Matomo (formerly Piwik) is a free and open source web analytics application, developed by an international team of developers, that runs on a PHP/MySQL web server. It tracks online visits to one or more websites and displays reports on these visits for analysis. You can think of it as an alternative to Google Analytics. Matomo is open source and its code is publicly available on GitHub. Some of its features are: A/B Testing, Heatmaps, Funnels, Tracking and Reporting API, Google AdWords, Facebook Ads, Bing Ads, Cost Per Click (CPC), etc. This tutorial shows you how to install Matomo on a Debian 9 (stretch) system using Nginx as the web server, and how to secure the website with a Let's Encrypt SSL certificate.


To run Matomo (Piwik) on your Debian system you will need a couple of things:

  • Web server such as Apache or Nginx.
  • PHP version 5.5.9 or higher with pdo and pdo_mysql or mysqli, gd, xml, curl, and mbstring extensions. PHP 7+ is recommended.
  • MySQL version 5.5 or higher, or the equivalent MariaDB version. MySQL 5.7+ is recommended.


  • An operating system running Debian 9 (stretch).
  • A non-root user with sudo privileges.

Initial steps

Check your Debian version:

lsb_release -ds
# Debian GNU/Linux 9.6 (stretch)

Set up the timezone:

dpkg-reconfigure tzdata

Update your operating system packages (software). This is an important first step because it ensures you have the latest updates and security fixes for your operating system's default software packages:

apt update && apt upgrade -y

Install some essential packages that are necessary for basic administration of the Debian operating system:

apt install -y curl wget vim git unzip socat sudo

Step 1 - Install MySQL and create a database for Matomo

Matomo supports MySQL and MariaDB databases. The Debian team replaced MySQL with MariaDB as the default database starting with Debian 9 (stretch), so this tutorial uses MariaDB as the database server. If you want to install the original MySQL, you can add and use the official MySQL repository maintained by Oracle.

Install MariaDB database server:

sudo apt install -y mariadb-server

Check MariaDB version:

mysql --version
# mysql  Ver 14.14 Distrib 5.7.24, for Linux (x86_64) using  EditLine wrapper

Run the mysql_secure_installation script to improve MariaDB security and set the password for the MariaDB root user:

sudo mysql_secure_installation

Answer each of the questions:

Enter current password for root (enter for none): Press Enter
Set root password? [Y/n] y
New password: your_secure_password
Re-enter new password: your_secure_password
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y

Connect to MariaDB shell as the root user:

sudo mysql -u root -p
# Enter password

Create an empty MariaDB database and user for Matomo and remember the credentials:

mysql> CREATE DATABASE dbname;
mysql> GRANT ALL ON dbname.* TO 'username' IDENTIFIED BY 'password';

Exit from MariaDB:

mysql> exit

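Replace dbname, username and password with your own values. Because the GRANT statement names no host, MariaDB creates the account as 'username'@'%'; write 'username'@'localhost' instead if Matomo only connects from this server.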

Step 2 - Install PHP and necessary PHP extensions

Install PHP, as well as the necessary PHP extensions:

sudo apt install -y php7.0 php7.0-cli php7.0-fpm php7.0-common php7.0-curl php7.0-gd php7.0-xml php7.0-mbstring php7.0-mysql

Check PHP version:

php --version

# PHP 7.0.33-0+deb9u1 (cli) (built: Dec  7 2018 11:36:49) ( NTS )
# Copyright (c) 1997-2017 The PHP Group
# Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
# with Zend OPcache v7.0.33-0+deb9u1, Copyright (c) 1999-2017, by Zend Technologies

The PHP-FPM service is started automatically and enabled at boot on a Debian 9 system, so there is no need to start and enable it manually. We can move on to the next step, which is obtaining free SSL certificates from the Let's Encrypt CA.

Step 3 - Install client and obtain Let's Encrypt certificate (optional)

Securing your website with HTTPS is not necessary, but it is a good practice to secure your site traffic. In order to obtain TLS certificate from Let's Encrypt we will use client. is a pure Unix shell software for obtaining TLS certificates from Let's Encrypt with zero dependencies. 

Download and install

sudo mkdir /etc/letsencrypt
git clone
sudo ./ --install --home /etc/letsencrypt --accountemail
cd ~

Check version:

/etc/letsencrypt/ --version
# v2.8.0

Obtain RSA and ECC/ECDSA certificates for your domain/hostname:

# RSA 2048
sudo /etc/letsencrypt/ --issue --standalone --home /etc/letsencrypt -d --keylength 2048
# ECC/ECDSA ec-256
sudo /etc/letsencrypt/ --issue --standalone --home /etc/letsencrypt -d --keylength ec-256

After running the above commands, your certificates and keys will be in:

  • For RSA: /etc/letsencrypt/ directory.
  • For ECC/ECDSA: /etc/letsencrypt/example.com_ecc directory.

Step 3 - Install NGINX and configure NGINX for Matomo

Matomo works with many popular web servers. In this tutorial, we use Nginx.

Download and install Nginx from Debian repository:

sudo apt install -y nginx

Check the Nginx version:

sudo nginx -v
# nginx version: nginx/1.10.3

Configure Nginx for Matomo by running:

sudo vim /etc/nginx/sites-available/matomo.conf

And populate the file with the following configuration:

server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    listen [::]:80;
    listen 80;

    root /var/www/matomo/;
    index index.php;

    # RSA certificate and key
    ssl_certificate /etc/letsencrypt/;
    ssl_certificate_key /etc/letsencrypt/;
    # ECC/ECDSA certificate and key
    ssl_certificate /etc/letsencrypt/example.com_ecc/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/example.com_ecc/;

    # Only these PHP entry points are passed to PHP-FPM
    location ~ ^/(index|matomo|piwik|js/index)\.php {
        include snippets/fastcgi-php.conf;
        # Clear the Proxy request header (httpoxy mitigation)
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    location = /plugins/HeatmapSessionRecording/configs.php {
        include snippets/fastcgi-php.conf;
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }

    # Deny direct access to every other PHP file
    location ~* ^.+\.php$ {
        deny all;
        return 403;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    # Deny access to internal directories
    location ~ /(config|tmp|core|lang) {
        deny all;
        return 403;
    }

    # Static assets
    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
        allow all;
    }

    location ~ /(libs|vendor|plugins|misc/user) {
        deny all;
        return 403;
    }

}

NOTE: For a complete and production-ready Nginx config for Matomo, visit

Activate the new matomo.conf configuration by linking the file to the sites-enabled directory.

sudo ln -s /etc/nginx/sites-available/matomo.conf /etc/nginx/sites-enabled

Check Nginx configuration for syntax errors:

sudo nginx -t

Reload Nginx service:

sudo systemctl reload nginx.service

Step 4 - Install Matomo Analytics

Create /var/www directory:

sudo mkdir -p /var/www

Navigate to /var/www directory:

cd /var/www/

Download the latest Matomo release via wget and unzip it:

sudo wget && sudo unzip

Remove downloaded file:

sudo rm

Change ownership of the /var/www/matomo directory to www-data user:

sudo chown -R www-data:www-data /var/www/matomo
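
With the files in place and Nginx reloaded, the deny rules from the Nginx configuration in this tutorial can be checked from a shell. The script below is an added example, not part of the original tutorial or of Matomo; the base URL argument, the script name and the sample paths (constructed from the directory names in the location blocks) are assumptions.

```shell
#!/bin/sh
# Added example: confirm that the Nginx deny rules block Matomo's internal paths.
# Usage: sh check_matomo_paths.sh https://your-matomo-host   (script name is hypothetical)

# Sample paths constructed from the directory names in the location blocks.
# Each one should be answered with 403 by the configuration in this tutorial.
DENIED_PATHS='/config/config.ini.php
/tmp/
/core/Version.php
/lang/en.json
/libs/
/vendor/autoload.php
/plugins/
/misc/user/'

# Print the HTTP status code for a URL ("000" if the connection fails).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# Return 0 only if every denied path gives 403 and /index.php is still served.
check_matomo_paths() {
    base=${1%/}
    failures=0
    for path in $DENIED_PATHS; do
        code=$(http_status "$base$path")
        if [ "$code" = "403" ]; then
            echo "ok    $code  $path"
        else
            echo "FAIL  $code  $path (expected 403)"
            failures=$((failures + 1))
        fi
    done
    code=$(http_status "$base/index.php")
    case "$code" in
        2??|3??) echo "ok    $code  /index.php" ;;
        *) echo "FAIL  $code  /index.php (expected 2xx or 3xx)"
           failures=$((failures + 1)) ;;
    esac
    [ "$failures" -eq 0 ]
}

# Run only when a base URL is given on the command line.
if [ $# -gt 0 ]; then
    check_matomo_paths "$1"
    exit $?
fi
```

A non-zero exit status means at least one internal path was not answered with 403, so the script can gate a deployment or run from cron after configuration changes.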

Step 5 - Complete the Matomo Analytics setup

Open your site in a web browser and follow the Matomo web installation wizard.

First, the Matomo welcome message should appear. Click the "Next" button.

Next, you will see the "System Check" page. If something is missing, you will see a warning. If everything is marked with a green checkmark, click the "Next" button to proceed to the next step.

Next, fill in the database details and click the "Next" button.

If everything went well with the database setup, you should see the "Tables created with success!" message.

Create the Matomo superuser account and click the "Next" button.

Next, set up the first website you would like to track and analyze with Matomo. Later on, you can add more sites to track with Matomo.

Next, you will be provided with the JavaScript tracking code that you need to add to your site to start tracking.

Next, you should see that the Matomo installation is completed.


Congratulations! Your Matomo installation is complete.

