Skip to main content

Matomo Nginx config

server {

listen [::]:443 ssl http2;
listen 443 ssl http2;

server_name omotam.elmasy.com;


# Set certificate path
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

# Enable OCSP
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1;
resolver_timeout 5s;

# Add security headers
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy origin always;
add_header Strict-Transport-Security "max-age=63072000" always;

root /var/www/omotam.elmasy.com/;

index index.php;

location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
include snippets/fastcgi-php.conf;
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/var/run/php/php-fpm.sock;
}

## deny access to all other .php files
location ~* ^.+\.php$ {
deny all;
return 403;
}

## serve all other files normally
location / {
try_files $uri $uri/ =404;
}

## disable all access to the following directories
location ~ ^/(config|tmp|core|lang) {
deny all;
return 403; # replace with 404 to not show these directories exist
}

location ~ /\.ht {
deny all;
return 403;
}

location ~ js/container_.*_preview\.js$ {
expires off;
add_header Cache-Control 'private, no-cache, no-store';
}

location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ {
allow all;
## Cache images,CSS,JS and webfonts for an hour
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
}

location ~ ^/(libs|vendor|plugins|misc|node_modules) {
deny all;
return 403;
}

## properly display textfiles in root directory
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}

server {

listen [::]:80;
listen 80;

server_name omotam.elmasy.com;

return 301 https://$host$request_uri;
}