Haack's Wiki

User Tools

Site Tools

Trace:
computing:filebrowser

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
computing:filebrowser [2025/12/09 03:08] – created oemb1905computing:filebrowser [2025/12/13 06:18] (current) oemb1905
Line 1: Line 1:
 +-------------------------------------------
 +  * **Setting up a secure & public-facing Filebrowser instance**
 +  * **oemb1905**
 +  * **filebrowser-pub**
 +  * **webmaster@gnulinux.studio**
  
 +-------------------------------------------
  
 +//filebrowser-pub//
  
-1. Install File Browser (latest)   +------------------------------------------- 
-   ```bash + 
-   curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash +This tutorial is for Debian Trixie users seeking to set up a secure and public-facing [[https://filebrowser.org/|Filebrowser]] instance. This is to assist with uploading and managing music/media on Navidrome, Jellyfin, and other similar instances. Do not proceed with this tutorial until you've learned how to set up a public facing VM/VPS and harden it appropriately. If you have not done that, start with [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]]. So long as that's in place, you can safely begin. You can install Filebrowser manually, or use their automated bash script. I chose the latter. Make sure to verify the checksums and code before using the pipe-to-bash approach like me: 
-   ```+ 
 +  curl -fsSL https://raw.githubusercontent.com/filebrowser/get/master/get.sh | bash 
 +  sudo mkdir -p /var/lib/filebrowser 
 +  sudo chown -R filebrowser:filebrowser /var/lib/filebrowser 
 +  sudo chmod 755 /var/lib/filebrowser 
 +  adduser navidrome filebrowser 
 +  adduser jellyfin filebrowser 
 + 
 +The system will give you an auto-generated user and password upon completion of the installer. Let's change that before we proceed: 
 + 
 +  sudo systemctl stop filebrowser 
 +  sudo filebrowser users update admin --password yournewpassword 
 +  sudo systemctl start filebrowser 
 + 
 +Make sure to pick a 16+ character password; this is public facing. To be clear, this is invoking the ''filebrowser'' service to update the admin user in the sql lite database it just created. The service does, however, required a dedicated simple UNIX user, which we will now create and make sure to turn off home directory and shell access for:
  
-2. Create system user   
-   ```bash 
    sudo adduser --system --group --no-create-home filebrowser    sudo adduser --system --group --no-create-home filebrowser
-   ``` 
  
