[help request] Filebrowser + SSL + Apache

General Discussion
1

I’m running Filebrowser and it’s working fine locally (default install), but I’d like to be able to access it remotely, and provide share links that utilize a custom (dynamic DNS) domain name.

I previously installed PiHole and chose Apache as my server. So the PiHole is running on port 80 (I think) and available at https://[my_dietpi_ip_address]/admin.

I’ve also installed certbot and Let’s encrypt SSL certificates for [my_custom_domain].duckdns.org, and I’m able to load https://[my_custom_domain].duckdns.org and the default Apache page securely in a browser.

My goal is to be able to use a proxy to be able to access Filebrowser (on port 8084) at https://[my_custom_domain].duckdns.org/filebrowser.

I’ve installed all of the recommended apache modules (list below):

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_balancer
a2enmod lbmethod_byrequests
a2enmod headers
sudo a2enmod ssl

And here are the contents of my site config:

cat /etc/apache2/sites-available/my_custom_domain.duckdns.org.conf 
<VirtualHost *:80>
    ServerName my_custom_domain.duckdns.org
    Redirect permanent / https://my_custom_domain.duckdns.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName my_custom_domain.duckdns.org

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/my_custom_domain.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my_custom_domain.duckdns.org/privkey.pem
    # Include this line if you have a chain file

    ProxyPreserveHost On
    ProxyRequests Off

    # Filebrowser
    ProxyPass /filebrowser/ http://localhost:8084/
    ProxyPassReverse /filebrowser/ http://localhost:8084/
    ProxyPassReverseCookiePath / /filebrowser/

    Header edit Location ^http://my_custom_domain.duckdns.org/ https://my_custom_domain.duckdns.org/
</VirtualHost>

I’ve checked the config syntax and restarted Apache.
I also tried setting the Filebrowser baseURL via the following command:

/opt/filebrowser/filebrowser config set --database=/etc/apache2/sites-available/filebrowser.db -b /filebrowser

However when I access Filebrowser locally (via the IP address on port 8084, this baseURL doesn’t show up). I’m also unsure if I need to configure the baseURL if I only want the interface to be available remotely via https://[my_custom_domain].duckdns.org/filebrowser.

At this point I’m (once again) a little out of my depth on how this is supposed to work and where I’ve gone awry. I tried checking Apache logs, but they are owned by Root/Admin and I don’t think Apache is able to write to them. Please let me know what other info I can provide to clarify the situation. I’m totally fine to uninstall/reinstall the filebrowser app, trash my configs and start fresh.

2

Locally it’s http://[your_dietpi_ip_address]:8084/filebrowser. However following should work if reverse proxy has been setup correctly https://[your.ddns.com]/filebrowser

3

You can even run this without a reverse proxy, it has build in HTTPS support, but it runs then at the port you assigned to filebrowser (default 8084).
Config for https:

/opt/filebrowser/filebrowser config set --cert <path_to_your_cert> --key<path_to_tls_key> -d /mnt/dietpi_userdata/filebrowser/filebrowser.db

Your cert from dietpi-letsencrypt should be in /etc/letsencrypt/live/<YOUR_DOMAIN>/

4

And I just see now, if you want to use a reverse proxy, you need to tell this file browser too:
https://filebrowser.org/configuration/authentication-method

5

This takes me to http://[your_dietpi_ip_address]:8084/files/filebrowser and a 404 inside the filebrowser web interface. I don’t think the baseURL change I tried to make has taken effect and I’m not sure why.

So what would remote access look like? Would I have to open port 8084 on my firewall? And is that reasonable to do, or is the reverse proxy necessary or better?

Thanks for the input so far!

6

I should also mention I ran the following filebrowser config commands:

/opt/filebrowser/filebrowser config set -b /filebrowser

I was prompted to do this because none of the other config commands would let me run them without doing this first.

/opt/filebrowser/filebrowser config init
7

We did similar for Nginx a while back FileBrowser with https connection using duckdns - #9 by Joulinar

I guess you need to switch into filebrowser data directory first, before running the command.

