Update matomo-nginx.conf.j2 ["fix the error private directories are accessible"]

[cwivagg]

Fixes bug:

Security problems noted in #3441.

Description of changes proposed in this pull request:

Adds a line in the nginx config for Matomo barring browser access to any files in several recommended directories. This is the preferred fix method according to Matomo's docs (link, see "Nginx web server", or scroll your eyes to the next section "Other web server" to save yourself a click on seeing what their Nginx conf is doing).

Smoke-tested on which OS or OS's:

multipass 22.04 Small Matomo install

Mention a team member @username e.g. to help with code review:

@holta

[holta]

@cwivagg thank you!

Thanks also to @jvonau for pointing out Matomo's recommendations here.

Building on:

• IIAB Community Analytics framework, above & beyond AWStats (likely Matomo?) #1762
• PR Cwivagg/matomo 20220618 #3304
• PR Several updates to make Matomo experience cleaner #3448
• PR Store actual System TZ (not Ansible's ambiguous TZ abbreviations) into fpm/php.ini & cli/php.ini — for Matomo etc #3453

[holta]

Example output of http://box/matomo (username: Admin, password: changeme) > ⚙️ (Administration) > Diagnostic > System Check below:

(This was a fresh install of IIAB on the latest Ubuntu Server 23.04 daily build.)

<details>
<summary>Click to view System Check</summary>

### Mandatory checks

#### PHP version >= 7.2.5:
 ✔ 8.1.12-1ubuntu1

#### PDO extension:
 ✔ 

#### PDO\MYSQL extension:
 ✔ 

#### MYSQLI extension:
 ✔ 

#### Other required extensions:
 ✔ zlib ✔ json ✔ filter ✔ hash ✔ session

#### Required functions:
 ✔ debug_backtrace ✔ eval ✔ hash ✔ gzcompress ✔ gzuncompress ✔ pack

#### Required PHP configuration (php.ini):
 ✔ session.auto_start = 0 ✔ max_execution_time = 0 OR = -1 OR >= 30

#### Directories with write access:
 ✔ $DOC_ROOT/tmp ✔ $DOC_ROOT/tmp/assets ✔ $DOC_ROOT/tmp/cache ✔ $DOC_ROOT/tmp/climulti ✔ $DOC_ROOT/tmp/latest ✔ $DOC_ROOT/tmp/logs ✔ $DOC_ROOT/tmp/sessions ✔ $DOC_ROOT/tmp/tcpdf ✔ $DOC_ROOT/tmp/templates_c


### Optional checks

#### Required Private Directories:
 ✔ All private directories are inaccessible from the internet.

#### Recommended Private Directories:
 ✔ All private directories are inaccessible from the internet.

#### File integrity:
 ✔ 

#### 64-bit PHP Binary:
 ✔ 

#### Tracker status:
 ✔ 

#### Memory limit:
 ✔ 128M

#### Time zone:
 ✔ 

#### Open URL:
 ✔ curl

#### PageSpeed is turned off:
 ✔ 

#### GD > 2.x + FreeType (graphics):
 ✔ 

#### Other extensions:
 ✔ json ✔ libxml ✔ dom ✔ SimpleXML ✔ openssl

#### Other functions:
 ✔ shell_exec ✔ set_time_limit ✔ mail ✔ parse_ini_file ✔ glob ✔ gzopen ✔ md5_file

#### Filesystem:
 ✔ 

#### Set up Cron (faster report-loading):
 ⚠ Warning: For optimal performance and a speedy Matomo, it is highly recommended to set up a crontab to automatically archive your reports, and to disable browser triggering in the Matomo settings. Learn more.

#### Set up Cron - Managing processes via CLI:
 ✔ Ok

#### Database abilities:
 ✔ UTF8mb4 charset ✔ LOAD DATA INFILE ✔ CREATE TEMPORARY TABLES ✔ Changing transaction isolation level

#### Max Packet Size:
 ⚠ Warning: It is recommended to configure a 'max_allowed_packet' size in your MySQL database of at least 64MB. Configured is currently 16MB.

