== Preamble ==
Currently, some websites of [[ https://www.wikimedia.it/ | Wikimedia Italia ]] have server-side analytics thanks to [[ https://en.wikipedia.org/wiki/AWStats | AWStats ]], while the main website is not covered by this system (it is hosted on another server and we do not have access to its log files); moreover, we are currently dropping other kinds of third-party trackers.
More info:
* {T270616}
* https://wiki.wikimedia.it/wiki/Matomo
== Description ==
It was proposed to deploy a [[ https://en.wikipedia.org/wiki/Matomo_(software) | Matomo ]] installation on one of their [[https://wiki.wikimedia.it/wiki/Server|servers]]: `wmi-fabula`. This keeps analytics data out of the reach of third-party companies (mostly non-European companies), simplifies our privacy policy and simplifies the work of our GDPR manager.
This should:
* fit fundraising needs (monitor campaigns)
* fit IT department needs (monitor performances)
The new installation is expected to be available here:
https://matomo.wikimedia.it/
We can use the same server that currently hosts other websites, for example:
```
$ nslookup cinquepermille.wikimedia.it
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: cinquepermille.wikimedia.it
Address: 54.38.36.173
```
So the DNS entry to create should be:
```
name=wikimedia.it.
matomo IN A 54.38.36.173
```
== Status ==
* [X] request domain creation
* [X] prepare the webserver
* [ ] deploy Matomo in our websites
== Server intervention ==
This happens in the `centos01` server.
We installed Matomo, verifying the download against the [[ https://matomo.org/blog/2014/11/verify-signatures-piwik-packages/ | official PGP keys ]].
```
name=Preparation
$ mkdir -p /var/www/matomo/tmp
$ chown apache: /var/www/matomo/tmp
$ cd /var/www/matomo
```
```
name=Matomo download and crypto verification
$ wget https://builds.matomo.org/matomo-latest.tar.gz
$ wget https://builds.matomo.org/matomo-latest.tar.gz.asc
$ cat matomo-latest.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
# (signature body omitted)
-----END PGP SIGNATURE-----
$ sha1sum matomo-latest.tar.gz
0493d84590f6b000c2fb08bccbd7f67b4a3c4e2c matomo-latest.tar.gz
$ md5sum matomo-latest.tar.gz
3f1e29e620dc36899625836eddf09f66 matomo-latest.tar.gz
$ gpg --keyserver keys.gnupg.net --recv-keys 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: key B5DBD5925590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --fingerprint 814E346FA01A20DBB04B6807B5DBD5925590A237
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 5590A237 from hkp server keys.gnupg.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 5590A237: public key "Matthieu Aubry <matt@piwik.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
# extract the webroot
$ tar xzf matomo-latest.tar.gz
$ mv matomo www
# remove unuseful stuff
$ rm matomo-latest.tar.gz matomo-latest.tar.gz.asc How*.html
```
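The transcript above downloads the `.asc` file and imports the release key but stops before the actual `gpg --verify`, and the `sha1sum`/`md5sum` lines only detect corruption, not a tampered download. The following script is an added example, not part of this task or of Matomo's own tooling: it runs the verification and additionally pins the signing key to the fingerprint imported above, because a zero exit status from gpg only proves that some key in the keyring signed the file; it assumes `gpg` is on `PATH`, and the status lines used in its test are constructed.

```python
"""Verify a Matomo tarball against its detached signature and pin the key."""
import subprocess
import sys

# Fingerprint of the key imported in the transcript (Matthieu Aubry, Matomo).
MATOMO_RELEASE_KEY = "814E346FA01A20DBB04B6807B5DBD5925590A237"


def _normalize(fpr: str) -> str:
    """Strip spaces and upper-case so pasted fingerprints compare equal."""
    return fpr.replace(" ", "").upper()


def signature_ok(status_output: str, expected_fpr: str = MATOMO_RELEASE_KEY) -> bool:
    """Return True only if gpg reported a valid signature from `expected_fpr`.

    `status_output` is the machine-readable text gpg writes to --status-fd.
    gpg emits a VALIDSIG line only for good signatures; it looks like
      [GNUPG:] VALIDSIG <signing-key-fpr> <date> <timestamp> ... <primary-key-fpr>
    Either the signing (sub)key or its primary key (last field) must match.
    """
    want = _normalize(expected_fpr)
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            if _normalize(fields[2]) == want or _normalize(fields[-1]) == want:
                return True
    return False


def verify_release(tarball: str, sig: str, expected_fpr: str = MATOMO_RELEASE_KEY) -> bool:
    """Run gpg on e.g. matomo-latest.tar.gz and matomo-latest.tar.gz.asc."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True,
    )
    # Non-zero exit (BADSIG, missing key, corrupt file) is always a failure;
    # a zero exit still has to come from the pinned key.
    return proc.returncode == 0 and signature_ok(proc.stdout, expected_fpr)


if __name__ == "__main__":
    ok = verify_release(sys.argv[1], sys.argv[2])
    print("OK: signed by the pinned Matomo key" if ok else "VERIFICATION FAILED")
    sys.exit(0 if ok else 1)
```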
We then published the Apache configuration in:
{rWIIN}
And deployed:
```
$ ln -s /etc/wmit-infrastructure/servers/ovh-centos01/projects/matomo/apache2/it-wikimedia-matomo.conf /etc/httpd/conf.d/it-wikimedia-matomo.conf
$ sudo certbot certonly --webroot --webroot-path=/var/www/matomo/www/ -d matomo.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for matomo.wikimedia.it
Using the webroot path /var/www/matomo/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/matomo.wikimedia.it/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/matomo.wikimedia.it/privkey.pem
Your cert will expire on 2021-03-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
# check if everything is OK
$ apachectl configtest
Syntax OK
# reload Apache HTTPd without any service interruption
$ apachectl graceful
```
Additional hardening:
```
adduser apache-framadate
usermod -G apache apache-framadate
chown root:apache-framadate /var/www/framadate/www/app/inc/config-secret.php
```
== Notes ==
Some time ago I developed a very minimal but efficient Matomo plugin that also strictly respects the [[ https://en.wikipedia.org/wiki/Do_Not_Track | DoNotTrack ]] browser preference. I like it because it has no web configuration or any other dummy feature: it just integrates with Matomo and its parameters can be changed only if you have command line access to the `wp-config.php`. It's damn fast and secure :^)
That KISS WordPress-Matomo plugin I'm talking about is online here:
https://gitpull.it/source/wp-matomo/
Mirror here:
https://github.com/valerio-bozzolan/wp-matomo/
Here is the project workboard:
https://gitpull.it/tag/wordpress_matomo/
----
This is partially related to these:
* {T266998}
* {T270616}