root root 16 24 gen 22.24 www -> www-matomo.4.1.0 drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0
Here an overview of the parent directory.
# ls -l /var/www/matomo/www/ total 380 -rw-r--r-- 1 root root 91119 22 dic 06.05 CHANGELOG.md drwxr-xr-x 3 apache-matomo apache-matomo 4096 29 dic 21.27 config -rwxr-xr-x 1 root root 753 22 dic 06.05 console -rw-r--r-- 1 root root 929 22 dic 06.05 CONTRIBUTING.md drwxr-xr-x 51 root root 4096 29 dic 21.27 core -rw-r--r-- 1 root root 578 22 dic 06.05 DIObject.php -rw-r--r-- 1 root root 0 29 dic 21.26 favicon.ico -rw-r--r-- 1 root root 712 22 dic 06.05 index.php drwxr-xr-x 2 root root 4096 29 dic 21.27 js drwxr-xr-x 2 root root 4096 29 dic 21.27 lang -rw-r--r-- 1 root root 828 22 dic 06.05 LegacyAutoloader.php -rw-r--r-- 1 root root 8620 22 dic 06.05 LEGALNOTICE drwxr-xr-x 9 root root 4096 29 dic 21.27 libs -rw-r--r-- 1 root root 35146 22 dic 06.05 LICENSE -rw-r--r-- 1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js -rw-r--r-- 1 root root 328 22 dic 06.05 matomo.php drwxr-xr-x 8 root root 4096 6 gen 02.44 misc drwxr-xr-x 21 root root 4096 29 dic 21.27 node_modules -rw-r--r-- 1 root root 6381 22 dic 06.05 offline-service-worker.js -rw-r--r-- 1 root root 4601 22 dic 06.05 package-lock.json -rw-r--r-- 1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js -rw-r--r-- 1 root root 2685 22 dic 06.05 piwik.php drwxr-xr-x 69 root root 4096 29 dic 21.27 plugins -rw-r--r-- 1 root root 4617 22 dic 06.05 PRIVACY.md -rw-r--r-- 1 root root 5688 22 dic 06.05 README.md -rw-r--r-- 1 root root 744 22 dic 06.05 robots.txt -rw-r--r-- 1 root root 1174 22 dic 06.05 SECURITY.md drwxr-xr-x 2 root root 4096 22 dic 06.06 tests drwxrwx--- 10 apache-matomo apache-matomo 4096 29 dic 21.27 tmp drwxr-xr-x 23 root root 4096 29 dic 21.27 vendor
Admin
This is the admin panel:
The enabled users are listed in Matomo#Amministratori.
Configuration
Matomo configuration:
nano /var/www/matomo/www/config/config.ini.php
Apache configuration:
nano /etc/apache2/sites-enabled/it-wikimedia-matomo-ssl.conf nano /etc/apache2/sites-enabled/it-wikimedia-matomo-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf
Log
Check in.
tail -f /var/log/apache2
Service
To apply your changes you need to restart the services.
Service of the apache frontend webserver:
apache2ctl configtest apache2ctl graceful
Service of the PHP-FPM backend webserver:
systemctl status rh-php73-php-fpm systemctl restart rh-php73-php-fpm
Database
$ mysql matomo > SHOW TABLES; +---------------------------------------+ | Tables_in_matomo | +---------------------------------------+ | matomo_access | | matomo_archive_blob_2020_01 | | matomo_archive_blob_2020_12 | | matomo_archive_blob_2021_01 | | matomo_archive_blob_2021_02 | | matomo_archive_invalidations | | matomo_archive_numeric_2020_01 | | matomo_archive_numeric_2020_12 | | matomo_archive_numeric_2021_01 | | matomo_archive_numeric_2021_02 | | matomo_brute_force_log | | matomo_custom_dimensions | | matomo_goal | | matomo_locks | | matomo_log_action | | matomo_log_conversion | | matomo_log_conversion_item | | matomo_log_link_visit_action | | matomo_log_profiling | | matomo_log_visit | | matomo_logger_message | | matomo_option | | matomo_plugin_setting | | matomo_privacy_logdata_anonymizations | | matomo_report | | matomo_report_subscriptions | | matomo_segment | | matomo_sequence | | matomo_session | | matomo_site | | matomo_site_setting | | matomo_site_url | | matomo_tracking_failure | | matomo_twofactor_recovery_code | | matomo_user | | matomo_user_dashboard | | matomo_user_language | | matomo_user_token_auth | +---------------------------------------+ 38 rows in set (0.00 sec)ch
Maintenance
Enable maintenance:
a2ensite z_it-wikimedia-matomo-maintenance a2dissite it-wikimedia-matomo-txt a2dissite it-wikimedia-matomo-ssl apachectl graceful
Disable maintenance:
a2dissite z_it-wikimedia-matomo-maintenance a2ensite it-wikimedia-matomo-txt a2ensite it-wikimedia-matomo-ssl apachectl graceful
Matomo uses an SMTP account @wikimedia.it
with username noreply
.
See #Configuration.
See technical addresses.
You can change that from here:
https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings
Update
During an update try to do not use the web interface (because the application is in read-only on the filesystem) and download instead the new version in /var/www/matomo
.
To see it online just replace the /var/www/matomo/www
symbolic link.
Remember to copy the /config
inside your new Matomo.
Then follow the official guide.
https://matomo.org/docs/update/#the-manual-three-step-update
Security
List of volunteers that are subscribed in the official Matomo newsletter that also provides security info:
Hardening
Before any update you may have to restore write-mode:
# allow to write chown www-data: -R /var/www/matomo/www
After any update you should restore read-only mode:
# make read-only for everyone chown root: -R /var/www/matomo/www # make some directories writable by webserver chown www-data: -R /var/www/matomo/www/{js,config,tmp} # make some files writable by webserver chown www-data: /var/www/matomo/www/{piwik,matomo}.js
Cron
In /etc/cron.d/matomo-archive
there is a cron for the Archive process of Matomo:
10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log
Backups
The filesystem and the database are both covered by the standard backups of the server ⚙️ intreccio
. See its documentation.