8

These commands seem to run fine as I shared above and they output json content that shows the new baseurl, but then the base doesn’t actually change after restarting file browser.

I also realized I am fine with /files being the base. So I’ve updated my proxy to /files instead of /filebrowser.

Also Let’s Encrypt for my custom domain setup a 000-default-ssl.conf (probably typing and remembering this wrong) but it’s where the virtual host for my domain exists and gets loaded. I moved the proxy config lines into this file and now my-custom-domain.com/files can point to the Filebrowser app, but all the assets (js/css/images) 404.

Getting closer I think.

9

it is quite important to execute the command within filebrowser data directory as stated in my link. Otherwise configuration database will not be created at the correct place.

we don’t use the json file. It’s a databse file created via command line. Therefore it is imported to located within correct directory.

Before going into revers proxy setup, ensure you are able to access filebrowser via sub path.

10

I uninstalled and installed filebrowser again to get it to a default state.
I see the install does the following:

 OK  ] DietPi-Software | cd /mnt/dietpi_userdata/filebrowser
[  OK  ] DietPi-Software | /opt/filebrowser/filebrowser config init
[  OK  ] DietPi-Software | /opt/filebrowser/filebrowser config set -a 0.0.0.0 -p 8084 -r /mnt

So I’m understanding that I need to do the same (cd /mnt/dietpi_userdata/filebrowser) before I run the /opt/filebrowser/filebrowser config commands. However when I do so I get a timeout:

root@rockpi:/mnt/dietpi_userdata/filebrowser# /opt/filebrowser/filebrowser config set -b /files
2023/08/27 17:16:27 timeout

Could it be a permissions issue?

root@rockpi:/mnt/dietpi_userdata/filebrowser# ls -lah
total 48K
drwxr-xr-x 2 filebrowser root   4.0K Aug 27 17:11 .
drwxrwxr-x 9 dietpi      dietpi 4.0K Aug 27 17:11 ..
-rw------- 1 filebrowser root    64K Aug 27 17:11 filebrowser.db
11

You need to stop the service before, like described on the link I shared above. Did you do that?

12

Ah, no I was not. Sorry for that oversight. I was able to set the base URL and can now access Filebrowser at the base URL path. When I try to access it remotely via https://mycustomdomain.duckdns.org/files, it points to Filebrowser but assets fail to load and give 404s.

13

for testing I created a simple proxy conf without SSL, which is working quite well.

<VirtualHost *:80>
	ServerName 192.168.0.17
	
  <Location "/filebrowser/">
    ProxyPass http://127.0.0.1:8084/filebrowser/
    ProxyPassReverse http://127.0.0.1:8084/filebrowser/
  </Location>

  ProxyPreserveHost On
  RewriteEngine On

  # upgrade websocket requests
  RewriteCond %{HTTP:Connection} Upgrade [NC]
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteRule (.*) ws://127.0.0.1:8084/$1 [P,L]

  # add trailing slash to /filebrowser/
  RewriteRule ^/filebrowser$ /filebrowser/ [L,R=301]
</VirtualHost>

Maybe you have still a challenge with VirtualHost setup. Can you share all config files located on /etc/apache2/sites-available/. Could be some conflicts between the different files.

1 Like
14

I should have also mentioned that filebrowser works perfectly fine on my local IP after changing the baseURL, it’s only via mydomain.duckdns.org/files that assets fail to load.

Here is what’s in the /etc/apache2/sites-available directory and permisisons

root@rockpi:/etc/apache2/sites-available# ls -lah
total 72K
drwxr-xr-x 2 root root 4.0K Aug 27 15:49 .
drwxr-xr-x 8 root root 4.0K Aug  1 08:24 ..
-rw-r--r-- 1 root root  897 Aug 27 15:49 000-default-le-ssl.conf
-rw-r--r-- 1 root root  463 Aug  1 08:24 000-default.conf
-rw-r--r-- 1 root root 1.3K Apr 12 21:14 000-default.conf.dpkg-dist
-rw-r--r-- 1 root root 6.1K Apr 12 21:24 default-ssl.conf
-rw-r--r-- 1 root root  155 Jul 25 19:46 dietpi-pihole-block_public_admin.conf
-rw-r--r-- 1 root root 1.3K Jul 25 19:46 dietpi-pihole.conf

