### Run Caddy with NGINX Config Adapter

Source: https://caddyserver.com/

This command demonstrates Caddy's flexibility by showing how to run it using an NGINX configuration file. The `--adapter nginx` flag enables Caddy to interpret and apply NGINX-style configurations.

```Shell
$ caddy run \
    --config nginx.conf \
    --adapter nginx
```

--------------------------------

### Configure Nginx Proxy Buffer Sizes for Pocket ID

Source: https://context7_llms

Nginx configuration snippet to increase proxy buffer sizes. This adjustment is crucial when using Nginx as a reverse proxy for Pocket ID, as SvelteKit can generate larger headers that may exceed default buffer limits.

```conf
proxy_busy_buffers_size 512k;
proxy_buffers 4 512k;
proxy_buffer_size 256k;
```

--------------------------------

### Nginx Configuration for Pocket ID Well-Known Endpoint

Source: https://context7_llms

This Nginx configuration block is required when Caddy is disabled (`CADDY_DISABLED=true`) to correctly handle `Access-Control-Allow-Origin` headers for Pocket ID's `.well-known` OpenID Connect discovery endpoint. It hides the upstream's `Access-Control-Allow-Headers` and `Access-Control-Allow-Origin` headers and adds a new `Access-Control-Allow-Origin` set to `$http_origin`, so the response echoes whatever `Origin` header the request carried.

```nginx
location /.well-known/ {
    proxy_hide_header Access-Control-Allow-headers;
    proxy_hide_header Access-Control-Allow-Origin;
    add_header Access-Control-Allow-Origin "$http_origin";
}
```

--------------------------------

### Configure F5 NGINX Website Performance and Visitor Tracking

Source: https://www.nginx.com/

Initializes performance markers using `window.performance` and configures F5's visitor tracking settings, primarily integrating with Tealium. It also defines URLs for warming up legacy analytics libraries.

```JavaScript
var wperf = window.performance ? window.performance : {};
wperf.mark("PreResources");
window.F5 = window.F5 || {};
window.F5.VisitorTracking = window.F5.VisitorTracking || {
  "isConfigEnabled": true,
  "tealiumScriptAsyncUrl": "//mktg.tags.f5.com/main/prod/utag.js",
  "tealiumScriptSyncUrl": "//mktg.tags.f5.com/main/prod/utag.sync.js",
  "tealiumScriptBasicAsyncUrl": "//mktg.tags.f5.com/basic/prod/utag.js",
  "tealiumScriptBasicSyncUrl": "//mktg.tags.f5.com/basic/prod/utag.js",
  "visitorTrackingService": "tealium",
  "isTealiumActive": true,
  "isLegacyActive": false,
  "legacyLibWarmingUrls": ["https://assets.adobedtm.com", "https://www.google-analytics.com", "https://www.googletagmanager.com"]
};
wperf.mark("clientlib-css-done");
```

--------------------------------

### Configure NGINX for X-Forwarded-Proto Header

Source: https://healthchecks.io/docs/self_hosted_docker/

This NGINX configuration snippet ensures that the `X-Forwarded-Proto` header is correctly set based on the original request's protocol. This is crucial for applications like Healthchecks using uWSGI to correctly determine if a request is secure, preventing HTTP 403 CSRF verification errors when behind a TLS-terminating reverse proxy.

```NGINX
proxy_set_header X-Forwarded-Proto $scheme;
```

--------------------------------

### Initialize F5 NGINX Digital Data Layers for Analytics

Source: https://www.nginx.com/

Sets up `window.digitalData` and `window.utag_data` objects, which serve as data layers for analytics and tag management systems like Tealium. These objects contain page-specific information such as page name, URL, referring URL, language, and category details.

```JavaScript
window.digitalData = {
  "page": {
    "pageInfo": {
      "pageName": "www:f5.com:go:product:welcome-to-nginx",
      "destinationUrl": "https://www.f5.com/go/product/welcome-to-nginx.html",
      "subDomain": "www",
      "referringUrl": "https://www.nginx.com/",
      "referringPageName": "",
      "language": "en_US",
      "version": ""
    },
    "category": {
      "primaryCategory": "go",
      "subCategory1": "product",
      "subCategory2": "welcome-to-nginx",
      "subCategory3": ""
    }
  }
};
window.utag_data = {
  "page.pageInfo.pageName": "www:f5.com:go:product:welcome-to-nginx",
  "page.pageInfo.destinationUrl": "https://www.f5.com/go/product/welcome-to-nginx.html",
  "page.pageInfo.subDomain": "www",
  "page.pageInfo.referringUrl": "https://www.nginx.com/",
  "page.pageInfo.referringPageName": "",
  "page.pageInfo.language": "en_US",
  "page.pageInfo.version": "",
  "page.category.primaryCategory": "go",
  "page.category.subCategory1": "product",
  "page.category.subCategory2": "welcome-to-nginx",
  "page.category.subCategory3": ""
};
```

