authelia/docs/community/example-of-authelia-lite-on...

---
layout: default
title: Example of authelia lite on docker swarm
parent: Community
nav_order: 4
---

The overlay network for docker swarm can be initialized with:

```
$ docker swarm init
$ docker swarm init && docker network create --driver=overlay traefik-public
$ mkdir ./redis ./letsencrypt
```

The structure of the folder should be like this:

```
├── authelia/
│   ├── configuration.yml
│   └── users_database.yml
├── redis/
├── letsencrypt/
│   └── acme.json
└── traefik-compose.yml
```

The following configuration allows you to deploy authelia to docker swarm with traefik 2.x. Please replace the **example.com** and **your@email.com** with your domain and email respectively.  Then save it as **traefik-compose.yml**.

```
version: '3.3'

services:
  authelia:
    image: authelia/authelia:4
    volumes:
      - ./authelia:/config
    networks:
      - traefik-public
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
        - 'traefik.http.routers.authelia.entrypoints=web'
        - "traefik.http.services.authelia.loadbalancer.server.port=9091"
        # TLS
        - "traefik.http.routers.authelias.rule=Host(`auth.example.com`)"
        - "traefik.http.routers.authelias.entrypoints=websecure"
        - "traefik.http.routers.authelias.tls.certresolver=letsencrypt"
        # Redirect
        - "traefik.http.routers.authelia.middlewares=https_redirect"
        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
        # Authelia
        - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com'
        - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups'
        - "traefik.http.routers.authelia.service=authelia"

  redis:
    image: redis:6-alpine
    volumes:
      - ./redis:/data
    networks:
      - traefik-public

  traefik:
    # The official v2.0 Traefik docker image
    image: traefik:v2.2
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
        - 'traefik.http.routers.api.entrypoints=web'
        - 'traefik.http.routers.api.service=api@internal'
        - 'traefik.http.services.traefik.loadbalancer.server.port=80'
        # TLS
        - "traefik.http.routers.apis.rule=Host(`traefik.example.com`)"
        - "traefik.http.routers.apis.entrypoints=websecure"
        - "traefik.http.routers.apis.tls.certresolver=letsencrypt"
        # Redirect
        - "traefik.http.routers.api.middlewares=https_redirect"
        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
        # Authelia
        - 'traefik.http.routers.apis.service=api@internal'
        - 'traefik.http.routers.apis.middlewares=authelia@docker'
      placement:
        constraints:
          - node.role == manager
    command: 
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=your@email.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
    ports:
      # Listen on port 80, default for HTTP, necessary to redirect to HTTPS
      - target: 80
        published: 80
        mode: host
      # Listen on port 443, default for HTTPS
      - target: 443
        published: 443
        mode: host
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
    networks:
      - traefik-public

  secure:
    image: containous/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
        - 'traefik.http.routers.secure.entrypoints=web'
        - 'traefik.http.services.secure.loadbalancer.server.port=80'
        # TLS
        - "traefik.http.routers.secures.rule=Host(`secure.example.com`)"
        - "traefik.http.routers.secures.entrypoints=websecure"
        - "traefik.http.routers.secures.tls.certresolver=letsencrypt"
        # Redirect
        - "traefik.http.routers.secure.middlewares=https_redirect"
        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
        # Authelia
        - 'traefik.http.routers.secures.middlewares=authelia@docker'

  public:
    image: containous/whoami
    networks:
      - traefik-public
    deploy:
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.public.rule=Host(`public.example.com`)'
        - 'traefik.http.routers.public.entrypoints=web'
        - 'traefik.http.services.public.loadbalancer.server.port=80'
        # TLS
        - "traefik.http.routers.publics.rule=Host(`public.example.com`)"
        - "traefik.http.routers.publics.entrypoints=websecure"
        - "traefik.http.routers.publics.tls.certresolver=letsencrypt"
        # Redirect
        - "traefik.http.routers.public.middlewares=https_redirect"
        - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
        # Authelia
        - 'traefik.http.routers.publics.middlewares=authelia@docker'

networks:
  traefik-public:
    external: true
```

Finally, the stack is ready to be deployed.

```
$ docker stack deploy -c traefik-compose.yml traefik
```

Full configuration files can be found here https://github.com/wuhanstudio/authelia-docker-swarm

```
$ docker swarm init && docker network create --driver=overlay traefik-public

$ git clone https://github.com/wuhanstudio/authelia-docker-swarm && cd authelia-docker-swarm

# Replace wuhanstudio.cc with your domain
$ find . -type f -name "*.yml" -exec sed -i'' -e 's/example.com/wuhanstudio.cc/g' {} +

# Replace wuhanstudio@qq.com with your email
$ find . -type f -name "*.yml" -exec sed -i'' -e 's/your@email.com/wuhanstudio@qq.com/g' {} +

$ docker stack deploy -c traefik-compose.yml traefik
```
docs: add an example of deploying authelia lite on docker swarm (#1899) Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com> 2021-04-10 21:10:02 +00:00			`---`
			`layout: default`
			`title: Example of authelia lite on docker swarm`
			`parent: Community`
			`nav_order: 4`
			`---`

			`The overlay network for docker swarm can be initialized with:`

			```
			`$ docker swarm init`
			`$ docker swarm init && docker network create --driver=overlay traefik-public`
			`$ mkdir ./redis ./letsencrypt`
			```

			`The structure of the folder should be like this:`

			```
			`├── authelia/`
			`│ ├── configuration.yml`
			`│ └── users_database.yml`
			`├── redis/`
			`├── letsencrypt/`
			`│ └── acme.json`
			`└── traefik-compose.yml`
			```

