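# nginx virtual host for Matomo.
#
# Layout: an optional (commented-out) HTTP->HTTPS redirect server, followed by
# the main server block, which hands a fixed allow-list of PHP entry points to
# PHP-FPM and denies every other .php file and the internal directories.
#
# nginx tests regex locations in the order they appear and uses the first one
# that matches, so the order of the location blocks below is part of the
# access policy. Do not reorder them without re-checking what becomes
# reachable.

# If you run matomo stand alone, please redirect all traffic on port 80
# to an SSL encrypted setup on port 443.
# In this case, uncomment the following server section.
#server {
#    listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
#    listen 80 fastopen=500;
#    server_name matomo.example.com;
#
#    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
#    location / {
#        return 301 https://$host$request_uri;
#    }
#}

server {
    # If you run matomo behind a load balancer like haproxy, let haproxy handle the SSL offloading
    # for you. If not, please comment the two lines below and uncomment the lines above and below
    # for SSL encrypted traffic
    listen [::]:80 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
    listen 80 fastopen=500;

    # If you run nginx with SSL, please adjust and uncomment the lines below
    # listen 443 ssl http2 fastopen=500;
    # listen [::]:443 ssl http2 fastopen=500; # remove this if you don't want Matomo to be reachable from IPv6
    # include ssl.conf; # if you want to support older browsers, please read through this file
    # add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
    # add_header X-Content-Type-Options "nosniff" always;
    # add_header X-XSS-Protection "1; mode=block" always;
    # NOTE: add_header is inherited from this level only by locations that
    # declare no add_header of their own. The static-asset location below
    # does declare some, so repeat the headers there if they must also apply
    # to images, CSS and JS.
    # ssl_certificate /etc/letsencrypt/example.com/fullchain.cer;
    # ssl_certificate_key /etc/letsencrypt/example.com/example.com.key;

    # Please insert the correct FQDN of your server below:
    server_name matomo.example.com;

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    log_not_found off;

    # If you run nginx behind a reverse proxy like haproxy, please
    # adjust and uncomment the lines below:
    # set_real_ip_from 192.168.0.1;
    # real_ip_header X-Forwarded-For;
    # NOTE: list only the address of a proxy you operate in set_real_ip_from.
    # X-Forwarded-For is client-controlled unless the proxy overwrites it, and
    # the resulting address is what ends up in the access log and in Matomo.

    # Template placeholder for the Matomo web root; substituted at deploy time.
    root __matomo_web___;
    index index.php;

    # only allow accessing the following php files
    # The dot is escaped and the name must be followed by end-of-URI or a
    # path-info slash. Without that, the pattern also matched any URI that
    # merely starts with one of these names (for example a leftover
    # "index.php.bak.php"), which was then passed to PHP-FPM instead of
    # reaching the deny-all .php rule below.
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php(/|$) {
        include /etc/nginx/fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        try_files $fastcgi_script_name =404; # protects against CVE-2019-11043
        # try_files resets $fastcgi_path_info, so keep a copy for PATH_INFO.
        set $path_info $fastcgi_path_info;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
        fastcgi_pass 127.0.0.1:9000;
    }

    # deny access to all other .php files
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }

    # serve all other files normally
    location / {
        try_files $uri $uri/ =404;
    }

    # disable all access to the following directories
    # Must stay above the static-asset location so that files with a cached
    # extension inside these directories are still refused.
    location ~ /(config|tmp|core|lang) {
        deny all;
        return 403;
    }

    # disable all access to files starting with .ht (apache)
    location ~ /\.ht {
        deny all;
        return 403;
    }

    # Cache images,CSS,JS and webfonts for an hour
    # Increasing the duration may improve the load-time, but may cause old files to show after a Matomo upgrade
    # This location precedes the libs/vendor/plugins rule below, so files with
    # one of these extensions inside those directories ARE served. That
    # includes .json, .htm and .html, not only images and scripts.
    # TODO(review): confirm that exposing those three types there is intended.
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
        expires 1h;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    # disable all access to the following directories
    # Only reached for URIs that did not match the static-asset location above.
    location ~ /(libs|vendor|plugins|misc/user) {
        deny all;
        return 403;
    }
}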