--------------------------------

### Configure Nginx Headers for Linkding Reverse Proxy

Source: https://linkding.link/installation

These Nginx directives are essential for correctly forwarding `Host` and `X-Forwarded-Proto` headers to the Linkding application when using Nginx as a reverse proxy. This prevents common issues like login failures due to incorrect header rewriting.

```nginx
location /linkding {
    ...
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

--------------------------------

### JavaScript Polyfill for CSS Custom Properties

Source: https://www.nginx.com/

This snippet checks for native support of CSS Custom Properties (`window.CSS`). If not supported, it dynamically creates and appends a script tag to load a polyfill from a specified path, ensuring broader browser compatibility for CSS variables.

```javascript
(function () {
  if (!window.CSS) {
    var script = document.createElement("script");
    script.type = "text/javascript";
    script.src = ("/etc.clientlibs/base/clientlibs/libs/polyfills/customProperties/v1.js");
    document.getElementsByTagName("head")[0].appendChild(script);
  }
})();
```

--------------------------------

### Mark Client-Side JavaScript Performance Milestones (JavaScript)

Source: https://www.nginx.com/

This JavaScript snippet utilizes a `wperf` utility to record specific performance milestones during the loading of client-side libraries. The marks 'clientlib-js-base-done' and 'clientlib-js-components-done' indicate the completion of base and component JavaScript library loading, respectively, which is useful for performance monitoring and analysis.

```JavaScript
wperf.mark("clientlib-js-base-done");
wperf.mark("clientlib-js-components-done");
```

--------------------------------

### Define Custom Web Fonts for F5 NGINX Website

Source: https://www.nginx.com/

Defines custom web fonts, 'Proxima' and 'Neusa', using CSS `@font-face` rules. It specifies the font family names, `font-display` fallback behavior, and the source URLs for different font formats (WOFF2 and WOFF) to ensure broad browser compatibility.

```CSS
@font-face {
  font-family: Proxima;
  font-display: fallback;
  src: url(/etc.clientlibs/base/clientlibs/base-resources/resources/fonts/Proxima/Proxima-reg.woff2) format("woff2"),
       url(/etc.clientlibs/base/clientlibs/base-resources/resources/fonts/Proxima/Proxima-reg.woff) format("woff");
}

@font-face {
  font-family: Neusa;
  font-display: fallback;
  src: url(/etc.clientlibs/base/clientlibs/base-resources/resources/fonts/Neusa/Neusa-Reg.woff2) format("woff2"),
       url(/etc.clientlibs/base/clientlibs/base-resources/resources/fonts/Neusa/Neusa-Reg.woff) format("woff");
}
```

--------------------------------

### Enable/Disable Paperless-ngx Webserver Compression

Source: https://docs.paperless-ngx.com/configuration/

This setting enables or disables compression for responses served by the Paperless-ngx webserver. While useful, it's often more efficient to handle compression at a proxy level (e.g., Nginx) if one is in use.

```APIDOC
PAPERLESS_ENABLE_COMPRESSION=
  - Description: Enables or disables compression of the responses from the webserver.
  - Type: Boolean (1 for enabled, 0 for disabled)
  - Default: 1 (enabled)
  - Note: If you are using a proxy such as nginx, it is likely more efficient to enable compression in your proxy configuration rather than the webserver.
```

--------------------------------

### Implement Font Loading Observer and Promise Polyfill

Source: https://www.nginx.com/

Includes a minified JavaScript utility, likely Font Face Observer (v2.0.13), to detect when web fonts have finished loading and apply a 'fonts-loaded' class to the document body. It also provides a polyfill for `window.Promise` to ensure modern asynchronous operations are supported in older browser environments.

--------------------------------

This is a common pattern to indicate that JavaScript is enabled and running, allowing CSS to apply different styles based on JS availability.

