File Server

In order to access your files from everywhere you need the following access vectors:

• From a web browser (to access anywhere)
• Via WebDAV (to access from apps and phone)
• Using NFS (to access from Linux)
• Using SMB (to access from Windows)

It is not possible to achieve all this using one single tool, so you will need to leverage different pieces together, and i will show yo how.

The idea is to create one share area where your users will be able to store files. It is possible to extend this idea also to user-specific areas where each user can put private stuff not visible by other users, but this require a little bit extra complexity and might be addressed in the future.

You will be using your home server authentication, there will be no need to create new users anywhere, and it will of course be protected by the Reverse Proxy for external access.

I will show you some DIY glue to manage everything together.

Let's assume you will need one common share, called with lots of imagination common, and the files will be under /home/common (for example).

Create a text file under /etc/conf.d/shares to manage all your shares:

shares

SHARES="common:3002 other:3003"

(as an example, i defined also a second share called other)

where “common” and “other” is the name of the folder under /home and 3002/3003 are the ports number (which will be needed for NGINX reverse proxy access via browser) for each share.

All users which need to access the shares must be in the users group: the common share will be accessible by any user in the users group.

You will also need to add a specific fileserver user to run the associated services, then go ahead and create the /home/common folder. You need to assign that folder to the users group and the fileserver user:

useradd -d /data/services/fileserver -m fileserver -g users
mkdir /home/common
chown fileserver:users  /home/common

There are a few software out there, but i like File Browser a lot because it's lightweight, don't get in the way, is flexible and simple to use, but i do not like the default installation method of FileBrowser because it will install system-wide. I will show you how to install in a more customized way.

FileBrowser will run as the fileserver user that you created above. You will need to create the following folders architecture in your *fileserver* home folder: - bin: where the FileBrowser binary will be located - data/db: where the FileBrowser databases files will be stored - data/logs: where the various log files will be created

You need to set the umask for the user to 0002 so that any new files created by it will be writable by the users.

Then, as fileserver user, get the software package and decompress it. The default install approach is based on a auto executable web link (here) which i do not recommend to use directly. Instead go to here and download the proper package for your architecture. Then:

su - fileserver
echo "umask 0002" >> ~/.bashrc
source ~/.bashrc
mkdir bin data data/logs data/db
cd bin
tar xvf ../linux-amd64-filebrowser.tar.gz

Now, you will need to start a copy of FileBrowser for each share you want to have, and it must be owned by the user that want file permissions on that share. To achieve this, you will be using a special script called fileserver.sh which i will show you at the end, because it will contain also the WebDAV start stuff in it.

## Software Installation for WebDAV access

While there are a few WebDAV servers like [Dave](https://github.com/micromata/dave), they seems to be either unmaintained or overly complicated. Also NGINX can be a WebDAV server, but it seems to be buggy and not supporting LOCK stuff, so i decided to go with Apache web server, which also has a long standing WebDAV implementation.

The idea here is to run a dedicated copy of Apache as user filebrowser and group users so that it can access and manage the shared files. So first you need to emerge apache: `> emerge apache`

WebDAV is enabled by default in Gentoo Apache ebuild.

Running apache manually requires some effort, so, buckle up.

First of all, Apache needs some folders to operate, so you need to create:

- /data/daemons/filebrowser/data/conf: to store the apache config file - /data/daemons/filebrowser/data/roots: which will map as WebDAV root (you will see why) - /data/daemons/filebrowser/data/locks: which will be used for WebDAV lock databases - /data/daemons/filebrowser/data/pids: which will be used to store apache PID files

```

su - filebrowser
mkdir /data/daemons/filebrowser/data/conf
mkdir /data/daemons/filebrowser/data/root

