
Deploy a Matomo instance in (server wmi-fabula)
Closed, Resolved (Public)



Currently, some websites of Wikimedia Italia have server-side analytics thanks to AWStats, while the main website is not covered by this system (it's hosted on another server and we do not have access to the log files); moreover, we are currently dropping other kinds of third-party trackers.

More info:


It was proposed to deploy a Matomo installation in one of their servers: wmi-fabula. This will be done to keep data out of the reach of third-party companies (mostly non-European companies) and simplify our privacy policy and simplify the work for our GDPR manager.

This should:

  • fit fundraising needs (monitor campaigns)
  • fit IT department needs (monitor performance)

The new installation is expected to be available here:

We can adopt the same server that is currently hosting other websites like this:

$ nslookup

Non-authoritative answer:

So this should be the expected DNS entry to be created:
matomo IN A


  • request domain creation
  • prepare the webserver
  • deploy Matomo in our websites

Server intervention

This happens in the centos01 server.

We installed Matomo verifying it with the official PGP keys.

$ mkdir -p      /var/www/matomo/tmp
$ chown apache: /var/www/matomo/tmp
$ cd            /var/www/matomo
# Matomo download and crypto verification
$ wget
$ wget

$ cat matomo-latest.tar.gz.asc 


$ sha1sum matomo-latest.tar.gz 
0493d84590f6b000c2fb08bccbd7f67b4a3c4e2c  matomo-latest.tar.gz

$ md5sum matomo-latest.tar.gz 
3f1e29e620dc36899625836eddf09f66  matomo-latest.tar.gz

$ gpg --keyserver --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: key B5DBD5925590A237: public key "Matthieu Aubry <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

$ gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 5590A237 from hkp server
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5590A237: public key "Matthieu Aubry <>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

# extract the webroot
$ tar xzf matomo-latest.tar.gz
$ mv matomo www

# remove unneeded stuff
$ rm matomo-latest.tar.gz matomo-latest.tar.gz.asc How*.html

Then we published an Apache configuration in:

rWIIN wikimedia-it-wmit-infrastructure

And deployed:

$ ln -s /etc/wmit-infrastructure/servers/ovh-centos01/projects/matomo/apache2/it-wikimedia-matomo.conf /etc/httpd/conf.d/it-wikimedia-matomo.conf

$ sudo certbot certonly --webroot --webroot-path=/var/www/matomo/www/ -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www/matomo/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2021-03-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

# check if everything is OK
$ apachectl configtest
Syntax OK

# reload Apache HTTPd without any service interruption
$ apachectl graceful


Some time ago I developed a very minimal but efficient Matomo plugin that also strictly respects the DoNotTrack browser preference. I like it because it has no web configuration or any other dummy feature: it just integrates with Matomo and its parameters can be changed only if you have command line access to the wp-config.php. It's damn fast and secure :^)

That KISS WordPress-Matomo plugin I'm talking about is online here:

Mirror here:

Here is the project workboard:

This is partially related to these:
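
One way to script the PGP verification step described in the task, as an added example that is not part of the original task description or of the Matomo project: it accepts the tarball only when GnuPG reports a valid signature made by the fingerprint shown above, and fails closed otherwise. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: fail-closed PGP check for the downloaded Matomo tarball.
# Fingerprint is the one shown in the task; function names are hypothetical.
EXPECTED_FPR="814E346FA01A20DBB04B6807B5DBD5925590A237"

# Reads `gpg --status-fd 1` lines on stdin. Succeeds only when a VALIDSIG line
# carries fingerprint $1 (signing key or primary key) and no failure status
# (bad, unverifiable, expired or revoked) was reported.
status_proves_signer() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Appending "" forces string comparison, never numeric.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# usage: verify_tarball matomo-latest.tar.gz.asc matomo-latest.tar.gz
verify_tarball() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_proves_signer "$EXPECTED_FPR"
}

# Constructed status output for illustration (not captured from a real run).
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG B5DBD5925590A237 Matthieu Aubry
[GNUPG:] VALIDSIG $EXPECTED_FPR 2021-01-01 1609459200 0 4 0 1 10 00 $EXPECTED_FPR"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 1111111111111111 Someone Else
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2021-01-01 1609459200 0 4 0 1 10 00 1111111111111111111111111111111111111111"

# Run the real check only when called with <signature> <tarball>.
if [ "$#" -eq 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "signature OK, signed by $EXPECTED_FPR"
    else
        echo "signature check FAILED, do not extract" >&2
        exit 1
    fi
fi
```

A valid signature from any other key in the keyring is rejected, which is the case a plain exit-code check on `gpg --verify` would let through.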

Event Timeline

valerio.bozzolan triaged this task as Medium priority.
valerio.bozzolan updated the task description.

Note that the new DNS record is not available yet.

$ nslookup
** server can't find NXDOMAIN

Now this is online.

Anyway, before marking this as resolved I would like to wait for T269782#6710708 in order to be able to publish the related configuration files.

valerio.bozzolan renamed this task from Deploy a Matomo instance in to Deploy a Matomo instance in (server wmi-fabula). Jan 20 2021, 9:58 AM
valerio.bozzolan updated the task description.