```javascript
document.documentElement.className = document.documentElement.className.replace("js-off","js-on");
```

--------------------------------

### JavaScript Font Loading with FontFaceObserver

Source: https://www.nginx.com/

This comprehensive JavaScript snippet defines and utilizes the FontFaceObserver library for asynchronously loading web fonts. It provides a robust mechanism to detect when a font has loaded, supporting both the modern 'document.fonts.load' API and a fallback measurement-based approach for older browsers.
Upon successful loading, it adds a class to the document element for styling purposes.

```javascript
var PrimaryFont = new FontFaceObserver('Proxima');
var DisplayFont = new FontFaceObserver('Neusa');
Promise.all([PrimaryFont.load(null, 6000), DisplayFont.load(null, 6000)]).then(function () {
  document.documentElement.classList.add(loadCls);
  wperf.mark(loadCls);
}).catch(e => {
  console.log("fonts failed to load.");
});
```

--------------------------------

### Define Kubernetes Pod with Projected Service Account Token

Source: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

This YAML manifest defines a Kubernetes Pod named 'nginx' that utilizes service account token projection. It mounts a token from the 'build-robot' service account into the container at '/var/run/secrets/tokens'. The token is configured with an audience of 'vault' and an expiration of 7200 seconds (2 hours), allowing secure, time-limited access to external systems like Vault.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: build-robot
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault
```

--------------------------------

### Create Kubernetes Pod from Remote Manifest

Source: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

This `kubectl` command deploys a Kubernetes Pod by fetching its manifest from a remote URL. It's used to create the 'nginx' Pod defined with service account token projection, enabling the Pod to access external services with a projected token.

```bash
kubectl create -f https://k8s.io/examples/pods/pod-projected-svc-token.yaml
```

--------------------------------

### Caddyfile Reusable Reverse Proxy Function

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This Caddyfile snippet defines a reusable named function '(reverse-proxy)' for configuring a reverse proxy. It takes three arguments: a subdomain, a top-level domain, and the destination address (host:port). The function sets up a host matcher and then proxies requests to the specified backend, simplifying common reverse proxy configurations.

```Caddyfile
(reverse-proxy) {
	# [0] subdomain [1] top domain [2] destination and port
	@{args[0]} host {args[0]}.{args[1]}
	handle @{args[0]} {
		reverse_proxy {args[2]}
	}
}
```

--------------------------------

### Define a Reusable Reverse Proxy Function in Caddyfile

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This Caddyfile snippet defines a reusable named snippet `(reverse-proxy)` that can be imported to easily configure a reverse proxy. It takes arguments for subdomain, top-level domain, and the destination address with port, simplifying common proxy setups.

```Caddyfile
(reverse-proxy) {
	# [0] subdomain [1] top domain [2] destination and port
	@{args[0]} host {args[0]}.{args[1]}
	handle @{args[0]} {
		reverse_proxy {args[2]}
	}
}
```

--------------------------------

### Download Rallly repository with Curl

Source: https://support.rallly.co/self-hosting/installation/docker

Provides an alternative method to download the Rallly self-hosted repository using `curl` if Git is not installed. This downloads the master branch as a tarball.

```shellscript
curl -L https://github.com/lukevella/rallly-selfhosted/archive/master.tar.gz | tar -xz
```

--------------------------------

### Caddy Website Configuration with Templates, Rewrites, and Proxy

Source: https://caddyserver.com/

This Caddyfile snippet provides a comprehensive example for configuring a website. It covers serving static files, processing templates, applying compression, handling redirects, performing URL rewrites, and setting up a reverse proxy to a backend service.

```Caddyfile
caddyserver.com

root * src
file_server
templates # markdown & syntax highlighting!
encode zstd gzip
redir /docs/json /docs/json/
rewrite /docs/json/* /docs/json/index.html
rewrite /docs/* /docs/index.html
reverse_proxy /api/* localhost:9002
```

--------------------------------

### Clone Rallly Repository using Curl and Tar

Source: https://support.rallly.co/self-hosting/installation/docker

Downloads and extracts the Rallly self-hosted repository using curl and tar. This method is an alternative if Git is not available.

```shellscript
curl -L https://github.com/lukevella/rallly-selfhosted/archive/master.tar.gz | tar -xz
cd rallly-selfhosted-main
```