			`The following configuration allows you to deploy authelia to docker swarm with traefik 2.x. Please replace the example.com and your@email.com with your domain and email respectively. Then save it as traefik-compose.yml.`

			```
			`version: '3.3'`

			`services:`
			`authelia:`
			`image: authelia/authelia:4`
			`volumes:`
			`- ./authelia:/config`
			`networks:`
			`- traefik-public`
			`deploy:`
			`labels:`
			`- 'traefik.enable=true'`
			- 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
			`- 'traefik.http.routers.authelia.entrypoints=web'`
			`- "traefik.http.services.authelia.loadbalancer.server.port=9091"`
			`# TLS`
			- "traefik.http.routers.authelias.rule=Host(`auth.example.com`)"
			`- "traefik.http.routers.authelias.entrypoints=websecure"`
			`- "traefik.http.routers.authelias.tls.certresolver=letsencrypt"`
			`# Redirect`
			`- "traefik.http.routers.authelia.middlewares=https_redirect"`
			`- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"`
			`# Authelia`
			`- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com'`
			`- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'`
			`- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups'`
			`- "traefik.http.routers.authelia.service=authelia"`

			`redis:`
			`image: redis:6-alpine`
			`volumes:`
			`- ./redis:/data`
			`networks:`
			`- traefik-public`

			`traefik:`
			`# The official v2.0 Traefik docker image`
			`image: traefik:v2.2`
			`deploy:`
			`labels:`
			`- 'traefik.enable=true'`
			- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
			`- 'traefik.http.routers.api.entrypoints=web'`
			`- 'traefik.http.routers.api.service=api@internal'`
			`- 'traefik.http.services.traefik.loadbalancer.server.port=80'`
			`# TLS`
			- "traefik.http.routers.apis.rule=Host(`traefik.example.com`)"
			`- "traefik.http.routers.apis.entrypoints=websecure"`
			`- "traefik.http.routers.apis.tls.certresolver=letsencrypt"`
			`# Redirect`
			`- "traefik.http.routers.api.middlewares=https_redirect"`
			`- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"`
			`# Authelia`
			`- 'traefik.http.routers.apis.service=api@internal'`
			`- 'traefik.http.routers.apis.middlewares=authelia@docker'`
			`placement:`
			`constraints:`
			`- node.role == manager`
			`command:`
			`- "--api"`
			`- "--providers.docker=true"`
			`- "--providers.docker.swarmMode=true"`
			`- "--providers.docker.exposedbydefault=false"`
			`- "--entrypoints.web.address=:80"`
			`- "--entryPoints.websecure.address=:443"`
			`- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"`
			`- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"`
			`- "--certificatesresolvers.letsencrypt.acme.email=your@email.com"`
			`- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"`
			`ports:`
			`# Listen on port 80, default for HTTP, necessary to redirect to HTTPS`
			`- target: 80`
			`published: 80`
			`mode: host`
			`# Listen on port 443, default for HTTPS`
			`- target: 443`
			`published: 443`
			`mode: host`
			`volumes:`
			`# So that Traefik can listen to the Docker events`
			`- /var/run/docker.sock:/var/run/docker.sock`
			`- ./letsencrypt:/letsencrypt`
			`networks:`
			`- traefik-public`

			`secure:`
			`image: containous/whoami`
			`networks:`
			`- traefik-public`
			`deploy:`
			`labels:`
			`- 'traefik.enable=true'`
			- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
			`- 'traefik.http.routers.secure.entrypoints=web'`
			`- 'traefik.http.services.secure.loadbalancer.server.port=80'`
			`# TLS`
			- "traefik.http.routers.secures.rule=Host(`secure.example.com`)"
			`- "traefik.http.routers.secures.entrypoints=websecure"`
			`- "traefik.http.routers.secures.tls.certresolver=letsencrypt"`
			`# Redirect`
			`- "traefik.http.routers.secure.middlewares=https_redirect"`
			`- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"`
			`# Authelia`
			`- 'traefik.http.routers.secures.middlewares=authelia@docker'`

			`public:`
			`image: containous/whoami`
			`networks:`
			`- traefik-public`
			`deploy:`
			`labels:`
			`- 'traefik.enable=true'`
			- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
			`- 'traefik.http.routers.public.entrypoints=web'`
			`- 'traefik.http.services.public.loadbalancer.server.port=80'`
			`# TLS`
			- "traefik.http.routers.publics.rule=Host(`public.example.com`)"
			`- "traefik.http.routers.publics.entrypoints=websecure"`
			`- "traefik.http.routers.publics.tls.certresolver=letsencrypt"`
			`# Redirect`
			`- "traefik.http.routers.public.middlewares=https_redirect"`
			`- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"`
			`# Authelia`
			`- 'traefik.http.routers.publics.middlewares=authelia@docker'`

			`networks:`
			`traefik-public:`
			`external: true`
			```

			`Finally, the stack is ready to be deployed.`

			```
			`$ docker stack deploy -c traefik-compose.yml traefik`
			```

			`Full configuration files can be found here https://github.com/wuhanstudio/authelia-docker-swarm`

			```
			`$ docker swarm init && docker network create --driver=overlay traefik-public`

			`$ git clone https://github.com/wuhanstudio/authelia-docker-swarm && cd authelia-docker-swarm`

			`# Replace wuhanstudio.cc with your domain`
			`$ find . -type f -name "*.yml" -exec sed -i'' -e 's/example.com/wuhanstudio.cc/g' {} +`

			`# Replace wuhanstudio@qq.com with your email`
			`$ find . -type f -name "*.yml" -exec sed -i'' -e 's/your@email.com/wuhanstudio@qq.com/g' {} +`

			`$ docker stack deploy -c traefik-compose.yml traefik`
			```