Docker Compose

Introduction

This document provides a complete example of how to deploy Defguard using Docker Compose, including configuration for all components - Core, Proxy, and Gateway. It covers Docker image tags, environment variables, and reverse-proxy setup examples to help you quickly launch a fully functional Defguard environment.

We recommend deploying each Defguard service on a dedicated server or virtual machine to ensure better isolation, performance, and security. In this setup, each Docker Compose file should be used for a single service, keeping the Core, Proxy, and Gateway components physically separated.

Please note that we also offer a one-line quick deployment based on Docker Compose, but that method is recommended for PoC/quick deployments, as it launches all services on one server from a single Docker Compose file.

Docker images and tags

The examples below use the latest tag (the latest production images), but you can use others.

All docker images for Core, Gateway, and Proxy have these additional tags:

  • latest - the latest stable production release.

  • vX.Y, vX.Y.Z, vX.Y-alpha1 - fixed tags for specific stable and alpha releases.

  • pre-release - the latest pre-production release (equivalent to vX.Y-alpha1).

  • dev - the latest development build from the dev branch (experimental).
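
An added example (not part of the Defguard documentation or repository): a Python check that classifies every image: reference in a compose file by the tag scheme listed above, so tags that move between pulls are visible before deployment. The registry, image names and version numbers in the sample are constructed placeholders, and the line-based parsing assumes one image: key per line.

```python
import re

# Tag scheme from the list above: fixed release tags vs. tags that move.
FIXED_TAG = re.compile(r"v\d+\.\d+(\.\d+)?(-alpha\d+)?")
MOVING_TAGS = {"latest", "pre-release", "dev"}
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s#]+)""")

# Constructed sample; registry, image names and versions are placeholders.
SAMPLE = """\
services:
  core:
    image: registry.example:5000/defguard/core:latest
  proxy:
    image: registry.example:5000/defguard/proxy:v1.2-alpha1
  gateway:
    image: "registry.example:5000/defguard/gateway:dev"
  db:
    image: postgres
"""


def classify(ref):
    """Return 'variable', 'digest', 'fixed', 'moving' or 'unknown'."""
    if "${" in ref:
        return "variable"  # interpolated from .env; audit the value there
    name, _, digest = ref.partition("@")
    if digest:
        return "digest"  # content-addressed, cannot move
    # Only a colon in the last path segment is a tag; earlier ones are a port.
    last = name.rsplit("/", 1)[-1]
    tag = last.rsplit(":", 1)[1] if ":" in last else "latest"  # Docker default
    if tag in MOVING_TAGS:
        return "moving"
    return "fixed" if FIXED_TAG.fullmatch(tag) else "unknown"


def audit_compose(text):
    """Return a list of (line_number, image_ref, verdict) for each image: line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if match:
            findings.append((number, match.group(1), classify(match.group(1))))
    return findings


if __name__ == "__main__":
    for number, ref, verdict in audit_compose(SAMPLE):
        print(f"line {number}: {ref} -> {verdict}")
```
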

Example Docker Compose deployment repository

We prepared a Git repository with an example Docker Compose configuration. The deployment files located in the docker-compose-segmented directory are split into 3 separate Docker Compose files, one for each component: Core, Proxy, Gateway.

Before running any of the services, make the appropriate changes for every component, either in the .env file or in the environment section of the compose file.

To run one of the components, simply do:

Below you'll find a detailed breakdown of configuration for different components: Core, Proxy and Gateway.

We recommend following the guide on Securing gRPC communication to further secure the communication between components.

Deploying Core, database and reverse proxy services

Here is the compose.yml for the Core, Database and a reverse proxy (Nginx Proxy Manager). The configuration is split out into the .env file (see below).

Nginx Proxy Manager

The reverse proxy should be set up to provide access to the Defguard Core dashboard. The Nginx Proxy Manager (NPM) can be configured by accessing its web interface at port 81.

The Nginx proxy should be configured to proxy the traffic to: http://core:8000.

We also recommend setting up certificates to serve the traffic over HTTPS. Since Core is designed to be deployed in an internal network, we recommend selecting DNS validation in NPM or uploading custom, already issued certificates.

The configuration

Here is the .env file with all configuration variables:

Deploying Proxy and reverse proxy service

Here is the compose.yml for Defguard Proxy (enrollment and desktop client configuration service).

Nginx Proxy Manager

The reverse proxy should be set up to provide access to the Defguard Proxy interface and to serve all traffic destined to it via HTTPS. The Nginx Proxy Manager (NPM) can be configured by accessing its web interface at port 81.

The Nginx proxy should be configured to proxy the traffic to: http://proxy:8080.

Make sure to turn on WebSocket support, as some Defguard features rely on it.

NPM can automatically issue certificates for your Defguard Proxy by performing domain validation over port 80. Make sure this port is open when configuring certificates. Alternatively, DNS validation can be used.

Deploying Gateway service

You'll need a token to deploy Defguard Gateway. You'll have to set it as the DEFGUARD_TOKEN environment variable. Details on how to obtain the token here.

For Gateway to control the WireGuard kernel module as well as the network, it's recommended to run it in host network mode and to add the NET_ADMIN capability.
