This has been tested and verified to be working June 2026 on Ubuntu 24.04 and Debian 13, served over HTTPS behind Nginx proxy server.<\/em><\/p>\n\n\n\n You need a server running Linux server with a sudo user, and a domain name with an A record pointing at the server if you want HTTPS, which you do. Port 80 must be reachable for the certificate challenge, plus 443 for the live site. The binary itself is tiny and idles at around 10 MB of memory, so even a 1 vCPU box handles it comfortably.<\/p>\n\n\n\n The whole guide uses shell variables so you edit one block and paste the rest unchanged. Export these at the top of your SSH session and swap the values for your own:<\/p>\n\n\n\n Confirm they are set before running anything that depends on them. These values live only in the current shell, so re-export them if you reconnect or jump into a root shell:<\/p>\n\n\n\n The official installer downloads the right binary for your architecture and drops it in Prefer to inspect what you run? Download the script, read it, then execute it. You can also grab a tagged tarball straight from the releases page<\/a> and drop the binary in place yourself. Either way, confirm the install:<\/p>\n\n\n\n You should see the version string printed back:<\/p>\n\n\n\n FileBrowser keeps its settings and users in a single embedded database file (Bolt), not a separate database server. Create a dedicated system user to own and run the service, then the directories for the database and the folder you want to serve:<\/p>\n\n\n\n Initialize the database as that user so ownership stays clean from the start:<\/p>\n\n\n\n Now set the core options in one shot. Binding to Create your administrator account. Pick a real password (the default minimum length is 12 characters):<\/p>\n\n\n\n A quick note that saves confusion later. The Bolt database allows only one process to open it at a time. Any Running the binary by hand is fine for a quick look, but you want it to start on boot and restart on failure. Create a unit file:<\/p>\n\n\n\n Paste the following. The address, port, and root all come from the database you configured above, so the command line only needs to point at the database. The hardening directives stop the service from writing anywhere except the two paths it actually needs:<\/p>\n\n\n\n Reload systemd, then enable and start the service so it comes up now and on every boot:<\/p>\n\n\n\n Check that it is active and listening on the loopback address only:<\/p>\n\n\n\n The status output should show Before Nginx is in front, you can reach the interface through an SSH tunnel from your laptop, which avoids exposing the port. Run this locally, replacing the host with your server address, then browse to Log in with the administrator account you created. The instance name you set with Inside, the contents of your served folder appear as a familiar file listing with size and modified columns, a sidebar for new files and folders, and a disk usage bar at the bottom. This is the whole point: a remote directory that behaves like a local file manager.<\/p>\n\n\n\n Selecting a file reveals the action toolbar in the top right: share, rename, copy, move, delete, and download. Folders can be downloaded as a zip, text and code files open in a built-in editor with syntax highlighting, and images, audio, and video preview inline. Uploads work by drag and drop or through the upload button, and large transfers resume thanks to the chunked upload protocol FileBrowser uses under the covers.