Set up Plausible for privacy-friendly web analytics

Project details

Project description (max 200 words): Google Analytics can be set up to be somewhat in line with the GDPR requirements. That’s when e.g. the last octet of an IPv4 address is omitted. Therefore, no personal details are stored. But there is still enough personal data shared with Google that concerns the EU. Even when data is stored on Google servers within the EU, a data request may export the data outside of the EU. There are warnings that Google Analytics may become illegal in the EU. This forum doesn’t use any 3rd party analytics. But zeitgeistbeweging.nl does (with some privacy enhancements). This project is about setting up Plausible for a privacy-friendly, self-hosted, open-source, GDPR-compliant instance for the TZM Community, which may be used as an alternative to Google Analytics.
Your personal background within the context of the project: Senior Linux systems engineer
Estimated timeline in terms of time boxed deliverables: Less than a week
Resources needed or already arranged: We already have a container host (tzmc1 which also hosts this forum)

Checklist

Subdomain analytics.tzm.community (thanks to @kublermdk)
Create Nginx virtual host (as reverse proxy to the Docker container)
Check out the Git repo
Modify the Plausible env file
Create Let’s Encrypt TLS certificate
Start container
Implement everything in Ansible and run everything from scratch
Onboard zeitgeistbeweging.nl and, if possible, set up more accounts for any TZM chapter that would like to make use of this service
Set up daily off-site backup and test a restore

Google Analytics banned in EU for GDPR violation explains in more detail how Google Analytics is now illegal, at least for use by Austrian companies.


It seems to work fine. But I consider it still beta for one month. I need to finalize 2 more things: backups and lockdown registration (done, accounts will be made on request).

Other things that would be nice, but are not really limited to Plausible, are IPv6 and DNSSEC. The container is reachable over IPv6 via the Nginx reverse proxy. But the DNS name servers of the domain do not have an IPv6 address. Also, DNSSEC is (still) missing.

It’s not a huge issue, DNSSEC does improve security, but it can be without it. But then again, setting it up is not difficult since many cloud services integrate this into the DNS dashboard (such as TransIP which I use for TZM NL). IPv6 is somewhat an issue since IPv4 is dried out. Some visitors might only connect via IPv6 in the near future. For complete analytics dual-stack support is a must to not miss anything.

Granted, most DNS resolvers also have IPv4, so for now it won’t affect it too much. But if @kublermdk has the time and interest somewhere this year (absolutely not a priority) then it would be cool to be compatible with the modern Internet standards :slight_smile:

Ohh it’s the NS records which Hover creates by default. Weird they don’t have an IPv6 version.
I don’t have any real control over “ns1.hover.com” or ns2.

I can’t find any AAAA records for their name servers either with a quick Google search.

You’ll need to help me a bit with the DNSSEC side of things.

If IPv6 for the NS servers really does become a major issue then I’d offer to migrate the DNS hosting to DNS MADE EASY https://dnsmadeeasy.com/ which I have an account with, but I’ve got no spare spots and it’s a bit of a price hike to add more.

From the documentation I understand that Hover gives you the option to delegate DNSSEC to another nameserver, but they don’t provide this integration themselves. This is different than e.g. TransIP, where this is done transparently for the user. For our TZM NL domain we do delegate the domain to our own Plesk instance because that offers even more dashboard features. TransIP also treats IPv6 as a first class feature.

I’m a huge fan of TransIP :nerd_face: Also because it is in the EU so strict privacy rules apply as well. That doesn’t mean that TransIP is the way of course. But if you ever look for another DNS hosting service I’d recommend something like TransIP to have all eggs in one basket.

IPv6 nameservers and DNSSEC don’t seem to be present indeed. And DNSSEC is only offered as a delegation record, which means someone might as well switch DNS provider entirely. But again, not a huge issue. It would just be cool to meet with the Internet standards :slight_smile: Thanks for checking though!


Haven’t set up backups yet. Of course it is part of the full VPS backup cycle, but that’s not ideal. I don’t consider it a priority since I’m the only user and I don’t see this data as mission critical. I also have other priorities at the moment.

But leaving this as a note to do backups in the future: