For a more strict config we could maybe disallow access to everything apart from \.(gif|ico|jpg|png|svg|js|css|htm|html|swf|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$
Old issues:
closes #44 (not needed anymore as there is no caching anymore)
closes #15 (same as above)
resolves #42 (matomo.php is supported and all JS are allowed)
closes #33 (there are now proper instructions on how to use the template)
resolves #42 (by default uses the most modern SSL config, HSTS can be commented out)
closes #30 (no helper regex anymore; maybe I'll add an optional security-by-obscurity rulelist that will block more text files)
not sure about #29 (maybe it is only needed in reverse-proxy setups)
resolves #28 (no more splitting up the CGI-path)
definitely resolves #27 (only essential files in the repo and a simple way to integrate into existing nginx config)
closes #26 (no more explanations on how to install nginx as it depends on one's environment)
resolves #25 (I'm also wondering what caching piwik.php improves)
resolves #24 (same as #26)
closes #23 (doesn't matter anymore)
closes #20 (I'm against an automated script as manual configuration is simple and important for understanding what one does in my opinion and with the new config it is far easier)
closes #16 (This config is for running nginx directly. We should create a separate config for running nginx as a reverse proxy in front of Apache)
closes #14 (referrer can easily be faked if one wants to create fake visits)
resolves #13 (only one config remaining)
closes #12 (no set_real_ip_from anymore (not needed when using directly as webserver))
I tried to create a minimal nginx config that uses nginx defaults for most settings and only changes Matomo-related routes.
If someone notices a regression or missing feature, please comment.
Check https://github.com/findus23/matomo-nginx for the new version as the diff tool isn't that useful here.