<\/p>\n\n\n\n The real value of FileBrowser shows up when several people share one server but should not see each other’s files. Each user gets a scope<\/em>, a path they are locked into, plus a set of permissions. Stop the service first so the CLI can open the database:<\/p>\n\n\n\n Add a user confined to a subfolder, with delete turned off so they cannot remove anything:<\/p>\n\n\n\n For a read-only account, strip every write permission and leave only download:<\/p>\n\n\n\n List what you have, then start the service again:<\/p>\n\n\n\n Everything you just did on the command line is also available under Settings, User Management, where admins can add, edit, and scope accounts without stopping the service. The list shows each user’s admin flag and the folder they are pinned to:<\/p>\n\n\n\n Scopes decide which folder a user sees. Rules decide which files are hidden inside it, using either a literal path or a regular expression. They apply globally by default and can be overridden per user. Two rules worth setting on almost any server hide environment files and dotfiles from the listing:<\/p>\n\n\n\n Those same rules appear under Settings, Global Settings, alongside the signup toggle, default permissions, and branding controls. This is also where you set the minimum password length and decide whether new accounts get a home folder automatically:<\/p>\n\n\n\n Select a file or folder and click the share icon to generate a public link that needs no account. You can set an expiry (in minutes, hours, or days) and an optional password, which is the difference between a link that leaks forever and one that dies on schedule:<\/p>\n\n\n\n Anyone who opens the link gets a minimal download page with the file name, size, a download button, and a QR code for grabbing it on a phone. No sidebar, no login, nothing else on your server is exposed:<\/p>\n\n\n\n Every active link is listed under Settings, Share Management, where you can copy it again or revoke it. Deleting a share kills the link immediately, even if the expiry has not passed.<\/p>\n\n\n\n You already set the instance name. You can go further with a custom logo, a theme color, and a stylesheet of your own. Point FileBrowser at a branding directory that holds your assets:<\/p>\n\n\n\n Drop a FileBrowser is bound to localhost, so the last piece is a reverse proxy that terminates TLS and forwards traffic to it. Make sure your domain’s A record points at the server and that port 80 is reachable, then install Nginx:<\/p>\n\n\n\n Create a server block for the site:<\/p>\n\n\n\n Add the following. The Substitute your real domain from the variable, enable the site, drop the default, and reload Nginx:<\/p>\n\n\n\n Now issue the certificate. The Nginx plugin handles the HTTP-01 challenge, rewrites the server block for TLS, and adds the redirect from port 80 in one step:<\/p>\n\n\n\n Confirm automatic renewal is wired up, then browse to your domain over HTTPS and log in with the padlock showing:<\/p>\n\n\n\n If you want to open the firewall explicitly, allow HTTP and HTTPS through UFW and you are done with the proxy. The same pattern works for any app you put behind Nginx, and it is covered in more depth in our Nginx with Let’s Encrypt walkthrough<\/a>.<\/p>\n\n\n\n If the server sits on a private network or behind NAT where port 80 is not reachable, swap the HTTP-01 challenge for DNS-01. Certbot has plugins for Cloudflare, Route 53, DigitalOcean, Google Cloud DNS, Linode, and more. With a Cloudflare-managed domain, install the plugin, drop an API token in a credentials file, and request the certificate over DNS:<\/p>\n\n\n\n Substitute your own provider’s plugin if you are not on Cloudflare, then reference the issued certificate in your Nginx If you would rather run it in a container, the official image covers it. This Compose file uses the s6 variant, which respects the Bring it up and check the container is healthy:<\/p>\n\n\n\n On first start the container prints a randomly generated admin password to its logs, shown only once. Read it, then change it after you log in:<\/p>\n\n\n\n Put the same Nginx and Let’s Encrypt setup in front of the container, pointing the proxy at This means the service already holds the database open. The Bolt store is single-writer, so the running server and a CLI command cannot touch it at the same time. Stop the service with The hook runner (commands that fire on upload, copy, rename, and so on) and the in-browser shell have shipped disabled by default since v2.33.8 because of repeated security problems. That default is correct: an exposed shell on a file manager is a remote code execution surface. If you genuinely need a hook on an internal-only instance, you re-enable execution explicitly and allowlist exactly which commands are permitted, never the whole shell. Treat it as the sharp tool it is and leave it off unless you have a specific, contained reason.