matomo-org / matomo-nginx

Nginx configuration for running Matomo
408 stars, 121 forks

Tweak nginx config #52

Open J0WI opened 5 years ago

Findus23 commented 5 years ago

I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines and am not sure about all lines:

J0WI commented 5 years ago

I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines

Sure, that was the idea.

X-Frame-Options is already sent by Matomo

It's more secure to add this in the server config, because this is harder to compromise and it doesn't depend on PHP. fastcgi_hide_header X-Content-Type-Options; can be used to avoid duplicates.

Any reason for removing the /.ht section?

This is now covered by \. which denies access to all dotfiles.

Any reason why the .well-known is allowed explicitly? Matomo doesn't really use it and for Let's Encrypt I think it needs to be in the HTTP section

All HTTP requests are rewritten to HTTPS, so the ACME challenge would be blocked. You can also merge it with the default_type text/plain section if you like.
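As an added illustration of the three points discussed in this thread (headers set by nginx with fastcgi_hide_header to avoid duplicates, one rule denying all dotfiles, and the ACME challenge path served over plain HTTP before the redirect), here is an nginx config that is not the matomo-nginx repository's own; the hostname, paths and PHP-FPM socket are assumed placeholders.

```nginx
# Added example, not the matomo-nginx project's config. Hostname, paths and
# the PHP-FPM socket are placeholders; adjust them for your installation.
server {
    listen 80;
    server_name matomo.example.com;

    # Serve the ACME challenge over plain HTTP *before* the redirect below;
    # a blanket HTTP->HTTPS rewrite would otherwise block certificate renewal.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name matomo.example.com;
    root /var/www/matomo;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;

    # Security headers emitted by nginx, independent of PHP. Caveat: a
    # location that declares its own add_header does NOT inherit these.
    # Header values are placeholders; match them to what Matomo expects.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    # One rule for every dotfile (.htaccess, .git, .env, ...), replacing a
    # separate /.ht block.
    location ~ /\. {
        deny all;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Drop the copies Matomo's PHP code sends so each header appears once.
        fastcgi_hide_header X-Frame-Options;
        fastcgi_hide_header X-Content-Type-Options;
    }
}
```

Run `nginx -t` after editing and check a response with `curl -I https://matomo.example.com/` to confirm each header appears exactly once.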