
Magento, Docker & Traefik 2

Stephan Hochdörfer
Head of IT Business Operations

Back in 2020 I published our customized Magento development setup with Mark Shust's Docker Configuration for Magento and Traefik version 1. Since Traefik version 2 has now been out for a while, I decided to upgrade our setup. This blog post covers the different steps I took.

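First, we start with a basic Traefik configuration to set up the entrypoints as well as the providers. The traefik.toml file is stored in a directory called docker/traefik/. Note that insecureSkipVerify = true disables certificate verification on Traefik's connections to the backend containers, a setting meant for this local development setup: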

[serversTransport]
insecureSkipVerify = true

[entryPoints]

[entryPoints.web]
address = ":80"

[entryPoints.websecure]
address = ":443"

[providers]

[providers.docker]
watch = true
endpoint = "unix:///var/run/docker.sock"
exposedByDefault = false

[providers.file]
filename = "/ssl.toml"

The SSL configuration is kept in a separate file called ssl.toml which is also stored in the docker/traefik directory:

[tls]

[tls.stores]

[tls.stores.default]

[tls.stores.default.defaultCertificate]
certFile = "/certs/nginx.crt"
keyFile = "/certs/nginx.key"

[[tls.certificates]]
certFile = "/certs/nginx.crt"
keyFile = "/certs/nginx.key"
stores = ["default"]

In the docker-compose.yaml file we add the Traefik service as follows:

version: '3'

services:
  traefik:
    image: traefik:2.9
    ports:
      - "80:80"
      - "443:443"
    links:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker/traefik/traefik.toml:/traefik.toml
      - ./docker/traefik/ssl.toml:/ssl.toml
      - ./docker/traefik/certs:/certs

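Besides mounting the Docker socket into the container, we also mount the traefik.toml and ssl.toml files into the container. The socket lets Traefik discover the other containers, and it also gives the Traefik container access to the Docker API on the host. And since we use a user-defined TLS certificate, we also mount the local docker/traefik/certs directory into the Traefik container.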

To generate and manage locally trusted development certificates we use the tool mkcert, which needs to be installed locally on the developer's machine. Once installed, you need to run the following command to initialize mkcert and to install the local CA in the system trust store. This way your browser will trust the self-signed certificate:

mkcert -install

Next, we generate a new certificate for a custom domain. For this blog post we'll use bitexpert.loc as the domain. mkcert will generate an nginx.key and an nginx.crt file in the docker/traefik/certs directory, from which Traefik will then read the files:

mkcert -key-file docker/traefik/certs/nginx.key -cert-file docker/traefik/certs/nginx.crt bitexpert.loc localhost

As the last step, we need to add Traefik labels to the app container defined in Mark Shust's setup so that Traefik will be aware of the container and register it properly:

version: "3"

services:
  app:
    image: markoshust/magento-nginx:1.18-8
    volumes: &appvolumes
      - ~/.composer:/var/www/.composer:cached
      - ~/.ssh/id_rsa:/var/www/.ssh/id_rsa:cached
      - ~/.ssh/known_hosts:/var/www/.ssh/known_hosts:cached
      - appdata:/var/www/html
      - sockdata:/sock
      - ssldata:/etc/nginx/certs
    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.mage_https.redirectscheme.scheme=https"
      - "traefik.http.routers.mage.entrypoints=web"
      - "traefik.http.routers.mage.rule=Host(`bitexpert.loc`)"
      - "traefik.http.routers.mage.middlewares=mage_https@docker"
      - "traefik.http.routers.mage_https.rule=Host(`bitexpert.loc`)"
      - "traefik.http.routers.mage_https.tls=true"
      - "traefik.http.routers.mage_https.entrypoints=websecure"

The labels instruct Traefik to forward all incoming requests for bitexpert.loc to the app container. Additionally, Traefik ensures that TLS is activated for the domain and automatically redirects HTTP to HTTPS.
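
The label set above can be checked mechanically before the containers are started. The following Python check is an added example, not part of the original post: it parses the labels and reports routers that answer plain HTTP without the HTTPS redirect, routers on the websecure entrypoint that lack TLS, and hosts that have no TLS router. The function names and finding texts are made up for this example, and it assumes Traefik 2's default that a router without an entrypoints label listens on every entrypoint.

```python
import re

# Labels of the app service, copied from the compose file above.
LABELS = [
    "traefik.enable=true",
    "traefik.http.middlewares.mage_https.redirectscheme.scheme=https",
    "traefik.http.routers.mage.entrypoints=web",
    "traefik.http.routers.mage.rule=Host(`bitexpert.loc`)",
    "traefik.http.routers.mage.middlewares=mage_https@docker",
    "traefik.http.routers.mage_https.rule=Host(`bitexpert.loc`)",
    "traefik.http.routers.mage_https.tls=true",
    "traefik.http.routers.mage_https.entrypoints=websecure",
]
PLAIN, SECURE = {"web"}, {"websecure"}  # entrypoint names from traefik.toml

def parse(labels):
    """Return ({router: {option: value}}, {redirect-to-https middleware names})."""
    routers, redirects = {}, set()
    for label in labels:
        key, _, value = label.partition("=")
        parts = key.split(".")
        if parts[:3] == ["traefik", "http", "routers"] and len(parts) > 4:
            routers.setdefault(parts[3], {})[".".join(parts[4:])] = value
        elif (parts[:3] == ["traefik", "http", "middlewares"] and value == "https"
              and parts[4:] == ["redirectscheme", "scheme"]):
            redirects.add(parts[3])
    return routers, redirects

def csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def audit(labels):
    """List routers or hosts whose traffic is not forced onto TLS (hypothetical helper)."""
    routers, redirects = parse(labels)
    findings, tls_hosts, plain_hosts = [], set(), set()
    for name, opts in sorted(routers.items()):
        # Assumption: a router with no entrypoints option listens on every entrypoint.
        eps = csv(opts.get("entrypoints", "")) or PLAIN | SECURE
        has_tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        hosts = {h for m in re.findall(r"Host\(([^)]*)\)", opts.get("rule", "")) for h in re.findall(r"`([^`]+)`", m)}
        mws = {m.split("@")[0] for m in csv(opts.get("middlewares", ""))}  # drop "@docker"
        if has_tls and eps & SECURE:
            tls_hosts |= hosts
        if not has_tls and eps & SECURE:
            findings.append(f"{name}: answers unencrypted HTTP on {sorted(eps & SECURE)}")
        if not has_tls and eps & PLAIN:
            plain_hosts |= hosts
            if not mws & redirects:
                findings.append(f"{name}: plain HTTP without https redirect")
    return findings + [f"{h}: no TLS router for this host" for h in sorted(plain_hosts - tls_hosts)]
```

For the labels from this post, audit(LABELS) returns an empty list; removing the tls or middlewares label makes the corresponding finding appear.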