User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
selfhost:fileserver [2024/01/18 14:08] willyselfhost:fileserver [2025/03/13 09:29] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
-====== File Server ======+====== H) File Server ======
  
 +I will not discuss how to share your files on the home network using __legacy__ tools like [[https://it.wikipedia.org/wiki/Network_File_System|NFS]] or [[https://it.wikipedia.org/wiki/Samba_(software)|SAMBA]], there are plenty of tutorials online and, beside, it's kind out of the scope for self-hosting.
  
-Access to a **common area** (future: also user-specific **private** areas).+I will focus on how to provide access via __web browser__ and via __WebDAV__, which is web-based sharing protocol a bit like NFS or SAMBA, but aimed ad broader //in**ter**net// access, and not //in**tra**net// access.
  
-Access must be both from web page (HTTP/S) and from WebDAV.+The idea is to create share areas where your users will be able to store files. It is possible to extend this idea also to user-specific areas where each user can put private stuff not visible by other users, but this require a little bit extra complexity and might be addressed in the future.
  
-[[https://filebrowser.org/|File Browser]] is used for web based access from browser.+You will be using your SSO authentication, there will be no need to create new users anywhere, and it will of course be protected by the Reverse Proxy for external access.
  
-[[https://httpd.apache.org/|Apache]] is used as WebDAV server. 
  
-[[sailing:NGINX]] is used as reverse proxy to provide secure access to both WebDAV clients and browsers.+===== Overall Architecture and Shares =====
  
 +This solution leverages different tools:
 +  * [[services:cloudcommander|CloudCommander]], full featured file manager
 +  * [[services:filebrowser|FileBrowser]], nicer UI but lesser functionalities than Cloud Commander
 +  * [[https://httpd.apache.org/download.cgi|Apache]] strictly as WebDAV server
  
-===== Permissions and Users =====+Note: choosing between FileBrowser or Cloud Commander is a matter of preference. I use both, for different kind of shares.
  
-All users need to be in the **users** group.+The NGINX reverse proxy will integrate with your preferred [[selfhost:sso|SSO]] authentication and add the HTTPS layer to ensure all access is properly encrypted.
  
-The **common** share will be accessible by any user in the **users** group.+I will assume that your shares are under **/shares**, but of course each share can be located anywhere you like. Let's also assume, as an example, that your share is called __/shares/common__ and is managed by the user __fileserver__ of the group __users__. The requirement for users and groups will be detailed later on.
  
-===== Shares Configuration =====+Each share folder will have the following structure: 
 +  * /share/common/: main folder 
 +  * /share/common/db: contains the FileBrowser database, needed for browser access (not needed for CloudCommander) 
 +  * /share/common/webdav: contains WebDAV specific stuff, for WebDAV access 
 +  * /share/common/data: contains the actual shared files and directories.
  
-Files will be under **/home/common** for example. The shares will be configured in the **/etc/conf.d/shares** file: +This structure is provided as an example to follow, of course you can move the individual folders where you prefer. The only caveat is that, for security reasons, the **db** and **webdav** folder should **not** be inside the **data** folder.
-<file txt shares> +
-SHARES="common:3002 other:3003" +
-</file>+
  
-where "common" and "other" is the name of the folder under **/home** and 3002/3003 is the port number (which will be needed for NGINX reverse proxy access via browser).+You will also need to assign two ports for each share, as an example for our //common// share: 
 +  * 3002: port for FileBrowser or Cloud Commander 
 +  * 10001: port for Apache WebDAV server
  
 +Any other share can start from these port numbers and go up in numbering.
  
-===== Software Installation for Browser access =====+I choose to assign a dedicated subdomain, **drive.mydomain.com**, as file server and organize the shares like this: 
 +  * **https://drive.mydomain.com/common**: direct browser access URL for __common__ 
 +  * **https://drive.mydomain.com/webdav/common**: WebDAV specific access URL for __common__ 
 +  * **https://drive.mydomain.com**: will show a main directory page to access the shares.
  
-[[https://filebrowser.org/|File Browser]] is a nice web-based file manager that you can use to access your file server via browser.+You can add any more folders as separate shares as you likeDue to how WebDAV works, it is mandatory to separate the browser accessible URLs from the WebDAV ones, like i did above.
  
-I do not like the default installation method because it will install system-wide. I will show you how to install in a more customized way. 
  
-first you need to create a new user: +=== Permissions and Users ===
-<code bash> +
- > useradd -d /data/daemons/filebrowser -m filebrowser -g users +
-</code>+
  
-the //filebrowser// user will have **users** as it's main group so that any files managed by it can be accessed and managed by users as well.+(Note: you should set both FileBrowser and Cloud Commander with user **fileserver**)
  
-You will need to create the following folders architecture in your //filebrowser// home folder: +Each share will be accessible by different users, so this needs to be planned a bit. For user-specific shares, not much needs to be done except run FileBrowser/Cloud Commander for the specific share as the specific user. This is left as an exercise for you.
-  * bin: where the FileBrowser binary will be located +
-  * data/db: where the FileBrowser databases files will be stored +
-  * data/logs: where the various log files will be created+
  
-You need to set the //umask// for the user to **0002** so that any new files created by it will be writable by the users.+For common shares instead, it's important to create one common user, which i will call **fileserver** user to run the associated services, and create the **/home/common** folder
  
-Then, as //filebrowser// user, get the software package and decompress it. The default install approach is based on a auto executable web link ([[https://raw.githubusercontent.com/filebrowser/get/master/get.sh|here]]) which i do not recommend to use directly. Instead go to [[https://github.com/filebrowser/filebrowser/releases/|here]] and download the proper package for your architecture. Then:+You need to assign that folder to the **users** group and the **fileserver** user:
 <code bash> <code bash>
- > su filebrowser +useradd -/shares/common -m fileserver -g users
- > echo "umask 0002" >> ~/.bashrc +
- > source ~/.bashrc +
- > mkdir bin data data/logs data/db +
- > cd bin +
- > tar xvf ../linux-amd64-filebrowser.tar.gz+
 </code> </code>
  
-Now, you will need to start a copy of FileBrowser for each share you want to have, and it must be owned by the user that want file permissions on that shareTo achieve thisyou will be using a special script called **fileserver.sh** which i will show you at the endbecause it will contain also the WebDAV start stuff in it.+You need to set the //umask// for the fileserver user to **0002** so that any new files created by it will be writable by the usersAlsocreate the **db** folder, where the FileBrowser database will need to be located, and the **webdav** folder, there specific Apache configuration need to be located, and of course don't forget the **data** folderwhere you can put the shared content itself: 
 +<code bash> 
 +su - fileserver 
 +echo "umask 0002" >> ~/.bashrc 
 +source ~/.bashrc 
 +mkdir db 
 +mkdir webdav 
 +mkdir data 
 +</code>
  
-===== Software Installation for WebDAV access ===== 
  
-While there are a few WebDAV servers like [[https://github.com/micromata/dave|Dave]], they seems to be either unmaintained or overly complicated. Also [[sailing:nginx|NGINX]] can be a WebDAV server, but it seems to be buggy and not supporting LOCK stuff, so i decided to go with Apache web server, which also has a long standing WebDAV implementation.+===== Fileserver access via Browser =====
  
-The idea here is to run a dedicated copy of Apache as user //filebrowser// and group //users// so that it can access and manage the shared filesSo first you need to emerge apache: +Both [[services:filebrowser|FileBrowser]] and [[services:cloudcommander|Cloud Commander]] are good tools for accessing your shares via browser. FileBrowser has a nice thumbnail system which makes it more useful for media and photo browsing, but it's quite quirkyCloud Commander is top notch in functionalities, but the UI is a bit more old-style and might not be the best choice for less tech savvy users.
-<code bash> +
- > emerge apache +
-</code> +
-WebDAV is enabled by default in Gentoo Apache ebuild.+
  
-Running apache manually requires some effortso, buckle up.+You can find installation instruction for both tools in the links above. Install both or the one you preferi will assume you have installed your pick on your system already by following my guides above.
  
-First of all, Apache needs some folders to operate, so you need to create: +You will need to run **one** instance of the tool you choose for //each share//, so you will to allocate one specific port for each share. I will describe how to run it for the **common** share, so the tool will run as the **fileserver** user that you created above. 
-  * /data/daemons/filebrowser/data/conf: to store the apache config file +
-  /data/daemons/filebrowser/data/roots: which will map as WebDAV root (you will see why) +
-  /data/daemons/filebrowser/data/locks: which will be used for WebDAV lock databases +
-  /data/daemons/filebrowser/data/pids: which will be used to store apache PID files+
  
-<code bash> +If you choose FileBrowser: 
- > su - filebrowser +So, create the specific **/etc/conf.d/fileserver.common**: 
- > mkdir /data/daemons/filebrowser/data/conf +<file - filebrowser.common> 
- > mkdir /data/daemons/filebrowser/data/root +BASE_URL="/common" 
-</code>+DATABASE="/shares/common/db/filebrowser_common.db" 
 +DESCRIPTION="Common web archive" 
 +FOLDER="/shares/common/data
 +GROUP="users" 
 +PORT=3002 
 +USER="fileserver" 
 +</file>
  