<\/p>\n\n\n\n Nginx is up but cannot reach FileBrowser. Confirm the service is running and that Reset it from the CLI. Stop the service, then update the user:<\/p>\n\n\n\n FileBrowser hands out file access over the web, so the defaults matter. Before you point real users at it, walk this list:<\/p>\n\n\n\n With that in place you have a fast, single-binary file manager that you fully control, serving a real directory over HTTPS with scoped users and expiring links. If your needs grow toward team collaboration, versioning, or single sign-on, FileBrowser Quantum, Nextcloud<\/a>, and Seafile<\/a> pick up where the original leaves off, but for putting a folder on the web quickly and safely, this is hard to beat.<\/p>\n","protected":false},"excerpt":{"rendered":" FileBrowser turns any directory on a Linux server into a clean web interface for uploading, downloading, editing, and sharing files. It is a single static Go binary with no database server and no PHP stack behind it. Point it at a folder, open a browser, and you have a working file manager in a couple … Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":168279,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47,50,349],"tags":[282,209,2254],"cfg_series":[39875],"class_list":["post-168280","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-linux-tutorials","category-web-hosting","tag-linux","tag-storage","tag-ubuntu","cfg_series-filebrowser-self-hosting"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=168280"}],"version-history":[{"count":2,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168280\/revisions"}],"predecessor-version":[{"id":168283,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/168280\/revisions\/168283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/168279"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=168280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=168280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=168280"},{"taxonomy":"cfg_series","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/cfg_series?post=168280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Prerequisites<\/h2>\n\n\n\n
\n
sudo<\/code><\/li>\n\n\n\nStep 1: Set reusable shell variables<\/h2>\n\n\n\n
export FB_DB=\"\/etc\/filebrowser\/filebrowser.db\"\nexport FB_ROOT=\"\/srv\/filebrowser\"\nexport FB_ADDR=\"127.0.0.1\"\nexport FB_PORT=\"8080\"\nexport SITE_DOMAIN=\"files.example.com\"\nexport ADMIN_USER=\"admin\"\nexport ADMIN_PASS=\"ChangeThis-To-Something-Strong\"\nexport ADMIN_EMAIL=\"admin@example.com\"<\/code><\/pre>\n\n\n\necho \"DB: ${FB_DB}\"\necho \"Root: ${FB_ROOT}\"\necho \"Listen: ${FB_ADDR}:${FB_PORT}\"\necho \"Domain: ${SITE_DOMAIN}\"<\/code><\/pre>\n\n\n\nStep 2: Install FileBrowser<\/h2>\n\n\n\n
\/usr\/local\/bin<\/code>. It always pulls the latest stable release, so there is no version to keep current in the command:<\/p>\n\n\n\ncurl -fsSL https:\/\/raw.githubusercontent.com\/filebrowser\/get\/master\/get.sh | sudo bash<\/code><\/pre>\n\n\n\nfilebrowser version<\/code><\/pre>\n\n\n\nFile Browser v2.63.5\/a1e442ef<\/code><\/pre>\n\n\n\nStep 3: Create the database and base configuration<\/h2>\n\n\n\n