--------------------------------

### Define Reusable Caddyfile Reverse Proxy Import

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This Caddyfile snippet defines a reusable import block named after `args[0]`. It sets up a reverse proxy directive that forwards requests to the backend address specified by `args[2]`. This modular approach allows for easy reuse of common reverse proxy configurations across multiple sites or services.

```Caddyfile
define @{args[0]} {
	reverse_proxy {args[2]}
}
}
```

--------------------------------

### Caddy Server Configuration for example.com

Source: https://caddyserver.com/

This Caddyfile configuration defines various behaviors for `example.com`. It includes serving PHP applications, proxying to an autoscaling API with dynamic backend discovery, load balancing and health checks for a distributed service, and a catch-all reverse proxy to an HTTPS upstream. It showcases Caddy's versatility in handling different types of web traffic within a single domain configuration.

```Caddyfile
example.com

# Serve PHP sites
handle /blog/* {
	root * /var/www/wordpress
	php_fastcgi localhost:9000
	file_server
}

# Proxy an autoscaling API with dynamic backends
reverse_proxy /api/* {
	dynamic srv _api._tcp.example.com
}

# Proxy a compute-heavy distributed service
# with load balancing and health checks
reverse_proxy /service/* {
	to 10.0.1.1:80 10.0.1.2:80 10.0.1.3:80
	lb_policy least_conn
	lb_try_duration 10s
	fail_duration 5s
}

# Proxy everything else to an HTTPS upstream
reverse_proxy https://service.example.com {
	header_up Host {upstream_hostport}
}
```

--------------------------------

### Install OAuth2 Proxy using Go

Source: https://oauth2-proxy.github.io/oauth2-proxy/installation

This command installs the latest stable version of the OAuth2 Proxy binary directly from its Go module. The binary will be placed in your `$GOPATH/bin` directory. Ensure that `$GOPATH` is correctly set and included in your system's `$PATH` environment variable for the binary to be executable from any location.

```Shell
$ go install github.com/oauth2-proxy/oauth2-proxy/v7@latest
```

--------------------------------

### Verify Image Pull Secrets on New Pods

Source: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

These commands demonstrate how to confirm that the configured `imagePullSecrets` are automatically inherited by new Pods using the default Service Account. A test Nginx Pod is created, and then `jsonpath` is used to extract and display the name of the image pull secret from the Pod's specification, confirming its presence.

```bash
kubectl run nginx --image=<registry name>/nginx --restart=Never
kubectl get pod nginx -o=jsonpath='{.spec.imagePullSecrets[0].name}{"\n"}'
```

--------------------------------

### Clone Rallly Self-Hosted Repository

Source: https://support.rallly.co/self-hosting/installation/docker

Instructions to clone the Rallly self-hosted repository from GitHub using Git, or alternatively, download and extract it using cURL if Git is not installed. These commands prepare the local environment for further installation steps.

```Bash
git clone https://github.com/lukevella/rallly-selfhosted.git
cd rallly-selfhosted
```

```Bash
curl -L https://github.com/lukevella/rallly-selfhosted/archive/master.tar.gz | tar -xz
cd rallly-selfhosted-main
```

--------------------------------

### Configure X-Forwarded-Port Usage

Source: https://docs.paperless-ngx.com/configuration/

Configures Django's `USE_X_FORWARDED_PORT` setting, which is often necessary when Paperless-ngx is hosted behind a reverse proxy to correctly identify the port.

```APIDOC
PAPERLESS_USE_X_FORWARD_PORT=
  - Description: Configures Django's USE_X_FORWARDED_PORT setting.
  - Type: boolean
  - Default: false
  - Purpose: May be needed for hosting behind a proxy.
```

--------------------------------

### Restrict user access to a single email address

Source: https://support.rallly.co/self-hosting/installation/docker

This configuration sets the `ALLOWED_EMAILS` environment variable to a single email address. Only users with this specific email will be able to register and log in to the instance, effectively securing it for individual use.

```Shell
ALLOWED_EMAILS="john.doe@example.com"
```