-Then create the Apache config file for each share. You should create this config that will be used by each share **/data/daemons/filebrowser/data/conf/apache_global.conf**: +If you choose Cloud Commander: 
-<file txt apache_global.conf+So, create the specific **/etc/conf.d/cloudcmd.common**: 
-ServerRoot "/usr/lib64/apache2+<file - cloudcmd.common
-LoadModule actions_module modules/mod_actions.so +BASE_URL="/common
-LoadModule alias_module modules/mod_alias.so +DESCRIPTION="Common web archive" 
-LoadModule auth_basic_module modules/mod_auth_basic.so +FOLDER="/shares/common/data" 
-LoadModule authn_anon_module modules/mod_authn_anon.so +GROUP="users" 
-LoadModule authn_core_module modules/mod_authn_core.so +PORT=3002 
-LoadModule authn_dbm_module modules/mod_authn_dbm.so +USER="fileserver"
-LoadModule authn_file_module modules/mod_authn_file.so +
-LoadModule authz_core_module modules/mod_authz_core.so +
-LoadModule authz_dbm_module modules/mod_authz_dbm.so +
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +
-LoadModule authz_host_module modules/mod_authz_host.so +
-LoadModule authz_owner_module modules/mod_authz_owner.so +
-LoadModule authz_user_module modules/mod_authz_user.so +
-LoadModule autoindex_module modules/mod_autoindex.so +
-<IfDefine CACHE> +
-LoadModule cache_module modules/mod_cache.so +
-</IfDefine> +
-LoadModule dav_module modules/mod_dav.so +
-LoadModule dav_fs_module modules/mod_dav_fs.so +
-LoadModule dav_lock_module modules/mod_dav_lock.so +
-LoadModule deflate_module modules/mod_deflate.so +
-LoadModule dir_module modules/mod_dir.so +
-LoadModule env_module modules/mod_env.so +
-LoadModule expires_module modules/mod_expires.so +
-LoadModule ext_filter_module modules/mod_ext_filter.so +
-<IfDefine CACHE> +
-LoadModule file_cache_module modules/mod_file_cache.so +
-</IfDefine> +
-LoadModule filter_module modules/mod_filter.so +
-LoadModule headers_module modules/mod_headers.so +
-<IfDefine HTTP2> +
-LoadModule http2_module modules/mod_http2.so +
-</IfDefine> +
-LoadModule include_module modules/mod_include.so +
-<IfDefine INFO> +
-LoadModule info_module modules/mod_info.so +
-</IfDefine> +
-LoadModule log_config_module modules/mod_log_config.so +
-TransferLog /deposito/archive/logs/common_transfer_log +
-LoadModule logio_module modules/mod_logio.so +
-LoadModule mime_module modules/mod_mime.so +
-LoadModule mime_magic_module modules/mod_mime_magic.so +
-LoadModule negotiation_module modules/mod_negotiation.so +
-LoadModule rewrite_module modules/mod_rewrite.so +
-LoadModule setenvif_module modules/mod_setenvif.so +
-<IfDefine STATUS> +
-LoadModule status_module modules/mod_status.so +
-</IfDefine> +
-LoadModule unique_id_module modules/mod_unique_id.so +
-LoadModule unixd_module modules/mod_unixd.so +
-<IfDefine USERDIR> +
-LoadModule userdir_module modules/mod_userdir.so +
-</IfDefine> +
-LoadModule usertrack_module modules/mod_usertrack.so +
-LoadModule vhost_alias_module modules/mod_vhost_alias.so +
-Include /etc/apache2/modules.d/*.conf+
 </file> </file>
  
-Then you can create one config file for each share. This is the file for the common share **/data/daemons/filebrowser/data/conf/common.conf**+Create the **init.d** symlink too, and start itOf course, choose a free port (3002).
-<file txt common.conf> +
-Include /data/daemons/filebrowser/data/conf/apache_global.conf+
  
-User filebrowser 
-Group users 
  
-DavLockDB "/data/daemons/filebrowser/data/locks/common" +===== Fileserver access via WebDAV =====
-PidFile /data/daemons/filebrowser/data/pids/common.pid +
-ErrorLog /data/daemons/filebrowser/data/logs/common_error_log +
-TransferLog /data/daemons/filebrowser/data/logs/common_transfer_log +
-CustomLog /data/daemons/filebrowser/data/logs/common_access_log common+
  
-DocumentRoot /data/daemons/filebrowser/data/roots+__NOTE:__ using HTTP will cause a 301 redirect to HTTPS, and WebDAV clients will fail. So use HTTPS URL in webdav clients and not HTTP.
  
