Differences between revisions of "Matomo/Technical documentation"

From Wikimedia Italia.
(+template)
Riga 11: Riga 11:
  
 
* [[Infrastruttura#Contatti]]
 
* [[Infrastruttura#Contatti]]
 +
 +
== Version ==
 +
 +
Current Matomo version is <code>4.1.0</code>.
 +
 +
List of pending security issues to be applied
 +
 +
* 4.2.0
 +
*:A SuperUser (and only a SuperUser) is able to do remote-code-execution. Currently our Super-Users are very-trusted so no huge to update.
 +
*:https://matomo.org/changelog/matomo-4-2-0/
  
 
== Overview ==
 
== Overview ==
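
Review bot: in the added 4.2.0 entry, the rationale "Currently our Super-Users are very-trusted so no huge to update" is missing a word after "huge" (need? urgency?), and it defers a remote-code-execution fix on trust in the account holders alone. Trust in the people does not cover a SuperUser account being taken over, so I would record who is expected to apply 4.2.0 and by when, and update the <code>4.1.0</code> line in the same edit once that is done.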
Riga 212: Riga 222:
  
 
https://matomo.org/docs/update/#the-manual-three-step-update
 
https://matomo.org/docs/update/#the-manual-three-step-update
 +
 +
== Security ==
 +
 +
List of volunteers that are subscribed in the [https://matomo.org/newsletter/ official Matomo newsletter] that also provides security info:
 +
* [[User:Valerio Bozzolan]]
 +
* ...
 +
 +
See [[#Update]] and [[#Version]].
  
 
== Phabricator ==
 
== Phabricator ==
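
Review bot: the volunteer list under the new "== Security ==" heading ships with a literal "* ..." placeholder and a single name, so security announcements from the newsletter currently reach one person. Replace the placeholder with at least a second subscriber or drop the line, and change "subscribed in" to "subscribed to".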

Revision as of 09:58, 23 Feb 2021

Page related to the server ⚙️ fabula

Brief documentation for system administrators of the Matomo instance in Wikimedia Italia.

Server access

ssh fabula.wikimedia.it

To request access:

Version

Current Matomo version is 4.1.0.

List of pending security issues to be applied

Overview

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └─────┘          └─────────────────┘          └───────────────┘


Filesystem

The whole application is read-only (writable only by root), apart from piwik.js, matomo.js, tmp/, and config/.

# ls -l /var/www/matomo/
total 12
drwxrwx---  2 apache-matomo apache-matomo 4096 30 gen 09.36 session
drwxrwx---  2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp
lrwxrwxrwx  1 root          root            16 24 gen 22.24 www -> www-matomo.4.1.0
drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0

Here is an overview of the parent directory.

# ls -l /var/www/matomo/www/
total 380
-rw-r--r--  1 root          root          91119 22 dic 06.05 CHANGELOG.md
drwxr-xr-x  3 apache-matomo apache-matomo  4096 29 dic 21.27 config
-rwxr-xr-x  1 root          root            753 22 dic 06.05 console
-rw-r--r--  1 root          root            929 22 dic 06.05 CONTRIBUTING.md
drwxr-xr-x 51 root          root           4096 29 dic 21.27 core
-rw-r--r--  1 root          root            578 22 dic 06.05 DIObject.php
-rw-r--r--  1 root          root              0 29 dic 21.26 favicon.ico
-rw-r--r--  1 root          root            712 22 dic 06.05 index.php
drwxr-xr-x  2 root          root           4096 29 dic 21.27 js
drwxr-xr-x  2 root          root           4096 29 dic 21.27 lang
-rw-r--r--  1 root          root            828 22 dic 06.05 LegacyAutoloader.php
-rw-r--r--  1 root          root           8620 22 dic 06.05 LEGALNOTICE
drwxr-xr-x  9 root          root           4096 29 dic 21.27 libs
-rw-r--r--  1 root          root          35146 22 dic 06.05 LICENSE
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js
-rw-r--r--  1 root          root            328 22 dic 06.05 matomo.php
drwxr-xr-x  8 root          root           4096  6 gen 02.44 misc
drwxr-xr-x 21 root          root           4096 29 dic 21.27 node_modules
-rw-r--r--  1 root          root           6381 22 dic 06.05 offline-service-worker.js
-rw-r--r--  1 root          root           4601 22 dic 06.05 package-lock.json
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js
-rw-r--r--  1 root          root           2685 22 dic 06.05 piwik.php
drwxr-xr-x 69 root          root           4096 29 dic 21.27 plugins
-rw-r--r--  1 root          root           4617 22 dic 06.05 PRIVACY.md
-rw-r--r--  1 root          root           5688 22 dic 06.05 README.md
-rw-r--r--  1 root          root            744 22 dic 06.05 robots.txt
-rw-r--r--  1 root          root           1174 22 dic 06.05 SECURITY.md
drwxr-xr-x  2 root          root           4096 22 dic 06.06 tests
drwxrwx--- 10 apache-matomo apache-matomo  4096 29 dic 21.27 tmp
drwxr-xr-x 23 root          root           4096 29 dic 21.27 vendor
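
One way to check the permission model described in this section, as an added example that is not part of the original page or of Matomo: it reports every path outside the four stated exceptions that is not owned by the trusted owner or is writable by group/others. The function names and the sample tree are assumptions made for illustration; on the server it would be run as root against /var/www/matomo/www.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page. Lists every path in a Matomo release
# directory that breaks the rule "read-only except piwik.js, matomo.js, tmp/
# and config/". Usage: audit_matomo_tree DIR [TRUSTED_OWNER]  (default: root)
audit_matomo_tree() {
    local root="${1:?release directory required}" owner="${2:-root}" findings
    root="${root%/}"
    # Finding = outside the allowlist AND (not owned by the trusted owner OR
    # writable by group/others). The top-level directory is checked as well:
    # write access to a directory allows replacing the entries inside it,
    # whoever owns them. Symlinks are skipped, their mode bits mean nothing.
    findings=$(find -H "$root" \
        \( -path "$root/tmp" -o -path "$root/config" \) -prune -o \
        ! -path "$root/piwik.js" ! -path "$root/matomo.js" ! -type l \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print | sort)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree (not the real server) with two deliberate violations.
build_sample_tree() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/core" "$d/plugins" "$d/config" "$d/tmp/cache"
    touch "$d/index.php" "$d/core/Piwik.php" "$d/matomo.js" "$d/piwik.js" \
          "$d/config/config.ini.php" "$d/tmp/cache/tracker.php"
    chmod -R go-w "$d"
    chmod g+w "$d/tmp" "$d/matomo.js" "$d/piwik.js"   # permitted exceptions
    chmod g+w "$d/plugins"                            # violation: directory
    chmod o+w "$d/core/Piwik.php"                     # violation: file
    printf '%s\n' "$d"
}
```

The function exits with status 1 when it prints findings, so it can gate a deployment step or a cron check.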

Admin

This is the admin panel:

The enabled users are listed in Matomo#Amministratori.

Configuration

Matomo configuration:

nano /var/www/matomo/www/config/config.ini.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-matomo-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-matomo-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf

To publish any change to Wikimedia Phabricator, run this:

/root/scripts/commit.sh

Log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Service of the apache frontend webserver:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql matomo
> SHOW TABLES;
+---------------------------------------+
| Tables_in_matomo                      |
+---------------------------------------+
| matomo_access                         |
| matomo_archive_blob_2020_01           |
| matomo_archive_blob_2020_12           |
| matomo_archive_blob_2021_01           |
| matomo_archive_blob_2021_02           |
| matomo_archive_invalidations          |
| matomo_archive_numeric_2020_01        |
| matomo_archive_numeric_2020_12        |
| matomo_archive_numeric_2021_01        |
| matomo_archive_numeric_2021_02        |
| matomo_brute_force_log                |
| matomo_custom_dimensions              |
| matomo_goal                           |
| matomo_locks                          |
| matomo_log_action                     |
| matomo_log_conversion                 |
| matomo_log_conversion_item            |
| matomo_log_link_visit_action          |
| matomo_log_profiling                  |
| matomo_log_visit                      |
| matomo_logger_message                 |
| matomo_option                         |
| matomo_plugin_setting                 |
| matomo_privacy_logdata_anonymizations |
| matomo_report                         |
| matomo_report_subscriptions           |
| matomo_segment                        |
| matomo_sequence                       |
| matomo_session                        |
| matomo_site                           |
| matomo_site_setting                   |
| matomo_site_url                       |
| matomo_tracking_failure               |
| matomo_twofactor_recovery_code        |
| matomo_user                           |
| matomo_user_dashboard                 |
| matomo_user_language                  |
| matomo_user_token_auth                |
+---------------------------------------+
38 rows in set (0.00 sec)

Unix

There is a dedicated Unix user able to read secret configurations and write some logs.

# id apache-matomo
uid=1435(apache-matomo) gid=1435(apache-matomo) groups=1435(apache-matomo),48(apache)

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

Update

During an update, do not use the web interface (the application is read-only on the filesystem); instead, download the new version into /var/www/matomo.

To put it online, just replace the /var/www/matomo/www symbolic link so that it points to the new version.

Remember to copy the config/ directory into your new Matomo.

Then follow the official guide.

https://matomo.org/docs/update/#the-manual-three-step-update
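
The link replacement and configuration copy described above, as an added example that is not part of the original page or of Matomo. It assumes the new release is already unpacked as www-matomo.VERSION (the naming visible in the directory listing), that GNU coreutils is available for `mv -T`, and that config.ini.php is the site-specific part of config/ to carry over; the function name is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page.
# Usage: switch_matomo_release BASE VERSION
#   e.g. switch_matomo_release /var/www/matomo <new-version>
switch_matomo_release() {
    local base="${1:?base directory required}" version="${2:?version required}"
    local new="www-matomo.$version" old
    [ -d "$base/$new" ] || { echo "missing $base/$new" >&2; return 1; }
    [ -L "$base/www" ] || { echo "$base/www is not a symlink" >&2; return 1; }
    old=$(readlink "$base/www")
    [ "$old" != "$new" ] || { echo "already on $new" >&2; return 1; }
    [ -f "$base/$old/config/config.ini.php" ] \
        || { echo "no config.ini.php in $old" >&2; return 1; }

    # Carry the live configuration over with its mode (and, as root, its
    # owner) preserved, so the secrets it holds are never world-readable.
    mkdir -p "$base/$new/config"
    cp -p "$base/$old/config/config.ini.php" "$base/$new/config/"

    # Create the new link under a temporary name and rename it over "www".
    # The rename is atomic: no request ever sees a missing document root,
    # which is what happens between the two steps of "rm www; ln -s ...".
    ln -sfn "$new" "$base/www.next"
    mv -T "$base/www.next" "$base/www"

    # Print the previous target; pointing "www" back at it is the rollback.
    printf '%s\n' "$old"
}
```

Ownership of piwik.js, matomo.js, tmp/ and config/ in the new directory still has to be set as described in the Filesystem section before the switch.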

Security

List of volunteers subscribed to the official Matomo newsletter, which also provides security info:

See #Update and #Version.

Phabricator