--------------------------------

### YAML Server Configuration for OIDC Authentication

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This YAML snippet configures a server to serve content from the `/mnt` path and integrates OpenID Connect (OIDC) for authentication.
It specifies the OIDC client ID, client secret, issuer URL, requested scopes, and how to identify users. It also enables automatic user creation upon successful authentication.

```YAML
server:
  sources:
    - path: /mnt
auth:
  methods:
    oidc:
      enabled: true
      clientId: "redacted"
      clientSecret: "redacted"
      issuerUrl: "https://id.mydomain.com/authorize"
      scopes: "email openid profile"
      userIdentifier: "username"
      disableVerifyTLS: false
      createUser: true
```

--------------------------------

### Importing and Using the Caddyfile Reverse Proxy Function

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

These Caddyfile lines demonstrate how to import and utilize the previously defined `(reverse-proxy)` function. They show configurations for 'Filebrowser' and 'Pocket-ID' applications, mapping specific subdomains to internal service addresses.

```Caddyfile
import reverse-proxy fb domain.com 10.123.123.123:1234 # Filebrowser
```

```Caddyfile
import reverse-proxy id example.com 1.2.3.4:1234 # Pocket-ID
```

--------------------------------

### Minimal Filebrowser Server Configuration

Source: https://github.com/gtsteffaniak/filebrowser/wiki/Configuration-And-Examples

This snippet demonstrates a basic server configuration for filebrowser, defining a single file source with an optional name and enabling it by default for all users. It also includes default administrative authentication credentials.

```YAML
server:
  sources:
    - path: "/path/to/source"
      name: optional-name
      config:
        defaultEnabled: true # this gives the source to all users by default.
auth:
  adminUsername: admin
  adminPassword: admin
```

--------------------------------

### Filebrowser Server Configuration with Multiple Sources

Source: https://github.com/gtsteffaniak/filebrowser/wiki/Configuration-And-Examples

This example illustrates how to configure the filebrowser server to expose multiple file sources.
It sets the server port to 80 and defines two distinct paths, which will default to names 'source1' and 'source2' respectively.

```YAML
server:
  port: 80
  sources:
    - path: "/path/to/source1" # defaults with name "source1"
    - path: "/path/to/source2" # defaults with name "source2"
```

--------------------------------

### Configure Apache Rewrite Rule for OpenID Connect Service Discovery

Source: https://doc.owncloud.com/server/10.15/admin_manual/configuration/user/oidc/oidc.html

This snippet provides an Apache `RewriteRule` to expose the OpenID Connect app's service discovery endpoint (`/index.php/apps/openidconnect/config`) under the standard `.well-known/openid-configuration` path. This is crucial for ownCloud clients to automatically discover and utilize OIDC. Ensure `mod_rewrite` is enabled, and `mod_proxy`, `mod_proxy_http`, `mod_proxy_connect` if SSL is used. Redirect rules must be avoided as they violate the OIDC specification.

```Apache Configuration
RewriteEngine on
RewriteRule "^/.well-known/openid-configuration" "/index.php/apps/openidconnect/config" [P]
# This can be omitted if no SSL is used
SSLProxyEngine On
```

--------------------------------

### Pin Docker image version in docker-compose.yml

Source: https://support.rallly.co/self-hosting/installation/docker

Rallly uses semantic versioning, with releases published on Docker Hub. While

--------------------------------

### Test Pocket ID Instance Connectivity with Curl

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This snippet shows a `curl` command used to verify connectivity and retrieve the `/authorize` endpoint from a Pocket ID instance. It includes verbose output, detailing the TLS handshake, HTTP/2 negotiation, request headers, and the full HTML response, confirming successful access.

```bash
root@localhost ~ % curl -v https://id.example.com/authorize
* Host id.example.com:443 was resolved.
* IPv6: redacted
* IPv4: redacted
* Trying redacted...
* Connected to id.example.com (redacted) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: redacted
* expire date: redacted
* subjectAltName: host "id.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://id.example.com/authorize
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: id.example.com]
* [HTTP/2] [1] [:path: /authorize]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
```

--------------------------------

### Path and URL Configuration Variables

Source: https://docs.paperless-ngx.com/configuration/

These environment variables control the base URL path and static file URL for Paperless-ngx, useful when hosting the application under a subpath or behind a reverse proxy.

```APIDOC
PAPERLESS_FORCE_SCRIPT_NAME=
  - Description: Sets the subpath URL under which Paperless-ngx is hosted (e.g., /paperless for example.com/paperless).
  - Constraints: No trailing slash.
  - Default: None (hosts Paperless-ngx at "/")
  - Note: Required when hosting behind a reverse proxy at a subpath (e.g., Traefik or Nginx).

PAPERLESS_STATIC_URL=
  - Description: Overrides the default STATIC_URL. Useful if static files are served from a different path.
  - Constraints: Be sure to include the trailing slash if changed.
  - Default: "/static/"
```