-ServerName 127.0.0.+While there are a few WebDAV servers like [[https://github.com/micromata/dave|Dave]], they seems to be either unmaintained or overly complicatedAlso NGINX can be a WebDAV server, but it seems to be buggy and not supporting LOCK stuff, so i decided to go with Apache web server, which also has a long standing WebDAV implementation.
-Listen 127.0.0.1:10001+
  
-<Directory /data/daemons/filebrowser/data/roots+The idea here is to run a dedicated copy of Apache as user //fileserver// and group //users// so that it can access and manage the shared files. So first you need to emerge apache:   
-    DAV On +<code bash
-    AllowOverride All +emerge apache 
-    Options -Indexes +FollowSymlinks -ExecCGI -Includes +</code> 
-    Require all granted +WebDAV is enabled by default in Gentoo Apache ebuild, so there is no need to fix USE flags.
-</Directory>+
  
-SetEnv redirect-carefully+You will **not** be running Apache as system service, because that will mess with our user permission approach. I have prepared the following init script that manages to start separated Apache copies for each of your shares. Do drop the following file to **/etc/init.d/webdav**: 
 +<file webdav> 
 +#!/sbin/openrc-run 
 +# Copyright 2024 Willy Garidol 
 +# Distributed under the terms of the GNU General Public License v3
  
-# vim: ts=4 filetype=apache +depend() { 
-</file> +        need localmount net 
 +}
  
-Please note the Listen directive: you want apache to be bound to 127.0.0. only and note the port too, this port will be needed for the reverse proxy. Each share will need it's own port.+# Name of the share 
 +WD_SHARE_NAME="${SHARE_NAME}" 
 +# Where is the original data 
 +WD_DATA_FOLDER="${DATA_FOLDER}" 
 +# Where WebDAV temporary stuff will be located 
 +WD_TEMP_FOLDER="${TEMP_FOLDER}" 
 +WD_ROOT_FOLDER="${WD_TEMP_FOLDER}/root" 
 +WD_MOUNT_FOLDER="${WD_TEMP_FOLDER}/root/webdav/${WD_SHARE_NAME}" 
 +WD_LOCKS_FOLDER="${WD_TEMP_FOLDER}/locks"
  
-Now, the fun part is that you want to protect this behind the NGINX reverse proxy and it seems that WebDAV does **not** play well with URL redirection and similar funny things. In other words, the base url you will be using on the reverse proxy must match the url in the Apache. You cannot use rewrite directives or Alias stuff+WD_TIMEOUT=${TIMEOUT:-5} 
 +WD_LOG_PATH="/var/log/webdav" 
 +WD_SLOT="${SVCNAME#webdav.}" 
 +WD_USER=${USER:-${WD_SLOT}} 
 +WD_GROUP=${GROUP:-${WD_SLOT}}
  
-Since you will be exposing the browser-based access as **https://your_server/archive/common** and the WebDAV access as **https://your_server/webdav/common** it means that we need to sym-link your **/home/common folder to /data/daemons/filebrowser/data/roots/webdav/common** for it to work:+description=${DESCRIPTION:-WebDAV starter} 
 +pidfile="/run/${RC_SVCNAME}.pid" 
 +apache_args=( 
 +-c "ServerRoot /usr/lib64/apache2" 
 +-c "LoadModule dav_module modules/mod_dav.so" 
 +-c "LoadModule dav_fs_module modules/mod_dav_fs.so" 
 +-c "LoadModule dav_lock_module modules/mod_dav_lock.so" 
 +-c "Include /etc/apache2/modules.d/*.conf" 
 +-c "User ${WD_USER}" 
 +-c "Group ${WD_GROUP}" 
 +-c "DavLockDB ${WD_TEMP_FOLDER}/locks" 
 +-c "PidFile ${pidfile}" 
 +-c "ErrorLog ${WD_LOG_PATH}/${WD_SLOT}/error.log" 
 +-c "CustomLog ${WD_LOG_PATH}/${WD_SLOT}/access.log common
 +-c "DocumentRoot ${WD_ROOT_FOLDER}" 
 +-c "ServerName 127.0.0.1" 
 +-c "Listen 127.0.0.1:${PORT}" 
 +-c "<Directory ${WD_ROOT_FOLDER}>" 
 +-c " DAV On" 
 +-c " AllowOverride All" 
 +-c " Options -Indexes +FollowSymlinks -ExecCGI -Includes" 
 +-c " Require all granted" 
 +-c "</Directory>" 
 +-c "SetEnv redirect-carefully" 
 +)
  
