Matomo/Technical documentation
This page needs an update. The server is not fabula anymore.
Brief documentation for system administrators of the Matomo instance in Wikimedia Italia.
Server access
ssh fabula.wikimedia.it
To request access:
Version
Current Matomo version is 4.1.0.
List of pending security fixes to be applied:
- 4.2.0
- A SuperUser (and only a SuperUser) is able to perform remote code execution. Our SuperUsers are currently highly trusted, so there is no great urgency to update.
- https://matomo.org/changelog/matomo-4-2-0/
Overview
┌─────┐          ┌─────────────────┐          ┌───────────────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
└──┬──┘          └────────┬────────┘          └───────┬───────┘
   │       request        │                           │
   │<────────────────────>│                           │
   │                      │                           │
   │                      │          request          │
   │                      │<─────────────────────────>│
┌──┴──┐          ┌────────┴────────┐          ┌───────┴───────┐
│Alice│          │Apache (:80 :443)│          │PHP-FPM (:9000)│
└─────┘          └─────────────────┘          └───────────────┘
Filesystem
The whole application is read-only (writable only by root), except for some files. See #Hardening.
Here is a quick overview:
# ls -l /var/www/matomo/
total 12
drwxrwx--- 2 apache-matomo apache-matomo 4096 30 gen 09.36 session
drwxrwx--- 2 apache-matomo apache-matomo 4096 23 dic 13.39 tmp
lrwxrwxrwx 1 root root 16 24 gen 22.24 www -> www-matomo.4.1.0
drwxrwxr-x 13 apache-matomo apache-matomo 4096 30 dic 11.24 www-matomo.4.1.0
Here is an overview of the parent directory.
# ls -l /var/www/matomo/www/
total 380
-rw-r--r-- 1 root root 91119 22 dic 06.05 CHANGELOG.md
drwxr-xr-x 3 apache-matomo apache-matomo 4096 29 dic 21.27 config
-rwxr-xr-x 1 root root 753 22 dic 06.05 console
-rw-r--r-- 1 root root 929 22 dic 06.05 CONTRIBUTING.md
drwxr-xr-x 51 root root 4096 29 dic 21.27 core
-rw-r--r-- 1 root root 578 22 dic 06.05 DIObject.php
-rw-r--r-- 1 root root 0 29 dic 21.26 favicon.ico
-rw-r--r-- 1 root root 712 22 dic 06.05 index.php
drwxr-xr-x 2 root root 4096 29 dic 21.27 js
drwxr-xr-x 2 root root 4096 29 dic 21.27 lang
-rw-r--r-- 1 root root 828 22 dic 06.05 LegacyAutoloader.php
-rw-r--r-- 1 root root 8620 22 dic 06.05 LEGALNOTICE
drwxr-xr-x 9 root root 4096 29 dic 21.27 libs
-rw-r--r-- 1 root root 35146 22 dic 06.05 LICENSE
-rw-r--r-- 1 apache-matomo apache-matomo 61980 22 dic 06.05 matomo.js
-rw-r--r-- 1 root root 328 22 dic 06.05 matomo.php
drwxr-xr-x 8 root root 4096 6 gen 02.44 misc
drwxr-xr-x 21 root root 4096 29 dic 21.27 node_modules
-rw-r--r-- 1 root root 6381 22 dic 06.05 offline-service-worker.js
-rw-r--r-- 1 root root 4601 22 dic 06.05 package-lock.json
-rw-r--r-- 1 apache-matomo apache-matomo 61980 22 dic 06.05 piwik.js
-rw-r--r-- 1 root root 2685 22 dic 06.05 piwik.php
drwxr-xr-x 69 root root 4096 29 dic 21.27 plugins
-rw-r--r-- 1 root root 4617 22 dic 06.05 PRIVACY.md
-rw-r--r-- 1 root root 5688 22 dic 06.05 README.md
-rw-r--r-- 1 root root 744 22 dic 06.05 robots.txt
-rw-r--r-- 1 root root 1174 22 dic 06.05 SECURITY.md
drwxr-xr-x 2 root root 4096 22 dic 06.06 tests
drwxrwx--- 10 apache-matomo apache-matomo 4096 29 dic 21.27 tmp
drwxr-xr-x 23 root root 4096 29 dic 21.27 vendor
Admin
This is the admin panel:
The enabled users are listed in Matomo#Amministratori.
Configuration
Matomo configuration:
nano /var/www/matomo/www/config/config.ini.php
Apache configuration:
nano /etc/httpd/sites-enabled/it-wikimedia-matomo-ssl.conf
nano /etc/httpd/sites-enabled/it-wikimedia-matomo-txt.conf
PHP-FPM configuration:
nano /etc/opt/rh/rh-php73/php-fpm.d/9000-matomo.conf
To publish any change to Wikimedia Phabricator, run this:
/root/scripts/commit.sh
Log
Generic Apache error log:
tail -f /var/log/httpd/error_log
Generic Apache access log:
tail -f /var/log/httpd/access_log
Service
To apply your changes you need to restart the services.
Service of the Apache frontend webserver:
apache2ctl configtest
apache2ctl graceful
Service of the PHP-FPM backend webserver:
systemctl status rh-php73-php-fpm
systemctl restart rh-php73-php-fpm
Database
$ mysql matomo
> SHOW TABLES;
+---------------------------------------+
| Tables_in_matomo                      |
+---------------------------------------+
| matomo_access                         |
| matomo_archive_blob_2020_01           |
| matomo_archive_blob_2020_12           |
| matomo_archive_blob_2021_01           |
| matomo_archive_blob_2021_02           |
| matomo_archive_invalidations          |
| matomo_archive_numeric_2020_01        |
| matomo_archive_numeric_2020_12        |
| matomo_archive_numeric_2021_01        |
| matomo_archive_numeric_2021_02        |
| matomo_brute_force_log                |
| matomo_custom_dimensions              |
| matomo_goal                           |
| matomo_locks                          |
| matomo_log_action                     |
| matomo_log_conversion                 |
| matomo_log_conversion_item            |
| matomo_log_link_visit_action          |
| matomo_log_profiling                  |
| matomo_log_visit                      |
| matomo_logger_message                 |
| matomo_option                         |
| matomo_plugin_setting                 |
| matomo_privacy_logdata_anonymizations |
| matomo_report                         |
| matomo_report_subscriptions           |
| matomo_segment                        |
| matomo_sequence                       |
| matomo_session                        |
| matomo_site                           |
| matomo_site_setting                   |
| matomo_site_url                       |
| matomo_tracking_failure               |
| matomo_twofactor_recovery_code        |
| matomo_user                           |
| matomo_user_dashboard                 |
| matomo_user_language                  |
| matomo_user_token_auth                |
+---------------------------------------+
38 rows in set (0.00 sec)
Maintenance
Enable maintenance:
a2ensite z_it-wikimedia-matomo-maintenance
a2dissite it-wikimedia-matomo-txt
a2dissite it-wikimedia-matomo-ssl
apachectl graceful
Disable maintenance:
a2dissite z_it-wikimedia-matomo-maintenance
a2ensite it-wikimedia-matomo-txt
a2ensite it-wikimedia-matomo-ssl
apachectl graceful
Matomo uses an SMTP account @wikimedia.it with username noreply.
See #Configuration.
See technical addresses.
You can change that from here:
https://matomo.wikimedia.it/index.php?module=CoreAdminHome&action=generalSettings
Update
During an update, try not to use the web interface (because the application is read-only on the filesystem); instead, download the new version into /var/www/matomo.
To put it online, just replace the /var/www/matomo/www symbolic link.
Remember to copy the /config directory into your new Matomo.
Then follow the official guide.
https://matomo.org/docs/update/#the-manual-three-step-update
Security
List of volunteers subscribed to the official Matomo newsletter, which also provides security information:
Hardening
Before any update you may have to restore write-mode:
# allow to write
chown www-data: -R /var/www/matomo/www
After any update you should restore read-only mode:
# make read-only for everyone
chown root: -R /var/www/matomo/www
# make some directories writable by webserver
chown www-data: -R /var/www/matomo/www/{js,config,tmp}
# make some files writable by webserver
chown www-data: /var/www/matomo/www/{piwik,matomo}.js
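The ownership model above can be verified after each update. The following shell function is an added example, not part of the original page or of the instance's own scripts: it lists every path under the application directory that the webserver user owns, or that is world-writable, outside the set made writable above. The function name audit_matomo_owner is hypothetical; the allow-list is copied from the chown commands in this section.

```shell
#!/bin/sh
# Added example, not the site's own script. The allow-list below is the set
# of paths the Hardening commands hand back to the webserver user.

# audit_matomo_owner ROOT WEBUSER   (hypothetical helper name)
# Prints, relative to ROOT, every path that WEBUSER owns or that is
# world-writable, unless it is inside the allow-list.
# Returns 0 if nothing unexpected was found, 1 otherwise.
audit_matomo_owner() {
    root=${1%/}
    webuser=$2
    # -H: ROOT may itself be a symlink (www -> www-matomo.X.Y.Z); resolve it.
    # Symlinks always show mode 777, so they are excluded from the -perm test.
    find -H "$root" \( -user "$webuser" -o \( ! -type l -perm -0002 \) \) -print |
    (
        status=0
        while IFS= read -r path; do
            rel=${path#"$root"}
            rel=${rel#/}
            case "$rel" in
                js|js/*|config|config/*|tmp|tmp/*|piwik.js|matomo.js)
                    ;;                          # expected to be writable
                *)
                    printf '%s\n' "${rel:-.}"   # "." stands for ROOT itself
                    status=1
                    ;;
            esac
        done
        exit "$status"
    )
}

# When run as a script with two arguments, audit that tree directly.
if [ "$#" -eq 2 ]; then audit_matomo_owner "$1" "$2"; fi
```

Called as audit_matomo_owner /var/www/matomo/www www-data, empty output and exit status 0 mean the tree matches the hardening commands.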
Cron
In /etc/cron.d/matomo-archive there is a cron job for the Matomo archive process:
10 * * * * www-data /usr/bin/php /var/www/matomo/www/console core:archive --url=https://matomo.wikimedia.it/ > /var/www/matomo/log/matomo-archive.log
Phabricator
- phabricator:search - search recent activity
- phabricator:diffusion/WIIN/browse/master/servers/fabula/projects/matomo/ - public configuration