And here are the contents of each file

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerName mysite.duckdns.org

SSLCertificateFile /etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.duckdns.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyPreserveHost On
    ProxyRequests Off

    # Proxy for Filebrowser with baseURL as /files
    ProxyPass /files/ http://localhost:8084/files
    ProxyPassReverse /files/ http://localhost:8084/files

    Header edit Location ^http://mysite.duckdns.org/ https://mysite.duckdns.org/
</VirtualHost>

</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName myothersite.duckdns.org

SSLCertificateFile /etc/letsencrypt/live/mysite.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.duckdns.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

root@rockpi:/etc/apache2/sites-available# cat 000-default.conf
# /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
	ServerName mysite.duckdns.org
RewriteEngine on
RewriteCond %{SERVER_NAME} =mysite.duckdns.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
        ServerName myothersite.duckdns.org
RewriteEngine on
RewriteCond %{SERVER_NAME} =myothersite.duckdns.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

root@rockpi:/etc/apache2/sites-available# cat 000-default.conf.dpkg-dist 
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

root@rockpi:/etc/apache2/sites-available# cat default-ssl.conf 
<VirtualHost *:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	#   SSL Engine Switch:
	#   Enable/Disable SSL for this virtual host.
	SSLEngine on

	#   A self-signed (snakeoil) certificate can be created by installing
	#   the ssl-cert package. See
	#   /usr/share/doc/apache2/README.Debian.gz for more info.
	#   If both key and certificate are stored in the same file, only the
	#   SSLCertificateFile directive is needed.
	SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

	#   Server Certificate Chain:
	#   Point SSLCertificateChainFile at a file containing the
	#   concatenation of PEM encoded CA certificates which form the
	#   certificate chain for the server certificate. Alternatively
	#   the referenced file can be the same as SSLCertificateFile
	#   when the CA certificates are directly appended to the server
	#   certificate for convinience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	#   Certificate Authority (CA):
	#   Set the CA certificate verification path where to find CA
	#   certificates for client authentication or alternatively one
	#   huge file containing all of them (file must be PEM encoded)
	#   Note: Inside SSLCACertificatePath you need hash symlinks
	#	  to point to the certificate files. Use the provided
	#	  Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	#   Certificate Revocation Lists (CRL):
	#   Set the CA revocation path where to find CA CRLs for client
	#   authentication or alternatively one huge file containing all
	#   of them (file must be PEM encoded)
	#   Note: Inside SSLCARevocationPath you need hash symlinks
	#	  to point to the certificate files. Use the provided
	#	  Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	#   Client Authentication (Type):
	#   Client certificate verification type and depth.  Types are
	#   none, optional, require and optional_no_ca.  Depth is a
	#   number which specifies how deeply to verify the certificate
	#   issuer chain before deciding the certificate is not valid.
	#SSLVerifyClient require
	#SSLVerifyDepth  10

	#   SSL Engine Options:
	#   Set various options for the SSL engine.
	#   o FakeBasicAuth:
	#    Translate the client X.509 into a Basic Authorisation.  This means that
	#    the standard Auth/DBMAuth methods can be used for access control.  The
	#    user name is the `one line' version of the client's X.509 certificate.
	#    Note that no password is obtained from the user. Every entry in the user
	#    file needs this password: `xxj31ZMTZzkVA'.
	#   o ExportCertData:
	#    This exports two additional environment variables: SSL_CLIENT_CERT and
	#    SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
	#    server (always existing) and the client (only existing when client
	#    authentication is used). This can be used to import the certificates
	#    into CGI scripts.
	#   o StdEnvVars:
	#    This exports the standard SSL/TLS related `SSL_*' environment variables.
	#    Per default this exportation is switched off for performance reasons,
	#    because the extraction step is an expensive operation and is usually
	#    useless for serving static content. So one usually enables the
	#    exportation for CGI and SSI requests only.
	#   o OptRenegotiate:
	#    This enables optimized SSL connection renegotiation handling when SSL
	#    directives are used in per-directory context.
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(?:cgi|shtml|phtml|php)$">
		SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
		SSLOptions +StdEnvVars
	</Directory>