 +start_pre() {
 +        # script must be run with ".sharename" symlink:
 +        if [ "${WD_SLOT}" = "webdav" ]
 +        then
 +                ebegin "Error: do not run this script, run a link to it!"
 +                eend 255
 +                return 255
 +        fi
 +        # Data folder must exist:
 +        if [ -z ${WD_DATA_FOLDER} -o ! -d ${WD_DATA_FOLDER} ]
 +        then
 +                ebegin "Error: DATA_FOLDER must be defined and path must exist!"
 +                eend 255
 +                return 255
 +        fi
 +        # Create log paths
 +        test -e "${WD_LOG_PATH}" || mkdir "${WD_LOG_PATH}"
 +        test -e "${WD_LOG_PATH}/${WD_SLOT}" || {
 +                ebegin "Creating log path '${WD_LOG_PATH}/${WD_SLOT}'"
 +                mkdir "${WD_LOG_PATH}/${WD_SLOT}"
 +        } && chown -R ${WD_USER} "${WD_LOG_PATH}/${WD_SLOT}"
 +        # Create all temporary paths:
 +        for path in ${WD_TEMP_FOLDER} ${WD_ROOT_FOLDER} ${WD_MOUNT_FOLDER} ${WD_LOCKS_FOLDER}
 +        do
 +                test -e ${path} || {
 +                        ebegin "Creating '${path}' path"
 +                        mkdir -p ${path}
 +                        chown ${WD_USER}:${WD_GROUP} ${path}
 +                }
 +        done
 +        test -z "$(mount | grep ${WD_MOUNT_FOLDER})" && {
 +                ebegin "Mounting/binding root path '${WD_DATA_FOLDER}' -> '${WD_MOUNT_FOLDER}'"
 +                mount -o bind ${WD_DATA_FOLDER} ${WD_MOUNT_FOLDER}
 +        }
 +        eend 0
 +}
 +
 +start() {
 +        start-stop-daemon -w ${WD_TIMEOUT} --start --pidfile "${pidfile}" -- \
 +                /usr/bin/apache2 "${apache_args[@]}"
 +        eend $?
 +}
 +
 +stop_post() {
 +        test -n "$(mount | grep ${WD_MOUNT_FOLDER})" && {
 +                ebegin "Unmounting/unbinding root path '${WD_DATA_FOLDER}' -|-> '${WD_MOUNT_FOLDER}'"
 +                umount ${WD_MOUNT_FOLDER}
 +        }
 +        eend 0
 +}
 +</file>
 +and make it executable:
 <code bash> <code bash>
- > su - filebrowser +chmod +x /etc/init.d/webdav
- > cd data/root +
- > mkdir webdav +
- > cd webdav +
- > ln -s /home/common common+
 </code> </code>
  
-Now it's time to finish up. 
  
 +=== Create apache configuration files for each share ===
  
 +By using the above init script, defining a new share means to create a share symlink of that script and the associated config file.
  
-===== Reverse Proxy =====+For our __common__ example share, create the following **/etc/conf.d/webdav.common**: 
 +<file - webdav.common> 
 +DESCRIPTION="Common WebDAV archive" 
 +# this must point to where your data to be shared is located 
 +DATA_FOLDER="/deposito/shares/common/data" 
 +# this will contain temporary webdav stuff, will be created if missing 
 +TEMP_FOLDER="/deposito/shares/common/webdav" 
 +# this refers to the URL "https://drive.mydomain.com/webdav/<this part of the url>" 
 +SHARE_NAME="common" 
 +GROUP="users" 
 +USER="filebrowser" 
 +PORT=10001 
 +</file> 
 +Note the port, it needs to be unique and available.
  
-You want to integrate all this into the SSL enabled reverse proxy, which is also using PAM authentication.+Create the symlink: 
 +<code bash> 
 +ln -s /etc/init.d/webdav /etc/init.d/webdav.common 
 +</code>
  
-Now, reverse proxy is simple, but this into **/etc/nginx/folders/filebrowser.conf**: 
-<file txt filebrowser.conf> 
-  # Browser based access here 
-  location /archive/common/ { 
-        client_max_body_size 512M; 
  
-        proxy_pass http://127.0.0.1:3002; +=== Prepare apache folders for each share ===
-        proxy_http_version 1.1;+
  
-        proxy_set_header Connection $http_connection; +The above mentioned init script will create all the needed sub-folders for you, but here is a recap: 
-        proxy_set_header Connection 'upgrade'; +  /share/common/webdav/rootwhich will map as WebDAV root (you will see why) 
-        proxy_cache_bypass $http_upgrade; +  /share/common/webdav/lockswhich will be used for WebDAV lock databases
-        proxy_set_header Host $host; +
-        proxy_set_header X-Real-IP $remote_addr; +
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +
-        proxy_set_header X-Forwarded-Proto $scheme; +
-    } +
-    # WebDAV access +
-    location /webdav/common +
-        # https://mailman.nginx.org/pipermail/nginx/2007-January/000504.html - fix Destinationheader +
-        # https://trac.nginx.org/nginx/ticket/348 - bug, workaround with named capture +
-        set $dest $http_destination; +
-        if ($http_destination ~ "^https://(?<myvar>(.+))") { +
-                set $dest http://$myvar; +
-        }+
  
-        proxy_pass http://127.0.0.1:10001; +Those wll be created by the init script above if missingThey will not be deleted in any case, if existing.
-        proxy_redirect off; +
-        proxy_buffering off; +
-        gzip off; +
-        proxy_pass_request_headers on; +
-        proxy_set_header Destination       $dest; +
-        proxy_set_header      Host $host; +
-        proxy_set_header      X-Real-IP $remote_addr; +
-        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for; +
-}+
  
-</file> 
  
-and put this file include inside the usual **/etc/nginx*/folders/main.conf**, and restart nginx.+=== Messing with the WebDAV root folder ===
  
 +Now, the fun part is that you want to protect this behind the NGINX reverse proxy (for HTTPS and authorization reasons) and it seems that WebDAV does **not** play well with URL redirection and similar funny things. In other words, the base url you will be using on the reverse proxy **must match** the url in the Apache. You **cannot use** rewrite directives or Alias stuff.
  