#### Forced SSL Connection:
 ⚠ Warning: We recommend using Matomo over secure SSL connections only. To prevent insecure access over http, add <code>force_ssl = 1</code> to the <code>General</code> section in your Matomo config/config.ini.php file.<br /><br />Attention: Doing this without having set up a SSL certificate for using HTTPS will break Matomo.

#### Geolocation:
 ⚠ Warning: The default location provider determines the country visitors connect from based on their selected language. This is not very accurate, so install and use a geolocation database.

#### Update over HTTPS:
 ✔ 

#### Writable JavaScript Tracker ("/matomo.js"):
 ✔ 


### Informational results

#### Matomo Version:
 4.13.0

#### Matomo Update History:
 4.13.0,

#### Matomo Install Version:
 4.13.0

#### Latest Available Version:
 4.13.0

#### Is Git Deployment:
 0

#### PHP_OS:
 Linux

#### PHP_BINARY:
 /usr/sbin/php-fpm8.1

#### PHP SAPI:
 fpm-fcgi

#### Timezone Version:
 0.system

#### PHP Timezone:
 UTC

#### PHP Time:
 1673108601

#### PHP Datetime:
 2023-01-07 16:23:21

#### PHP INI max_execution_time:
 100

#### PHP INI post_max_size:
 100M

#### PHP INI max_input_vars:
 1000

#### PHP INI zlib.output_compression:
 

#### Curl Version:
 7.86.0, OpenSSL/3.0.5

#### Suhosin Installed:
 0

#### DB Prefix:
 matomo_

#### DB Charset:
 utf8mb4

#### DB Adapter:
 PDO\MYSQL

#### MySQL Version:
 10.6.11-MariaDB-1

#### Num Tables:
 31

#### Browser Segment Archiving Enabled:
 1

#### Development Mode Enabled:
 0

#### Internet Enabled:
 1

#### Multi Server Environment:
 0

#### Auto Update Enabled:
 1

#### Custom User Path:
 0

#### Custom Include Path:
 0

#### Release Channel:
 latest_stable

#### Plugins Activated:
 API, Actions, Annotations, BulkTracking, Contents, CoreAdminHome, CoreConsole, CoreHome, CorePluginsAdmin, CoreUpdater, CoreVisualizations, CoreVue, CustomDimensions, CustomJsTracker, Dashboard, DevicePlugins, DevicesDetection, Diagnostics, Ecommerce, Events, Feedback, GeoIp2, Goals, Heartbeat, ImageGraph, Insights, Installation, Intl, IntranetMeasurable, LanguagesManager, Live, Login, Marketplace, MobileMessaging, Monolog, Morpheus, MultiSites, Overlay, PagePerformance, PrivacyManager, ProfessionalServices, Proxy, Referrers, Resolution, RssWidget, SEO, ScheduledReports, SegmentEditor, SitesManager, Tour, Transitions, TwoFactorAuth, UserCountry, UserCountryMap, UserId, UserLanguage, UsersManager, VisitFrequency, VisitTime, VisitorInterest, VisitsSummary, WebsiteMeasurable, Widgetize

#### Plugins Deactivated:
 DBStats, MobileAppMeasurable, TagManager

#### Plugins Invalid:
 

#### Server Info:
 nginx/1.22.0

#### Had visits in last 1 day:
 0

#### Had visits in last 3 days:
 0

#### Had visits in last 5 days:
 0

#### Archive Time Last Started:
 -

#### Archive Time Last Finished:
 -

#### User Agent:
 Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36

#### Browser Language:
 en-us,en,hi

#### Total Invalidation Count:
 0

#### In Progress Invalidation Count:
 0

#### Scheduled Invalidation Count:
 0

#### Earliest invalidation ts_started:
 

#### Latest invalidation ts_started:
 

#### Earliest invalidation ts_invalidated:
 

#### Latest invalidation ts_invalidated:
 

#### Number of segment invalidations:
 0

#### Number of plugin invalidations:
 0

#### List of plugins being invalidated:
 

#### Anonymize Referrer:
 

#### Do Not Track enabled:
 1

</details>