forked from pool/matomo
Eric Schirra
1069e7187d
- (add) more secure PHP settings for:
upload_tmp_dir => "/var/cache/apache2" (upload is disabled, but this
makes Matomo's security check happy)
session.save_path => "/run/matomo_sessions/", to keep session files
secure. Added: matomo-tmpfile.conf for this
- just recommend cron and mariadb:
* mariadb can be run on another host (matomo just needs the client)
* cron script can be obsoleted by the provided systemd timer
- pre-require php, to run the commands in post
- recommend php-openssl for (php) curl requests from matomo
OBS-URL: https://build.opensuse.org/request/show/759049
OBS-URL: https://build.opensuse.org/package/show/network:utilities/matomo?expand=0&rev=47
105 lines
3.1 KiB
Plaintext
105 lines
3.1 KiB
Plaintext
Alias /matomo "__matomo_web__"
|
|
|
|
<Directory "__matomo_web__">
|
|
AllowOverride All
|
|
Options FollowSymLinks
|
|
<IfModule mod_authz_core.c>
|
|
# Apache 2.4
|
|
Require all granted
|
|
</IfModule>
|
|
<IfModule !mod_authz_core.c>
|
|
# Apache 2.2
|
|
Order allow,deny
|
|
Allow from all
|
|
</IfModule>
|
|
|
|
|
|
<IfModule mod_authz_core.c>
|
|
# Apache 2.4
|
|
|
|
<Files "*">
|
|
Require host 127.0.0.1
|
|
# Require ip 128.252.135.
|
|
# Require host mydomain.com
|
|
# Require host host.mydomain.com
|
|
</Files>
|
|
|
|
<Files ~ "^matomo\.(js|php)|^piwik\.(js|php)|robots\.txt$|index\.php$">
|
|
Require all granted
|
|
</Files>
|
|
|
|
<Files "archive.php">
|
|
Require all granted
|
|
</Files>
|
|
|
|
</IfModule>
|
|
|
|
|
|
<IfModule !mod_authz_core.c>
|
|
# Apache 2.2
|
|
|
|
<Files "*">
|
|
Order deny, allow
|
|
Deny from all
|
|
Allow from 127.0.0.1
|
|
# Allow from 128.252.135.
|
|
# Allow from .mydomain.com
|
|
# Allow from host.mydomain.com
|
|
</Files>
|
|
|
|
<Files ~ "^matomo\.(js|php)|^piwik\.(js|php)|robots\.txt$|index\.php$">
|
|
Allow from all
|
|
Satisfy any
|
|
</Files>
|
|
|
|
<Files "archive.php">
|
|
Order Allow,Deny
|
|
Allow from all
|
|
</Files>
|
|
|
|
</IfModule>
|
|
|
|
<IfModule mod_mime.c>
|
|
AddType application/x-javascript .js
|
|
AddType text/css .css
|
|
</IfModule>
|
|
<IfModule mod_deflate.c>
|
|
AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
|
|
<IfModule mod_setenvif.c>
|
|
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
|
BrowserMatch ^Mozilla/4.0[678] no-gzip
|
|
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
|
|
</IfModule>
|
|
</IfModule>
|
|
Header append Vary User-Agent env=!dont-vary
|
|
|
|
<IfModule mod_php7.c>
|
|
# improved security
|
|
php_admin_value open_basedir "__matomo_web__:__matomo_conf__:__matomo_log__:/tmp:/usr/bin:/var/cache/apache2:/run/matomo_sessions"
|
|
php_admin_flag display_startup_errors Off
|
|
php_admin_flag display_errors Off
|
|
php_admin_flag file_uploads Off
|
|
php_admin_flag allow_url_fopen Off
|
|
php_admin_value upload_tmp_dir "/var/cache/apache2"
|
|
php_admin_value session.save_path "/run/matomo_sessions/"
|
|
php_admin_value disable_functions "posix_setpgid,exec,ftp_login,mysql_pconnect,apache_setenv,popen,posix_getpwuid,posix_setsid,passthru,escapeshellcmd,ini_alter,ftp_raw,ftp_nb_fput,ini_restore,shell_exec,ftp_get,proc_get_status,highlight_file,proc_close,proc_terminate,syslog,ftp_connect,posix_uname,ini_get_all,proc_open,posix_kill,escapeshellarg,ftp_rawlist,posix_setuid,openlog,php_uname,system,ftp_exec,posix_mkfifo,proc_nice,ftp_put"
|
|
php_admin_value memory_limit "1024M"
|
|
php_admin_value max_execution_time 120
|
|
</IfModule>
|
|
|
|
|
|
</Directory>
|
|
|
|
|
|
<Directory "__matomo_web__/vendor/tecnickcom/tcpdf/tools">
|
|
<IfModule mod_authz_core.c>
|
|
# Apache 2.4
|
|
Require all denied
|
|
</IfModule>
|
|
<IfModule !mod_authz_core.c>
|
|
# Apache 2.2
|
|
Order deny,allow
|
|
Deny from all
|
|
</IfModule>
|
|
</Directory>
|