	#   SSL Protocol Adjustments:
	#   The safe and default but still SSL/TLS standard compliant shutdown
	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
	#   the close notify alert from client. When you need a different shutdown
	#   approach you can use one of the following variables:
	#   o ssl-unclean-shutdown:
	#    This forces an unclean shutdown when the connection is closed, i.e. no
	#    SSL close notify alert is send or allowed to received.  This violates
	#    the SSL/TLS standard but is needed for some brain-dead browsers. Use
	#    this when you receive I/O errors because of the standard approach where
	#    mod_ssl sends the close notify alert.
	#   o ssl-accurate-shutdown:
	#    This forces an accurate shutdown when the connection is closed, i.e. a
	#    SSL close notify alert is send and mod_ssl waits for the close notify
	#    alert of the client. This is 100% SSL/TLS standard compliant, but in
	#    practice often causes hanging connections with brain-dead browsers. Use
	#    this only for browsers where you know that their SSL implementation
	#    works correctly.
	#   Notice: Most problems of broken clients are also related to the HTTP
	#   keep-alive facility, so you usually additionally want to disable
	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	#   "force-response-1.0" for this.
	# BrowserMatch "MSIE [2-6]" \
	#	nokeepalive ssl-unclean-shutdown \
	#	downgrade-1.0 force-response-1.0

</VirtualHost>

root@rockpi:/etc/apache2/sites-available# cat dietpi-pihole-block_public_admin.conf

# Block public access to admin panel

<Directory ~ /var/www(/html)?/admin>

Require ip 127 192.168 10 172.16.0.0/12 ::1/128 fe80::/10 fc00::/7

</Directory>

root@rockpi:/etc/apache2/sites-available# cat dietpi-pihole.conf 
# Based on: https://github.com/pi-hole/pi-hole/blob/fb831b5f48393b29609148f8404358a8d2e7a058/advanced/pihole-admin.conf

# Admin panel
<Directory ~ /var/www(/html)?/admin>
	# Assure Referrer-Policy is not set to "no-referrer" since
	# HTTP_ORIGIN != null is required for CORS check: https://github.com/MichaIng/DietPi/issues/3675
	# In case it's set, replace by second strict policy "same-origin".
	Header edit Referrer-Policy "no-referrer" "same-origin"
	Header always edit Referrer-Policy "no-referrer" "same-origin"

	# Add response headers
	Header set X-Pi-hole "The Pi-hole Web interface is working!"
	Header set X-Frame-Options "deny"
	Header set Content-Security-Policy "default-src 'self' 'unsafe-inline'"

	# Allow teleporter and API QR code iframes on settings page
	Header set Referrer-Policy "same-origin"
	<FilesMatch "^(teleporter|api_token)\.php$">
		Header set X-Frame-Options "sameorigin" "expr=%{HTTP_REFERER} =~ m#/admin/settings\.php#"
	</FilesMatch>

	# Block . files from being served, such as .git, .github, .gitignore
	<FilesMatch "^\.">
		Require all denied
	</FilesMatch>
</Directory>

# Block public access to 404 page
<Directory ~ /var/www(/html)?/pihole>
	Require ip 127 192.168 10 172.16.0.0/12 ::1/128 fe80::/10 fc00::/7
</Directory>
15

My robot friend (chatGPT) helped me figure out that the issue was in the reverse proxy configuration (that it provided me). I removed the trailing slash from /files/ in the following lines:

    ProxyPass /files/ http://localhost:8084/files
    ProxyPassReverse /files/ http://localhost:8084/files

Now remote access over HTTPS is working!

16

This was exactly the aim of this line to bypass the trailing slash challange :wink: