6.3 KiB
6.3 KiB
| layout | title | parent | nav_order |
|---|---|---|---|
| default | Example of authelia lite on docker swarm | Community | 4 |
The overlay network for docker swarm can be initialized with:
$ docker swarm init
$ docker swarm init && docker network create --driver=overlay traefik-public
$ mkdir ./redis ./letsencrypt
The structure of the folder should be like this:
├── authelia/
│ ├── configuration.yml
│ └── users_database.yml
├── redis/
├── letsencrypt/
│ └── acme.json
└── traefik-compose.yml
The following configuration allows you to deploy authelia to docker swarm with traefik 2.x. Please replace the example.com and your@email.com with your domain and email respectively. Then save it as traefik-compose.yml.
version: '3.3'
services:
authelia:
image: authelia/authelia:4
volumes:
- ./authelia:/config
networks:
- traefik-public
deploy:
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`auth.example.com`)'
- 'traefik.http.routers.authelia.entrypoints=web'
- "traefik.http.services.authelia.loadbalancer.server.port=9091"
# TLS
- "traefik.http.routers.authelias.rule=Host(`auth.example.com`)"
- "traefik.http.routers.authelias.entrypoints=websecure"
- "traefik.http.routers.authelias.tls.certresolver=letsencrypt"
# Redirect
- "traefik.http.routers.authelia.middlewares=https_redirect"
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
# Authelia
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.example.com'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups'
- "traefik.http.routers.authelia.service=authelia"
redis:
image: redis:6-alpine
volumes:
- ./redis:/data
networks:
- traefik-public
traefik:
# The official v2.0 Traefik docker image
image: traefik:v2.2
deploy:
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
- 'traefik.http.routers.api.entrypoints=web'
- 'traefik.http.routers.api.service=api@internal'
- 'traefik.http.services.traefik.loadbalancer.server.port=80'
# TLS
- "traefik.http.routers.apis.rule=Host(`traefik.example.com`)"
- "traefik.http.routers.apis.entrypoints=websecure"
- "traefik.http.routers.apis.tls.certresolver=letsencrypt"
# Redirect
- "traefik.http.routers.api.middlewares=https_redirect"
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
# Authelia
- 'traefik.http.routers.apis.service=api@internal'
- 'traefik.http.routers.apis.middlewares=authelia@docker'
placement:
constraints:
- node.role == manager
command:
- "--api"
- "--providers.docker=true"
- "--providers.docker.swarmMode=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entryPoints.websecure.address=:443"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.letsencrypt.acme.email=your@email.com"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
ports:
# Listen on port 80, default for HTTP, necessary to redirect to HTTPS
- target: 80
published: 80
mode: host
# Listen on port 443, default for HTTPS
- target: 443
published: 443
mode: host
volumes:
# So that Traefik can listen to the Docker events
- /var/run/docker.sock:/var/run/docker.sock
- ./letsencrypt:/letsencrypt
networks:
- traefik-public
secure:
image: containous/whoami
networks:
- traefik-public
deploy:
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
- 'traefik.http.routers.secure.entrypoints=web'
- 'traefik.http.services.secure.loadbalancer.server.port=80'
# TLS
- "traefik.http.routers.secures.rule=Host(`secure.example.com`)"
- "traefik.http.routers.secures.entrypoints=websecure"
- "traefik.http.routers.secures.tls.certresolver=letsencrypt"
# Redirect
- "traefik.http.routers.secure.middlewares=https_redirect"
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
# Authelia
- 'traefik.http.routers.secures.middlewares=authelia@docker'
public:
image: containous/whoami
networks:
- traefik-public
deploy:
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
- 'traefik.http.routers.public.entrypoints=web'
- 'traefik.http.services.public.loadbalancer.server.port=80'
# TLS
- "traefik.http.routers.publics.rule=Host(`public.example.com`)"
- "traefik.http.routers.publics.entrypoints=websecure"
- "traefik.http.routers.publics.tls.certresolver=letsencrypt"
# Redirect
- "traefik.http.routers.public.middlewares=https_redirect"
- "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
# Authelia
- 'traefik.http.routers.publics.middlewares=authelia@docker'
networks:
traefik-public:
external: true
Finally, the stack is ready to be deployed.
$ docker stack deploy -c traefik-compose.yml traefik
Full configuration files can be found here https://github.com/wuhanstudio/authelia-docker-swarm
$ docker swarm init && docker network create --driver=overlay traefik-public
$ git clone https://github.com/wuhanstudio/authelia-docker-swarm && cd authelia-docker-swarm
# Replace wuhanstudio.cc with your domain
$ find . -type f -name "*.yml" -exec sed -i'' -e 's/example.com/wuhanstudio.cc/g' {} +
# Replace wuhanstudio@qq.com with your email
$ find . -type f -name "*.yml" -exec sed -i'' -e 's/your@email.com/wuhanstudio@qq.com/g' {} +
$ docker stack deploy -c traefik-compose.yml traefik