Preamble
Currently, some Wikimedia Italia websites have server-side analytics thanks to AWStats, while the main website is not covered by this system (it is hosted on another server and we do not have access to the log files). Moreover, we are currently dropping other kinds of third-party trackers.
More info:
- T270616: Review Wikimedia Italia's technologies to keep everything in compliance with current policies
- https://wiki.wikimedia.it/wiki/Matomo
- https://wiki.wikimedia.it/wiki/Matomo/Technical_documentation
Description
It was proposed to deploy a Matomo installation on one of their servers: wmi-fabula. This will keep data out of the reach of third-party companies (mostly non-European companies), simplify our privacy policy, and simplify the work of our GDPR manager.
This should:
- fit fundraising needs (monitor campaigns)
- fit IT department needs (monitor performance)
The new installation is expected to be available here:
We can adopt the same server that is currently hosting other websites like this:
$ nslookup cinquepermille.wikimedia.it
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:    cinquepermille.wikimedia.it
Address: 54.38.36.173
So this should be the expected DNS entry to be created:
matomo IN A 54.38.36.173
Status
- request domain creation
- prepare the webserver
- deploy Matomo in our websites
Server intervention
This happens on the centos01 server.
We installed Matomo, verifying the release archive with the official PGP keys.
$ mkdir -p /var/www/matomo/tmp
$ chown apache: /var/www/matomo/tmp
$ cd /var/www/matomo
$ wget https://builds.matomo.org/matomo-latest.tar.gz
$ wget https://builds.matomo.org/matomo-latest.tar.gz.asc
$ cat matomo-latest.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----
$ sha1sum matomo-latest.tar.gz
0493d84590f6b000c2fb08bccbd7f67b4a3c4e2c  matomo-latest.tar.gz
$ md5sum matomo-latest.tar.gz
3f1e29e620dc36899625836eddf09f66  matomo-latest.tar.gz
$ gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: key B5DBD5925590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 5590A237 from hkp server keys.gnupg.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
# extract the webroot
$ tar xzf matomo-latest.tar.gz
$ mv matomo www
# remove unneeded files
$ rm matomo-latest.tar.gz matomo-latest.tar.gz.asc How*.html
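The transcript above fetches the key and prints checksums but does not show the signature check itself. As an added example (not part of the original task, nor Matomo's own tooling), this script runs gpg --verify on the detached signature and accepts the archive only when gpg's status output names the fingerprint used on this page; the sample status lines and the script name are constructed.

```sh
#!/bin/sh
# Added example: accept a release only if gpg reports a valid signature made
# by the pinned key. Fingerprint copied from the --recv-keys command above.
MATOMO_FPR="814E346FA01A20DBB04B6807B5DBD5925590A237"

# Read `gpg --status-fd` lines on stdin; succeed only on a VALIDSIG line whose
# primary-key fingerprint (last field) is the pinned one. GOODSIG alone is not
# enough: gpg emits it for any key that happens to be in the keyring.
status_has_pinned_validsig() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # The primary-key field is optional in the status format;
            # if it is absent, fall back to the signing-key fingerprint.
            got = (length($NF) == length(want)) ? $NF : $3
            # Append "" to force string (not numeric) comparison.
            if ((got "") == (want "")) ok = 1
        }
        END { exit !ok }'
}

# $1 = tarball, $2 = detached .asc signature. gpg must exit 0 *and* the
# status output must name the pinned key.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_validsig "$MATOMO_FPR"
}

# Constructed status output (timestamps and the second key are made up).
SAMPLE_PINNED='[GNUPG:] GOODSIG B5DBD5925590A237 Matthieu Aubry <matt@piwik.org>
[GNUPG:] VALIDSIG 814E346FA01A20DBB04B6807B5DBD5925590A237 2020-12-22 1608595200 0 4 0 1 10 00 814E346FA01A20DBB04B6807B5DBD5925590A237'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Other Key
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2020-12-22 1608595200 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_BADSIG='[GNUPG:] BADSIG B5DBD5925590A237 Matthieu Aubry <matt@piwik.org>'

# Usage (hypothetical file name): sh verify.sh matomo-latest.tar.gz matomo-latest.tar.gz.asc
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then echo "signature OK"; else
        echo "signature NOT from pinned key" >&2; exit 1
    fi
fi
```

The sha1sum and md5sum values in the transcript only detect a corrupted download unless they are compared with a value obtained from a separate trusted channel; the signature check is what ties the archive to the key.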
Then we published an Apache configuration in:
rWIIN wikimedia-it-wmit-infrastructure
And deployed:
$ ln -s /etc/wmit-infrastructure/servers/ovh-centos01/projects/matomo/apache2/it-wikimedia-matomo.conf /etc/httpd/conf.d/it-wikimedia-matomo.conf
$ sudo certbot certonly --webroot --webroot-path=/var/www/matomo/www/ -d matomo.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for matomo.wikimedia.it
Using the webroot path /var/www/matomo/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/matomo.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/matomo.wikimedia.it/privkey.pem
   Your cert will expire on 2021-03-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# check if everything is OK
$ apachectl configtest
Syntax OK
# reload Apache HTTPd without any service interruption
$ apachectl graceful
Notes
Some time ago I developed a very minimal but efficient Matomo plugin that also strictly respects the DoNotTrack browser preference. I like it because it has no web configuration or any other dummy feature: it just integrates with Matomo and its parameters can be changed only if you have command line access to the wp-config.php. It's damn fast and secure :^)
That KISS WordPress-Matomo plugin I'm talking about is online here:
https://gitpull.it/source/wp-matomo/
Mirror here:
https://github.com/valerio-bozzolan/wp-matomo/
Here is the project workboard:
https://gitpull.it/tag/wordpress_matomo/
This is partially related to these: