---
date: 2025-03-16
title: filebrowser auth
subtitle: look ma no keycloak
tags:
  - programming
permalink: /blog/23/
---
I FINALLY GOT IT WORKING

docker-compose.yml

```yaml
services:
  filebrowser:
    image: "filebrowser/filebrowser:s6"
    container_name: "filebrowser"
    environment:
      # filebrowser will run as this user, you may want to create a new one
      - "PUID=1000"
      - "PGID=1000"
    restart: "unless-stopped"
    volumes:
      - "/data/filebrowser/srv:/srv"
      - "/data/filebrowser/database:/database"
      - "/data/filebrowser/config:/config"
    ports:
      - "8200:80"
```

```bash
sudo docker-compose up -d
```

log into filebrowser as admin and do your setup, then:

```bash
sudo docker-compose down
sudo docker-compose run --entrypoint /bin/bash filebrowser
filebrowser config set --auth.method=proxy --auth.header=X-Remote-User
exit
sudo docker-compose up -d
```

filebrowser is now expecting to get a header with the authenticated username. We can give it that! install the pwauth authenticator:

```bash
apt-get install libapache2-mod-authnz-external pwauth
a2enmod authnz_external
```

and configure it like this:

```xml
<VirtualHost *:443>
  ServerName fb.hatspace.net
  DefineExternalAuth pwauth pipe /usr/sbin/pwauth
  <Proxy *>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Login"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user
    RequestHeader set X-Remote-User %{REMOTE_USER}s
  </Proxy>
  <Location />
    # filebrowser
    ProxyPass http://localhost:8200/ nocanon
  </Location>
</VirtualHost>
```

That `%{REMOTE_USER}s` is not a typo, the s is important! I think it stands for "ssl" or "secure" or something? You need it or the var will be null.

and viola! the server will now allow you to log in with your linux username and password, and filebrowser will show the correct files when you do!

References:
- <https://filebrowser.org/installation>
- <https://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication>
- <https://serverfault.com/questions/45278/authenticate-in-apache-via-system-account>
- <https://serverfault.com/questions/207301/get-the-authenticated-user-under-apache>

Update 2025-03-17: Don't do this until this issue is resolved: <https://github.com/filebrowser/filebrowser/issues/2658>

Basically: filebrowser does all operations as root, including file creation. So even if you restrict a user to their home directory, all the files they create will belong to root. Less than ideal. I'm looking into [ifm](https://github.com/misterunknown/ifm) as an alternative.