Filebrowser is great, it just lacks two things 1) 2FA and 2) the always upcoming OnlyOffice integration. If we got those two nothing else could ever compete with it. It already does pre-views and text editing, but Office documents would be great.
I can split the config to another file, not really a big deal. :)
In the simplest form it might be SSO. It does support multiple users and if you look for instance at the filebrowser it’s very possible to pass the username. But yes, this is very simple, very crude and exactly what a lot of people need.
Hmm… some people are going to say that basic auth would be insecure, I’m not going to be there because in this particular case it’s about the same thing.
However, this might be easier to configure and manage permissions than basic auth. Also this works cross-domain and basic auth will require full re-auth for every domain. Another obvious advantage is that at some point I plan to integrate 2FA.
You can backup the entire file then. I get your point, but it also seems like you’re referring to some container-based approach where you would place this inside a container and then mount the config file to some path. While some people might like that approach, that kind of goes against the original idea here, I didn’t want to run yet another instance of nginx for auth, nor another php-fpm - the ideia was simply to use this on a low power device , no containers, no overhead of duplicate webservers and PHP, just a single nginx running a couple of apps on the same php-fpm alongside this.
Well, it isn’t pretty, but gets the job done.
The thing with PHP in this case is that I was already serving a ton of simple websites / small apps like freshrss that use PHP and by making this tool in PHP it means I don’t need yet another process running and wasting resources, can just re-use the existing php-fpm for this.
For what’s worth PHP is better than it looks, and my implementation is very crude, but also small and auditable and contained to a single file. :)
Alternatives? https://filebrowser.org/
I get the point, but don’t forget those “secrets” are bcrypt hashes. Not really reversible.
If you manage to make it worth with Caddy can you share your config? I can add it to the readme or something. Thanks.
Well, me too. But frankly OpenIAM (24GB of RAM as a requirement) Keycloak, Authelia do too much, require too much and aren’t suitable at all for SBCs and small scale stuff.
Edit: This is targeted at people that run nginx as a standalone server or proxy.
I would go with Prosody or Ejabberd, and here’s a good comparison: https://stackoverflow.com/a/45531372 and Ejabberd is the most used thing out there. https://xmpp.org/software/
Yes, you can use a Cloudflare tunnel but why? Since you’re into self-hosting why should you depend on some random company to tunnel your traffic when you most likely don’t need it? You also have all the potential tracking, spyware, risks and “being hostage” scenarios that may come with that choice.
The following assumes your use case is a simple home server for “standard arr apps, jellyfin, pi-hole” for personal usage that sits inside your network and your objetive is to be able to access those services. If you’re instead trying to host a game server / few services for friends (that doesn’t really need to be “inside” your home network) there’s a more complete comment with other security considerations and recommendations here.
Your basic requirements are:
Quick setup guide and checklist:
Since you’re only allowing access to your services through the VPN and you’ve heavily restricted access to the VPN port you’ll be safe. Just a side note, don’t be afraid to expose the Wireguard port because if someone tried to connect and they don’t authenticate with the right key the server will silently drop the packets.
Now if your ISP doesn’t provide you with a public IP / port forwarding abilities you may want to read this in order to find why you should avoid Cloudflare and how to setup and alternative / more private solution.
Yeah, that’s a good one as well.