 +Since you will be exposing the browser-based access as **https://drive.mydomain.com/common** and the WebDAV access as **https://drive.mydomain.com/webdav/common** it means that we need to connect your **/shares/common/data folder to /shares/common/webdav/root/webdav/common** for it to work. Nicely messed up eh?
  
-<file bash filebrowser.sh> +Since symbolic links cannot be used by WebDAV (could it be //that// simple?), the only viable option is **mount -o bind**. This is taken care automatically in the above init script.
-source /etc/conf.d/shares+
  
-BASE_PATH=/deposito/daemons/filebrowser/data 
  
-for i in $SHARES +=== Startup Apache for the share (and autostart) ===
-do +
-        SHARE=$(echo $i | cut -d: -f1) +
-        PORT=$(echo $i | cut -d: -f2) +
-        OWNER=filebrowser+
  
-        echo Starting FileBrowser for $OWNER on share $SHARE +Since you have already created the share specific startup script symlink and the associated config file, all you need to do is add it to the default runlevel and start it: 
-        su $OWNER -c "/deposito/daemons/filebrowser/bin/filebrowser config set --auth.method=noauth -$BASE_PATH/db/filebrowser_$SHARE.db >/dev/null" +<code bash> 
-        su - $OWNER -c "/deposito/daemons/filebrowser/bin/filebrowser -r /deposito/$SHARE -p $PORT -b /archive/$SHARE -d $BASE_PATH/db/filebrowser_$SHARE.db -l $BASE_PATH/logs/filebrowser_$SHARE.log 2$BASE_PATH/logs/filebrowser_${SHARE}_run.log"&+rc-update add webdav.common default 
 +/etc/init.d/webdav.common start 
 +</code>
  
-        echo Starting WebDAV backend for $OWNER on share $SHARE +===== Reverse Proxy and wrap-up =====
-        su $OWNER -c "apache2 -f /data/daemons/filebrowser/data/conf/$SHARE.conf" +
-done +
-</file>+
  
 +Everything is protected behind the [[selfhost:nginx|NGINX Reverse Proxy]], so you should create the following config file for the **drive** subdomain:
 +<file - drive.conf>
 +server {
 +        server_name drive.mydomain.com;
 +        listen 443 ssl; 
 +        listen 8443 ssl; 
 +        http2 on;
  
-And the usual autostart stuff: +        access_log /var/log/nginx/drive.mydomain.com_access_log main; 
-<file bash 40-filebrowser.start> +        error_log /var/log/nginx/drive.mydomain.com_error_log info;
-#!/bin/bash +
-/data/daemons/filebrowser/fileserver.sh +
-</file>+
  
-Make both files executable.+        # WebDAV requires basic auth, while normal auth can be used with FileBrowser 
 +        include "com.mydomain/authelia_location.conf"; 
 +        include "com.mydomain/authelia_location-basic.conf";
  
 +        location / {
 +                include "com.mydomain/authelia_proxy.conf";
 +                include "com.mydomain/authelia_authrequest.conf";
 +                root /home/web/drive;
 +        }
  
 +        location = /common {
 +                 return 301 https://$host/common/;
 +        }
  
-===== Background =====+        location /common/ { 
 +                include "com.mydomain/authelia_proxy.conf"; 
 +                include "com.mydomain/authelia_authrequest.conf"; 
 +                client_max_body_size 512M; 
 +                proxy_pass http://127.0.0.1:3002; 
 +                proxy_set_header Connection $http_connection; 
 +                proxy_set_header Connection 'upgrade'; 
 +                proxy_cache_bypass $http_upgrade; 
 +       }
  
-From users point of view, the common area will be managed by user **filebrowser** which is designed to run as group **users** with an //umask// 550 so that any files uploaded via web browser will be accessible to the normal users.+       location /webdav/common { 
 +                include "com.mydomain/authelia_proxy.conf"; 
 +                include "com.mydomain/authelia_authrequest-basic.conf";
  