sudo useradd --system --no-create-home --shell \/usr\/sbin\/nologin filebrowser\nsudo mkdir -p \/etc\/filebrowser \"${FB_ROOT}\"\nsudo chown filebrowser:filebrowser \/etc\/filebrowser \"${FB_ROOT}\"<\/code><\/pre>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" config init<\/code><\/pre>\n\n\n\n127.0.0.1<\/code> keeps FileBrowser off the public network so that Nginx is the only thing facing the internet, which is exactly what you want behind a reverse proxy:<\/p>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" config set \\\n --address \"${FB_ADDR}\" \\\n --port \"${FB_PORT}\" \\\n --root \"${FB_ROOT}\" \\\n --branding.name \"My Files\"<\/code><\/pre>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" users add \"${ADMIN_USER}\" \"${ADMIN_PASS}\" --perm.admin<\/code><\/pre>\n\n\n\nfilebrowser config<\/code> or filebrowser users<\/code> command run while the service is live returns Error: timeout<\/code>. During this first setup the service is not running yet, so you are fine. Once it is, stop it before using the CLI, or make those changes from the web interface instead.<\/p>\n\n\n\nStep 4: Run FileBrowser as a systemd service<\/h2>\n\n\n\n
sudo nano \/etc\/systemd\/system\/filebrowser.service<\/code><\/pre>\n\n\n\n[Unit]\nDescription=File Browser\nAfter=network.target\n\n[Service]\nUser=filebrowser\nGroup=filebrowser\nExecStart=\/usr\/local\/bin\/filebrowser -d \/etc\/filebrowser\/filebrowser.db\nRestart=on-failure\nRestartSec=5\nNoNewPrivileges=true\nProtectSystem=full\nProtectHome=true\nPrivateTmp=true\nReadWritePaths=\/etc\/filebrowser \/srv\/filebrowser\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\nsudo systemctl daemon-reload\nsudo systemctl enable --now filebrowser<\/code><\/pre>\n\n\n\nsudo systemctl status filebrowser --no-pager\nsudo ss -tlnp | grep \"${FB_PORT}\"<\/code><\/pre>\n\n\n\nactive (running)<\/code>, and the socket should be bound to 127.0.0.1<\/code>, not 0.0.0.0<\/code>:<\/p>\n\n\n\n![\"Terminal](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-version-service-status-ubuntu.png\" "\\"\\"")
<\/figure>\n\n\n\nStep 5: First login<\/h2>\n\n\n\n
http:\/\/localhost:8080<\/code>:<\/p>\n\n\n\nssh -L 8080:127.0.0.1:8080 jdoe@10.0.1.50<\/code><\/pre>\n\n\n\nbranding.name<\/code> shows above the form, which is the first sign your configuration took effect:<\/p>\n\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-login-page-ubuntu-2404.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-dashboard-file-listing-ubuntu.png\" "\\"\\"")
<\/figure>\n\n\n\nWork with files<\/h2>\n\n\n\n
![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-file-actions-toolbar-ubuntu.png\" "\\"\\"")
<\/figure>\n\n\n\nAdd users and scope them to a folder<\/h2>\n\n\n\n
sudo systemctl stop filebrowser<\/code><\/pre>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" users add jdoe 'StrongPass-Here' \\\n --scope \/documents --perm.admin=false --perm.delete=false<\/code><\/pre>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" users add viewer 'StrongPass-Here' \\\n --scope \/photos --perm.create=false --perm.modify=false \\\n --perm.rename=false --perm.delete=false --perm.share=false<\/code><\/pre>\n\n\n\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" users ls\nsudo systemctl start filebrowser<\/code><\/pre>\n\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-user-management-scopes-ubuntu.png\" "\\"\\"")
<\/figure>\n\n\n\nBlock files with access rules<\/h2>\n\n\n\n
sudo systemctl stop filebrowser\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" rules add --allow=false '.*\\.env$'\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" rules add --allow=false --regex '^\\.'\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" rules ls\nsudo systemctl start filebrowser<\/code><\/pre>\n\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-global-settings-access-rules.png\" "\\"\\"")
<\/figure>\n\n\n\nShare files with public links<\/h2>\n\n\n\n
![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-create-share-link-expiry.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-public-share-download-qr.png\" "\\"\\"")
<\/figure>\n\n\n\nBrand the interface<\/h2>\n\n\n\n
sudo mkdir -p \/etc\/filebrowser\/branding\/img\nsudo systemctl stop filebrowser\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" config set \\\n --branding.files \/etc\/filebrowser\/branding \\\n --branding.color \"#2d7ff9\"\nsudo systemctl start filebrowser<\/code><\/pre>\n\n\n\nlogo.svg<\/code> inside the img<\/code> subfolder to replace the default mark, and a custom.css<\/code> in the branding root to override colors and spacing. The branding directory must be readable by the filebrowser<\/code> user, and browsers cache the old logo aggressively, so a hard refresh is sometimes needed before the new one shows.<\/p>\n\n\n\nPut FileBrowser behind Nginx with HTTPS<\/h2>\n\n\n\n
