Traefik with Authelia configuration problem in docker swarm

I wanted to add Authelia to my secure services a little better but something is not wright in my config. Traefik works great. Authelia by itself works (I can access and login going directly to login.domain.xyz) but something is missing with redirection/middlewares process when I try to access Authelia protected services. Everything is on docker swarm. What am I missing here?

Traefik config looks like this. I don't have anything is dynamic.ymal or in the Traefik.ymal

version: "3.8"
services:
  traefik:
    image: "traefik:latest"
    command:
#      - --log.level=DEBUG
      - --api.insecure=true
      - --api.dashboard=true
      - --api.debug=true
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.filename=/dynamic.yaml
      - --providers.docker.network=web
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.irc.address=:6502
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.letsencrypt.acme.email=<user>@gmail.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.domains[0].main=domain.xyz
      - --entrypoints.websecure.http.tls.domains[0].sans=*.domain.xyz
# --- redirect to https ---
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
    deploy:
      placement:
        constraints: [node.labels.srv1 == web]
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 3
        window: 180s
      labels:
        - traefik.enable=true
        - traefik.http.routers.api.entrypoints=websecure
        - traefik.http.routers.api.rule=Host(`traefik.domain.xyz`)
        - traefik.http.routers.api.service=api@internal
        - traefik.http.services.api.loadbalancer.server.port=8080
        - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.domain.xyz/
        - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
        - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email
    ports:
      - "80:80"
#      - "8080:8080"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/usbdisk/data/appdata/traefik-rp/traefik.ymal:/etc/traefik/traefik.ymal
      - /mnt/usbdisk/data/appdata/traefik-rp/letsencrypt:/letsencrypt
      - /mnt/usbdisk/data/appdata/traefik-rp/dynamic.yaml:/dynamic.yaml
    environment:
      - CLOUDFLARE_EMAIL=/run/secrets/cloudflare_email_address
      - CLOUDFLARE_DNS_API_TOKEN=/run/secrets/cloudflare_dns_api_token
    networks:
      - traefik
    secrets:
      - cloudflare_email_address
      - cloudflare_dns_api_token

networks:
  traefik:
    attachable: true
    name: traefik

secrets:
  cloudflare_email_address:
    file: /mnt/usbdisk/data/secrets/cloudflare_email_address
  cloudflare_dns_api_token:
    file: /mnt/usbdisk/data/secrets/cloudflare_dns_api_token

Authelia config

version: "3.8"
services:
  portainer:
    image: authelia/authelia
    volumes:
      - /mnt/usbdisk/data/appdata/authelia-rp:/config
    environment:
      - TZ=Europe/Berlin
      - AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
      - AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
      - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
#      - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
      - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
    deploy:
      placement:
        constraints: [node.labels.srv1 == web]
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 2
        window: 120s
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.authelia.entrypoints=websecure'
        - 'traefik.http.routers.authelia.rule=Host(`login.domain.xyz`)'
        - 'traefik.http.services.authelia.loadbalancer.server.port=9091'
        - 'traefik.http.routers.authelia.tls=true'
        - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.domain.xyz/'
        - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
        - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
    networks:
      - traefik
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_notifier_smtp_password
#      - authelia_duo_api_secret_key
      - authelia_storage_mysql_password

networks:
  traefik:
    external: true

secrets:
  authelia_jwt_secret:
    file: /mnt/usbdisk/data/secrets/authelia_jwt_secret
  authelia_session_secret:
    file: /mnt/usbdisk/data/secrets/authelia_session_secret
  authelia_storage_mysql_password:
    file: /mnt/usbdisk/data/secrets/authelia_storage_mysql_password
  authelia_notifier_smtp_password:
    file: /mnt/usbdisk/data/secrets/authelia_notifier_smtp_password
#  authelia_duo_api_secret_key:
#    file: $SECRETSDIR/authelia_duo_api_secret_key
  authelia_storage_mysql_password:
    file: /mnt/usbdisk/data/secrets/authelia_storage_mysql_password

and here is Lidarr config that I'm testing on

version: "3.8"
services:
  lidarr:
    image: ghcr.io/linuxserver/lidarr
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - /mnt/usbdisk/data/appdata/lidarr-ub:/config
      - /mnt/srv1/data/media/music:/music
      - /mnt/srv1/data/download:/downloads
    deploy:
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 2
        window: 120s
      placement:
        constraints: [node.labels.srv2 == web]
      labels:
        - traefik.enable=true
        - traefik.http.routers.lidarr.entrypoints=websecure
        - traefik.http.routers.lidarr.rule=Host(`lidarr.domain.xyz`)
        - traefik.http.routers.lidarr.tls=true
        - traefik.http.routers.lidarr.middlewares=authelia@docker
        - traefik.http.services.lidarr.loadbalancer.server.port=8686
    networks:
      - traefik

networks:
  traefik:
    external: true

I know that I'm doing something wrong but can't figure out what it is.

I found one error in my config

This should be


- --providers.docker.network=traefik

However Authelia still doesn’t seem to work. I’m seeing this error in Traefik logs


level=debug msg="Error calling http://authelia:9091/api/verify?rd=https://login.domain.xyz/. Cause: Get \"http://authelia:9091/api/verify?rd=https://login.domain.xyz/\": dial tcp: lookup authelia on 127.0.0.11:53: no such host" middlewareName=authelia@docker middlewareType=ForwardedAuthType

Hope somebody can point me in the right direction with this