From cd6506c60abcb835f7f56270fa1ad7a864f56967 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 19 Dec 2023 12:07:21 +0000
Subject: [PATCH] fix: upgrade matomo configuration for performance and better monitoring of services
---
 confs/matomo/cron.d-disabled/matomo-archive | 4 +
 confs/matomo/cron.d-disabled/matomo-tracking | 4 +
 .../matomo/mysql/mariadb.conf.d/50-server.cnf | 140 ++++++++++++++++++
 confs/matomo/nginx/sites-enabled/default | 114 ++++++++++++++
 confs/matomo/nginx/sites-enabled/stub_status | 29 ++++
 confs/matomo/systemd/email-failures@.service | 1 +
 .../systemd/mariadb.service.d/override.conf | 3 +
 confs/matomo/systemd/matomo-archive.service | 18 +++
 confs/matomo/systemd/matomo-archive.timer | 11 ++
 confs/matomo/systemd/matomo-tracking.service | 19 +++
 confs/matomo/systemd/matomo-tracking.timer | 11 ++
 .../php7.3-fpm.service.d/override.conf | 3 +
 .../redis-server.service.d/override.conf | 3 +
 13 files changed, 360 insertions(+)
 create mode 100644 confs/matomo/cron.d-disabled/matomo-archive
 create mode 100644 confs/matomo/cron.d-disabled/matomo-tracking
 create mode 100644 confs/matomo/mysql/mariadb.conf.d/50-server.cnf
 create mode 100644 confs/matomo/nginx/sites-enabled/default
 create mode 100644 confs/matomo/nginx/sites-enabled/stub_status
 create mode 120000 confs/matomo/systemd/email-failures@.service
 create mode 100644 confs/matomo/systemd/mariadb.service.d/override.conf
 create mode 100644 confs/matomo/systemd/matomo-archive.service
 create mode 100644 confs/matomo/systemd/matomo-archive.timer
 create mode 100644 confs/matomo/systemd/matomo-tracking.service
 create mode 100644 confs/matomo/systemd/matomo-tracking.timer
 create mode 100644 confs/matomo/systemd/php7.3-fpm.service.d/override.conf
 create mode 100644 confs/matomo/systemd/redis-server.service.d/override.conf
diff --git a/confs/matomo/cron.d-disabled/matomo-archive b/confs/matomo/cron.d-disabled/matomo-archive
new file mode 100644
index 00000000..ab4f3928
--- /dev/null
+++ b/confs/matomo/cron.d-disabled/matomo-archive
@@ -0,0 +1,4 @@
+MAILTO="root@openfoodfacts.org"
+# see https://fr.matomo.org/faq/on-premise/how-to-set-up-auto-archiving-of-your-reports/
+# only start if no process is already running
+5 * * * * www-data ps -elf|grep "core:archive"|grep -v grep || /usr/bin/php /var/www/html/matomo/console core:archive --url=http://analytics.openfoodfacts.org/ >> /var/log/matomo/matomo-archive.log 2>>/var/log/matomo/matomo-archive-err.log
diff --git a/confs/matomo/cron.d-disabled/matomo-tracking b/confs/matomo/cron.d-disabled/matomo-tracking
new file mode 100644
index 00000000..7107ca9f
--- /dev/null
+++ b/confs/matomo/cron.d-disabled/matomo-tracking
@@ -0,0 +1,4 @@
+MAILTO="root@openfoodfacts.org"
+# see https://matomo.org/faq/on-premise/how-to-configure-matomo-to-handle-unexpected-peak-in-traffic/
+# only start if no process is already running
+* * * * * www-data ps -elf|grep "queuedtracking:process"|grep -v grep || /usr/bin/php /var/www/html/matomo/console queuedtracking:process --no-ansi >> /var/log/matomo/matomo-tracking.log 2>>/var/log/matomo/matomo-tracking-err.log
diff --git a/confs/matomo/mysql/mariadb.conf.d/50-server.cnf b/confs/matomo/mysql/mariadb.conf.d/50-server.cnf
new file mode 100644
index 00000000..624a0624
--- /dev/null
+++ b/confs/matomo/mysql/mariadb.conf.d/50-server.cnf
@@ -0,0 +1,140 @@
+#
+# These groups are read by MariaDB server.
+# Use it for options that only the server (but not clients) should see
+#
+# See the examples of server my.cnf files in /usr/share/mysql
+
+# this is read by the standalone daemon and embedded servers
+[server]
+
+# this is only for the mysqld standalone daemon
+[mysqld]
+
+#
+# * Basic Settings
+#
+user = mysql
+pid-file = /run/mysqld/mysqld.pid
+socket = /run/mysqld/mysqld.sock
+#port = 3306
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+#skip-external-locking
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 127.0.0.1
+
+#
+# * Fine Tuning
+#
+#key_buffer_size = 16M
+#max_allowed_packet = 16M
+#thread_stack = 192K
+#thread_cache_size = 8
+# This replaces the startup script and checks MyISAM tables if needed
+# the first time they are touched
+#myisam_recover_options = BACKUP
+#max_connections = 100
+#table_cache = 64
+#thread_concurrency = 10
+
+#
+# * Query Cache Configuration
+#
+#query_cache_limit = 1M
+query_cache_size = 16M
+
+#
+# * Logging and Replication
+#
+# Both location gets rotated by the cronjob.
+# Be aware that this log type is a performance killer.
+# As of 5.1 you can enable the log at runtime!
+#general_log_file = /var/log/mysql/mysql.log
+#general_log = 1
+#
+# Error log - should be very few entries.
+#
+log_error = /var/log/mysql/error.log
+#
+# Enable the slow query log to see queries with especially long duration
+#slow_query_log_file = /var/log/mysql/mariadb-slow.log
+#long_query_time = 10
+#log_slow_rate_limit = 1000
+#log_slow_verbosity = query_plan
+#log-queries-not-using-indexes
+#
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+#server-id = 1
+#log_bin = /var/log/mysql/mysql-bin.log
+expire_logs_days = 10
+#max_binlog_size = 100M
+#binlog_do_db = include_database_name
+#binlog_ignore_db = exclude_database_name
+
+#
+# * Security Features
+#
+# Read the manual, too, if you want chroot!
+#chroot = /var/lib/mysql/
+#
+# For generating SSL certificates you can use for example the GUI tool "tinyca".
+#
+#ssl-ca = /etc/mysql/cacert.pem
+#ssl-cert = /etc/mysql/server-cert.pem
+#ssl-key = /etc/mysql/server-key.pem
+#
+# Accept only connections using the latest and most secure TLS protocol version.
+# ..when MariaDB is compiled with OpenSSL:
+#ssl-cipher = TLSv1.2
+# ..when MariaDB is compiled with YaSSL (default in Debian):
+#ssl = on
+
+#
+# * Character sets
+#
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+#
+character-set-server = utf8mb4
+collation-server = utf8mb4_general_ci
+
+#
+# * InnoDB
+#
+# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
+# Read the manual for more InnoDB related options. There are many!
+
+#
+# * Unix socket authentication plugin is built-in since 10.0.22-6
+#
+# Needed so the root database user can authenticate without a password but
+# only when running as the unix root user.
+#
+# Also available for other users if required.
+# See https://mariadb.com/kb/en/unix_socket-authentication-plugin/
+
+# specific to use memory
+# 4G out of 6G (should be 80% of RAM, but DB is not alone)
+innodb_buffer_pool_size=4G
+# table size 64M / Go = 64*6
+max_heap_table_size=384M
+tmp_table_size=384M
+# this is only for embedded server
+[embedded]
+
+# This group is only read by MariaDB servers, not by MySQL.
+# If you use the same .cnf file for MySQL and MariaDB,
+# you can put MariaDB-only options here
+[mariadb]
+
+
+# This group is only read by MariaDB-10.3 servers.
+# If you use the same .cnf file for MariaDB of different versions,
+# use this group for options that older servers don't understand
+[mariadb-10.3]
diff --git a/confs/matomo/nginx/sites-enabled/default b/confs/matomo/nginx/sites-enabled/default
new file mode 100644
index 00000000..85ba4c74
--- /dev/null
+++ b/confs/matomo/nginx/sites-enabled/default
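Review bot: `max_heap_table_size=384M` and `tmp_table_size=384M` are per-temporary-table ceilings, not a global allotment: each query that spills to an in-memory temporary table may claim up to that size, so with the default `max_connections` a burst of concurrent report queries can ask for considerably more than the ~2G the comment leaves beside the 4G buffer pool, and the comment `# table size 64M / Go = 64*6` does not say what the 384M is derived from. Consider stating the expected concurrency the figure was sized for, or lowering the per-table limit, and re-checking the total against the host's actual RAM. These three lines also sit under the `# * Unix socket authentication plugin` heading and use `key=value` while the rest of the file uses `key = value`; moving them under their own `# * Memory tuning` heading with matching spacing would make the section self-explanatory. `query_cache_size = 16M` is the inherited Debian default, and the query cache is widely reported to become a contention point under write-heavy loads such as tracking inserts, so it is worth measuring whether turning it off serves the performance goal in the commit message better than keeping it.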
@@ -0,0 +1,114 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html/matomo;
+
+ # Add index.php to the list if you are using PHP
+ index index.php;
+
+ server_name _;
+
+ # pass PHP scripts to FastCGI server
+ #
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+ include snippets/fastcgi-php.conf;
+ #try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
+ fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+ #
+ # # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php7.3-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ }
+
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ ## serve all other files normally
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ ## disable all access to the following directories
+ location ~ ^/(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ ^/(libs|vendor|plugins|misc/user|node_modules) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
+
+}
+
diff --git a/confs/matomo/nginx/sites-enabled/stub_status b/confs/matomo/nginx/sites-enabled/stub_status
new file mode 100644
index 00000000..a4228fa2
--- /dev/null
+++ b/confs/matomo/nginx/sites-enabled/stub_status
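Review bot: The `location ~ ^/(libs|vendor|plugins|misc/user|node_modules)` deny block is declared after the static-asset regex location, and nginx takes the first regex location that matches in file order, so any file under those directories whose name ends in one of the listed extensions (`.js`, `.json`, `.html`, …) is served rather than denied; this is presumably what lets plugin assets load, but it also leaves e.g. `.json` files shipped under `vendor/` reachable. If only plugin assets are meant to be public, either restrict the asset regex to the paths that need it or move the deny block above it with an explicit exception for those paths. The `# protects against CVE-2019-11043` comment relies on `snippets/fastcgi-php.conf` supplying `try_files $fastcgi_script_name =404;`, which is outside this diff and cannot be checked here; a one-line comment recording which nginx package version was verified to include it would make that assumption auditable. The server block listens on port 80 only with the TLS section left commented, so if TLS is terminated in front of this host, a comment saying so would stop the next reader from trying to enable it here.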
@@ -0,0 +1,29 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 8080;
+
+ #server_name 127.0.0.1;
+
+ stub_status on;
+
+}
+
diff --git a/confs/matomo/systemd/email-failures@.service b/confs/matomo/systemd/email-failures@.service
new file mode 120000
index 00000000..d4b473ae
--- /dev/null
+++ b/confs/matomo/systemd/email-failures@.service
@@ -0,0 +1 @@
+../../common/systemd/system/email-failures@.service
\ No newline at end of file
diff --git a/confs/matomo/systemd/mariadb.service.d/override.conf b/confs/matomo/systemd/mariadb.service.d/override.conf
new file mode 100644
index 00000000..8fc20b93
--- /dev/null
+++ b/confs/matomo/systemd/mariadb.service.d/override.conf
@@ -0,0 +1,3 @@
+[Unit]
+OnFailure=email-failures@mariadb-%l.service
+
diff --git a/confs/matomo/systemd/matomo-archive.service b/confs/matomo/systemd/matomo-archive.service
new file mode 100644
index 00000000..84f4e9cd
--- /dev/null
+++ b/confs/matomo/systemd/matomo-archive.service
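Review bot: `listen 8080;` binds every interface, and the only restriction in the block, `#server_name 127.0.0.1;`, is commented out (and `server_name` would not restrict clients even if enabled), so the `stub_status` page is reachable from any host that can reach port 8080 unless a firewall in front of it says otherwise. The page only discloses connection and request counters, but there is no reason to publish even that; bind it locally with `listen 127.0.0.1:8080;` and, if a remote exporter presumably needs to scrape it, scope it with `allow <exporter-ip>; deny all;` inside a dedicated `location /` instead. The 17-line packaging header copied from `default` describes the Debian default site, not this file, and could be replaced by one line stating that this vhost exists only for nginx monitoring.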
@@ -0,0 +1,18 @@
+[Unit]
+Description=Archive matomo requests
+Requires=mariadb.service
+
+# email on failure
+OnFailure=email-failures@matomo-archive-%l.service
+
+[Service]
+Environment=TZ=UTC
+# oneshot because it is driven by a timer
+Type=oneshot
+ExecStart=/usr/bin/php /var/www/html/matomo/console core:archive --url=http://analytics.openfoodfacts.org/
+StandardOutput=file:/var/log/matomo/matomo-archive.log
+StandardError=file:/var/log/matomo/matomo-archive-err.log
+# place a timeout for bad cases as this process sometimes hangs
+# note: we have to use TimeoutStartSec as it's a Type=oneshot service
+TimeoutStartSec=1h
+
diff --git a/confs/matomo/systemd/matomo-archive.timer b/confs/matomo/systemd/matomo-archive.timer
new file mode 100644
index 00000000..b1926d6a
--- /dev/null
+++ b/confs/matomo/systemd/matomo-archive.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run Matomo archive process every 5 minutes
+
+[Timer]
+# every 5 minutes
+OnBootSec=5m
+OnUnitInactiveSec=5m
+
+[Install]
+WantedBy=timers.target
+
diff --git a/confs/matomo/systemd/matomo-tracking.service b/confs/matomo/systemd/matomo-tracking.service
new file mode 100644
index 00000000..9a6a1a1f
--- /dev/null
+++ b/confs/matomo/systemd/matomo-tracking.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Process matomo tracking requests from Redis
+Requires=mariadb.service
+Requires=redis-server.service
+
+# email on failure
+OnFailure=email-failures@matomo-archive-%l.service
+
+[Service]
+Environment=TZ=UTC
+# oneshot because it is driven by a timer
+Type=oneshot
+# see https://matomo.org/faq/on-premise/how-to-configure-matomo-to-handle-unexpected-peak-in-traffic/
+ExecStart=/usr/bin/php /var/www/html/matomo/console queuedtracking:process --no-ansi
+StandardOutput=file:/var/log/matomo/matomo-tracking.log
+StandardError=file:/var/log/matomo/matomo-tracking-err.log
+# place a timeout for bad cases
+# note: we have to use TimeoutStartSec as it's a Type=oneshot service
+TimeoutStartSec=20m
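Review bot: The `[Service]` section sets no `User=`, so `core:archive` now runs as root, whereas the cron entry it replaces (`confs/matomo/cron.d-disabled/matomo-archive`) ran it as `www-data`; beyond being needless privilege for a PHP job, any cache or temporary files it creates under the Matomo tree become root-owned and can then be unwritable for the php-fpm workers. Add `User=www-data` and `Group=www-data` to this unit and to matomo-tracking.service, which has the same gap. `Requires=mariadb.service` without a matching `After=mariadb.service` only pulls MariaDB in and does not order the start, so at boot the archiver can be launched before the database accepts connections and fail its first run; pair each `Requires=` with `After=` in both units (matomo-tracking.service also needs `After=redis-server.service`). `StandardOutput=file:` and `StandardError=file:` do not append — that is what `append:` exists for — so, unlike the `>>` redirections of the cron version, each run overwrites the previous log content in place; use `append:` if the host's systemd supports it, or route the output to the journal.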
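Review bot: `OnFailure=email-failures@matomo-archive-%l.service` in this unit's `[Unit]` section is copied from matomo-archive.service, so a failed tracking run is reported as an archive failure and the two cannot be told apart in the notification; it should read `OnFailure=email-failures@matomo-tracking-%l.service`. The `Description=` and `ExecStart=` lines are otherwise consistent with the tracking command in the disabled cron file.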
diff --git a/confs/matomo/systemd/matomo-tracking.timer b/confs/matomo/systemd/matomo-tracking.timer
new file mode 100644
index 00000000..cb3fb60d
--- /dev/null
+++ b/confs/matomo/systemd/matomo-tracking.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run Matomo tracking process every minutes
+
+[Timer]
+# every 1 minutes
+OnBootSec=60s
+OnUnitInactiveSec=60s
+
+[Install]
+WantedBy=timers.target
+
diff --git a/confs/matomo/systemd/php7.3-fpm.service.d/override.conf b/confs/matomo/systemd/php7.3-fpm.service.d/override.conf
new file mode 100644
index 00000000..82260ea5
--- /dev/null
+++ b/confs/matomo/systemd/php7.3-fpm.service.d/override.conf
@@ -0,0 +1,3 @@
+[Unit]
+OnFailure=email-failures@php7.3-fpm-%l.service
+
diff --git a/confs/matomo/systemd/redis-server.service.d/override.conf b/confs/matomo/systemd/redis-server.service.d/override.conf
new file mode 100644
index 00000000..09ab61ff
--- /dev/null
+++ b/confs/matomo/systemd/redis-server.service.d/override.conf
@@ -0,0 +1,3 @@
+[Unit]
+OnFailure=email-failures@redis-server-%l.service
+