matomo-org / matomo-nginx

Nginx configuration for running Matomo

Review new configs #45

Closed fdellwing closed 5 years ago

fdellwing commented 6 years ago

I looked through your changes and have some additional hints:

Combine these two locations: https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L35 https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L69

Do not serve .ht files:

        location ~ /\.ht {
                deny  all;
        }

Serve .well-known:

        location ^~ /.well-known {
                allow all;
                default_type "text/plain";
        }

Make sure httpoxy is prohibited: https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L45 https://github.com/matomo-org/matomo-nginx/blob/518f3cb89b8cc33d2429287ab7b533c2c8df87d2/sites-available/matomo.conf#L51

                fastcgi_param HTTP_PROXY "";

You did not provide an nginx.conf, but there are some more important configs to consider. Are you sure you do not want to provide one?

Findus23 commented 6 years ago

Thanks for making me check my config again; I went crazy for more than half an hour because tmp/ wasn't blocked, and finally noticed that including the cache config at the top wasn't the best idea because it matches first. So I now reordered the rules and it works the way it should.

> Combine these two locations:

It is intentional that the order is

```nginx
location ~ /(config|tmp|core|lang)
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$
location ~ /(libs|vendor|plugins|misc/user)
```

that way everything from config|tmp|core|lang is blocked, but static files from libs|vendor|plugins|misc/user are allowed.

> Do not serve .ht files:

I don't think it would be critical if they are public, but it definitely doesn't hurt.

> Serve .well-known:

Do you have a specific reason in mind? In case you mean for Let's Encrypt, then one could only add the rule to the HTTP server and use a separate root.

> Make sure httpoxy is prohibited:

I kind of understand the reasoning, but am really confused why this is mentioned nowhere in the really extensive Debian nginx config.

> Are you sure you do not want to provide one?

That's a good question. I don't want people to overwrite their config with the Matomo one as this shouldn't be a matter of Matomo, but providing a commented one for people to compare theirs with sounds useful. Do you have an idea how to make this clear?

Mine is this:

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/other.access.log;
    error_log /var/log/nginx/other.error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss application/rss+xml application/atom+xml text/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
# vim: filetype=nginx
```

Apart from gzip I can't think of anything that's essential, and even that shouldn't be enabled by default without knowing the implications (less secure encryption).

fdellwing commented 6 years ago

> that way everything from config|tmp|core|lang is blocked, but static files from libs|vendor|plugins|misc/user are allowed.

Makes sense.

> I don't think it would be critical if they are public, but it definitely doesn't hurt.

It may show file system specific information to an attacker and should never be accessible.

> Do you have a specific reason in mind? In case you mean for Let's Encrypt, then one could only add the rule to the HTTP server and use a separate root.

It is probably not needed here.

> I kind of understand the reasoning, but am really confused why this is mentioned nowhere in the really extensive Debian nginx config.

There are some people out there thinking that the bug is mitigated. But it isn't: the namespace there still overlaps today, and if a vulnerable library is used it is still critical. I include it in every fastcgi config together with a link to httpoxy.

> That's a good question. I don't want people to overwrite their config with the Matomo one as this shouldn't be a matter of Matomo,

True.

> but providing a commented one for people to compare theirs with sounds useful.

Good idea.

Here is my config; I commented the parts that are important to me:

```nginx
user www-data;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}

# Use it if you serve a lot of static files. It increases performance since the workers need to be restarted less often.
worker_rlimit_nofile 40000;

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15;
    types_hash_max_size 2048;
    # The server should not show the version it is on
    server_tokens off;
    client_max_body_size 15M;
    fastcgi_read_timeout 120;
    # server_names_hash_bucket_size 64;
    # Increase this value if you have long server names or many server "aliases" to increase performance
    server_names_hash_bucket_size 128;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # If you use gzip, make sure to disable it for really old IE, they don't speak gzip.
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_min_length 10240;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon image/png image/jpeg text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # text/html is always compressed by gzip module

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ##
    # Filehandle Cache
    ##
    # There is no good reason imo to not use the open_file_cache, it gives a lot of performance costing very little memory. If you serve a lot of static files (like Matomo does in the backend), use this.
    open_file_cache max=2000 inactive=20s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;
}
```

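The two points settled above, the order of the regex `location` blocks and the `fastcgi_param HTTP_PROXY "";` override, both come down to how nginx resolves a request. The following Python model is an added example written for this page, not code from matomo-nginx or from either commenter. The `FIXED_ORDER` and `BROKEN_ORDER` lists are assumptions modelled on the rules quoted in the thread (with the `.ht` deny added to both); `resolve()` implements the documented nginx precedence (exact `=` match, then longest prefix, a `^~` prefix suppressing the regex search, then regex locations in configuration order with the first match winning), and `fastcgi_params()` shows why a client-sent `Proxy:` header reaches PHP as `HTTP_PROXY` unless the parameter is explicitly overridden. The request headers and the proxy URL are constructed sample values.

```python
"""Model of nginx `location` selection and of the httpoxy FastCGI parameter.

Added example, not code from matomo-nginx. The location lists are assumptions
modelled on the rules discussed in the thread; the matcher follows the
documented nginx precedence: an exact `=` match wins, then the longest prefix
match is remembered (and used at once if declared `^~`), then regex locations
are tried in configuration order and the first hit wins, else the prefix.
"""
import re
from typing import Dict, List, Optional, Tuple

# (modifier, pattern, action); `action` is a label for what the block does.
Location = Tuple[str, str, str]

STATIC_RE = (r"\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi"
             r"|ttf|eot|woff|woff2|json)$")

# Order settled on in the thread: deny sensitive directories before the
# static-file rule, allow static files, then deny the rest of libs/vendor/...
FIXED_ORDER: List[Location] = [
    ("~", r"/\.ht", "deny"),                            # .htaccess / .htpasswd
    ("~", r"/(config|tmp|core|lang)", "deny"),
    ("~", STATIC_RE, "serve-static"),
    ("~", r"/(libs|vendor|plugins|misc/user)", "deny"),
    ("~", r"\.php$", "fastcgi"),
    ("", "/", "index"),
]

# The earlier order with the cache rule included at the top: /tmp/*.js hits
# "serve-static" before the deny rule is ever consulted.
BROKEN_ORDER: List[Location] = [
    ("~", STATIC_RE, "serve-static"),
    ("~", r"/\.ht", "deny"),
    ("~", r"/(config|tmp|core|lang)", "deny"),
    ("~", r"/(libs|vendor|plugins|misc/user)", "deny"),
    ("~", r"\.php$", "fastcgi"),
    ("", "/", "index"),
]


def resolve(uri: str, locations: List[Location]) -> Optional[str]:
    """Return the action of the location nginx would pick for `uri`."""
    best_prefix: Optional[Location] = None
    for loc in locations:
        mod, pat, action = loc
        if mod == "=" and uri == pat:
            return action
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = loc
    if best_prefix is not None and best_prefix[0] == "^~":
        return best_prefix[2]            # ^~ suppresses the regex search
    for mod, pat, action in locations:
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, uri, flags):
            return action                # first regex in file order wins
    return best_prefix[2] if best_prefix else None


def fastcgi_params(headers: Dict[str, str],
                   override_http_proxy: bool) -> Dict[str, str]:
    """HTTP_* params a FastCGI backend receives for the given request headers.

    nginx turns every request header into HTTP_<NAME>, so a client-supplied
    `Proxy:` header arrives as HTTP_PROXY, which some HTTP client libraries
    treat as their outbound proxy setting (httpoxy). An explicit
    `fastcgi_param HTTP_PROXY "";` replaces the header-derived value.
    """
    params = {"HTTP_" + k.upper().replace("-", "_"): v
              for k, v in headers.items()}
    if override_http_proxy:
        params["HTTP_PROXY"] = ""
    return params


if __name__ == "__main__":
    for uri in ("/tmp/cache/tracker.js", "/plugins/CoreHome/javascripts/foo.js",
                "/plugins/CoreHome/Controller.php", "/config/config.ini.php",
                "/.htaccess", "/index.php"):
        print(f"{uri:40} broken={str(resolve(uri, BROKEN_ORDER)):13} "
              f"fixed={resolve(uri, FIXED_ORDER)}")
    # Constructed request: a hostile Proxy header on an otherwise normal request.
    hdrs = {"Host": "matomo.example", "Proxy": "http://203.0.113.5:8080"}
    print(fastcgi_params(hdrs, override_http_proxy=False)["HTTP_PROXY"])
    print(fastcgi_params(hdrs, override_http_proxy=True)["HTTP_PROXY"])
```

Running the script prints `/tmp/cache/tracker.js` as `serve-static` under the broken order and `deny` under the fixed one, while `/plugins/.../foo.js` stays servable in both; the second half prints the attacker-controlled proxy URL without the override and an empty string with it. Prepending a `("^~", "/.well-known", ...)` entry to the list shows the other mechanism from the thread: the `^~` prefix wins before any regex (including the static-file rule) is consulted.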
Findus23 commented 6 years ago

> There are some people out there thinking that the bug is mitigated. But it isn't: the namespace there still overlaps today, and if a vulnerable library is used it is still critical. I include it in every fastcgi config together with a link to httpoxy.

It definitely doesn't hurt or break anything, so I'll include it.

Regarding server_tokens and co: I think the easiest way is just adding a Tips section to the readme explaining them.

fdellwing commented 6 years ago

> Regarding server_tokens and co: I think the easiest way is just adding a Tips section to the readme explaining them.

Good plan.

kissifrot commented 6 years ago

However, the new configuration breaks the AdBlocker workarounds (calling /js/ instead of piwik.php directly in the tracking script).

Findus23 commented 6 years ago

@kissifrot You are right, I just fixed it.

BTW: you could also add

```nginx
rewrite /statistics.php /piwik.php;
rewrite /statistics.js /piwik.js;
```

to the nginx config and use these paths in the tracking code.

Findus23 commented 5 years ago

I have now added a Tips section. If someone knows more, please open a PR or issue.