--------------------------------

### Authelia OIDC Client Configuration for FileBrowser

Source: https://github.com/gtsteffaniak/filebrowser/wiki/Configuration-And-Examples

This YAML snippet configures an OIDC client for Authelia, specifying client details, authentication policy, scopes, grant types, and redirect URIs for integration with FileBrowser.

```YAML
- client_id: xxx
  client_name: filebrowser
  client_secret: xxx
  public: false
  authorization_policy: two_factor
  scopes:
    - openid
    - email
    - profile
  grant_types:
    - 'authorization_code' # required
  redirect_uris:
    - https://files.example.com/api/auth/oidc/callback
  userinfo_signing_algorithm: none
  token_endpoint_auth_method: client_secret_basic
```

--------------------------------

### Grant instance access to an entire email domain

Source: https://support.rallly.co/self-hosting/installation/docker

This configuration uses a wildcard (`*`) in the `ALLOWED_EMAILS` environment variable to permit all users from a specified domain to register and log in. This is useful for organizations wanting to grant access to all their employees.

```Shell
ALLOWED_EMAILS="*@example.com"
```

--------------------------------

### Caddyfile Import for Pocket ID Reverse Proxy

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

Another practical example of importing the reverse proxy block, specifically configured for a Pocket ID instance. This snippet shows the flexibility of the `define` and `import` mechanism, using 'id' as the import name, 'example.com' as the domain, and '1.2.3.4:1234' as the backend address for Pocket ID.

```Caddyfile
import reverse-proxy id example.com 1.2.3.4:1234 # Pocket-ID
```

--------------------------------

### Local RDP Gateway Testing with Docker Compose and OpenID

Source: https://github.com/bolkedebruin/rdpgw

Instructions for setting up a local RDP Gateway testing environment using Docker Compose, integrating Keycloak for OpenID and xrdp. This setup exposes services on port 9443 and requires adding `127.0.0.1 keycloak` to the `/etc/hosts` file for DNS resolution. Self-signed certificates are used, which may require browser configuration (e.g., `chrome://flags/#allow-insecure-localhost`).

```Shell
cd dev/docker
docker-compose -f docker-compose.yml up
```

```Shell
docker-compose -f docker-compose-arm64.yml up
```

--------------------------------

### Perform OpenID Connect Discovery with Curl

Source: https://github.com/gtsteffaniak/filebrowser/issues/816

This snippet captures the verbose output of a `curl` command performing an OpenID Connect discovery request. It includes details of the TLSv1.3 handshake, HTTP/2 negotiation, request headers sent, and response headers received, demonstrating the full communication flow to retrieve the OIDC configuration.

```HTTP
offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
* subject: CN=example.com
* start date: May 25 13:07:17 2025 GMT
* expire date: Aug 23 14:05:42 2025 GMT
* subjectAltName: host "id.example.com" matched cert's "*.example.com"
* issuer: C=US; O=Google Trust Services; CN=WE1
* SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://id.example.com/.well-known/openid-configuration
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: id.example.com]
* [HTTP/2] [1] [:path: /.well-known/openid-configuration]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET /.well-known/openid-configuration HTTP/2
> Host: id.example.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< date: Fri, 20 Jun 2025 22:20:30 GMT
< content-type: application/json; charset=utf-8
< cf-ray: redacted-SEA
< access-control-allow-headers: Authorization
< access-control-allow-methods: GET, POST
< access-control-allow-origin: *
< alt-svc: h3=":443"; ma=86400
< vary: Accept-Encoding
< via: 1.1 Caddy
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=redacted"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; includeSubDomains
< server: cloudflare
< server-timing: cfL4;desc="?proto=TCP&rtt=25025&min_rtt=8123&rtt_var=10615&sent=7&recv=12&lost=0&retrans=0&sent_bytes=2914&recv_bytes=595&delivery_rate=351755&cwnd=69&unsent_bytes=0&cid=4a67e378f22d06ba&ts=836&x=0"
<
* Connection #0 to host id.example.com left intact
```