matomo

Introduction

This is a short and straightforward guide on installing Matomo on servers running Ubuntu 20.04.

We will describe which terminal commands should be used for the first part of the Matomo installation, while you will complete the next part via the web interface.

Prerequisites

You can find the instructions related to the configuration on the Matomo website.

You must install the following packages on the server - unless they are already installed:

  1. PHP version 7.2.5 or higher;
  2. MySQL version 5.5 or higher or MariaDB;
  3. NGINX.

Finally, you need a domain name (e.g.: matomo.domain.com).

1. Verifying that the Ubuntu 20.04 server is up to date

Once logged in via SSH to the server, check for any updates:

sudo apt update
sudo apt upgrade

Install some dependencies (if they are not already installed on the server):

apt install curl wget unzip gnupg2 -y

2. Install the necessary packages

If you don’t have the packages listed under prerequisites already installed on your server, proceed with their installation as follows:

We propose two solutions depending on whether you want to install MySQL or MariaDB to create the database. We point out that these are two different solutions, where MySQL was the first to be developed in 1995, while MariaDB is a fork of MySQL developed in 2009. On the Internet, you can find several contributions comparing the two solutions.

In our case, we will use MariaDB.

And therefore, for installation purposes, opt for one of the following solutions that are alternatives to each other:

  1. For the database to be created if you want to install MYSQL only, proceed as follows:
apt install nginx mysql-server php7.4 php7.4-cli php7.4-fpm php7.4-common php7.4-curl php7.4-gd php7.4-xml php7.4-mbstring php7.4-mysql -y
  1. For the database you will need to create if you want to install only MariaDB, proceed as follows:
apt install nginx mariadb-server php7.4 php7.4-cli php7.4-fpm php7.4-common php7.4-curl php7.4-gd php7.4-xml php7.4-mbstring php7.4-mysql -y

3. Create the database

Access MySQL or MariaDB - without setting a password - with the following command:

sudo mysql -u root

After typing the command above, you will be presented with a prompt as follows:

MariaDB [(none)]>

If it were MySQL, you would have

mysql>

Then, proceed to create the database as follows:

CREATE DATABASE matomo;

Then you have to create user and password as follows, deciding - if you want - to change matomoadmin with another username (it will be the one used to access the database), but replace strongpassword with the password that the system will use to access the Matomo database.

CREATE USER 'matomoadmin'@'localhost' IDENTIFIED BY 'strongpassword';

Then, you have to grant the created user (assuming he intends to leave matomoadmin, otherwise change to the chosen username) full access to the database like this:

GRANT ALL ON matomo.* TO 'matomoadmin'@'localhost';

Save the settings as follows:

FLUSH PRIVILEGES;

Exit the MariaDB or MySQL shell by typing:

exit;

4. Installing Matomo

Before installing Matomo, run these commands on the server:

Move to the folder where you will install Matomo:

cd /var/www/

then, with the command wget we download the file “matomo.zip” by typing the link present on the Matomo installation page, and then we unzip the file:

wget https://builds.matomo.org/matomo.zip && unzip matomo.zip

The “matomo.zip” file will be downloaded and then automatically unzipped into the “matomo” folder, which will be in /var/www/

In fact, by typing

ls -la

You will see the folder “matomo” which will be in /var/www/matomo/

At this point, you will have to assign ownership to the user “www-data” for the folder “matomo” as follows

sudo chown -R www-data:www-data /var/www/matomo

Change the permissions for accessing the “matomo” folder as follows

sudo chmod -R 755 /var/www/matomo

5. Configuring NGINX with a domain name

You must create an NGINX configuration file for proper addressing if you have a domain name.

On the Matomo website at this page, clicking on Nginx, you will direct to a GitHub page where you can download the NGINX configuration file.

Then, on the server, move to the NGINX sites-available folder as follows

cd /etc/nginx/sites-available/

Create a file to which we will give the name “domainname.conf” as follows

nano nomeadominio.conf

Create a file to which we will give the name “domainname.conf” as follows

server {
    listen [::]:80; # remove this if you don't want Matomo to be reachable from IPv6
    listen 80;
    server_name matomo.domainname.com;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen [::]:443 ssl http2; # remove this if you don't want Matomo to be reachable from IPv6
    listen 443 ssl http2;
    server_name matomo.domainname.com; # list all domains Matomo should be reachable from
    access_log /var/log/nginx/matomo.access.log;
    error_log /var/log/nginx/matomo.error.log;

    ## uncomment if you want to enable HSTS with 6 months cache
    ## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore)
    #add_header Strict-Transport-Security max-age=15768000 always;

    ## replace with your SSL certificate
    ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;

    # include ssl.conf; # if you want to support older browsers, please read through this file

    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    root /var/www/matomo/; # replace with path to your matomo instance

    index index.php;

    ## only allow accessing the following php files
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
        include snippets/fastcgi-php.conf; # if your Nginx setup doesn't come with a default fastcgi-php config, you can fetch it from https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf
        #try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file
        #fastcgi_pass 127.0.0.1:9000; # uncomment if you are using PHP via TCP sockets (e.g. Docker container)
    }

    
    ## deny access to all other .php files
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }

    ## serve all other files normally
    location / {
        try_files $uri $uri/ =404;
    }

    ## disable all access to the following directories
    location ~ ^/(config|tmp|core|lang) {
        deny all;
        return 403; # replace with 404 to not show these directories exist
    }

    location ~ /\.ht {
        deny  all;
        return 403;
    }

    location ~ js/container_.*_preview\.js$ {
        expires off;
        add_header Cache-Control 'private, no-cache, no-store';
    }

    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        ## Cache images,CSS,JS and webfonts for an hour
        ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location ~ ^/(libs|vendor|plugins|misc|node_modules) {
        deny all;
        return 403;
    }

    ## properly display textfiles in root directory
    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
        default_type text/plain;
    }
}
# vim: filetype=nginx

Once pasted, close the editor with Ctrl+X and type Y to save the file.

To verify that the configuration of the file is correct, type

nginx -t

If we get the following answer

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

It means that the configuration is correct. In this case, we can create the link in the folder /etc/nginx/sites-enabled/ highlighting that “nomeadominio.conf” is the name of the chosen Nginx configuration end.

Then we will type

ln -s /etc/nginx/sites-enabled/nomeadominio.conf /etc/nginx/sites-available/nomeadominio.conf

At this point, we restart Nginx with

systemctl restart nginx

6. Installing SSL certificate with Let’s Encrypt

To get a connection to matomo.domainname.com with HTTPS protocol, we install an SSL certificate with certbot as follows:

certbot --nginx

At this point, follow the indications that appear in the terminal, paying attention to choose the item that corresponds to the domain name (we had exemplified with “matomo.domainname.com” and then choose No. 2, namely:

2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you’re confident your site works on HTTPS. You can undo this change by editing your web server’s configuration.”.

7. Complete the installation with the browser

At this point, open the browser and type in the address bar the domain name we had set (in our case matomo.domainname.com).

If everything goes well, the web page from which to complete the configuration of Matomo will appear, as you can see on the official website.

Stay tuned!