
Deploy a Matomo instance in matomo.wikimedia.it (server wmi-fabula)
Closed, Resolved, Public

Description

Preamble

Currently, some websites of Wikimedia Italia have server-side analytics thanks to AWStats, while the main website is not covered by this system (it is hosted on another server and we do not have access to the log files). Moreover, we are currently dropping other kinds of third-party trackers.

More info:

Description

It was proposed to deploy a Matomo installation on one of their servers: wmi-fabula. This will keep data out of the reach of third-party companies (mostly non-European companies), simplify our privacy policy and simplify the work of our GDPR manager.

This should:

  • fit fundraising needs (monitor campaigns)
  • fit IT department needs (monitor performances)

The new installation is expected to be available here:

https://matomo.wikimedia.it/

We can use the same server that currently hosts other websites, such as this one:

$ nslookup cinquepermille.wikimedia.it
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	cinquepermille.wikimedia.it
Address: 54.38.36.173

So this should be the expected DNS entry to be created:

wikimedia.it.
matomo IN A 54.38.36.173

Status

  • request domain creation
  • prepare the webserver
  • deploy Matomo in our websites

Server intervention

This happens on the centos01 server.

We installed Matomo, verifying it with the official PGP keys.

Preparation

$ mkdir -p      /var/www/matomo/tmp
$ chown apache: /var/www/matomo/tmp
$ cd            /var/www/matomo

Matomo download and crypto verification

$ wget https://builds.matomo.org/matomo-latest.tar.gz
$ wget https://builds.matomo.org/matomo-latest.tar.gz.asc

$ cat matomo-latest.tar.gz.asc 

$ sha1sum matomo-latest.tar.gz 
0493d84590f6b000c2fb08bccbd7f67b4a3c4e2c  matomo-latest.tar.gz

$ md5sum matomo-latest.tar.gz 
3f1e29e620dc36899625836eddf09f66  matomo-latest.tar.gz

$ gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: key B5DBD5925590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 5590A237 from hkp server keys.gnupg.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# extract the webroot
$ tar xzf matomo-latest.tar.gz
$ mv matomo www

# remove files that are no longer needed
$ rm matomo-latest.tar.gz matomo-latest.tar.gz.asc How*.html
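
The transcript above fetches the signing key and prints checksums, but does not show the `gpg --verify` step that ties the archive to that key. The following is an added example, not part of the original task: it accepts the archive only when gpg reports a good signature from the fingerprint given on this page. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the task): accept the archive only if gpg reports a
# good signature made by the key whose full fingerprint is pinned below.

# Fingerprint taken from the --recv-keys command on this page.
PINNED_FPR=814E346FA01A20DBB04B6807B5DBD5925590A237

# signed_by FPR (hypothetical helper): reads `gpg --status-fd` lines on stdin.
# Succeeds only with a GOODSIG, a VALIDSIG whose primary-key fingerprint (its
# last field) equals FPR, and no bad/expired/revoked status.
signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"   { next }
        $2 == "GOODSIG"    { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_release ARCHIVE SIG (hypothetical wrapper): uses the current keyring,
# so the key must already be imported, as with --recv-keys above.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signed_by "$PINNED_FPR"
}

# Constructed status lines (not real gpg output) to exercise signed_by offline.
SAMPLE_GOOD='[GNUPG:] GOODSIG B5DBD5925590A237 Matthieu Aubry <matt@piwik.org>
[GNUPG:] VALIDSIG 814E346FA01A20DBB04B6807B5DBD5925590A237 2020-12-30 1609286400 0 4 0 1 10 00 814E346FA01A20DBB04B6807B5DBD5925590A237'
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0000000000000000 Constructed Key <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2020-12-30 1609286400 0 4 0 1 10 00 0000000000000000000000000000000000000000'
SAMPLE_EXPIRED_KEY='[GNUPG:] EXPKEYSIG B5DBD5925590A237 Matthieu Aubry <matt@piwik.org>
[GNUPG:] VALIDSIG 814E346FA01A20DBB04B6807B5DBD5925590A237 2020-12-30 1609286400 0 4 0 1 10 00 814E346FA01A20DBB04B6807B5DBD5925590A237'

# Stand-alone use: ./verify.sh matomo-latest.tar.gz matomo-latest.tar.gz.asc
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature OK: $PINNED_FPR"
fi
```

Run it before `tar xzf`, so that an archive failing the check is never extracted into the webroot.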

Then we published an Apache configuration in:

rWIIN wikimedia-it-wmit-infrastructure

And deployed:

$ ln -s /etc/wmit-infrastructure/servers/ovh-centos01/projects/matomo/apache2/it-wikimedia-matomo.conf /etc/httpd/conf.d/it-wikimedia-matomo.conf

$ sudo certbot certonly --webroot --webroot-path=/var/www/matomo/www/ -d matomo.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for matomo.wikimedia.it
Using the webroot path /var/www/matomo/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/matomo.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/matomo.wikimedia.it/privkey.pem
   Your cert will expire on 2021-03-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# check if everything is OK
$ apachectl configtest
Syntax OK

# reload Apache HTTPd without any service interruption
$ apachectl graceful

Notes

Some time ago I developed a very minimal but efficient Matomo plugin that also strictly respects the DoNotTrack browser preference. I like it because it has no web configuration or any other dummy feature: it just integrates with Matomo and its parameters can be changed only if you have command line access to the wp-config.php. It's damn fast and secure :^)

That KISS WordPress-Matomo plugin I'm talking about is online here:

https://gitpull.it/source/wp-matomo/

Mirror here:

https://github.com/valerio-bozzolan/wp-matomo/

Here is the project workboard:

https://gitpull.it/tag/wordpress_matomo/


This is partially related to these:

Event Timeline

valerio.bozzolan triaged this task as Medium priority.
valerio.bozzolan updated the task description.

Note that the new DNS record matomo.wikimedia.it is not available yet.

$ nslookup matomo.wikimedia.it
** server can't find matomo.wikimedia.it: NXDOMAIN

Now this is online.

Anyway, before marking this as resolved, I would like to wait for T269782#6710708 in order to be able to publish the related configuration files.

valerio.bozzolan renamed this task from Deploy a Matomo instance in matomo.wikimedia.it to Deploy a Matomo instance in matomo.wikimedia.it (server wmi-fabula). Jan 20 2021, 9:58 AM
valerio.bozzolan updated the task description.