I FINALLY GOT IT WORKING
docker-compose.yml
    services:
      filebrowser:
        image: "filebrowser/filebrowser:s6"
        container_name: "filebrowser"
        environment:
          # filebrowser will run as this user, you may want to create a new one
          - "PUID=1000"
          - "PGID=1000"
        restart: "unless-stopped"
        volumes:
          - "/data/filebrowser/srv:/srv"
          - "/data/filebrowser/database:/database"
          - "/data/filebrowser/config:/config"
        ports:
          # publish on loopback only: with proxy auth (set up below), filebrowser
          # trusts X-Remote-User from anything that can reach this port
          - "127.0.0.1:8200:80"
    sudo docker-compose up -d

log into filebrowser as admin and do your setup, then:

    sudo docker-compose down
    sudo docker-compose run --entrypoint /bin/bash filebrowser
    filebrowser config set --auth.method=proxy --auth.header=X-Remote-User
    exit
    sudo docker-compose up -d

filebrowser is now expecting to get a header with the authenticated username. We can give it that! Install the pwauth authenticator:

    apt-get install libapache2-mod-authnz-external pwauth
    a2enmod authnz_external

and configure it like this:

    <VirtualHost *:443>
        ServerName fb.hatspace.net
        # check Basic auth credentials against system accounts via pwauth
        DefineExternalAuth pwauth pipe /usr/sbin/pwauth
        <Proxy *>
            Order deny,allow
            Allow from all
            AuthType Basic
            AuthName "Login"
            AuthBasicProvider external
            AuthExternal pwauth
            Require valid-user
            # "set" replaces any X-Remote-User the client sent with the authenticated name
            RequestHeader set X-Remote-User %{REMOTE_USER}s
        </Proxy>
        <Location />
            # filebrowser
            ProxyPass http://localhost:8200/ nocanon
        </Location>
    </VirtualHost>

That %{REMOTE_USER}s is not a typo, the s is important! I think it stands for "ssl" or "secure" or something? You need it or the var will be null.
and voilà! The server will now allow you to log in with your Linux username and password, and filebrowser will show the correct files when you do!
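
With auth.method=proxy, filebrowser takes the username from the X-Remote-User header on any request that reaches it, so the container port should only be reachable through the Apache vhost. The following is an added example, not part of the original post or the filebrowser project: it checks compose short-syntax port strings for anything published beyond loopback. The sample entries and function names are constructed, and it assumes Docker's default bind address (0.0.0.0) has not been changed.

```python
import ipaddress

# Constructed sample: service name -> compose short-syntax "ports" entries.
SAMPLE = {
    "filebrowser": ["8200:80"],
    "filebrowser-local": ["127.0.0.1:8200:80", "[::1]:8200:80/tcp"],
}

def parse_port(spec):
    """Split a short-syntax port string into (host_ip, host_port, container_port)."""
    spec = spec.strip().split("/", 1)[0]        # drop a "/tcp" or "/udp" suffix
    host_ip = None
    if spec.startswith("["):                     # bracketed IPv6: [::1]:8200:80
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if host_ip is None and len(parts) == 3:      # IPv4 bind: 127.0.0.1:8200:80
        host_ip = parts.pop(0)
    if len(parts) == 1:                          # "80": container port only
        parts.insert(0, "")
    if len(parts) != 2:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return host_ip, parts[0], parts[1]

def is_exposed(spec):
    """True when the port is published on anything other than a loopback address."""
    host_ip, _, _ = parse_port(spec)
    if host_ip is None:
        return True  # assumption: no bind address means Docker's default, 0.0.0.0
    return not ipaddress.ip_address(host_ip).is_loopback

def audit(services):
    """Return (service, spec) pairs that can be reached without going through the proxy."""
    return [(name, spec)
            for name, ports in services.items()
            for spec in ports
            if is_exposed(spec)]

if __name__ == "__main__":
    for name, spec in audit(SAMPLE):
        print(f"{name}: {spec!r} is published on all interfaces; "
              "bind it to 127.0.0.1 so only the local proxy can set X-Remote-User")
```
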
Update 2025-03-17: Don't do this until this issue is resolved: https://github.com/filebrowser/filebrowser/issues/2658
Basically: filebrowser does all operations as root, including file creation. So even if you restrict a user to their home directory, all the files they create will belong to root. Less than ideal. I'm looking into ifm as an alternative.