from Hacker News

Umami: Self-hosted open-source alternative to Google Analytics

by bananaoomarang on 8/18/20, 1:35 PM with 227 comments

  • by mcao on 8/18/20, 3:32 PM

    Hi everyone!

    Author of Umami here. I totally did not expect this response so it looks like you all hugged my little server to death. The demo should be back up now.

    A little background. This is a side project I started 30 days ago because I was tired of how slow and complicated Google Analytics was. I just wanted something really simple and fast that I could browse quickly without diving through layers of menus. So I created Umami to track my own websites and then open sourced it. The stack is React, Redux, and Next.js with a Postgresql backend.

    Would be happy to answer any questions you have.

  • by malisper on 8/18/20, 5:34 PM

    One of the claims of Umami is that it's GDPR compliant:

    > Umami does not collect any personally identifiable information so it is GDPR and CCPA compliant. No cookie notices are needed because Umami does not use cookies.

    From auditing the source code, this doesn't seem to be the case. First, it claims it doesn't use cookies, but it clearly uses localStorage to store a "sessionKey"[0].

    The other claim, that Umami is GDPR and CCPA compliant because it does not collect any personally identifiable information is only half true. While the data collected isn't PII (because you can't use it on it's own to identify a user), it's still "personal data". This is because the "sessionKey" stored alongside all events is actually a pseudonymous user identifier. It's really just a hash of the user's IP along with a few other properties[1]. Because the data Umami collects, when combined with some other data, can be attributed back to the user, the data is still considered "personal data". That means you're still subject to most of GDPR such as GDPR deletion requests[2].

    [0] https://github.com/mikecao/umami/blob/f4ca353b5c68750bf391e5...

    [1] https://github.com/mikecao/umami/blob/master/lib/session.js#...

    [2] https://gdpr-info.eu/art-17-gdpr/

  • by eric4smith on 8/19/20, 5:58 AM

    Lots of home-grown analytics are very privacy focussed these days and do not use cookies. That's a good thing.

    For simple sites like blogs, simple low volume ecommerce, etc.

    But for more "serious" eCommerce, SAAS based applications and sites that are concerned with marketing on email, social and web then then optimizing what you show then and finally generating leads for salespeople to call or actual sales...

    Cookies or local storage, or some way of tracking the customer across all the channels and their actions are essential.

    If one can avoid using Google Analytics, then that's a good thing also.

    But let's get real -- the idea of a cookie-less future is not gonna happen because people actually do business in the web.

  • by andrewzah on 8/18/20, 3:34 PM

    I have been using goatcounter [0] and love the simplicity. I used to use Matomo, but they want a lot of money to see the referrals from google search/etc. And it's a heavier dependency. Goatcounter is a drop-in golang binary.

    [0]: https://github.com/zgoat/goatcounter

  • by lxe on 8/18/20, 8:38 PM

    I've seen a bunch of these simple self-hosted log dashboards here on HN, but I don't think they directly compare with google analytics, which is just a much more powerful and much much more complicated product. Not to say this isn't a great product, but it really isn't an alternative to GA.

  • by arielm on 8/18/20, 5:03 PM

    This looks really nice! If... you’re only looking for high level numbers for something like a personal blog or a simple landing page for a mobile app.

    I wouldn’t call this a replacement to Google Analytics.

    The reason to have something like Google Analytics is to track traffic at a more granular level, and with very specific intent.

    Some of the things I _rely_ on include:

    - custom parameters - segments - goals - A/B testing - specific views

    And that’s just the short list.

    Now, I use Analytics heavily because we spend a lot of effort on growth, both organic (content, seo) and paid (ads), so knowing what’s going on at that level is essential.

    If you don’t, there’s not much reason to use something like GA.

  • by vs4vijay on 8/18/20, 2:30 PM

  • by thinkmassive on 8/18/20, 2:01 PM

    A comparison of Umami and Matomo (formerly Piwik) would be helpful since they seem very similar. I looked at both websites and didn't see any mention of the other project.

  • by colechristensen on 8/18/20, 2:56 PM

    Is there a similar product that does this server side (without injected javascript telemetry) with http logs?

  • by ln_00 on 8/18/20, 2:46 PM

    to be honest, if you are using nginx, just use / run https://goaccess.io/ It collects the same information as umami and is even more lightweight, since it just runs whenever you tell it to.

    just add the command as a cron job, and you get an auto generated static dashboard. very neat.

