Matomo

Matomo, formerly Piwik, is an open source web analysis tool licensed under the GNU General Public License 3. The software is written in PHP and is accessed over the web browser. The core idea of the project is privacy as when using third party website analysis providers website owners are giving away all of their users' data.

With one running instance, multiple websites can be analysed by loading some JavaScript on the target websites.

PHP needs to be configured properly for Matomo to install and work.

First, enable MySQL support as described in PHP#MySQL/MariaDB. Do so by editing /etc/php/php.ini. Uncomment ;extension=pdo_mysql and ;extension=mysqli by removing the preceding semicolon each.

In general, comments are indicated by preceding semicolons.

Moreover, enable ;extension=iconv and ;extension=gd.

Install the package matomo^AUR or matomo-bin^AUR.

Run sudo /usr/share/webapps/matomo/console development:disable.

This feature can be deactivated or, with no installation needed, Matomo can guess the visitors' location by their set browser language which is not reliable information for geographical locations.

matomo^AUR already comes with a geolocation database. To replicate, download the .mmdb file from https://db-ip.com/db/download/ip-to-city-lite and install it to /usr/share/webapps/matomo/misc/.

Alternatively, use geoipupdate and starting/enabling geoipupdate.timer. Beware that a MaxMind account is needed.

The last option to choose is to use an HTTP module like nginx-mainline-mod-geoip.

Use any programme for FastCGI to run PHP websites. Instructions are given for the most common application php-fpm.

Install the php-fpm package and start/enable php-fpm.service (see Nginx#PHP implementation).

Because of new restrictions on php-fpm.service since version 7.4, where ProtectSystem is set to prevent Matomo to function correctly (unable to installing plugins, changing configuration etc.), the ability to access certain files needs to be set manually.

The file /etc/systemd/system/php-fpm.service.d/override_matomo.conf below fixes the issue while not exposing more than necessary and still allows the user to change ACL as described in the installation manifest if this is not desired.

[Service]
ReadWritePaths = /usr/share/webapps/matomo/config
ReadWritePaths = /usr/share/webapps/matomo/matomo.js
ReadWritePaths = /usr/share/webapps/matomo/misc/user/
ReadWritePaths = /usr/share/webapps/matomo/plugins/

Create the server by modifying /etc/nginx/nginx.conf. Add the following template to the http context. Alternatively, take a look at Matomo's instructions on GitHub.

include /etc/nginx/mime.types;

server
{
    index index.php;
    listen 443 ssl;
    listen [::]:443 ssl;
    root /usr/share/webapps/matomo/;
    server_name matomo.example.com;

    location ~ ^/(\.git/|config/|core/|lang/|tmp/)
    {
        return 403;
    }

    location ~ \.php$
    {
        try_files $uri =404;

        # FastCGI
        include fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
    }

    location ~ \.(avi|css|eot|gif|htm|html|ico|jpg|js|json|mp3|mp4|ogg|png|svg|ttf|wav|woff|woff2)$
    {
        try_files $uri =404;
    }

    location ~ ^/(libs/|misc/|node_modules/|plugins/|vendor/)
    {
        return 403;
    }
}

To use encryption, you can get free certificates from letsencrypt. After requesting and installing your certificates, use them by adding the following code to the http or server context.

include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_certificate_key /etc/letsencrypt/live/subdomain.domain.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/subdomain.domain.org/fullchain.pem;

Run the Nginx server by starting/enabling nginx.service.

All major settings are done. Call your Matomo website in your browser and complete the small installation guide which is not more than checking that everything needed is available and set up and writing your configuration file.