-3. Install ACL tools   +Once the dedicated user is created, let's create the systemd unit to control starting/stopping the serviceLet's create a unit file here ''sudo nano/etc/systemd/system/filebrowser.service'' and drop these contents inside: 
-   ```bash + 
-   sudo apt install acl +<code bash> 
-   ```+[Unit] 
 +Description=File Browser 
 +After=network.target 
 + 
 +[Service] 
 +User=filebrowser 
 +Group=filebrowser 
 +WorkingDirectory=/var/lib/filebrowser 
 +ExecStart=/usr/local/bin/filebrowser \ 
 +  --address 127.0.0.1 \ 
 +  --port 8080 \ 
 +  --root /opt/navidrome/music \ 
 +  --database /var/lib/filebrowser/filebrowser.db 
 +Restart=always 
 +RestartSec=5 
 + 
 +[Install
 +WantedBy=multi-user.target 
 +</code> 
 + 
 +Once that's in place, load the unit and start the service: 
 + 
 +  sudo systemctl daemon-reload 
 +  sudo systemctl enable --now filebrowser 
 + 
 +Make sure to customize the unit file for your own use-case. For example, you might have a different startup directory, different listening port, and so on. Once the unit file is created and the service has started, let's make sure that ACL is installed so we can set a custom rule for the filebrowser UNIX user, which the filebrowser's GUI / sql lite database will send commands to via your web session, which is behind a reverse proxy in apache. Let's get that done: 
 +   
 +  sudo apt install acl 
 +  sudo setfacl -R -m u:filebrowser:rwx /opt/navidrome/music 
 +  sudo setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music 
 +   
 +UPDATE: This is actually overkill. You can simply: 
 +  sudo chown -R filebrowser:navidrome /opt/navidrome  
 +   
 +Bear in mind, however, that new files will be owned by filebrowser:filebrowser, but since you added navidrome and/or jellyfin to the filebrowser group up above ... you are covered. Nothing else is required. Filebrowser owns the directory and is behind SQL-lite and the authorized user and navidrome can read via the group privs.  
 + 
 +This assumes ''/opt/navidrome/music'' is already established and running. If not, then consult the [[https://wiki.haacksnetworking.org/doku.php?id=computing:navidrome|Navidrome]] tutorial first. The ACL above gives every current file read and write access (first stanza) and all future users read and write access (second stanza). At this time, filebrowser is already running, but behind port 8080. Now, one could simply access it with ''http://domain:com:8080'' but that won't be TLS secured and is just kind of janky. So, for these cases, we create a reverse proxy that sits facing the public and receiving requests, and then pushes incoming requests upstream to the filebrowser service running locally on port 8080. To do that, let's first edit ''/etc/apache2/000-default.conf'' and edit the ServerName to ''domain.com'', change the web root to ''/var/www/domain.com/public_html'' and leave everything else as is. Restart the service with ''systemctl restart apache2'' and then let's create a Let's Encrypt cert on the thusly adjusted default virtual host: 
 + 
 +  sudo apt install certbot letsencrypt python3-certbot-apache 
 +  sudo certbot --authenticator standalone --installer apache -d domain.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2" 
 + 
 +This will create another virtual host at ''000-default-le.conf'' or something similar. It will be automatically activated along with ''000-default.conf'' by default. But, this is serving requests from ''/var/www/domain.com/public_html'', and so the upstream filebrowser service is entirely ignored. But/and, the dirty work of creating the TLS cert is now done, so we can simply drop in some replacement configurations into both vhosts and restart the apache2 service and everything will automagically work. Open ''nano /etc/apache2/sites-available/000-default.conf'' and drop this inside: 
 + 
 +<code bash> 
 +<VirtualHost *:80> 
 +    ServerName upload.gnulinux.studio 
 +    RewriteEngine On 
 +    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301] 
 +</VirtualHost> 
 +</code> 
 + 
 +Now, let's do the same trick with the https virtual host. Open up ''nano /etc/apache2/sites-available/000-default-le.conf'' and drop this inside: 
 + 
 +<code bash> 
 +<VirtualHost *:443> 
 +    ServerName upload.gnulinux.studio 
 +    SSLEngine on 
 +    SSLCertificateFile      /etc/letsencrypt/live/domain.com/fullchain.pem 
 +    SSLCertificateKeyFile   /etc/letsencrypt/live/domain.com/privkey.pem 
 + 
 +    ProxyPreserveHost On 
 +    ProxyPass / http://127.0.0.1:8080/ 
 +    ProxyPassReverse / http://127.0.0.1:8080/ 
 + 
 +    RewriteEngine On 
 +    RewriteCond %{HTTP:Upgrade} websocket [NC] 
 +    RewriteCond %{HTTP:Connection} upgrade [NC] 
 +    RewriteRule ^/?(.*) ws://127.0.0.1:8080/$1 [P,L] 
 +</VirtualHost> 
 +</code> 
 + 
 +Once this is done, you should be good to go. Make sure that:
  
-4Systemd unit (final working version)   +  * If you already using domain.com, then change the above to sub.domain.com 
-   `/etc/systemd/system/filebrowser.service` +  * LAMP stack won't work unless all modules, headers, and mpm_event/fpm working 
-   ```ini +  * Have fail2ban configured
-   [Unit] +
-   Description=File Browser +
-   After=network.target+
  
-   [Service] +This tutorial is not designed to provide a full tutorial on these topics, but generally these modules are enough:
-   User=filebrowser +
-   Group=filebrowser +
-   WorkingDirectory=/var/lib/filebrowser +
-   ExecStart=/usr/local/bin/filebrowser \ +
-     --address 127.0.0.1 \ +
-     --port 8080 \ +
-     --root /opt/navidrome/music \ +
-     --database /var/lib/filebrowser/filebrowser.db +
-   Restart=always +
-   RestartSec=5+
  
-   [Install] +  sudo a2enmod ssl 
-   WantedBy=multi-user.target +  sudo a2enmod proxy 
-   ``` +  sudo a2enmod proxy_http 
-   ```bash +  sudo a2enmod proxy_wstunnel 
-   sudo systemctl daemon-reload +  sudo a2enmod headers 
-   sudo systemctl enable --now filebrowser +  sudo a2enmod rewrite 
-   ```+  sudo a2enmod remoteip 
 +  sudo a2enmod proxy_fcgi 
 +  sudo a2enmod setenvif
  
-5. Give File Browser permanent write access to the existing Navidrome library   +If you need more guidance, see the Apache Survival Tutorial already linked at the top. If you need help with mpm_event and fpm, use my [[https://wiki.haacksnetworking.org/doku.php?id=computing:selfhostedwp|WordPress]] tutorial. The only other thing you can optionally do is setup a rule to stop repeat brute-force attackers on Filebrowser's auth mechanism. This is optional, but here's a recipe I got off Reddit and adjusted. Open up ''/etc/fail2ban/jail.d/filebrowser.conf'' and create the jail:
-   ```bash +
-   sudo setfacl -R -m u:filebrowser:rwx /opt/navidrome/music +
-   sudo setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music +
-   ```+
  
