Configuring SSL / Let's Encrypt / Certbot for Docker, Traefik and Bitnami Magento 2
Hey, let me help you get the SSL certificate sorted for Bitnami Magento 2 running behind Traefik. We'll adjust the core configuration step by step so your site ends up on a free Let's Encrypt certificate. Traefik has its own built-in ACME client, so despite the title you do not need to install Certbot for this setup.
Step 1: complete your docker-compose.yml
First, complete and adjust your existing docker-compose.yml. The key changes are the certificate resolver and dashboard labels on the Traefik service, and the Traefik routing labels on the Magento service. Compared with a plain copy of the Bitnami compose file, note that the Bitnami image takes its admin credentials from MAGENTO_USERNAME / MAGENTO_PASSWORD / MAGENTO_EMAIL and is told about HTTPS with MAGENTO_ENABLE_HTTPS (there is no MAGENTO_BASE_URL variable):
```yaml
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
version: '3.8'   # 3.x format; ignored by Compose v2 but harmless

services:
  traefik:
    image: traefik:v3.1   # pin a release; :latest can jump a major version and change label semantics
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "./acme.json:/acme.json"                          # Let's Encrypt account + certificates, must be mode 600
      - "/var/run/docker.sock:/var/run/docker.sock:ro"    # even read-only, socket access equals root on the host
    labels:
      # Optional Traefik dashboard, protected with basic auth and served only over HTTPS.
      # Requires `api: dashboard: true` in traefik.yaml.
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.your-domain.com`)
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.tls.certresolver=le
      - traefik.http.routers.traefik.middlewares=auth
      # Output of `htpasswd -nb admin your-password` with every `$` doubled,
      # because Compose expands `$var` inside label values.
      - traefik.http.middlewares.auth.basicauth.users=admin:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

  mariadb:
    image: docker.io/bitnami/mariadb:10.6
    environment:
      - ALLOW_EMPTY_PASSWORD=no
      - MARIADB_ROOT_PASSWORD=${MARIADB_ROOT_PASSWORD}
      - MARIADB_USER=${DB_USER}
      - MARIADB_PASSWORD=${MARIADB_PASSWORD}
      - MARIADB_DATABASE=${DB_NAME}
    volumes:
      - 'mariadb_data:/bitnami/mariadb'
    restart: unless-stopped

  magento:
    image: docker.io/bitnami/magento:2
    environment:
      - ALLOW_EMPTY_PASSWORD=no
      - MAGENTO_DATABASE_HOST=mariadb
      - MAGENTO_DATABASE_PORT_NUMBER=3306
      - MAGENTO_DATABASE_USER=${DB_USER}
      - MAGENTO_DATABASE_PASSWORD=${MARIADB_PASSWORD}
      - MAGENTO_DATABASE_NAME=${DB_NAME}
      - MAGENTO_HOST=your-domain.com      # your public domain; the image builds the base URL from it
      - MAGENTO_ENABLE_HTTPS=yes          # base URL becomes https://your-domain.com/ (TLS terminates at Traefik)
      - MAGENTO_USERNAME=${MAGENTO_ADMIN_USER}
      - MAGENTO_PASSWORD=${MAGENTO_ADMIN_PASS}
      - MAGENTO_EMAIL=${MAGENTO_ADMIN_EMAIL}
      # Magento 2.4 also needs a search backend (the Bitnami image's own docker-compose.yml adds an
      # elasticsearch service and MAGENTO_ELASTICSEARCH_HOST); omitted here because it is unrelated to TLS.
    volumes:
      - 'magento_data:/bitnami/magento'
      - 'magento_storage:/bitnami/magento/storage'
    depends_on:
      - mariadb
    restart: unless-stopped
    labels:
      # Traefik routing: one HTTPS router for the bare domain and the www subdomain.
      - traefik.enable=true
      - traefik.http.routers.magento.rule=Host(`your-domain.com`) || Host(`www.your-domain.com`)
      - traefik.http.routers.magento.entrypoints=websecure
      - traefik.http.routers.magento.tls=true
      - traefik.http.routers.magento.tls.certresolver=le
      - traefik.http.services.magento.loadbalancer.server.port=8080   # Bitnami Magento's internal HTTP port
      # No separate HTTP router or redirect middleware is needed: the `web` entrypoint
      # in traefik.yaml already redirects every plain-HTTP request to HTTPS.

volumes:
  mariadb_data:
    driver: local
  magento_data:
    driver: local
  magento_storage:
    driver: local
```
Step 2: configure traefik.yaml
Create traefik.yaml in the same directory as docker-compose.yml with the content below. It enables the Docker provider, the Let's Encrypt certificate resolver and the global HTTP-to-HTTPS redirect, and it turns on the API so the dashboard router (api@internal) in the compose file has something to point at:
```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: false

# Needed only for the dashboard router in docker-compose.yml (service api@internal).
# Never combine this with `insecure: true`; the router above already protects it with basic auth.
api:
  dashboard: true

entryPoints:
  web:
    address: ":80"
    # Redirect all plain-HTTP requests to HTTPS. Traefik answers ACME HTTP-01
    # challenge requests before this redirect applies, so issuance still works.
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false   # only containers labelled traefik.enable=true get routes

certificatesResolvers:
  le:
    acme:
      email: your-email@example.com   # receives expiry and problem notices from Let's Encrypt
      storage: /acme.json
      # While testing, point at the staging CA: its certificates are untrusted, but it is not
      # bound by the production rate limit (5 duplicate certificates per domain set per week).
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # HTTP-01 requires port 80 to be reachable from the internet.
      httpChallenge:
        entryPoint: web
```
Step 3: create the certificate store
Traefik keeps the ACME account key and the issued certificates (private keys included) in acme.json, and it refuses to use the file unless its permissions are exactly 600. Create it before the first `docker compose up`: if the path does not exist when the bind mount is set up, Docker creates a directory there instead of a file, and certificate issuance fails.

```sh
touch acme.json && chmod 600 acme.json
```
Step 4: start the stack

Make sure your .env file defines every variable referenced above (database passwords, the Magento admin account, and so on), then start the services:

```sh
docker-compose up -d     # or `docker compose up -d` with Compose v2
```
Notes
- Make sure the domain (and the www subdomain, if you route it) already resolves to the server's public IP, and that nothing else is listening on ports 80 and 443. HTTP-01 validation arrives on port 80 from the internet, so it must be reachable publicly, not just from your network.
- On first start Traefik requests the certificate automatically; it normally takes well under a minute. If the site still serves Traefik's self-signed default certificate, check `docker compose logs traefik` for ACME errors (DNS pointing elsewhere, port 80 unreachable, wrong acme.json permissions, rate limit hit).
- Bitnami Magento has to be told that the public URL is HTTPS: set MAGENTO_ENABLE_HTTPS=yes together with MAGENTO_HOST. Otherwise the base URL stays http://, and asset links, redirects and the admin login break behind the TLS-terminating proxy.
- If you enable the Traefik dashboard, replace the username and hash in the basicauth label. Generate the hash with `htpasswd -nb admin your-password` and double every `$` in it before pasting into the label, since Compose otherwise treats `$...` as variable substitution.
- Mounting /var/run/docker.sock gives the Traefik container control over the Docker daemon, which is equivalent to root on the host. Keep the mount read-only, keep the dashboard behind authentication, and pin the Traefik image to a release instead of :latest so an upgrade does not silently change how the labels are interpreted.
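As an added helper (not from the original post, nor from Traefik or Bitnami), the script below checks the prerequisites from the notes before `docker compose up` and verifies the result afterwards: the acme.json store exists as a regular file with mode 600, the domain resolves to the expected public IP, ports 80 and 443 are free, port 80 redirects to HTTPS, and the certificate served on 443 is inspected with openssl. It assumes a Linux host with getent, ss, curl and openssl installed; `your-domain.com` and `203.0.113.10` in the usage lines are placeholders for your own domain and public IP.

```shell
#!/bin/sh
# Pre-flight and post-deploy checks for a Traefik + Let's Encrypt setup.
# Added example; not part of the original post. Assumes a Linux host with
# getent, ss, curl and openssl (stat falls back to BSD syntax on macOS).

# Octal permission bits of a file, e.g. "600"; works with GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Traefik rejects an ACME store that is not mode 600. It must also be a regular
# file: if the path is missing at `docker compose up`, Docker creates a directory
# at the bind-mount path and issuance fails.
acme_store_ok() {
    path="$1"
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is missing or not a regular file (run: touch $path && chmod 600 $path)"
        return 1
    fi
    mode=$(file_mode "$path")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $path has mode $mode, Traefik requires 600 (run: chmod 600 $path)"
        return 1
    fi
    echo "OK: $path exists with mode 600"
}

# Domains for which the store already holds a certificate. Traefik writes acme.json
# as indented JSON with each certificate's primary name under "main".
acme_store_domains() {
    grep -o '"main":[[:space:]]*"[^"]*"' "$1" | sed 's/.*"\([^"]*\)"$/\1/'
}

# HTTP-01 validation only succeeds if the public A record already points here.
dns_points_here() {
    domain="$1"; expected_ip="$2"
    resolved=$(getent ahostsv4 "$domain" 2>/dev/null | awk '{print $1; exit}')
    if [ "$resolved" = "$expected_ip" ]; then
        echo "OK: $domain -> $resolved"
    else
        echo "FAIL: $domain resolves to '${resolved:-nothing}', expected $expected_ip"
        return 1
    fi
}

# Traefik must be able to bind 80 and 443 on the host.
port_free() {
    port="$1"
    command -v ss >/dev/null 2>&1 || { echo "SKIP: ss not found, cannot check port $port"; return 0; }
    if ss -ltn 2>/dev/null | awk '{print $4}' | grep -qE ":$port\$"; then
        echo "FAIL: something is already listening on port $port"
        return 1
    fi
    echo "OK: port $port is free"
}

# After start-up: plain HTTP should redirect to HTTPS, and the certificate on 443
# should be issued by Let's Encrypt (issuer "R3"/"E1"-style, not "TRAEFIK DEFAULT CERT").
verify_deployment() {
    domain="$1"
    status=$(curl -s -o /dev/null -w '%{http_code}' "http://$domain/")
    location=$(curl -sI "http://$domain/" | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r')
    case "$status" in
        301|302|307|308) echo "OK: http://$domain/ -> $status $location" ;;
        *) echo "FAIL: expected a redirect on port 80, got HTTP $status"; return 1 ;;
    esac
    # -servername sends SNI, which Traefik needs to select the right certificate.
    openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Usage:
#   sh check-le.sh preflight your-domain.com 203.0.113.10 [./acme.json]
#   sh check-le.sh verify    your-domain.com
case "${1:-}" in
    preflight)
        acme_store_ok "${4:-./acme.json}"
        dns_points_here "$2" "$3"
        port_free 80
        port_free 443
        ;;
    verify)
        verify_deployment "$2"
        echo "Certificates currently in the store:"; acme_store_domains "${3:-./acme.json}"
        ;;
esac
```

Run the preflight mode before the first `docker compose up -d` and the verify mode a minute after; a FAIL line names the fix to apply.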
Note: adapted from a Stack Exchange question asked by I.T. Navigate.