sudo apt update\nsudo apt install -y nginx<\/code><\/pre>\n\n\n\nsudo nano \/etc\/nginx\/sites-available\/filebrowser<\/code><\/pre>\n\n\n\nclient_max_body_size 0<\/code> line lifts the upload limit so large files are not rejected by the proxy, and the upgrade headers let the editor and any websocket features work. Leave the placeholder for now, it gets replaced in the next command:<\/p>\n\n\n\nserver {\n listen 80;\n server_name SITE_DOMAIN_HERE;\n\n client_max_body_size 0;\n\n location \/ {\n proxy_pass http:\/\/127.0.0.1:8080;\n proxy_set_header Host $host;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n proxy_set_header X-Forwarded-Proto $scheme;\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \"upgrade\";\n }\n}<\/code><\/pre>\n\n\n\nsudo sed -i \"s\/SITE_DOMAIN_HERE\/${SITE_DOMAIN}\/\" \/etc\/nginx\/sites-available\/filebrowser\nsudo ln -s \/etc\/nginx\/sites-available\/filebrowser \/etc\/nginx\/sites-enabled\/\nsudo rm -f \/etc\/nginx\/sites-enabled\/default\nsudo nginx -t\nsudo systemctl reload nginx<\/code><\/pre>\n\n\n\nsudo apt install -y certbot python3-certbot-nginx\nsudo certbot --nginx -d \"${SITE_DOMAIN}\" --redirect \\\n --non-interactive --agree-tos -m \"${ADMIN_EMAIL}\"<\/code><\/pre>\n\n\n\nsudo certbot renew --dry-run<\/code><\/pre>\n\n\n\nsudo ufw allow 'Nginx Full'<\/code><\/pre>\n\n\n\nNo public port 80? Use a DNS challenge instead<\/h3>\n\n\n\n
sudo apt install -y python3-certbot-dns-cloudflare\necho \"dns_cloudflare_api_token = YOUR_API_TOKEN\" | sudo tee \/etc\/letsencrypt\/cloudflare.ini\nsudo chmod 600 \/etc\/letsencrypt\/cloudflare.ini\nsudo certbot certonly --dns-cloudflare \\\n --dns-cloudflare-credentials \/etc\/letsencrypt\/cloudflare.ini \\\n -d \"${SITE_DOMAIN}\" --non-interactive --agree-tos -m \"${ADMIN_EMAIL}\"<\/code><\/pre>\n\n\n\nssl_certificate<\/code> and ssl_certificate_key<\/code> directives.<\/p>\n\n\n\nRun FileBrowser with Docker Compose instead<\/h2>\n\n\n\n
PUID<\/code> and PGID<\/code> values so files written through the UI land with the right ownership on the host. Create a project directory and a docker-compose.yml<\/code>:<\/p>\n\n\n\nservices:\n filebrowser:\n image: filebrowser\/filebrowser:s6\n container_name: filebrowser\n restart: unless-stopped\n ports:\n - \"8080:80\"\n environment:\n - PUID=1000\n - PGID=1000\n volumes:\n - .\/srv:\/srv\n - .\/database:\/database\n - .\/config:\/config<\/code><\/pre>\n\n\n\ndocker compose up -d\ndocker compose ps<\/code><\/pre>\n\n\n\ndocker compose logs filebrowser | grep -i password<\/code><\/pre>\n\n\n\n127.0.0.1:8080<\/code>, and the container path is identical to the native one from the browser’s point of view.<\/p>\n\n\n\nTroubleshooting<\/h2>\n\n\n\n
Error: timeout when running a CLI command<\/h3>\n\n\n\n
sudo systemctl stop filebrowser<\/code>, run your config<\/code> or users<\/code> command, then start it again. For day-to-day user changes, the web interface avoids the dance entirely.<\/p>\n\n\n\nThe command runner and shell are disabled<\/h3>\n\n\n\n
502 Bad Gateway from Nginx<\/h3>\n\n\n\n
proxy_pass<\/code> matches the address and port FileBrowser is bound to. If you changed the listen address in the database, restart the service and re-check ss -tlnp<\/code>.<\/p>\n\n\n\nForgotten admin password<\/h3>\n\n\n\n
sudo systemctl stop filebrowser\nsudo -u filebrowser filebrowser -d \"${FB_DB}\" users update admin --password 'NewStrongPass'\nsudo systemctl start filebrowser<\/code><\/pre>\n\n\n\nSecurity hardening checklist<\/h2>\n\n\n\n
\n
0.0.0.0<\/code> bind skips your TLS and proxy protections.<\/li>\n\n\n\n403<\/code> responses on \/api\/login<\/code> and bans the source after a handful of failures.<\/li>\n\n\n\n