
Self-hosted secure file storage - Part II


In part I of this series I covered how to set up Docker services for Filebrowser and Authelia, and how to access them through a Caddy reverse proxy configuration. In this part I will cover how to access your services remotely over the internet in a secure way. We definitely do not want anything to be open to public traffic and become a target for CVEs, so tread with caution when setting things up.



Tools used:

  • Docker: A platform for running applications in lightweight, isolated containers.

  • Caddy: A web server that automatically manages HTTPS and reverse proxies with minimal configuration.

  • Authelia: A single sign-on (SSO) authentication gateway for securing web applications.

  • Filebrowser: A web-based file manager that lets you browse, upload, and manage files on a server.

  • Cloudflare: A web hosting service that provides some nifty tools.

  • WireGuard: A VPN protocol that allows encrypted tunnels between devices.

Before proceeding, ensure you have:

  • Docker service or Docker Desktop installed and running

  • A domain name registered (or use a free service like DuckDNS)

  • Cloudflare account (optional, if you plan on using cloudflared tunneling)

Updating the Caddyfile

Modify the Caddyfile you set up in part I to resolve your custom domain and its subdomains. We just replace the local domain (localtest.me) with the actual domain we want to use (custom-domain.com) everywhere it appears.

Caddyfile
# Filebrowser, gated by Authelia forward auth
files.custom-domain.com {
  tls internal
  forward_auth * http://authelia:9091 {
    # Unauthenticated users are redirected to the Authelia portal
    uri /api/authz/forward-auth?redirect_url=https://auth.custom-domain.com
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }
  reverse_proxy http://filebrowser:80
}

# Authelia login portal
auth.custom-domain.com {
  tls internal
  reverse_proxy http://authelia:9091
}
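A check for the domain swap above, as an added example that is not part of the original post: it parses a Caddyfile, collects the top-level site addresses, and flags any leftover reference to the old local domain as well as any forward-auth redirect_url whose host no site block serves. The function names and the embedded sample (constructed, with one value deliberately left stale) are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: redirect_url deliberately left on the old local domain.
SAMPLE = """\
files.custom-domain.com {
  tls internal
  forward_auth * http://authelia:9091 {
    uri /api/authz/forward-auth?redirect_url=https://auth.localtest.me
    copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
  }
  reverse_proxy http://filebrowser:80
}

auth.custom-domain.com {
  tls internal
  reverse_proxy http://authelia:9091
}
"""

def _code(line):
    """Strip whitespace and drop whole-line comments."""
    text = line.strip()
    return "" if text.startswith("#") else text

def site_addresses(caddyfile):
    """Hostnames of top-level site blocks (lines opening a block at depth 0)."""
    sites, depth = set(), 0
    for line in caddyfile.splitlines():
        text = _code(line)
        if depth == 0 and text.endswith("{"):
            for addr in text[:-1].replace(",", " ").split():
                host = urlparse(addr if "://" in addr else "//" + addr).hostname
                if host:
                    sites.add(host)
        depth += text.count("{") - text.count("}")
    return sites

def stale_references(caddyfile, old_domain="localtest.me"):
    """(line_no, problem) pairs for old-domain leftovers and orphan redirects."""
    sites, findings = site_addresses(caddyfile), []
    for no, line in enumerate(caddyfile.splitlines(), 1):
        text = _code(line)
        if old_domain in text:
            findings.append((no, f"still references {old_domain}"))
        m = re.search(r"redirect_url=https?://\S+", text)
        if m and urlparse(m.group(0).split("=", 1)[1]).hostname not in sites:
            findings.append((no, "redirect_url host is not a site in this file"))
    return findings
```

Run `stale_references` on your own Caddyfile contents before reloading Caddy; an empty list means every redirect points at a host the same file serves.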

Setting up a Cloudflare tunnel

Buying a domain from Cloudflare or using it as nameserver comes with some advantages:

  • You don't pay the exorbitant upfront domain prices other DNS providers charge

  • Renewal prices are not a shock, so no more "$15 for first year, renew at $100"

  • You get access to some really nice tools like Cloudflare Workers, whois protection, and traffic proxying free of cost

This is in no way an endorsement for CF but just something I considered when setting up my domain.

Moving on to the tunnel setup. From the official site:

With Tunnel, you do not send traffic to an external IP — instead, a lightweight daemon in your infrastructure (cloudflared) creates outbound-only connections to Cloudflare's global network.

The simplest way to set up a tunnel is using the Cloudflare dashboard.


This is a WIP. Check back later for an updated version.
