Self-hosted secure file storage - Part II

In part I of this series I covered how to set up Docker services for Filebrowser and Authelia, and access them through a Caddy reverse proxy configuration. In this part I will cover how to access your services remotely over the internet in a secure way. We definitely do not want anything to be open to public traffic and be the target for CVEs, so tread with caution when setting things up.
Tools used:
Docker: A platform for running applications in lightweight, isolated containers.
Caddy: A web server that automatically manages HTTPS and reverse proxies with minimal configuration.
Authelia: A single sign-on (SSO) authentication gateway for securing web applications.
Filebrowser: A web-based file manager that lets you browse, upload, and manage files on a server.
Cloudflare: A DNS and traffic-proxying service that provides some nifty tools, including tunnels.
WireGuard: A VPN protocol that creates encrypted tunnels between devices.
Before proceeding, ensure you have:
Docker service or Docker Desktop installed and running
A domain name registered (or use a free service like DuckDNS)
Cloudflare account (optional, if you plan on using cloudflared tunneling)
Updating the Caddyfile
Modify the Caddyfile you set up in part I to resolve your custom domain and subpaths. We just replace the local domain (localtest.me) with the actual domain we want to use (custom-domain.com in the example below). Note that the redirect_url in the forward_auth block has to change too, otherwise unauthenticated users are bounced to a portal hostname that only resolves on your LAN:

```
files.custom-domain.com {
	tls internal
	forward_auth * http://authelia:9091 {
		uri /api/authz/forward-auth?redirect_url=https://auth.custom-domain.com
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
	reverse_proxy http://filebrowser:80
}

auth.custom-domain.com {
	tls internal
	reverse_proxy http://authelia:9091
}
```

Setting up a Cloudflare tunnel
Buying a domain from Cloudflare or using it as nameserver comes with some advantages:
You don't pay the exorbitant upfront domain prices other DNS providers charge
Renewal prices are not a shock, so no more "$15 for first year, renew at $100"
You get access to some really nice tools like Cloudflare Workers, WHOIS protection, and traffic proxying free of cost
This is in no way an endorsement of CF, just something I considered when setting up my domain.
Moving on to the tunnel setup. From the official site:
With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network.
The simplest way to set up a tunnel is using the Cloudflare dashboard.
The instructions above should be pretty straightforward, and once done you should be able to route requests from outside your network to the correct endpoints in your internal network based on your Caddy config, as simple as that. For example:
A request made to files.custom-domain.com is first checked against Authelia at http://authelia:9091 through the forward_auth block; an unauthenticated user is redirected to auth.custom-domain.com to log in, and once authenticated the request is proxied on to http://filebrowser:80 with the Remote-* identity headers attached.
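To make that round trip concrete, here is a small Python model of the forward_auth exchange, added for this post rather than taken from Caddy, Authelia or Filebrowser. The session store, the authelia_session cookie name, the X-Forwarded-* headers on the subrequest and the exact shape of the portal redirect are simplified assumptions; the hostnames, auth URI and copied header names are the ones from the Caddyfile. What it shows is the contract the gateway enforces: only a 2xx from Authelia lets a request through, the Remote-* headers the upstream sees are the ones the gateway set rather than anything the client sent, and any other response (here a 302 to the portal) goes straight back to the client without touching Filebrowser.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlencode, urlsplit

# Hostnames, auth URI and copied headers from the Caddyfile above.
AUTH_PORTAL = "https://auth.custom-domain.com"
FORWARD_AUTH_URI = "/api/authz/forward-auth"
COPY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email")

# Constructed session store standing in for Authelia's session backend (assumption).
SESSIONS = {
    "sess-7f3a": {
        "Remote-User": "alice",
        "Remote-Groups": "admins,users",
        "Remote-Name": "Alice Example",
        "Remote-Email": "alice@custom-domain.com",
    },
}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _session_from_cookie(cookie_header: str) -> Optional[dict]:
    """Look up the authelia_session cookie (cookie name is an assumption)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "authelia_session":
            return SESSIONS.get(value)
    return None


def authelia(req: Request) -> Response:
    """Simplified stand-in for Authelia's forward-auth endpoint (assumption):
    200 plus identity headers for a valid session, otherwise a redirect to the
    portal that carries the original URL so the user lands back where they started."""
    session = _session_from_cookie(req.headers.get("Cookie", ""))
    if session is None:
        original = (f"{req.headers['X-Forwarded-Proto']}://"
                    f"{req.headers['X-Forwarded-Host']}{req.headers['X-Forwarded-Uri']}")
        query = urlencode({"rd": original, "rm": req.headers["X-Forwarded-Method"]})
        return Response(302, {"Location": f"{AUTH_PORTAL}/?{query}"})
    return Response(200, dict(session))


def filebrowser(req: Request) -> Response:
    """Upstream that trusts Remote-User because only the gateway can reach it."""
    return Response(200, body=f"files for {req.headers.get('Remote-User', 'anonymous')}")


def caddy_forward_auth(req: Request,
                       authz: Callable[[Request], Response] = authelia,
                       upstream: Callable[[Request], Response] = filebrowser) -> Response:
    """Model of the forward_auth -> copy_headers -> reverse_proxy chain."""
    parts = urlsplit(req.url)
    # The gateway issues a GET against the auth URI and passes the original
    # method, scheme, host, URI and cookies along as headers.
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    subrequest = Request("GET", f"http://authelia:9091{FORWARD_AUTH_URI}", {
        "X-Forwarded-Method": req.method,
        "X-Forwarded-Proto": parts.scheme,
        "X-Forwarded-Host": parts.netloc,
        "X-Forwarded-Uri": uri,
        "Cookie": req.headers.get("Cookie", ""),
    })
    verdict = authz(subrequest)
    if not 200 <= verdict.status < 300:
        # Anything but 2xx is returned to the client; the upstream is never reached.
        return verdict
    # Drop any Remote-* headers the client supplied, then copy the gateway's own.
    for name in COPY_HEADERS:
        req.headers.pop(name, None)
        if name in verdict.headers:
            req.headers[name] = verdict.headers[name]
    return upstream(req)


if __name__ == "__main__":
    anon = Request("GET", "https://files.custom-domain.com/files/report.pdf")
    print(caddy_forward_auth(anon).status, caddy_forward_auth(anon).headers)
    user = Request("GET", "https://files.custom-domain.com/",
                   {"Cookie": "authelia_session=sess-7f3a"})
    print(caddy_forward_auth(user).body)
```

The spoofing check is the part worth keeping in mind: a client that sends its own Remote-User header gets it stripped before the request reaches Filebrowser, which is exactly why Filebrowser must only be reachable through Caddy on the Docker network and never on a published port.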
While a CF tunnel provides a convenient way to access internal services, there may be privacy concerns here, since all traffic has to be proxied through Cloudflare's servers for the tunneling to work. That's where WireGuard and services based on that protocol come in. Going into detail on something like Tailscale or Netbird is beyond the scope of this article, but they offer both convenience and privacy.
That's all for this post. Based on which method you choose for tunneling and the Caddy config you should now be able to access your Docker services like you would on a local network. Ciao for now!