diff --git a/nginx-conf/matomo.conf b/nginx-conf/matomo.conf
index abf1100..3769df7 100644
--- a/nginx-conf/matomo.conf
+++ b/nginx-conf/matomo.conf
@@ -13,12 +13,10 @@ server {
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
- root /var/www/html/;
- index index.php index.html index.htm;
+ add_header Referrer-Policy origin;
- location / {
- try_files $uri $uri/ =404;
- }
+ root /var/www/html/;
+ index index.php;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
@@ -31,7 +29,7 @@ server {
access_log off;
}
- location ~ \.php$ {
+ location ~ ^/(index|matomo|piwik).php {
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
@@ -49,9 +47,49 @@ server {
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
+ fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors on;
fastcgi_pass matomo_backend;
}
+
+ location ~* ^.+\.php$ {
deny all;
return 403;
}
+
+ location / {
try_files $uri $uri/ =404;
}
+
+ ## disable all access to the following directories
location ~ /(config|tmp|core|lang) {
deny all;
return 403; # replace with 404 to not show these directories exist
}
+
+ location ~ /\.ht {
deny all;
return 403;
}
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
allow all;
## Cache images,CSS,JS and webfonts for an hour
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade4
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
}
+
+ location ~ /(libs|vendor|plugins|misc/user) {
deny all;
return 403;
}
+
+ ## properly display textfiles in root directory
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}
server {
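Review bot: The new server-level `add_header Referrer-Policy origin;` will not reach responses served by the static-asset location added later in this same file (`location ~ \.(gif|ico|jpg|...|json)$`), because that block declares its own `add_header Pragma public;` and `add_header Cache-Control "public";`, and nginx inherits `add_header` from the enclosing level only when the current level sets none. Repeat the directive inside that block — `add_header Referrer-Policy origin;` — so image, script and stylesheet responses carry the same policy. Note also that without `always` the header is omitted from 4xx/5xx responses such as the `/404.html` and `/50x.html` error pages referenced in this hunk; `add_header Referrer-Policy origin always;` covers those if that is intended.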
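Review bot: The new pattern `location ~ ^/(index|matomo|piwik).php {` leaves the dot unescaped and has no end anchor, so it also routes requests such as `/indexXphp`, `/index.php.bak` or `/matomo.php/anything` to the FastCGI backend; because nginx takes the first matching regex location, the catch-all `~* ^.+\.php$` deny added later in this file never sees them. What SCRIPT_FILENAME the backend then receives is not visible here — the location body, including the remaining fastcgi_param lines, continues past the end of this hunk — so tighten the match itself: `location ~ ^/(index|matomo|piwik)\.php$ {`. If PATH_INFO-style URLs are deliberately supported, say so in a comment above the block, since as written the open-ended match looks accidental.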
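Review bot: `location ~ /\.ht {` only protects `.htaccess`/`.htpasswd`-style names; any other dotfile or dot-directory that ends up under `/var/www/html/` (a `.git` checkout, `.env`, `.user.ini`) falls through to `location /` and is served by `try_files $uri` if it exists. Broadening it to `location ~ /\. {` (with a `location ^~ /.well-known/ { }` above it if ACME challenges are served from this host) closes that gap at no cost. A smaller point in the same deny blocks: `return 403;` runs in the rewrite phase, before `deny all;` is evaluated in the access phase, so the `deny` lines are dead — keep one or the other, and if the intent in the comment (`# replace with 404 to not show these directories exist`) is to hide the directories, `return 404;` alone does it.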