Difference between revisions of "Matomo/Technical documentation"

From Wikimedia Italia.
(asd)
m (asd)
Riga 1: Riga 1:
 +
This page needs an update. The server is not fabula anymore.
 
{{Server|intreccio}}
 
{{Server|intreccio}}
 
Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
 
Brief documentation for system administrators of the [[Matomo]] instance in [https://www.wikimedia.it/ Wikimedia Italia].
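Review bot: the notice added at the top says the server is no longer fabula but does not name the replacement host or say which sections are now stale. If the `{{Server|intreccio}}` line just below it identifies the new host, say so in the notice so readers know which hostname to use. The edit summary "asd" also does not describe the change.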

Revision as of 15:13, 19 Jul 2021

This page needs an update. The server is not fabula anymore.

Brief documentation for system administrators of the Matomo instance in Wikimedia Italia.

Server access

ssh fabula.wikimedia.it

To request access:

Version

Current Matomo version is 4.1.0.

List of pending security issues to be applied

Overview

     ┌─────┐          ┌─────────────────┐          ┌───────────────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └──┬──┘          └────────┬────────┘          └───────┬───────┘
        │       request        │                           │        
        │<────────────────────>│                           │        
        │                      │                           │        
        │                      │         request           │        
        │                      │<─────────────────────────>│        
     ┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
     │Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
     └─────┘          └─────────────────┘          └───────────────┘


Filesystem

The whole application is read-only (writable only by root), except for some files. See #Hardening.

Here is a quick overview:

# ls -l /var/www/matomo/
total 12
drwxrwx---  2 apache-matomo apache-matomo 4096 30 gen 09.36 session
drwxrwx---  2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp
lrwxrwxrwx  1 root          root            16 24 gen 22.24 www -> www-matomo.4.1.0
drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0

Here is an overview of the application directory:

# ls -l /var/www/matomo/www/
total 380
-rw-r--r--  1 root          root          91119 22 dic 06.05 CHANGELOG.md
drwxr-xr-x  3 apache-matomo apache-matomo  4096 29 dic 21.27 config
-rwxr-xr-x  1 root          root            753 22 dic 06.05 console
-rw-r--r--  1 root          root            929 22 dic 06.05 CONTRIBUTING.md
drwxr-xr-x 51 root          root           4096 29 dic 21.27 core
-rw-r--r--  1 root          root            578 22 dic 06.05 DIObject.php
-rw-r--r--  1 root          root              0 29 dic 21.26 favicon.ico
-rw-r--r--  1 root          root            712 22 dic 06.05 index.php
drwxr-xr-x  2 root          root           4096 29 dic 21.27 js
drwxr-xr-x  2 root          root           4096 29 dic 21.27 lang
-rw-r--r--  1 root          root            828 22 dic 06.05 LegacyAutoloader.php
-rw-r--r--  1 root          root           8620 22 dic 06.05 LEGALNOTICE
drwxr-xr-x  9 root          root           4096 29 dic 21.27 libs
-rw-r--r--  1 root          root          35146 22 dic 06.05 LICENSE
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js
-rw-r--r--  1 root          root            328 22 dic 06.05 matomo.php
drwxr-xr-x  8 root          root           4096  6 gen 02.44 misc
drwxr-xr-x 21 root          root           4096 29 dic 21.27 node_modules
-rw-r--r--  1 root          root           6381 22 dic 06.05 offline-service-worker.js
-rw-r--r--  1 root          root           4601 22 dic 06.05 package-lock.json
-rw-r--r--  1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js
-rw-r--r--  1 root          root           2685 22 dic 06.05 piwik.php
drwxr-xr-x 69 root          root           4096 29 dic 21.27 plugins
-rw-r--r--  1 root          root           4617 22 dic 06.05 PRIVACY.md
-rw-r--r--  1 root          root           5688 22 dic 06.05 README.md
-rw-r--r--  1 root          root            744 22 dic 06.05 robots.txt
-rw-r--r--  1 root          root           1174 22 dic 06.05 SECURITY.md
drwxr-xr-x  2 root          root           4096 22 dic 06.06 tests
drwxrwx--- 10 apache-matomo apache-matomo  4096 29 dic 21.27 tmp
drwxr-xr-x 23 root          root           4096 29 dic 21.27 vendor

Admin

This is the admin panel:

The enabled users are listed in Matomo#Amministratori.

Configuration

Matomo configuration:

nano /var/www/matomo/www/config/config.ini.php

Apache configuration:

nano /etc/httpd/sites-enabled/it-wikimedia-matomo-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-matomo-txt.conf

PHP-FPM configuration:

nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf

To publish any change to Wikimedia Phabricator, run this:

/root/scripts/commit.sh

Log

Generic Apache error log:

tail -f /var/log/httpd/error_log

Generic Apache access log:

tail -f /var/log/httpd/access_log

Service

To apply your changes you need to restart the services.

Service of the Apache frontend web server:

apache2ctl configtest
apache2ctl graceful

Service of the PHP-FPM backend webserver:

systemctl status  rh-php73-php-fpm
systemctl restart rh-php73-php-fpm

Database

$ mysql matomo
> SHOW TABLES;
+---------------------------------------+
| Tables_in_matomo                      |
+---------------------------------------+
| matomo_access                         |
| matomo_archive_blob_2020_01           |
| matomo_archive_blob_2020_12           |
| matomo_archive_blob_2021_01           |
| matomo_archive_blob_2021_02           |
| matomo_archive_invalidations          |
| matomo_archive_numeric_2020_01        |
| matomo_archive_numeric_2020_12        |
| matomo_archive_numeric_2021_01        |
| matomo_archive_numeric_2021_02        |
| matomo_brute_force_log                |
| matomo_custom_dimensions              |
| matomo_goal                           |
| matomo_locks                          |
| matomo_log_action                     |
| matomo_log_conversion                 |
| matomo_log_conversion_item            |
| matomo_log_link_visit_action          |
| matomo_log_profiling                  |
| matomo_log_visit                      |
| matomo_logger_message                 |
| matomo_option                         |
| matomo_plugin_setting                 |
| matomo_privacy_logdata_anonymizations |
| matomo_report                         |
| matomo_report_subscriptions           |
| matomo_segment                        |
| matomo_sequence                       |
| matomo_session                        |
| matomo_site                           |
| matomo_site_setting                   |
| matomo_site_url                       |
| matomo_tracking_failure               |
| matomo_twofactor_recovery_code        |
| matomo_user                           |
| matomo_user_dashboard                 |
| matomo_user_language                  |
| matomo_user_token_auth                |
+---------------------------------------+
38 rows in set (0.00 sec)

Maintenance

Enable maintenance:

a2ensite  z_it-wikimedia-matomo-maintenance
a2dissite   it-wikimedia-matomo-txt
a2dissite   it-wikimedia-matomo-ssl
apachectl graceful

Disable maintenance:

a2dissite z_it-wikimedia-matomo-maintenance
a2ensite    it-wikimedia-matomo-txt
a2ensite    it-wikimedia-matomo-ssl
apachectl graceful

E-mail

Matomo uses an SMTP account @wikimedia.it with username noreply.

See #Configuration.

See technical addresses.

You can change that from here:

https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings

Update

During an update, avoid using the web interface (the application is read-only on the filesystem); instead, download the new version into /var/www/matomo.

To put it online, just replace the /var/www/matomo/www symbolic link.

Remember to copy the config directory into your new Matomo.

Then follow the official guide.

https://matomo.org/docs/update/#the-manual-three-step-update

Security

List of volunteers subscribed to the official Matomo newsletter, which also provides security information:

See #Update and #Version.

Hardening

Before any update you may have to restore write-mode:

# allow writes by the web server
chown www-data: -R /var/www/matomo/www

After any update you should restore read-only mode:

# make read-only for everyone
chown root: -R /var/www/matomo/www

# make some directories writable by webserver
chown www-data: -R /var/www/matomo/www/{js,config,tmp}

# make some files writable by webserver
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
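
A check to run after the chown sequence above, added here as an example and not part of the original page: it lists anything under the web root that is still owned by the web server user outside the writable exceptions named above (js, config, tmp, matomo.js, piwik.js). The function name is hypothetical; it assumes GNU find and follows the www symlink given on the command line.

```bash
#!/usr/bin/env bash
# Added example: audit the read-only layout described in #Hardening.
# Assumptions: GNU find; the web user is passed in (name or numeric uid).

# Print every path at or under ROOT that is owned by WEBUSER but is not one
# of the documented writable exceptions. The root directory itself is checked
# too, because whoever owns a directory can replace the entries inside it.
# Returns 0 when nothing unexpected is found, 1 otherwise.
audit_matomo_root() {
    local root="${1%/}" webuser="$2" unexpected
    # -H: follow ROOT if it is a symlink (www -> www-matomo.<version>)
    unexpected=$(find -H "$root" \
        \( -path "$root/js" -o -path "$root/config" -o -path "$root/tmp" \) -prune \
        -o \( -path "$root/matomo.js" -o -path "$root/piwik.js" \) -prune \
        -o -user "$webuser" -print)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Usage on the server (as root), after restoring read-only mode:
#   audit_matomo_root /var/www/matomo/www www-data
```

Any path it prints is one the web server user could modify even though the policy above says it should be root-owned.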

Cron

In /etc/cron.d/matomo-archive there is a cron job for the Matomo archive process:

10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log

Phabricator