  • by chrisblackwell on 8/18/20, 2:22 PM

    I'm very excited to see this space heating up. It seems for years we defaulted to using Google Analytics and no one wanted in the market. Now there are plenty alternatives, with many of them open source.

  • by dzink on 8/18/20, 10:29 PM

    It needs more granularity of OS versions and browser versions. Knowing which iOS version your users have is important to decide on what base level version you need for an iOS app, for example.

  • by eden_h on 8/19/20, 9:31 AM

    When I've seen GA used or recommended to people, it's because their use case is tracking the marketing performance of their website.

    Tackling the privacy focus for GA is great, but they're a good deal of products out there that already fill that niche, not to mention the requirements of the privacy crowd usually being a venture into itself.

    If you wanted to make it relatively competitive for marketing, the simplest addition would be adding labelling via regex for referrers.

    i.e. - Some users want to be able to group Baidu, Google, DuckDuckGo, into a single bucket for comparison. Some users want to break them down into common market segments by country. "https://www.baidu.com/link?url=FyYbCZqj65Vc7A4XeSNrOcQCS2qFX...

    is from your live demo referrers, and makes it difficult to actually assess the amount of traffic from Baidu. Using a regex label means that users can break down traffic from Paid/Organic marketing fairly quickly, and start to build up dashboards they can use.

    If you ever extended it to allow multiple labels for each hit, could re-run the regex over past data, and could build reports off it, you'd easily have a benefit over GA that would start to wean the marketing crowd off it.

  • by hitekker on 8/18/20, 2:37 PM

    For something this simple, I was hoping to see an option for SQlite, not just MySQL and PostgresSQL.

  • by busymichael on 8/18/20, 10:56 PM

    Congrats on launching -- really impressive. One important issue that these self hosted analytics solve is ad blocking. Ad blocking by users really undermines the ability of a site or app to figure out what is working and not working. When you host your own analytics, you can get usability information for all of your users, not just those that don't block. That allows you to make a better product.

    I have been working on something similar at https://argyle.cc -- we combine cloud analytics with a self-hosted analytics collector js. That gives you the best of both worlds: privacy focused, user respecting analytics, but full featured reporting in the cloud and ad-blocker resistance. It also allows event tracking to be done over js/web or in-line/server side.

  • by marcus_holmes on 8/18/20, 7:58 PM

    I'd love to use this. But 34 dependencies?

    I know ~10 of them are React, and there's some in there that make sense. But I haven't got the time to audit them all, and re-audit it every time any of those dependencies update .

    And escape-string-regexp? Really? it's literally 2 lines of code [0]. Why have I got to give the maintainer of that project commit access to this program that will be seeing potentially sensitive data?

    Why, if the developer couldn't come up with those 2 lines themselves, isn't this a Stack Overflow copy/paste?

    [0]https://github.com/sindresorhus/escape-string-regexp/blob/ma...

  • by m90 on 8/18/20, 4:07 PM

    Is there a way for me as a user to opt out of this tool other than relying on third party tools like uBlock? I'm starting to get annoyed by so many "privacy focused" tools with literally no consent options at all.

  • by shattl on 8/18/20, 2:33 PM

    Wow, Piwik is now Matomo, how fast time flies!

  • by gowld on 8/18/20, 11:12 PM

    If you want to respect user privacy while collecting analytics data, I recommend using Local Differential Privacy (via Randomized Responses) when collecting information from browsers.

    https://en.wikipedia.org/wiki/Local_differential_privacy and https://en.wikipedia.org/wiki/Randomized_response

  • by nickthemagicman on 8/18/20, 3:26 PM

    Am I wrong for thinking that Google Analytics has bad UI?

    As a noob at UI it was bizarre and unintuitive for me.

    Just finding the region locations of the traffic was odd and didn't make immediate sense.

  • by llacb47 on 8/18/20, 2:36 PM

    The whole script is 502... https://stats.umami.is/umami.js

  • by markl42 on 8/19/20, 1:43 AM

    I'll throw a shoutout for a top tier project - https://github.com/zgoat/goatcounter

    Using it for some personal stuff, and does absolutely everything I need it to, and then some.

    I love the ethos of the project, and whilst it's open source, there's a hosted option that looks super reasonable too.