-Of courseeach user will need to be part of the **users** group as well.+                # https://mailman.nginx.org/pipermail/nginx/2007-January/000504.html - fix Destination: header 
 +                # https://trac.nginx.org/nginx/ticket/348 - bugworkaround with named capture 
 +                set $dest $http_destination; 
 +                if ($http_destination ~ "^https://(?<myvar>(.+))") { 
 +                        set $dest http://$myvar; 
 +                }
  
-You will need a common "archive" folder under **/home/common** to store some needed stuff.+                # Warning: adding / at the end of the proxy_pass will break WebDAV! 
 +                proxy_pass http://127.0.0.1:10001; 
 +                proxy_buffering off; 
 +                gzip off; 
 +                proxy_pass_request_headers on; 
 +               proxy_set_header Destination       $dest; 
 +        } 
 +        client_max_body_size 100M; 
 +
 +</file>
  
-This folder will need to contain: +The reverse proxy configuration doesn't care if you choose FileBrowser of Cloud Commanderit's identical.
-  * **common** subfolderwhere the common area files will be stored (created in the [[sailing:filebrowser]] instructions) +
-  * **temp/uploads** subfolder, required by WebDAV to upload files  +
-  * **temp/pids** subfolder, to store NGINX pids +
-  * **temp/tmp** subfolder, to store NGINX run files +
-  * **logs** subfolder, to store NGINX log files +
-  * **conf** subfolder, where you will store custom NGINX config files for the private areas (and common area too)+
  
-Create the folders: +This example also shows how i have integrated [[selfhost:sso|SSO Authentication]] with the filesever.
-<code bash> +
- > mkdir /data/archive +
- > mkdir /data/archive/logs +
- > mkdir /data/archive/common +
- > mkdir /data/archive/temp +
- > mkdir /data/archive/temp/pids +
- > mkdir /data/archive/temp/tmp +
- > mkdir /data/archive/conf +
- > chown filebrowser:users -R /data/archive +
-</code>+
  
-===== NGINX WebDAV approach =====+Refer to the [[selfhost:nginx|The Reverse Proxy concept]] page to activate this specific NGIX configuration. Of course you need to create the Let's Encrypt certificates and the subdomain in your DNS provider.
  
-No need to use third party WebDAV server since NGINX has a pretty solid implementation of it already. Follow the [[sailing:nginx]] instructions to set NGINX up with WebDAV and PAM auth support.+==== Main Directory Page ====
  
-Nowthere is nasty catch here which stems from using NGINX as WebDAV server... You need to run NGINX as //filebrowser// user to ensure that the access trough WebDAV will not incur in access permissions errors. Running NGINX as standalone user requires the creation of a specific nginx.conf with some specifics in it.+As you can spot from the above NGINX configurationi have defined common landing on **https://drive.mydomain.com** to provide a nice page to access the individual shares.
  
-For consistency, this NGINX config file will be **/data/archive/conf/nginx_common.conf**: +For this i am using my [[services:dashboards|Simple Dashboard]] with the following **site.json**: 
-<file txt /data/archive/conf/nginx_common.conf+<file - site.json
-worker_processes 1; +{          
-pid /data/archive/temp/pids/nginx_common.pid; +    "title" : "My Drive Title", 
-error_log /data/archive/logs/common_error_log info; +    "header" : {                   
- +        "img" : "",                
-events +        "text" : "My Drive"  
-        worker_connections 100; +        },                                  
-        use epoll;+    "content" : [               
 +        { 
 +        "foldable": false,                                                                                                                                                                    
 +        "title": "",          
 +        "content":           
 +            [ { 
 +                "img" : "images/folder.png", 
 +                "text" : "Common",          
 +                "link" : "/common/",       
 +                "style" : "box-inline",          
 +                "new_page" : true       
 +            } ] 
 +        } 
 +        ], 
 +     "footer"
 +        "img" : "", 
 +        "text" : "back home", 
 +        "style" : "footer-light", 
 +        "link" : "https://home.mydomain.com" 
 +    }
 } }
 +</file>
  
-http { 
-        include /etc/nginx/mime.types; 
-        default_type application/octet-stream; 
  
-        # These folder MUST be redirected to avoid usage of system wide ones: 
-        client_body_temp_path  /data/archive/temp/tmp; 
-        proxy_temp_path  /data/archive/temp/tmp; 
-        fastcgi_temp_path  /data/archive/temp/tmp; 
-        uwsgi_temp_path  /data/archive/temp/tmp; 
-        scgi_temp_path  /data/archive/temp/tmp; 
-        disable_symlinks off; 
  
-        keepalive_timeout 75 20; 
  
-        server { +===== Experimental stuff =====
-                server_name 127.0.0.1;+
  
-                access_log /data/archive/logs/common_access_log; +Just some additional experiments i did, for future references.
-                location / { +
-                        root /data/archive/common/;+
  
