nycki.net/content/blog/23-filebrowser-auth.md

---
date: 2025-03-16
title: filebrowser auth
subtitle: look ma no keycloak
tags:
- programming
permalink: /blog/23/
---
I FINALLY GOT IT WORKING
`docker-compose.yml`:
```yaml
services:
  filebrowser:
    image: "filebrowser/filebrowser:s6"
    container_name: "filebrowser"
    environment:
      # filebrowser will run as this user, you may want to create a new one
      - "PUID=1000"
      - "PGID=1000"
    restart: "unless-stopped"
    volumes:
      - "/data/filebrowser/srv:/srv"
      - "/data/filebrowser/database:/database"
      - "/data/filebrowser/config:/config"
    ports:
      - "8200:80"
```
```bash
sudo docker-compose up -d
```
log into filebrowser as admin and do your setup, then:
```bash
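# stop the running container before changing its config
sudo docker-compose down
# open a shell in a one-off container
sudo docker-compose run --entrypoint /bin/bash filebrowser
# the next two lines are typed inside the container
filebrowser config set --auth.method=proxy --auth.header=X-Remote-User
exit
sudo docker-compose up -d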
```
filebrowser is now expecting to get a header with the authenticated username. We can give it that! Install the pwauth authenticator:
```bash
apt-get install libapache2-mod-authnz-external pwauth
a2enmod authnz_external
```
and configure it like this:
```xml
<VirtualHost *:443>
    ServerName fb.hatspace.net
    DefineExternalAuth pwauth pipe /usr/sbin/pwauth
    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Login"
        AuthBasicProvider external
        AuthExternal pwauth
        Require valid-user
        RequestHeader set X-Remote-User %{REMOTE_USER}s
    </Proxy>
    <Location />
        # filebrowser
        ProxyPass http://localhost:8200/ nocanon
    </Location>
</VirtualHost>
```
That `%{REMOTE_USER}s` is not a typo, the s is important! I think it stands for "ssl" or "secure" or something? You need it or the var will be null.
and voilà! the server will now allow you to log in with your linux username and password, and filebrowser will show the correct files when you do!
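With `--auth.method=proxy`, filebrowser accepts whatever name arrives in `X-Remote-User`, so the login only holds if every request passes through Apache, and the `8200:80` mapping above publishes the container on all host interfaces. The check below is an added example, not part of the original post or of filebrowser: the function names and the sample compose text are constructed, and it reads only the short `ports:` string syntax.

```python
import ipaddress
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto]
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:.]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>[\d-]*):)?(?P<container>[\d-]+)(?:/(?P<proto>\w+))?$"
)

def bind_address(spec):
    """Host address a mapping binds to (assumes Docker's default of all interfaces)."""
    m = PORT_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return (m.group("ip") or "0.0.0.0").strip("[]")

def bypass_risks(compose_text):
    """Return published ports that are reachable from outside the host itself."""
    risky, in_ports = [], False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            spec = stripped[2:].strip().strip("\"'")
            if not ipaddress.ip_address(bind_address(spec)).is_loopback:
                risky.append(spec)
        elif stripped and not stripped.startswith("#"):
            in_ports = False  # any other key ends the ports list
    return risky

# Constructed sample: the post's mapping next to a loopback-only variant.
SAMPLE = """\
services:
  filebrowser:
    environment:
      - "PUID=1000"
    ports:
      - "8200:80"
  filebrowser_local:
    ports:
      - "127.0.0.1:8200:80"
"""

if __name__ == "__main__":
    for spec in bypass_risks(SAMPLE):
        print(f"{spec}: clients can reach filebrowser without Apache setting X-Remote-User")
```

Since Apache reaches the container at `localhost:8200`, publishing the port as `127.0.0.1:8200:80` keeps the proxy working while closing the direct path.
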
References:
- <https://filebrowser.org/installation>
- <https://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication>
- <https://serverfault.com/questions/45278/authenticate-in-apache-via-system-account>
- <https://serverfault.com/questions/207301/get-the-authenticated-user-under-apache>
Update 2025-03-17: Don't do this until this issue is resolved: <https://github.com/filebrowser/filebrowser/issues/2658>
Basically: filebrowser does all operations as root, including file creation. So even if you restrict a user to their home directory, all the files they create will belong to root. Less than ideal. I'm looking into [ifm](https://github.com/misterunknown/ifm) as an alternative.