```

Then create the Apache config file for each share. You should create this config that will be used by each share /data/daemons/filebrowser/data/conf/apache_global.conf:

``` ServerRoot “/usr/lib64/apache2” LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule authn_anon_module modules/mod_authn_anon.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_owner_module modules/mod_authz_owner.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule autoindex_module modules/mod_autoindex.so <IfDefine CACHE> LoadModule cache_module modules/mod_cache.so </IfDefine> LoadModule dav_module modules/mod_dav.so LoadModule dav_fs_module modules/mod_dav_fs.so LoadModule dav_lock_module modules/mod_dav_lock.so LoadModule deflate_module modules/mod_deflate.so LoadModule dir_module modules/mod_dir.so LoadModule env_module modules/mod_env.so LoadModule expires_module modules/mod_expires.so LoadModule ext_filter_module modules/mod_ext_filter.so <IfDefine CACHE> LoadModule file_cache_module modules/mod_file_cache.so </IfDefine> LoadModule filter_module modules/mod_filter.so LoadModule headers_module modules/mod_headers.so <IfDefine HTTP2> LoadModule http2_module modules/mod_http2.so </IfDefine> LoadModule include_module modules/mod_include.so <IfDefine INFO> LoadModule info_module modules/mod_info.so </IfDefine> LoadModule log_config_module modules/mod_log_config.so

# This is needed to avoid error on load due to default path being not accessible TransferLog /data/daemons/filebrowser/data/logs/common_transfer_log

LoadModule logio_module modules/mod_logio.so LoadModule mime_module modules/mod_mime.so LoadModule mime_magic_module modules/mod_mime_magic.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so <IfDefine STATUS> LoadModule status_module modules/mod_status.so </IfDefine> LoadModule unique_id_module modules/mod_unique_id.so LoadModule unixd_module modules/mod_unixd.so <IfDefine USERDIR> LoadModule userdir_module modules/mod_userdir.so </IfDefine> LoadModule usertrack_module modules/mod_usertrack.so LoadModule vhost_alias_module modules/mod_vhost_alias.so Include /etc/apache2/modules.d/*.conf ```

Then you can create one config file for each share. This is the file for the common share /data/daemons/filebrowser/data/conf/common.conf:

``` Include /data/daemons/filebrowser/data/conf/apache_global.conf

User filebrowser Group users

DavLockDB “/data/daemons/filebrowser/data/locks/common” PidFile /data/daemons/filebrowser/data/pids/common.pid ErrorLog /data/daemons/filebrowser/data/logs/common_error_log TransferLog /data/daemons/filebrowser/data/logs/common_transfer_log CustomLog /data/daemons/filebrowser/data/logs/common_access_log common

DocumentRoot /data/daemons/filebrowser/data/roots

ServerName 127.0.0.1 Listen 127.0.0.1:10001

<Directory /data/daemons/filebrowser/data/roots>

  DAV On
  AllowOverride All
  Options -Indexes +FollowSymlinks -ExecCGI -Includes
  Require all granted

</Directory>

SetEnv redirect-carefully

# vim: ts=4 filetype=apache ```

Please note the Listen directive: you want apache to be bound to 127.0.0. only and note the port too, this port will be needed for the reverse proxy. Each share will need it's own port.

Now, the fun part is that you want to protect this behind the NGINX reverse proxy and it seems that WebDAV does not play well with URL redirection and similar funny things. In other words, the base url you will be using on the reverse proxy must match the url in the Apache. You cannot use rewrite directives or Alias stuff.

Since you will be exposing the browser-based access as https://your_server/archive/common and the WebDAV access as https://your_server/webdav/common it means that we need to connect your /home/common folder to /data/daemons/filebrowser/data/roots/webdav/common for it to work. Since symbolic links cannot be used by WebDAV, the only viable option is mount -o bind which needs to be done by root.

so, create the paths first:

``` > su - filebrowser > cd data/root > mkdir webdav > cd webdav > mkdir common ```

the startup script below will take take of doing the mount -o bind which is mandatory for WebDAV to work.

## Reverse Proxy

You want to integrate all this into the SSL enabled reverse proxy, which is also using PAM authentication.

Now, reverse proxy is simple, but this into /etc/nginx/folders/filebrowser.conf:

```

# Browser based access here
location /archive/common/ {
      client_max_body_size 512M;

      proxy_pass http://127.0.0.1:3002;
      proxy_http_version 1.1;

      proxy_set_header Connection $http_connection;
      proxy_set_header Connection 'upgrade';
      proxy_cache_bypass $http_upgrade;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
  # WebDAV access
  location /webdav/common {
      # https://mailman.nginx.org/pipermail/nginx/2007-January/000504.html - fix Destination: header
      # https://trac.nginx.org/nginx/ticket/348 - bug, workaround with named capture
      set $dest $http_destination;
      if ($http_destination ~ "^https://(?<myvar>(.+))") {
              set $dest http://$myvar;
      }

      proxy_pass http://127.0.0.1:10001;
      proxy_redirect off;
      proxy_buffering off;
      gzip off;
      proxy_pass_request_headers on;
      proxy_set_header Destination       $dest;
      proxy_set_header      Host $host;
      proxy_set_header      X-Real-IP $remote_addr;
      proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;