-                        dav_methods PUT DELETE MKCOL COPY MOVE; +=== Nephele-Serve === 
-                        dav_ext_methods PROPFIND OPTIONS; +Replacing WebDAV with Nephele-Serve (which will support also CardDAV/CalDAV in the future)
-                        dav_access user:rw group:rw all:r;+
  
-                        client_max_body_size 0; +https://www.npmjs.com/package/nephele-serve   
-                        create_full_put_path on; +https://github.com/sciactive/nephele
-                        client_body_temp_path /data/archive/uploads; +
-                } +
-                listen 10000; +
-        } +
-+
-</file>+
  
-This NGINX server will listen on 127.0.0.1:10000, and you will need to setup a reverse proxy from the main NGINX, by creating the following config file **/etc/nginx/folders/webdav.conf**+NPM needs to be enabled for the fileserver user
-<file txt webdav.conf+<code
-location ~ ^/webdav/common { +NPM_PACKAGES="$HOME/.npm-packages"  
-        rewrite /webdav/common/(.*) /$1 break; +mkdir -p "$NPM_PACKAGES"   
-        proxy_pass http://127.0.0.1:10000; +echo "prefix = $NPM_PACKAGES" >> ~/.npmrc 
-} +</code
-</file+ 
-and including it into the main NGINX server+And in **~/.bashrc**:
  
-Now, edit the **/data/daemons/filebrowser/filebrowser.sh** file and add the following line: 
 <code> <code>
-nginx -/deposito/archive/conf/nginx_common.conf -e /deposito/archive/logs/common_error_log+# NPM packages in homedir 
 +NPM_PACKAGES="$HOME/.npm-packages" 
 +# Tell our environment about user-installed node tools 
 +PATH="$NPM_PACKAGES/bin:$PATH" 
 +# Unset manpath so we can inherit from /etc/manpath via the `manpath` command 
 +unset MANPATH # delete if you already modified MANPATH elsewhere in your configuration   
 +MANPATH="$NPM_PACKAGES/share/man:$(manpath)" 
 +# Tell Node about these packages 
 +NODE_PATH="$NPM_PACKAGES/lib/node_modules:$NODE_PATH"
 </code> </code>
  
-like this+Install
-<file bash filebrowser.sh+<code bash> 
-#!/bin/bash+source ~/.bashrc   
 +npm install -g nephele-serve 
 +</code>
  
-cd /data/daemons/filebrowser && +Advantages: it's a simple server that supports pam_authIn the future, it might **also** replace [[services:radicale|Radicale]] with a single service.
-nginx -c /data/archive/conf/nginx_common.conf -e /data/archive/logs/common_error_log +
-./filebrowser -r /data/archive/common -p 3002 -b /archive/common 2>&1 > filebrowser.log +
-</file>+
  
-and restart filebrwoser and the main NGINX.+Disadvantages: do not support base_url, so unable to host under /webdav even with reverse proxy.
  
-At this point, your common area will be ready and working both on WebDAV and directly via web browser.+=== sFtpGO WebDAV web browser ===
  
-To access via browser:+Interesting [[https://github.com/drakkan/sftpgo|sFtpGo]] support both web-browser access and WebDAV from a single tool. 
 + 
 +You need to start it once then edit **sftpgo.json**: 
 +<code> 
 +"external_auth_hook": "/data/daemons/fileserver/login.sh", 
 +"webdavd":
 +    "bindings":
 +      { 
 +        "port": 10001,  
 +        "address": "127.0.0.1", 
 +        "enable_https": false, 
 +        "certificate_file": "", 
 +        "certificate_key_file": "", 
 +        "min_tls_version": 12, 
 +        "client_auth_type": 0, 
 +        "tls_cipher_suites": [], 
 +        "prefix": "/webdav/common", 
 +        "proxy_allowed": [], 
 +        "client_ip_proxy_header": "", 
 +        "client_ip_header_depth": 0, 
 +        "disable_www_auth_header": false 
 +      } 
 +    ], 
 +</code> 
 +Advnatageseasier than Apache to setup, support base_url
  
-to access via WebDAV clients:+Disadvantagescannot use pam_auth and cannot disable authentication. So double-auth over reverse proxy that might be annoying.
  
 +=== KaraDAV / PicoDAV ===
  
 +[[https://fossil.kd2.org/karadav/doc/main/README.md|KaraDAV]] is a fully featured WebDAV server written in PHP which can be used instead of Apache WebDAV server.
  
 +[[https://fossil.kd2.org/picodav/doc/trunk/README.md|PicoDAV]] is a basic WebDAV server written in PHP which can serve WebDAV in a very simple way instead of Apache WebDAV server.
  
 +Unfortunately, being PHP, they both require either Apache or a properly configured NGINX with PHP as FastCGI, which defeats the scope of **simplifying** the overall setup. Maybe in the future i will look into using either one of these.
  
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information