--- 
navigation: true
title: Beszel
main:
  fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# Beszel

::alert{type="info"}
🎯 __Objectives:__
- Install Beszel
- Monitor the local server
- Monitor a remote server
- Expose Beszel with Swag
::

[Beszel](https://beszel.dev/) is a container that gives you real-time access to hardware information from your servers and allows historical tracking. CPU activity, disk usage, temperatures, RAM—nothing escapes your monitoring. Beszel also lets you configure notifications and alerts when your predefined thresholds are exceeded.

Beszel includes a hub with a web UI and an agent that collects data from your server or a remote server.

![Beszel](/img/serveex/beszel.png)

## Installation
---

Folder structure

```console
root
└── docker
    └── beszel
        ├── data
        └── socket
```

Open Dockge, click `compose`, name the stack `beszel`, and paste the following:

```yaml
---
services:
  beszel:
    image: henrygd/beszel:latest
    container_name: beszel
    restart: unless-stopped
    ports:
      - ${PORT}:8090
    volumes:
      - ./data:/beszel_data
      - ./socket:/beszel_socket

  beszel-agent:
    image: henrygd/beszel-agent:latest
    container_name: beszel-agent
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./socket:/beszel_socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      LISTEN: /beszel_socket/beszel.sock
      # Do not remove quotes around the key
      KEY: ${KEY}
```

::alert{type="success"}
✨ __Tip:__ Add the Watchtower label to each container to automate updates.

```yaml
services:
  beszel:
    #...
    labels:
      - com.centurylinklabs.watchtower.enable=true
```
::

Fill out the `.env` file, for example:

```properties
PORT=8090 # web UI port
KEY= # private key to retrieve from Beszel when adding a system
```

For the `KEY` value, you'll need to launch Beszel once to get it.

Deploy the container and go to `http://yourserverip:8090`. Your Beszel web UI is now accessible!

::alert{type="danger"}
:::list{type="danger"}
- __If it fails:__ check your firewall rules.
:::
::

### Add local server information

Now that the web UI is accessible, you need to push local server information into it. Just add a machine via the web UI and configure it like this:

![Beszel add system](/img/serveex/beszel-add.png)

Note the private key and confirm. Enter the key in your `.env` file in Dockge and redeploy the stack. Once done, your server will appear in the web UI:

![Beszel system](/img/serveex/beszel-system.png)

### Add a remote server

You can also monitor a remote server. To do so, run the agent on the remote server. Add a new machine in Beszel and fill in:

- The name displayed for your remote server
- The IP address or domain name of the remote server
- The listening port (e.g., `45876`)

Beszel will suggest a `compose.yaml` to deploy on the remote server, or you can use:

```yaml
---
services:
  beszel-agent:
    image: henrygd/beszel-agent
    container_name: beszel-agent
    restart: unless-stopped
    network_mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      LISTEN: ${PORT}
      KEY: ${KEY}
```

And in `.env`:

```properties
PORT=45876 # communication port between hub and remote agent
KEY= # private key from Beszel when adding the system
```

Deploy the stack on the remote server. Data will begin flowing into the web UI after a few seconds.

::alert{type="danger"}
:::list{type="danger"}
- __If it fails:__ check your firewall rules.
:::
::

## Expose Beszel with Swag
---

::alert{type="warning"}
:::list{type="warning"}
- Beszel does not support multi-factor authentication. Exposing it on the internet could compromise connected machines. Only do this if you're using a system like [Authentik](/serveex/security/authentik/). Otherwise, do not expose with SWAG—use a VPN like [Wireguard](/serveex/security/wireguard) instead.
:::
::

If you want to access Beszel remotely from all your devices, expose it using Swag.

::alert{type="info"}
📋 __Prerequisite:__
<br/><br/>
You must have created a DNS subdomain like `beszel.mydomain.com` with a `CNAME` pointing to `mydomain.com`, and—unless you're using Cloudflare Zero Trust—you must have forwarded port `443` on your router to your server’s `443` port via [NAT rules](/general/networking/nat).
::

In Dockge, edit Swag's compose file and add Beszel’s network:

```yaml
services:
  swag:
     container_name: # ...
      # ...
     networks:
      # ...
      - beszel            # network declared in the stack

networks:
  # ...
  beszel:
    name: beszel_default  # actual external network name
    external: true
```

Redeploy the stack and wait for Swag to become fully operational.

::alert{type="info"}
:::list{type="info"}
- We assume the network name is `beszel_default`. You can check connectivity by visiting Swag's dashboard at `http://yourserverip:81`.
:::
::

In Swag’s config folders, create `beszel.subdomain.conf`.

::alert{type="success"}
✨ __Tip:__ Use [File Browser](/serveex/files/file-browser) to browse and edit files instead of terminal commands.
::

```shell
sudo vi /docker/swag/config/nginx/proxy-confs/beszel.subdomain.conf
```

Press `i` to enter insert mode and paste:

```nginx
## Version 2023/12/19

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name beszel.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    #if ($lan-ip = yes) { set $geo-whitelist yes; }
    #if ($geo-whitelist = no) { return 404; }
    if ($geo-blacklist = no) { return 404; }

    # enable for ldap auth
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik
    #include /config/nginx/authentik-server.conf;

    location / {
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        #include /config/nginx/ldap-location.conf;
        #include /config/nginx/authelia-location.conf;
        #include /config/nginx/authentik-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app beszel;
        set $upstream_port 8090;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Press `Esc`, type `:x`, and hit `Enter` to save and exit.

That’s it—Beszel is now exposed!

::alert{type="success"}
✨ You can protect this app with Authentik by opening `beszel.subdomain.conf` and removing the `#` in front of `include /config/nginx/authentik-server.conf;` and `include /config/nginx/authentik-location.conf;`. Don’t forget to [create an application and provider in Authentik](/serveex/security/authentik#protecting-an-app-via-reverse-proxy).
::