-6Apache reverse-proxy vhosts (already present)+<code bash> 
 +[filebrowser] 
 +enabled = true 
 +backend = systemd 
 +port = 8080 
 +filter = filebrowser 
 +logpath = /var/log/filebrowser/filebrowser.log 
 +maxretry = 3 
 +findtime = 600 
 +bantime = 3600 
 +action = iptables-allports[name=filebrowser] 
 +</code>
  
-   HTTP → HTTPS redirect   +After the jail is established, we need to create the filter that the jail leverages to decide on whether it bans the request. To do that, open up ''/etc/fail2ban/filter.d/filebrowser.conf'' and drop the filter rules in it:
-   `nano /etc/apache2/sites-available/upload.gnulinux.studio.conf+
-   ```apache +
-   <VirtualHost *:80> +
-       ServerName upload.gnulinux.studio +
-       RewriteEngine On +
-       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301] +
-   </VirtualHost> +
-   ```+
  
-   HTTPS reverse proxy   +<code bash
-   `nano /etc/apache2/sites-available/upload.gnulinux.studio-le-ssl.conf` +[INCLUDES] 
-   ```apache +before = common.conf 
-   <VirtualHost *:443+[Definition] 
-       ServerName upload.gnulinux.studio +datepattern = ^%%Y/%%m/%%d %%H:%%M:%%S 
-       SSLEngine on +failregex = /api/login: 403 <HOST> .
-       SSLCertificateFile      /etc/letsencrypt/live/upload.gnulinux.studio/fullchain.pem +ignoreregex = 
-       SSLCertificateKeyFile   /etc/letsencrypt/live/upload.gnulinux.studio/privkey.pem+</code>
  
-       ProxyPreserveHost On +Make sure to adjust bantime, maxretry, and findtime to your preferencesAlso, apache-auth's default jail is not designed for reverse proxiesSo, let's create one more jail+filter to block repeat offenders against the proxy, which will trigger a 401 and/or 403 due to them trying to access something that does not existLet's open up the jail file ''/etc/fail2ban/jail.d/apache-auth.conf'' and drop this inside:
-       ProxyPass / http://127.0.0.1:8080/ +
-       ProxyPassReverse http://127.0.0.1:8080/+
  
-       RewriteEngine On +<code bash> 
-       RewriteCond %{HTTP:Upgrade} websocket [NC+[apache-auth
-       RewriteCond %{HTTP:Connection} upgrade [NC] +enabled = true 
-       RewriteRule ^/?(.*) ws://127.0.0.1:8080/$1 [P,L+port = http,https 
-   </VirtualHost> +filter = apache-auth 
-   ```+logpath = /var/log/apache2/error.log 
 +maxretry = 5 
 +findtime = 600 
 +bantime = 3600 
 +action = iptables-allports[name=apache-auth
 +</code>
  
-Done.   +Now, for the filterlet's open ''/etc/fail2ban/filter.d/apache-auth.conf'' and drop the following inside:
-https://upload.gnulinux.studio now writes **straight** into the reallive Navidrome music tree at `/opt/navidrome/music`  +
-Everything appears and plays instantly.+
  
-### One-page note to yourself (for the other Navidrome thread)+<code bash> 
 +[Definition] 
 +failregex = ^<HOST> -.*"(GET|POST|HEAD).* 401 
 +            ^<HOST> -.*"(GET|POST|HEAD).* 403 
 +ignoreregex = 
 +</code>
  
-This entire setup lives on the **exact same VM** `gnulinux.studio` that already runs Navidrome on the main domain.+This creates a separate jail for common errors brute-forcers will receive when they are trying to access your instance's directories etc. Restart the service ''systemctl restart fail2ban'' and you should be good to goIf you need help, hit me up on [[https://matrix.to/#/@haacksnetworking:gnulinux.club|Matrix]]; I'll be happy to help!
  
-- Navidrome is reachable at https://gnulinux.studio (primary vhost)   +Happy Hacking !!!
-- File Browser is reachable at https://upload.gnulinux.studio (separate Apache vhost, same Let’s Encrypt cert)   +
-- File Browser’s `--root` points directly at `/opt/navidrome/music` (Navidrome’s real library – no symlinks, no extra folder)   +
-- Write access for the `filebrowser` system user is granted **exclusively** by two ACL commands: +
-  ```bash +
-  setfacl -R -m u:filebrowser:rwx /opt/navidrome/music +
-  setfacl -R -m d:u:filebrowser:rwx /opt/navidrome/music +
-  ``` +
-  No group membership, no setgid, no cron required for functionality.   +
-- Navidrome continues to own most files and always has group `navidrome`, so it reads everything perfectly.   +
-- File Browser creates files as `filebrowser:navidrome` (group inheritance) → Navidrome plays them instantly.+
  
- --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/09 03:07//+ --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/12/11 16:14//
computing/filebrowser.1765249690.txt.gz · Last modified: by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki