Configuration And Examples
Note
See full config example. I recommend only configuring the settings you need.
Tip
You can also use Environment Variables to specify secrets and config file path.
You will need to define a source for filebrowser to run. Here's a minimal example:

```yaml
server:
  sources:
    - path: "/path/to/source"
      name: optional-name
auth:
  adminUsername: admin
  adminPassword: admin
```
Two source config:
```yaml
server:
  port: 80
  sources:
    - path: "/path/to/source1" # defaults with name "source1"
    - path: "/path/to/source2" # defaults with name "source2"
```
There are 3 defaults to consider when configuring a source:

- Which users get access to the source by default? This is configured via the `defaultEnabled` config. There is always 1 source minimum configured for a user. You can specify exactly which one if you specify this; otherwise, the first source in the list will be considered `defaultEnabled: true`.
- What is the default user scope for a source? This is configured via the `defaultUserScope` config. This is the default scope a user gets when a new user is created and the scopes aren't specified. However, when creating a user via the UI, you must define scopes, so this default mostly applies to API and CLI user creation.
- Should a user directory be automatically created? This is configured via the `createUserDir` config. The default is `false`; it needs to be set to `true` for this to happen automatically on user creation. When `true`, the `defaultUserScope` is the base directory.
  - If you change sources, the new source will create user directories in the scope given on startup if they don't exist.
  - The user scope gets modified to be the username subdirectory.
Here is an example config for defaults, where source2 is the only default a user gets with a scope in a subfolder.
```yaml
server:
  sources:
    - path: "/path/to/source1"
    - path: "/path/to/source2"
      config:
        defaultUserScope: "/subfolder" # include leading slash
        defaultEnabled: true
        createUserDir: true # "/subfolder/username" directory will be created
```
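The three defaults above, worked through as an added example (not FileBrowser's own code). The function name `default_access`, the `/` fallback when `defaultUserScope` is unset, and the username guard are assumptions of this sketch; the input is the config above as an already-parsed dict.

```python
import posixpath

def default_access(sources, username):
    """Map source name -> scope for a new user created without explicit scopes."""
    if "/" in username or username in ("", ".", ".."):
        # Guard added by this example; not documented FileBrowser behaviour.
        raise ValueError(f"unsafe username for a directory name: {username!r}")
    enabled = [s for s in sources if (s.get("config") or {}).get("defaultEnabled")]
    if not enabled:
        enabled = sources[:1]  # page: otherwise the first source is the default
    access = {}
    for src in enabled:
        cfg = src.get("config") or {}
        scope = cfg.get("defaultUserScope", "/")  # assumption: "/" when unset
        if not scope.startswith("/"):
            raise ValueError("defaultUserScope needs a leading slash")
        if cfg.get("createUserDir", False):  # page: the default is false
            scope = posixpath.join(scope, username)
        # page: an unnamed source is named after its folder
        name = src.get("name") or posixpath.basename(src["path"].rstrip("/"))
        access[name] = scope
    return access

# Constructed input: the "defaults" example from the page as a parsed dict.
SOURCES = [
    {"path": "/path/to/source1"},
    {"path": "/path/to/source2",
     "config": {"defaultUserScope": "/subfolder",
                "defaultEnabled": True,
                "createUserDir": True}},
]

if __name__ == "__main__":
    print(default_access(SOURCES, "alice"))
```

This matters most when accounts are created automatically, because the username that ends up in the directory name then comes from a proxy header or an OIDC claim rather than from an administrator.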
A more advanced config, including exclusions:

```yaml
server:
  port: 80
  sources:
    - name: "mysource" # optional, otherwise the source gets named the folder name
      path: "/mnt/folder"
      config:
        disableIndexing: false # if set to true, nothing gets indexed but is still viewable in the UI
        exclude: # these items will be excluded from both the UI and indexing
          filePaths:
            - "myfile.txt" # corresponds to "/mnt/folder/myfile.txt"
            - "subfolder/another.txt" # corresponds to "/mnt/folder/subfolder/another.txt"
          folderPaths:
            - "subfolder/ignoreMe" # excludes exact folder path (only one folder)
          fileNames:
            - "ignoreMe.txt" # excludes all files named this
          folderNames:
            - "ignoreAllFolders" # excludes all folders named this
          fileEndsWith:
            - ".zip" # excludes any files that end with ".zip"
            - ".tar.gz"
            - "-hidden.jpg"
          folderEndsWith:
            - "-backups" # excludes any folders that end with "-backups"
```
You can configure multiple auth methods via `auth.methods`. Without any configuration, it defaults to password auth:

```yaml
auth:
  methods:
    noauth: false
    password:
      enabled: true
      minLength: 7 # set min password length requirement -- defaults to 5 if unset
      signup: false
    proxy:
      enabled: true
      header: "proxy-user" # header which should contain the username
      createUser: true # automatically creates user with default user properties
```
If no auth method is configured, password is the only enabled auth method.
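A review pass over the `auth` settings shown on this page, as an added example (not part of FileBrowser). It takes the config as an already-parsed dict; `audit_auth` and the `MIN_LEN_POLICY` threshold are names and values chosen for this sketch.

```python
MIN_LEN_POLICY = 12  # assumption: this example's own threshold, not a FileBrowser value

def audit_auth(config):
    """Return (key, finding) pairs for risky `auth` settings in a parsed config dict."""
    auth = config.get("auth") or {}
    methods = auth.get("methods") or {}
    findings = []

    if auth.get("adminPassword") == "admin":
        findings.append(("auth.adminPassword", "still the documentation value 'admin'"))
    if methods.get("noauth"):
        findings.append(("auth.methods.noauth", "no login is required at all"))

    password = methods.get("password") or {}
    if password.get("enabled", True):  # password auth is the default method
        min_len = password.get("minLength", 5)  # page: defaults to 5 if unset
        if min_len < MIN_LEN_POLICY:
            findings.append(("auth.methods.password.minLength",
                             f"effective minimum length is {min_len}"))
        if password.get("signup"):
            findings.append(("auth.methods.password.signup",
                             "self-registration is open"))

    proxy = methods.get("proxy") or {}
    if proxy.get("enabled"):
        findings.append(("auth.methods.proxy.header",
                         f"username is taken from the '{proxy.get('header')}' header; "
                         "only the reverse proxy should be able to reach the port, "
                         "and it must overwrite that header on every request"))
        if proxy.get("createUser"):
            findings.append(("auth.methods.proxy.createUser",
                             "any new header value creates an account"))
    return findings

# Constructed input: the page's auth examples merged into one parsed config.
SAMPLE = {"auth": {
    "adminUsername": "admin", "adminPassword": "admin",
    "methods": {
        "noauth": False,
        "password": {"enabled": True, "minLength": 7, "signup": False},
        "proxy": {"enabled": True, "header": "proxy-user", "createUser": True},
    }}}

if __name__ == "__main__":
    for key, finding in audit_auth(SAMPLE):
        print(f"{key}: {finding}")
```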
```yaml
integrations:
  media:
    ffmpegPath: "/usr/local/bin" # wherever you have both ffmpeg and ffprobe installed at
```
Enabling OIDC on FileBrowser Quantum is easy and requires two main changes:

First, you must add your OIDC provider information to the config.yaml.

`issuerUrl` is the domain used to fetch the well-known endpoint. This can be different for each provider, but here are some common examples:

- Authentik/Authelia: `https://domain.com/application/o/filebrowser/` where `filebrowser` is the name of the provider.
- Pocket ID: `https://domain.com/` (see example)

An example OIDC config:
```yaml
auth:
  methods:
    password:
      enabled: false # set to false if you only want to allow OIDC
    oidc:
      enabled: true # whether to enable OIDC authentication
      clientId: "xxx" # client id of the OIDC application
      clientSecret: "xxx" # client secret of the OIDC application
      issuerUrl: "http://localhost/application/o/filebrowser/" # URL of the OIDC provider
      scopes: "email openid profile" # scopes to request from the OIDC provider
      userIdentifier: "preferred_username" # the attribute used as username. Default/typical is "preferred_username", can also be "email" or "username", or "phone"
      disableVerifyTLS: false # disable TLS verification for the OIDC provider. This is insecure and should only be used for testing.
      logoutRedirectUrl: "" # if provider logout url is provided, filebrowser will also redirect to logout url. Custom logout query params are respected.
      createUser: true # create user if it does not exist
      adminGroup: "authentik Admins" # if set, OIDC will manage whether a user is `admin` or not.
```
Next, provide your OIDC provider, such as Authelia or Authentik, with a valid "callback URL" so it can redirect a valid login back to filebrowser. Typically, this will be the external URL, but you may also provide an internal callback as well. An example callback URL would be `https://localhost:8080/api/auth/oidc/callback`, where `localhost:8080` is your filebrowser domain.
Note, if you have a non-default baseURL defined in your filebrowser config or proxy, your callback should include that.
```yaml
- client_id: xxx
  client_name: filebrowser
  client_secret: xxx
  public: false
  authorization_policy: two_factor
  scopes:
    - openid
    - email
    - profile
  grant_types:
    - 'authorization_code' # required
  redirect_uris:
    - https://files.example.com/api/auth/oidc/callback
  userinfo_signing_algorithm: none
  token_endpoint_auth_method: client_secret_basic
```
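A consistency check between the two sides of the OIDC setup above, as an added example (not FileBrowser or Authelia code). The function names and the `external_url` and `base_url` parameters are assumptions of this sketch; the callback path and the sample values come from the page.

```python
from urllib.parse import urlsplit

CALLBACK_PATH = "/api/auth/oidc/callback"  # path given on the page

def expected_callback(external_url, base_url="/"):
    """Callback URL to register, with a non-default baseURL folded in."""
    prefix = base_url.strip("/")
    return external_url.rstrip("/") + ("/" + prefix if prefix else "") + CALLBACK_PATH

def discovery_url(issuer_url):
    """Well-known endpoint derived from issuerUrl (OpenID Connect Discovery)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc(oidc, external_url, base_url, redirect_uris):
    """Return a list of problems for one `auth.methods.oidc` block."""
    problems = []
    if urlsplit(oidc.get("issuerUrl", "")).scheme != "https":
        problems.append("issuerUrl is not https")
    if oidc.get("disableVerifyTLS"):
        problems.append("disableVerifyTLS is true")
    callback = expected_callback(external_url, base_url)
    if callback not in redirect_uris:  # providers compare redirect URIs exactly
        problems.append(f"{callback} is not in the provider's redirect_uris")
    return problems

# Constructed input: values copied from the page's two OIDC examples.
OIDC = {"issuerUrl": "http://localhost/application/o/filebrowser/",
        "disableVerifyTLS": False}
REDIRECT_URIS = ["https://files.example.com/api/auth/oidc/callback"]

if __name__ == "__main__":
    print(discovery_url(OIDC["issuerUrl"]))
    print(check_oidc(OIDC, "https://files.example.com", "/files", REDIRECT_URIS))
```

With a `/files` base URL the registered redirect URI no longer matches, which is the mismatch the note about non-default baseURL warns about.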
An example frontend configuration in your config.yaml:
```yaml
frontend:
  name: "Your custom name"
  disableDefaultLinks: true
  externalLinks:
    - text: "Your custom link text"
      url: "https://example.com"
      title: "hover over me text"
```