请注意,本文编写于 478 天前,最后修改于 249 天前,其中某些信息可能已经过时。


nginx 配置

按照计划需要给博客增加分析系统,考虑到国内的网络情况,另外也想要数据完全的私有化,采用开源的 matomo 方案:

matomo-org/matomo 但是官方文档感觉写的不是很好,很多内容零碎,需要自己找。我的需求是,通过 docker-compose 部署 php 版本的 matomomysql ,然后在外层宿主机通过 nginx 连接 matomo 容器中的 php 暴露的端口进行代理。经过一番折腾,配置如下:


version: "3" services: db: image: mariadb command: --max-allowed-packet=64MB restart: always volumes: - /var/docker/matomo/db:/var/lib/mysql environment: - MYSQL_ROOT_PASSWORD=matomo - MYSQL_PASSWORD=matomo - MYSQL_DATABASE=matomo - MYSQL_USER=matomo app: image: matomo:fpm-alpine restart: always links: - db volumes: # - ./config:/var/www/html/config:rw # - ./logs:/var/www/html/logs - /var/www/html:/var/www/html environment: - MATOMO_DATABASE_HOST=db - PHP_MEMORY_LIMIT=2048M - MATOMO_DATABASE_ADAPTER=mysql - MATOMO_DATABASE_TABLES_PREFIX=matomo_ - MATOMO_DATABASE_USERNAME=matomo - MATOMO_DATABASE_PASSWORD=matomo - MATOMO_DATABASE_DBNAME=matomo ports: - 8919:9000

nginx 配置

server { listen 80; server_name matomo.mereith.com; # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response. location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; server_name matomo.mereith.com; # list all domains Matomo should be reachable from access_log /var/log/nginx/matomo.access.log; error_log /var/log/nginx/matomo.error.log; ## uncomment if you want to enable HSTS with 6 months cache ## ATTENTION: Be sure you know the implications of this change (you won't be able to disable HTTPS anymore) #add_header Strict-Transport-Security max-age=15768000 always; ## replace with your SSL certificate ssl_certificate /var/cert/mereith.com.crt; ssl_certificate_key /var/cert/mereith.com.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; root /var/docker/matomo/app/; # replace with path to your matomo instance index index.php; ## only allow accessing the following php files location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ { include snippets/fastcgi-php.conf; https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf # try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/ # fastcgi_pass unix:/var/run/php/php7.2-fpm.sock; #replace with the path to your PHP socket file fastcgi_pass; # uncomment if you are using PHP via TCP sockets (e.g. Docker container) } ## deny access to all other .php files location ~* ^.+\.php$ { deny all; return 403; } ## serve all other files normally location / { try_files $uri $uri/ =404; } ## disable all access to the following directories location ~ ^/(config|tmp|core|lang) { deny all; return 403; # replace with 404 to not show these directories exist } location ~ /\.ht { deny all; return 403; } location ~ js/container_.*_preview\.js$ { expires off; add_header Cache-Control 'private, no-cache, no-store'; } location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { allow all; ## Cache images,CSS,JS and webfonts for an hour ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade expires 1h; add_header Pragma public; add_header Cache-Control "public"; } location ~ ^/(libs|vendor|plugins|misc|node_modules) { deny all; return 403; } ## properly display textfiles in root directory location ~/(.*\.md|LEGALNOTICE|LICENSE) { default_type text/plain; } }
ali pay
wechat pay



版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!