  • by epoch_100 on 8/18/20, 3:07 PM

    This looks great! For what it’s worth, I also maintain an open source (and self hosted) website analytics tool called Shynet [0] (someone else mentioned it in this thread, but thought I’d share here as well). Really great to see more options in this area!

    [0] https://github.com/milesmcc/shynet

  • by dylan604 on 8/18/20, 4:46 PM

    How useful are the metrics from non-GA sources trusted when validated traffic to various groups like investors, advertisers, etc?

  • by te_chris on 8/19/20, 8:09 AM

    This would be amazing if, out of the box, it sent data to BiqQuery and/or Redshift. Postgres is fine, but for most companies this data is most useful in the warehouse. If this was a simple, drop-in solution to get well formatted data into BQ plus a bit of easy vis, that would be cool and VERY useful.

  • by hugey010 on 8/18/20, 2:42 PM

    I've used https://count.ly/ instead of Google Analytics to gather exception data and business analytics from mobile and web apps. Relatively cheap for decent scale and they're very nice and helpful.

  • by superlupo on 8/19/20, 7:59 AM

    Slightly off-topic: Does anyone have recommendations for self-hosted open source analytics that can handle a large volume site (think 500.000.000 impressions per month)? I can't imagine systems with MySQL/PostgreSQL as database can handle this.

  • by buraksarica on 8/18/20, 2:56 PM

    I wish to see a line about backend platform on installation documentation. Yes, it's simple, but IMO no one will find "Umami requires bla bla platform on bla bla operating system." sentence useless.

  • by dandigangi on 8/18/20, 2:38 PM

    I always like seeing competitors to GA but the website could really use some more information on why you should use it and the features it gives you. It's hard to beat top competitors in a saturated space.

  • by mikece on 8/18/20, 2:04 PM

    Are there any "Google Analytics" alternatives that aren't based on Python, Node, Go, etc but something with a PHP back-end that can be deployed to any commodity LAMP hosting provider?

  • by zanecraw on 8/19/20, 6:49 PM

    Awesome project! Google is definitely fading out for sure. I know many businesses and developers are tired of it. Looking forward to seeing what other inventions will give Google some competition.

  • by anderspitman on 8/18/20, 3:18 PM

    I've been happily paying for GoatCounter for several months. I don't imagine I'll ever need to self host but it's nice knowing I can if necessary.

  • by tobilg on 8/19/20, 3:37 AM

    If you have an AWS account, you can use https://ownstats.cloud to self-host website analytics

  • by songzme on 8/18/20, 9:31 PM

    noticed you didn't write any tests: https://github.com/mikecao/umami

    What was your reasoning? Personally, I write tests for all my projects, it forces me to really think hard about how to break down the different components and functionalities and it helps others feel more confident to contribute.

  • by dirtnugget on 8/18/20, 3:47 PM

    Can anyone tell how this holds up against Matomo?

  • by anvarik on 8/18/20, 8:54 PM

    I liked the image on the home page, how can I create such an image to show case my product? only way is PS?

  • by 1f60c on 8/18/20, 2:36 PM

    From the screenshots, the design looks very slick and I can’t wait to give it a try!

  • by dsalzman on 8/18/20, 2:12 PM

    +1 to https://goatcounter.com/ o use it for my personal blog https://dannysalzman.com . This is a good reminder to donate.

  • by armandososa on 8/19/20, 2:13 AM

    This is super cool!

    FlightPHP looks nice, too, what didn't you use that for the backend?

  • by quaffapint on 8/18/20, 6:51 PM

    Any suggestions for collecting server side logs via nginx pods in k8s?

  • by sahnasidol on 8/18/20, 2:30 PM

    Is there any way to create and track custom events like clicks?

  • by gitgud on 8/18/20, 2:49 PM

    Demo is throwing back "502 Bad Gateway"

    Hacker News hug of death?

  • by takein on 8/18/20, 2:49 PM

    Good job. Getting 502 error!

  • by ethor on 8/18/20, 2:05 PM

    Seemingly no api? :(

  • by gramakri on 8/18/20, 2:02 PM

    Demo gives a 502

  • by kmfrk on 8/18/20, 2:30 PM

    Does this use cookies and similar to warrant a GDPR prompt?

  • by bambam24 on 8/18/20, 2:25 PM

    Clicked on love demo and get 505 bad gateway. I hope they analyzed it

  • by rockwotj on 8/18/20, 2:00 PM

    Demo website 502's for me :/