Host files read-only with filebrowser web interface

posted on 2019-11-17

If you want to share files on a local network permanently, a web interface is probably the easiest for other uses to use.

Filebrowser project died is a web interface to files, allowing you to do most things with files: upload, download, edit, etc.

This blogpost will go through the steps of allowing none of those options and allowing only read-only anonymous access to a directory using the filebrowser web interface.

Start your own Dockerfile

The filebrowser project has a docker image, with their binary copied into it. We need to do almost the same, but make it work without authentication and run as a normal user instead of root (bad practice).

In a file called Dockerfile we start by using the full alpine image (easier to work with than scratch) and copying the filebrowser binary from the filebrowser/filebrowser docker image:

FROM filebrowser/filebrowser as fb
FROM alpine:latest
COPY --from=fb /filebrowser /opt/app/filebrowser

We don't want the process to run as root, so we create a new user and update the SSL certificates:

RUN apk --update add ca-certificates bash \
    && adduser -h /opt/app -D app

Now for the entrypoint script: the thing that will start filebrowser. In essence we could use a json file to configure filebrowser when it starts, but I opted to use commands as I also need to add a user to allow for the noauth approach to work (see issue 700):

./filebrowser config init --port 4000 --address "" --baseurl "" --log "stdout" --root="/srv" --auth.method='noauth' --commands "" --lockPassword --perm.admin=false --perm.create=false --perm.delete=false --perm.execute=false --perm.modify=false --perm.rename=false --signup=false
./filebrowser users add anonymous "anonymous"
exec ./filebrowser

These lines configure filebrowser, create a user and then start filebrowser itself.

We can now finish the last pieces of the Dockerfile:

COPY entrypoint /opt/app/entrypoint
RUN chmod a+x /opt/app/entrypoint

USER app
WORKDIR /opt/app

ENTRYPOINT [ "/opt/app/entrypoint" ]

The app user lives at /opt/app and the filebrowser application will now host everything in /srv on port 4000. To run this in docker, we build and run it. Next to the docker file we run:

docker build --tag hostfiles .
docker run -it -p 80:4000 --volume /tmp:/srv:ro hostfiles

This temporary call will host your /tmp folder on your machine on port 80 using the filebrowser docker we just created.

First test the path you want to host with the run command, and if you are done, you can enable it making sure it starts after boot.

docker run --detach -p 80:4000 --restart=always --volume /srv/files:/srv:ro hostfiles