From a80c0490b773d8de30cac4c74d042ac34b954ac0 Mon Sep 17 00:00:00 2001
From: nycki <nupanick@gmail.com>
Date: Sun, 16 Mar 2025 21:50:57 -0700
Subject: [PATCH] blog: filebrowser auth

---
 content/blog/23-filebrowser-auth.md | 86 +++++++++++++++++++++++++++++
 static/slimequest/style.css         |  3 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 content/blog/23-filebrowser-auth.md

diff --git a/content/blog/23-filebrowser-auth.md b/content/blog/23-filebrowser-auth.md
new file mode 100644
index 0000000..4e74b6a
--- /dev/null
+++ b/content/blog/23-filebrowser-auth.md
@@ -0,0 +1,86 @@
+---
+date: 2025-02-04
+title: filebrowser auth
+description: look ma no keycloak
+tags:
+  - programming
+permalink: /blog/23/
+---
+
+_{{ description }}_
+
+I FINALLY GOT IT WORKING
+
+docker-compose.yml
+
+```yaml
+services:
+  filebrowser:
+    image: "filebrowser/filebrowser:s6"
+    container_name: "filebrowser"
+    environment:
+      # filebrowser will run as this user, you may want to create a new one
+      - "PUID=1000"
+      - "PGID=1000"
+    restart: "unless-stopped"
+    volumes:
+      - "/data/filebrowser/srv:/srv"
+      - "/data/filebrowser/database:/database"
+      - "/data/filebrowser/config:/config"
+    ports:
+      - "8200:80"
+```
+
+```bash
+sudo docker-compose up -d
+```
+
+log into filebrowser as admin and do your setup, then:
+
+```bash
+sudo docker-compose down
+sudo docker-compose run --entrypoint /bin/bash filebrowser
+filebrowser config set --auth.method=proxy --auth.header=X-Remote-User
+exit
+sudo docker-compose up -d
+```
+
+filebrowser is now expecting to get a header with the authenticated username. We can give it that! install the pwauth authenticator:
+
+```bash
+apt-get install libapache2-mod-authnz-external pwauth
+a2enmod authnz_external
+```
+
+and configure it like this:
+
+```xml
+<VirtualHost *:443>
+  ServerName fb.hatspace.net
+  DefineExternalAuth pwauth pipe /usr/sbin/pwauth
+  <Proxy *>
+    Order deny,allow
+    Allow from all
+    AuthType Basic
+    AuthName "Login"
+    AuthBasicProvider external
+    AuthExternal pwauth
+    Require valid-user
+    RequestHeader set X-Remote-User %{REMOTE_USER}s
+  </Proxy>
+  <Location />
+    # filebrowser
+    ProxyPass http://localhost:8200/ nocanon
+  </Location>
+</VirtualHost>
+```
+
+That `%{REMOTE_USER}s` is not a typo, the s is important! I think it stands for "ssl" or "secure" or something? You need it or the var will be null.
+
+and viola! the server will now allow you to log in with your linux username and password, and filebrowser will show the correct files when you do!
+
+References:
+- <https://filebrowser.org/installation>
+- <https://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication>
+- <https://serverfault.com/questions/45278/authenticate-in-apache-via-system-account>
+- <https://serverfault.com/questions/207301/get-the-authenticated-user-under-apache>
diff --git a/static/slimequest/style.css b/static/slimequest/style.css
index 539f936..430a2e4 100644
--- a/static/slimequest/style.css
+++ b/static/slimequest/style.css
@@ -18,6 +18,7 @@ main {
 }
 
 .post img {
+  max-width: 100%;
   display: block;
   margin: 0 auto;
 }
@@ -51,4 +52,4 @@ h2 {
 
 .next {
   font-size: xx-large;
-}
\ No newline at end of file
+}