Differences between revisions of "Matomo/Technical documentation"

From Wikimedia Italia.
(→‎Hardening: Before any update)
(+#Cron)
Riga 270: Riga 270:
 
# make some files writable by webserver
 
# make some files writable by webserver
 
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
 
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
 +
</pre>
 +
 +
== Cron ==
 +
 +
In <code>/etc/cron.d/matomo-archive</code> there is a cron for the Archive process of Matomo:
 +
 +
<pre>
 +
10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log
 
</pre>
 
</pre>
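
Review bot: the new cron entry redirects with a single `>`, so every hourly run truncates /var/www/matomo/log/matomo-archive.log and only stdout is captured; anything core:archive writes to stderr never reaches the file. Consider `>> /var/www/matomo/log/matomo-archive.log 2>&1` together with log rotation, and note in the text that /var/www/matomo/log must be writable by www-data, because the redirection is opened as the user named in the cron line.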
  

Revision as of 10:14, 20 May 2021

Page related to the server ⚙️ fabula

Brief documentation for system administrators of the Matomo instance in Wikimedia Italia.

Server access

ssh fabula.wikimedia.it

To request access:

Version

Current Matomo version is 4.1.0.

List of pending security issues to be applied

Overview

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └─────┘          └─────────────────┘          └───────────────┘


Filesystem

The whole application is read-only (writable only by root), except for some files. See #Hardening.

Here is a quick overview:

# ls -l /var/www/matomo/
total 12
drwxrwx---  2 apache-matomo apache-matomo 4096 30 gen 09.36 session
drwxrwx---  2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp
lrwxrwxrwx  1 root          root            16 24 gen 22.24 www -> www-matomo.4.1.0
drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0

Here is an overview of the parent directory:

# ls -l /var/www/matomo/www/
total 380
-rw-r--r--  1 root          root          91119 22 dic 06.05 CHANGELOG.md
drwxr-xr-x  3 apache-matomo apache-matomo  4096 29 dic 21.27 config
-rwxr-xr-x  1 root          root            753 22 dic 06.05 console
-rw-r--r--  1 root          root            929 22 dic 06.05 CONTRIBUTING.md
drwxr-xr-x 51 root          root           4096 29 dic 21.27 core
-rw-r--r--  1 root          root            578 22 dic 06.05 DIObject.php
-rw-r--r--  1 root          root              0 29 dic 21.26 favicon.ico
-rw-r--r--  1 root          root            712 22 dic 06.05 index.php
drwxr-xr-x  2 root          root           4096 29 dic 21.27 js
drwxr-xr-x  2 root          root           4096 29 dic 21.27 lang
-rw-r--r--  1 root          root            828 22 dic 06.05 LegacyAutoloader.php
-rw-r--r--  1 root          root           8620 22 dic 06.05 LEGALNOTICE
drwxr-xr-x  9 root          root           4096 29 dic 21.27 libs
-rw-r--r--  1 root          root          35146 22 dic 06.05 LICENSE
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js
-rw-r--r--  1 root          root            328 22 dic 06.05 matomo.php
drwxr-xr-x  8 root          root           4096  6 gen 02.44 misc
drwxr-xr-x 21 root          root           4096 29 dic 21.27 node_modules
-rw-r--r--  1 root          root           6381 22 dic 06.05 offline-service-worker.js
-rw-r--r--  1 root          root           4601 22 dic 06.05 package-lock.json
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js
-rw-r--r--  1 root          root           2685 22 dic 06.05 piwik.php
drwxr-xr-x 69 root          root           4096 29 dic 21.27 plugins
-rw-r--r--  1 root          root           4617 22 dic 06.05 PRIVACY.md
-rw-r--r--  1 root          root           5688 22 dic 06.05 README.md
-rw-r--r--  1 root          root            744 22 dic 06.05 robots.txt
-rw-r--r--  1 root          root           1174 22 dic 06.05 SECURITY.md
drwxr-xr-x  2 root          root           4096 22 dic 06.06 tests
drwxrwx--- 10 apache-matomo apache-matomo  4096 29 dic 21.27 tmp
drwxr-xr-x 23 root          root           4096 29 dic 21.27 vendor

Admin

This is the admin panel:

The enabled users are listed in Matomo#Amministratori.

Configuration

Matomo configuration:

nano /var/www/matomo/www/config/config.ini.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-matomo-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-matomo-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf

To publish any change to Wikimedia Phabricator, run this:

/root/scripts/commit.sh

Log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Service of the apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql matomo
> SHOW TABLES;
+---------------------------------------+
| Tables_in_matomo                      |
+---------------------------------------+
| matomo_access                         |
| matomo_archive_blob_2020_01           |
| matomo_archive_blob_2020_12           |
| matomo_archive_blob_2021_01           |
| matomo_archive_blob_2021_02           |
| matomo_archive_invalidations          |
| matomo_archive_numeric_2020_01        |
| matomo_archive_numeric_2020_12        |
| matomo_archive_numeric_2021_01        |
| matomo_archive_numeric_2021_02        |
| matomo_brute_force_log                |
| matomo_custom_dimensions              |
| matomo_goal                           |
| matomo_locks                          |
| matomo_log_action                     |
| matomo_log_conversion                 |
| matomo_log_conversion_item            |
| matomo_log_link_visit_action          |
| matomo_log_profiling                  |
| matomo_log_visit                      |
| matomo_logger_message                 |
| matomo_option                         |
| matomo_plugin_setting                 |
| matomo_privacy_logdata_anonymizations |
| matomo_report                         |
| matomo_report_subscriptions           |
| matomo_segment                        |
| matomo_sequence                       |
| matomo_session                        |
| matomo_site                           |
| matomo_site_setting                   |
| matomo_site_url                       |
| matomo_tracking_failure               |
| matomo_twofactor_recovery_code        |
| matomo_user                           |
| matomo_user_dashboard                 |
| matomo_user_language                  |
| matomo_user_token_auth                |
+---------------------------------------+
38 rows in set (0.00 sec)

Maintenance

Enable maintenance:

a2ensite  z_it-wikimedia-matomo-maintenance
a2dissite   it-wikimedia-matomo-txt
a2dissite   it-wikimedia-matomo-ssl
apachectl graceful

Disable maintenance:

a2dissite z_it-wikimedia-matomo-maintenance
a2ensite    it-wikimedia-matomo-txt
a2ensite    it-wikimedia-matomo-ssl
apachectl graceful

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

You can change that from here:

https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings

Update

During an update, avoid using the web interface (the application is read-only on the filesystem); instead, download the new version into /var/www/matomo.

To put it online, just replace the /var/www/matomo/www symbolic link.

Remember to copy the /config directory into your new Matomo.

Then follow the official guide.

https://matomo.org/docs/update/#the-manual-three-step-update
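
The config copy and symlink replacement from the steps above, as an added example (not part of the original page). `switch_release` is a hypothetical helper, the release directory name is a placeholder, the `www` link is assumed to hold a relative target as in the listing under Filesystem, and `mv -T` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example (not from the original page).
# switch_release BASE NEW_DIR
#   BASE     directory holding the releases and the "www" symlink
#   NEW_DIR  name of the already unpacked new release inside BASE (placeholder)
# Prints the previous link target so the switch can be rolled back.
switch_release() {
    base=${1%/}
    new=$2

    [ -L "$base/www" ] || { echo "no www symlink in $base" >&2; return 1; }
    [ -d "$base/$new" ] || { echo "missing release $base/$new" >&2; return 1; }

    # Assumption: the link target is relative to BASE (www -> www-matomo.X.Y.Z)
    old=$(readlink "$base/www")
    [ "$old" != "$new" ] || { echo "www already points to $new" >&2; return 1; }
    [ -d "$base/$old/config" ] || { echo "no config in $base/$old" >&2; return 1; }

    # Carry the live configuration over; -p keeps owner and mode when run as root
    mkdir -p "$base/$new/config" || return 1
    cp -Rp "$base/$old/config/." "$base/$new/config/" || return 1

    # Create the new link beside the old one, then rename it over the old link.
    # rename(2) is atomic, so a request never sees a missing "www".
    rm -f "$base/www.new"
    ln -s "$new" "$base/www.new" || return 1
    mv -T "$base/www.new" "$base/www" || return 1

    echo "$old"
}

# Run only when called with both arguments, e.g.:
#   sh switch.sh /var/www/matomo www-matomo.X.Y.Z
if [ "$#" -eq 2 ]; then
    switch_release "$@"
fi
```

To roll back, call the function again with the printed previous target as NEW_DIR.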

Security

List of volunteers subscribed to the official Matomo newsletter, which also provides security information:

See #Update and #Version.

Hardening

Before any update you may have to restore write-mode:

# allow writes
chown www-data: -R /var/www/matomo/www

After any update you should restore read-only mode:

# make read-only for everyone
chown root: -R /var/www/matomo/www

# make some directories writable by webserver
chown www-data: -R /var/www/matomo/www/{js,config,tmp}

# make some files writable by webserver
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
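
One way to verify the layout after running the commands above, as an added example (not part of the original page). `audit_matomo_tree` is a hypothetical helper; it lists every path outside the writable set that is not owned by the expected user, is group-writable for another group, or is world-writable.

```sh
#!/bin/sh
# Added example (not from the original page).
# audit_matomo_tree ROOT [USER] [GROUP]
#   ROOT   application directory (on the page: /var/www/matomo/www)
#   USER   expected owner of read-only paths (default: root)
#   GROUP  group allowed to keep group-write (default: root)
# Writable set taken from the Hardening commands:
#   js/ config/ tmp/ piwik.js matomo.js
audit_matomo_tree() {
    root=${1%/}
    user=${2:-root}
    group=${3:-root}

    # -H follows ROOT itself when it is a symlink (www -> www-matomo.X.Y.Z).
    # The writable set is pruned, so nothing inside it is reported.
    # Symlinks are skipped because their mode bits are always 777.
    find -H "$root" \
        \( -path "$root/js" -o -path "$root/config" -o -path "$root/tmp" \
           -o -path "$root/piwik.js" -o -path "$root/matomo.js" \) -prune \
        -o ! -type l \
           \( ! -user "$user" \
              -o \( -perm -020 ! -group "$group" \) \
              -o -perm -002 \) -print
}

# Run only when a directory is given, e.g.:
#   sh audit.sh /var/www/matomo/www
if [ "$#" -gt 0 ]; then
    audit_matomo_tree "$@"
fi
```

An empty result means only the five listed paths can be modified by a non-root account.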

Cron

In /etc/cron.d/matomo-archive there is a cron job for the Matomo archive process:

10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log

Phabricator