Feat: add cleaninsights role

2025-08-08 12:00:26 +01:00 · 2025-08-08 12:00:26 +01:00 · bf6ed83fd6
commit bf6ed83fd6
parent 051c1ab57f
10 changed files with 281 additions and 0 deletions
--- a/roles/podman_cleaninsights/templates/nginx.conf
+++ b/roles/podman_cleaninsights/templates/nginx.conf
@ -0,0 +1,99 @@
+# {{ ansible_managed }}
+
+upstream php-handler {
+	server matomo:9000;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name {{ podman_cleaninsights_web_hostname }};
+    server_tokens off;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://{{ podman_cleaninsights_web_hostname }}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name matomo {{ podman_cleaninsights_web_hostname }};
+    server_tokens off;
+
+    ssl_certificate /etc/letsencrypt/live/{{ podman_cleaninsights_web_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ podman_cleaninsights_web_hostname }}/privkey.pem;
+
+    add_header Strict-Transport-Security max-age=15768000 always;
+    add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+	root /var/www/html/; # this is the default matomo image path
+	index index.php;
+
+	location ~ ^/(index|matomo|cleaninsights|piwik|js/index|plugins/HeatmapSessionRecording/configs).php {
+		# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+		# Check that the PHP script exists before passing it
+		#try_files $fastcgi_script_name =404;
+
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+        include fastcgi_params;
+		fastcgi_pass php-handler;
+		fastcgi_read_timeout 60s;
+	}
+
+	# deny access to all other .php files
+	location ~* ^.+\.php$ {
+		return 403;
+	}
+
+    # deny access to all cleaninsights.ini file
+	location ~ cleaninsights.ini {
+		return 403;
+	}
+
+    # disable all access to the following directories
+    location ~ ^/(config|tmp|core|lang) {
+        return 403; # replace with 404 to not show these directories exist
+    }
+
+    location ~ /\.ht {
+        return 403;
+    }
+
+    location ~ js/container_.*_preview\.js$ {
+        expires off;
+        add_header Cache-Control 'private, no-cache, no-store';
+    }
+
+    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$ {
+        allow all;
+        # Cache images,CSS,JS and webfonts for an hour
+        # Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+        expires 1h;
+        add_header Pragma public;
+        add_header Cache-Control "public";
+    }
+
+    location ~ ^/(libs|vendor|plugins|misc|node_modules) {
+        deny all;
+        return 403;
+    }
+
+    # properly display textfiles in root directory
+    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+        default_type text/plain;
+    }
+}