
Reverse Proxy or noauth is not bypassing the login page of Filebrowser.

Open kondasandeep13 opened this issue 3 years ago • 3 comments

Description

I was trying to implement the reverse proxy using the docker image as well as using the source code.

I created a container from the filebrowser/filebrowser image, using the config "filebrowser.json" with the content below.

Docker Command: docker run -itd -v ~/.filebrowser.json:/.filebrowser.json -p 8080:80 --name filebrowser filebrowser/filebrowser

.file_browser.json:

{
  "port": 80,
  "authMethod": "proxy",
  "authHeader": "username",
  "baseURL": "",
  "address": "",
  "log": "stdout",
  "database": "/database.db",
  "root": "/srv"
}

Expected behaviour

I expected to bypass the login of filebrowser: after the reverse proxy auth succeeds, the username header is passed to filebrowser with the authenticated username, which should then log me in automatically.

What is happening instead?

After running the container with the above config, it still shows the Filebrowser login page in the client browser.

Additional context

I have tried with the source code as well, but it still lands on the same login page.

$ filebrowser.exe config set --auth.method=proxy --auth.header=username

Sign up:         false
Create User Dir: false
Auth method:     proxy
Shell:
Branding:
  Name:
  Files override:
  Disable external links: false
  Color:
Server:
  Log:          stdout
  Port:         8080
  Base URL:
  Root:         .
  Socket:
  Address:      127.0.0.1
  TLS Cert:
  TLS Key:
  Exec Enabled: false
Defaults:
  Scope:        .
  Locale:       en
  View mode:    list
  Single Click: false
  Commands:
  Sorting:
    By:  name
    Asc: false
  Permissions:
    Admin:    false
    Execute:  true
    Create:   true
    Rename:   true
    Modify:   true
    Delete:   true
    Share:    true
    Download: true

Auther configuration (raw):

{ "header": "username" }

Additional Info

I have tried using auth.method=noauth, and it still shows the login page with noauth. The expected behavior is that it should not show the Filebrowser default login page.

Please help me out to fix this ASAP. Thanks

kondasandeep13 avatar Aug 24 '22 11:08 kondasandeep13

Currently it's not possible to set the authentication method using a configuration file; authMethod is not a valid entry. The noauth option can be used to configure the authentication method, check https://filebrowser.org/cli/filebrowser. Keep in mind that using this option only works when there's no existing database file. For existing installations, the filebrowser config command must be used, check https://filebrowser.org/cli/filebrowser-config-set.

ramiresviana avatar Aug 29 '22 00:08 ramiresviana

Thanks for the comments.

How can I use the existing database or config from a docker container to create a new container out of it?

kondasandeep13 avatar Aug 29 '22 07:08 kondasandeep13

An existing database file can be used by providing it to docker using bind mounts. The default configuration utilizes the /database.db path, running docker run -v path/to/file:/database.db filebrowser/filebrowser will create a container with a bind to the provided path.

ramiresviana avatar Aug 29 '22 13:08 ramiresviana

@ramiresviana Same issue here. I've configured it to use proxy authentication, however, I'm still getting the un/pw prompt screen. Wondering what the solution ended up being.

I'm using a compose file with the latest :s6 pull (today).

Here's my docker compose:

  filebrowser:
    image: filebrowser/filebrowser:s6
    container_name: filebrowser
    environment:
      - PUID=1001
      - PGID=1001
    volumes:
      - /media/docker/appdata/filebrowser:/config
      - /media/docker/appdata/filebrowser/database:/database
      - /media/files:/data
    ports:
      - 80:80
    networks:
      - mynet
    depends_on:
      - swag
    restart: unless-stopped

Starting from scratch (no database yet), the first thing I do is drop a copy of settings.json into my /media/docker/appdata/filebrowser directory, which shows up as /config/settings.json on the container side. Then I start the filebrowser container and the db is created in /database. Here's the settings file I'm starting with:

{
  "port": 80,
  "baseURL": "/filebrowser",
  "address": "",
  "log": "stdout",
  "database": "/database/filebrowser.db",
  "auth.method": "proxy",
  "auth.header": "X-WEBAUTH-USER",
  "root": "/data"
}

And here's my proxy config file for NGINX (using linuxserver's "swag" container):

location /filebrowser {
    return 301 $scheme://$host/filebrowser/;
}

location ^~ /filebrowser/ {
    # To use the Organizr-auth API
    include /config/nginx/proxy-confs/organizr-auth.subfolder.conf;
    auth_request /auth-0;

    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;
    set $upstream_app filebrowser;
    set $upstream_port 80;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

The included proxy.conf (supplied by the swag container) looks like this:

## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

Any help would be appreciated. Thanks!

PriamX avatar Sep 27 '22 22:09 PriamX
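A quick configuration check for the setup in the post above, added here as an example and not code from this thread or from the filebrowser project: it takes the header name given to --auth.header and the nginx location block that proxies to filebrowser, and reports whether the proxy actually sets that header, and sets it from the auth subrequest's result rather than passing through whatever the client sent. The sample location blocks and the $upstream_http_x_webauth_user response-header name are constructed assumptions.

```python
import re

# One "proxy_set_header NAME VALUE;" directive per line, and the variables
# that auth_request_set fills from the auth subrequest's response headers.
SET_HEADER_RE = re.compile(r'^\s*proxy_set_header\s+(\S+)\s+(.*?)\s*;', re.M)
AUTH_SET_RE = re.compile(r'^\s*auth_request_set\s+(\$\w+)\s+', re.M)


def check_proxy_auth(auth_header, nginx_location):
    """List problems with how the location block supplies auth_header (the name
    given to --auth.header); [] means the proxy sets it from the auth result."""
    findings = []
    if not re.search(r'^\s*auth_request\s', nginx_location, re.M):
        findings.append("no auth_request: nobody authenticates the user before proxying")
    set_headers = {n.lower(): v for n, v in SET_HEADER_RE.findall(nginx_location)}
    value = set_headers.get(auth_header.lower())
    if value is None:
        findings.append(f"{auth_header} is never set by the proxy: filebrowser gets no "
                        "identity (login page), and a client could send the header itself")
    elif value.lower().startswith("$http_"):
        findings.append(f"{auth_header} is copied from the client request ({value}): "
                        "the identity is attacker-controlled")
    elif value.startswith("$") and value not in AUTH_SET_RE.findall(nginx_location):
        findings.append(f"{auth_header} uses {value}, which auth_request_set never fills")
    elif not value.startswith("$"):
        findings.append(f"{auth_header} is the fixed value {value!r}: everyone becomes that user")
    return findings


# Constructed sample modelled on the block posted above: auth_request is
# present, but X-WEBAUTH-USER is never set on the request to the backend.
BROKEN = """location ^~ /filebrowser/ {
    auth_request /auth-0;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://filebrowser:80;
}
"""

# Constructed fix: take the user from the auth subrequest's response header
# ($upstream_http_x_webauth_user is an assumed name; it depends on the auth
# backend) and set it explicitly, which overwrites anything the client sent.
FIXED = BROKEN.replace(
    "    proxy_pass",
    "    auth_request_set $auth_user $upstream_http_x_webauth_user;\n"
    "    proxy_set_header X-WEBAUTH-USER $auth_user;\n"
    "    proxy_pass",
)
```

Run check_proxy_auth("X-WEBAUTH-USER", BROKEN) against your own block to see which of the four conditions it trips.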

Well, been doing a bit of troubleshooting on this.

I've found you cannot make changes that involve the database while filebrowser is running (you'll get a timeout error); it's probably a DartDB lockfile issue. So if you need to run any commands like filebrowser -c /config/settings.json config set <etc etc> then you need to stop the filebrowser service first. I use:

docker exec -it filebrowser /bin/bash
cd /var/run/s6/services
s6-svc -d filebrowser

My docker pull is filebrowser/filebrowser:s6 so that method is only available on the s6 containers.

This stops filebrowser, but allows you to stay in the container's shell and run any filebrowser command you need to.

I've found that filebrowser -c /config/settings.json config set --auth.method=noauth works well.

And going back to filebrowser -c /config/settings.json config set --auth.method=json also works well.

But filebrowser -c /config/settings.json config set --auth.method=proxy --auth.header=X-WEBAUTH-USER just really doesn't work. Not in the sense that authentication fails, which is what I'd expect if, for example, my nginx proxy configuration was wrong; instead it still presents the login page, and authentication doesn't work.

So it's looking like one of two things: 1. proxy auth is just broken and needs work, OR 2. the documentation is just broken and needs work. ;) One way or the other, I'm missing something. Any help/advice here would be appreciated.

PriamX avatar Sep 28 '22 02:09 PriamX

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Oct 29 '22 02:10 github-actions[bot]

Just commenting because it's still an issue.

PriamX avatar Oct 30 '22 05:10 PriamX

I made it work with swag.

Will post the setup in a bit.

C8opmBM avatar Oct 31 '22 12:10 C8opmBM

So first, if you're using swag, their default way to authenticate is sub.domain.xxx/authelia. We need to change it to auth.domain.xxx.

To do that, in the authelia config make sure you have

server:
  path: "" #(instead of "authelia")

and

default_redirection_url: https://auth.domain.xxx

Then you need to replace/update the following in swag/nginx folder:

authelia-location.conf - make sure you substitute last line with your domain

## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-location.conf.sample
# Make sure that your authelia container is in the same user defined bridge network and is named authelia
# Make sure that the authelia configuration.yml has 'path: "authelia"' defined

## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /authelia;

## Set the $target_url variable based on the original request.

## Comment this line if you're using nginx without the http_set_misc module.
set_escape_uri $target_url $scheme://$http_host$request_uri;

## Uncomment this line if you're using NGINX without the http_set_misc module.
# set $target_url $scheme://$http_host$request_uri;

## Save the upstream response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;

## Inject the response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;

## If the subrequest returns 200 pass to the backend, if the subrequest returns 401 redirect to the portal.
error_page 401 =302 https://auth.domain.xxx/?rd=$target_url;

and authelia-server.conf

## Version 2022/09/22 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/authelia-server.conf.sample
# Make sure that your authelia container is in the same user defined bridge network and is named authelia

set $upstream_authelia http://authelia:9091/api/verify;

## Virtual endpoint created by nginx to forward auth requests.
location /authelia {
    ## Essential Proxy Configuration
    internal;
    proxy_pass $upstream_authelia;

    ## Headers
    ## The headers starting with X-* are required.
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";

    ## Basic Proxy Configuration
    proxy_pass_request_body off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
    client_body_buffer_size 128k;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
}

I temporarily bypassed filebrowser in authelia. Then I removed auth in filebrowser because, for me, the login screen wouldn't accept any user credentials:

docker exec -it filebrowser /bin/bash
cd /var/run/s6/services
s6-svc -d filebrowser
filebrowser -c /config/settings.json config set --auth.method=noauth

Then restart the container, go to the filebrowser WebUI (now without auth) and create a new user/pass (this should match your existing authelia user, or create the exact same new user in authelia).

Make sure you restart containers then enable Remote-User header in filebrowser:

docker exec -it filebrowser /bin/bash
cd /var/run/s6/services
s6-svc -d filebrowser
filebrowser -c /config/settings.json config set --auth.method=proxy --auth.header=Remote-User

This should now work (after a restart). Authelia will ask for authentication (I have 2FA with yubico); once confirmed, it will log you directly in to filebrowser with the same user (the authelia login and filebrowser login should be the same).

Let me know if that worked for you. Cheers

C8opmBM avatar Oct 31 '22 13:10 C8opmBM

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Dec 01 '22 02:12 github-actions[bot]

This issue was closed because it has been stalled for 5 days with no activity.

github-actions[bot] avatar Dec 06 '22 02:12 github-actions[bot]

Okay, sorry, I missed your solution when you posted it and just noticed an email on the auto-closure and so hopped back on this thread.

I've been using swag too, but was trying to get it to work with nginx's "subfolder" proxy method.

I'm not using authelia, but am using Organizr-auth API, which may or may not be an obstacle.

But, if I'm understanding your solution correctly, you've started with the "subdomain" method instead of the "subfolder" method?

PriamX avatar Dec 06 '22 09:12 PriamX

Hi, indeed the solution is for the subdomain setup with authelia, which I currently use. Haven't tested it with subdomain, though it should work with little modifications. I am not familiar with Organizr though.

C8opmBM avatar Dec 06 '22 09:12 C8opmBM

Thanks. I'll move it over to a subdomain-type config and then see if I can get it to work with Organizr auth. I'll report back here.

PriamX avatar Dec 06 '22 09:12 PriamX

I would like a solution with Apache reverse-proxy.

mqu avatar May 02 '23 13:05 mqu

I just spent a few hours making it work with Traefik as the reverse proxy, using this version of traefik-forward-auth as middleware. This results in the X-Forwarded-User header either containing the email address for valid users, or nothing for invalid users, who won't even be routed to your Filebrowser instance.

I believe this should be easy to modify to fit other reverse proxies with authentication.

In order to make it work, I overrode the entrypoint of the docker image, using these lines in the docker-compose.yml file:

    volumes:
      - filebrowser_config:/config
    entrypoint:
      - /bin/sh
      - /config/filebrowser.sh

In the filebrowser_config volume, I added a filebrowser.sh file containing these lines:

#!/bin/bash
# Note1: It appears output to stderr will cause this file to be executed multiple times. Fixed by redirecting stderr to stdout with "2>&1".
# Note2: Also, blank lines in this file cause errors.
echo -e "============================================"
#
echo -e "\nPre-run cleanup:"
# -f so a missing database on first start does not produce an error on stderr
rm -f filebrowser.db 2>&1
#
echo -e "\n=== Init defaults:"
/filebrowser config init --port 8080 --address "0.0.0.0" --baseurl "" --log "stdout" --root="/data" --auth.method='noauth' --commands "" --lockPassword --perm.admin="true" --perm.create="true" --perm.delete="true" --perm.execute="true" --perm.modify="true" --perm.rename="true" --signup="false" 2>&1
#
echo -e "\n=== Add users:"
# The username must match what the proxy puts in X-Forwarded-User (an email here)
/filebrowser users add [email protected] "" 2>&1
/filebrowser users add [email protected] "" 2>&1
#
echo -e "\n=== Configure proxy auth"
/filebrowser config set --auth.method=proxy --auth.header=X-Forwarded-User 2>&1
#
echo -e "\n=== Execute:"
/filebrowser 2>&1

Note:

  • This recreates the database file every time the container is restarted.
  • Valid users must be added manually to the script, as seen above.
  • This is not safe, so use it only on your internal network.

f-steff avatar Jun 02 '23 22:06 f-steff