} ```

and put this file include inside the usual /etc/nginx*/folders/main.conf*\*, and restart nginx. ## Wrapup and Autostart Create the /data/daemons/filebrowser/fileserver.sh: ``` source /etc/conf.d/shares BASE_PATH=/data/daemons/filebrowser/data for i in $SHARES do SHARE=$(echo $i | cut -d: -f1) PORT=$(echo $i | cut -d: -f2) OWNER=filebrowser echo Starting FileBrowser for $OWNER on share $SHARE su - $OWNER -c “/data/daemons/filebrowser/bin/filebrowser config set –auth.method=noauth -d $BASE_PATH/db/filebrowser_$SHARE.db >/dev/null” su - $OWNER -c “/data/daemons/filebrowser/bin/filebrowser -r /deposito/$SHARE -p $PORT -b /archive/$SHARE -d $BASE_PATH/db/filebrowser_$SHARE.db -l $BASE_PATH/logs/filebrowser_$SHARE.log 2> $BASE_PATH/logs/filebrowser_${SHARE}_run.log”& if [ “$(mount | grep /deposito/daemons/filebrowser/data/roots/webdav/$SHARE)” = “” ] then echo Mounting WebDAV entry points for $SHARE mount -o bind /home/$SHARE /data/daemons/filebrowser/data/roots/webdav/$SHARE else echo WebDAV entry point already mounted fi echo Starting WebDAV backend for $OWNER on share $SHARE su - $OWNER -c “apache2 -f /data/daemons/filebrowser/data/conf/$SHARE.conf” done ``` And the usual autostart stuff /etc/loca.d/40-filebrowser.start ``` #!/bin/bash /data/daemons/filebrowser/fileserver.sh ``` Make both files executable. To access via browser: open https:<your server=“”>/archive/common</your> to access via WebDAV clients: https:<your server=“”>/webdav/common</your> Please note that using HTTP here might cause a 301 redirect to HTTPS, and WebDAV clients will fail. So use HTTPS URL in webdav clients. # EXPERIMENTAL STUFF - nephele WebDAV Replacing WebDAV with Nephele-Serve (which will support also CardDAV/CalDAV in the future) https://www.npmjs.com/package/nephele-serve https://github.com/sciactive/nephele Occorre abilitare NPM per l'utente: ``` NPM_PACKAGES=“$HOME/.npm-packages” mkdir -p “$NPM_PACKAGES” echo “prefix = $NPM_PACKAGES” » ~/.npmrc ``` Nel file ~/.bashrc: ``` # NPM packages in homedir NPM_PACKAGES=“$HOME/.npm-packages” # Tell our environment about user-installed node tools PATH=“$NPM_PACKAGES/bin:$PATH” # Unset manpath so we can inherit from /etc/manpath via the `manpath` command unset MANPATH # delete if you already modified MANPATH elsewhere in your configuration MANPATH=“$NPM_PACKAGES/share/man:$(manpath)” # Tell Node about these packages NODE_PATH=“$NPM_PACKAGES/lib/node_modules:$NODE_PATH” ``` Infine: ``` source ~/.bashrc npm install -g nephele-serve ``` Vantaggio: server semplice, supporta pam_auth. Potrebbe sostituire ANCHE radicale (cal/card dav) in futuro. Svantaggio: ma non supporta i base_url (come apache) # EXPERIMENTAL STUFF - sFtpGO WebDAV / web browser Interessante: https://github.com/drakkan/sftpgo Prima lancialo una volta, poi modifica il file sftpgo.json**:

``` “external_auth_hook”: “/deposito/daemons/filebrowser/login.sh”, “webdavd”: {

  "bindings": [
    {
      "port": 10001, 
      "address": "127.0.0.1",
      "enable_https": false,
      "certificate_file": "",
      "certificate_key_file": "",
      "min_tls_version": 12,
      "client_auth_type": 0,
      "tls_cipher_suites": [],
      "prefix": "/webdav/common",
      "proxy_allowed": [],
      "client_ip_proxy_header": "",
      "client_ip_header_depth": 0,
      "disable_www_auth_header": false
    }
  ],

```

Vantaggio: server WebDAV più semplice da settare di Apache. Supporta il basE_url (prefix) Svantaggio: impossibile disbailitare l'autenticazione, per cui avere la parte browser senza login.