Matomo is an open-source web analytics platform that keeps full ownership of visitor data on infrastructure you control, a privacy-first alternative to Google Analytics. This guide deploys Matomo using Docker Compose with a MariaDB backend, Nginx as the entry point, and Certbot issuing the TLS certificate before the stack goes live. By the end, you'll have Matomo tracking a website with a signed HTTPS certificate at your domain.
Prepare Docker
$ sudo usermod -aG docker $USER
$ newgrp docker
Set Up the Project
1. Create the project directory:
$ mkdir matomo && cd matomo
2. Open the firewall:
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
3. Create the environment file:
$ nano .env
MYSQL_ROOT_PASSWORD=your_strong_mysql_root_password
MYSQL_PASSWORD=your_strong_mysql_matomo_password
Use passwords of at least 16 characters.
4. Create the Nginx config:
$ mkdir nginx
$ nano nginx/matomo.conf
server {
listen 80;
server_name matomo.example.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name matomo.example.com;
ssl_certificate /etc/letsencrypt/live/matomo.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/matomo.example.com/privkey.pem;
location / {
proxy_pass http://app:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Replace every matomo.example.com occurrence with your domain — it appears in both server blocks and the certificate paths.
Deploy with Docker Compose
$ nano docker-compose.yaml
services:
db:
image: mariadb:11.4
command: --max-allowed-packet=64MB
restart: always
volumes:
- matomo-db-data:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
- MYSQL_DATABASE=matomo
- MYSQL_USER=matomo
- MYSQL_PASSWORD=${MYSQL_PASSWORD}
networks:
- matomo-net
app:
image: matomo
restart: always
depends_on:
- db
volumes:
- matomo-app-data:/var/www/html
environment:
- MATOMO_DATABASE_HOST=db
- MATOMO_DATABASE_USERNAME=matomo
- MATOMO_DATABASE_PASSWORD=${MYSQL_PASSWORD}
- MATOMO_DATABASE_DBNAME=matomo
networks:
- matomo-net
nginx:
image: nginx:alpine
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx/matomo.conf:/etc/nginx/conf.d/default.conf
- certbot-etc:/etc/letsencrypt
- certbot-www:/var/www/certbot
depends_on:
- app
networks:
- matomo-net
certbot:
image: certbot/certbot
volumes:
- certbot-etc:/etc/letsencrypt
- certbot-www:/var/www/certbot
volumes:
matomo-db-data:
matomo-app-data:
certbot-etc:
certbot-www:
networks:
matomo-net:
1. Start the database and app first:
$ docker compose up -d db app
2. Issue the certificate before starting Nginx (Certbot needs port 80 free):
$ docker compose run --rm -p "80:80" certbot certonly --standalone -d matomo.example.com --email admin@example.com --agree-tos --no-eff-email
3. Start Nginx:
$ docker compose up -d nginx
Complete the Web Setup
- Open
https://matomo.example.comand click Next on the welcome screen. - Let Matomo run its system checks (PHP version, memory, extensions), then Next.
- On the database step, set Database Server to
db, and enter thematomouser and the password from.env. - Matomo creates its tables — click Next to create the Superuser account (username, password, email).
- Add your first website: name, URL, timezone, and whether it's ecommerce.
- Copy the generated tracking snippet and paste it before
</head>on your site's pages. - Finish the wizard and sign in with the Superuser credentials.
- The dashboard loads, ready to track traffic.
Next Steps
Matomo is running with HTTPS and a working database backend. From here you can:
- Add more websites and grant scoped access to additional user accounts
- Enable Heatmaps, Session Recording, or the Marketing Campaigns Reporting plugin
- Set up scheduled email reports under Administration → Personal → Email Reports
For the full guide with additional tips, visit the original article on Vultr Docs.
Top comments (0)