What FileBrowser Quantum changes<\/h2>\n\n
The classic File Browser<\/a> is in maintenance mode: security and bug fixes only, no new features. Quantum (the The headline additions for anyone running this for a team:<\/p>\n\n One thing is deliberately gone: the shell command runner and interactive terminal that classic File Browser shipped (disabled by default since 2.33.8) are removed from Quantum entirely. If you relied on event hooks, that workflow does not carry over.<\/p>\n\n Two hostnames and an email repeat across the certificate, Nginx, and OIDC steps. Export them once so you change one block and paste the rest. Use real names you control; the directory and OIDC pieces only work over HTTPS.<\/p>\n\n\n Point an A record for each name at the host before issuing certificates. The Quantum reads its config from Write a minimal Now the Compose file. The container runs as UID 1000, so the mounted folders must be owned by your user (UID 1000 on most single-user hosts). The admin password comes from an environment variable rather than the config file:<\/p>\n\n\n Bring it up and watch the startup log, which confirms the config path, the active auth methods, and the sources it indexed:<\/p>\n\n\n You should see the version, the config file in use, and the source index build:<\/p>\n\n\n That confirms the container is healthy on port 8080. It is only reachable locally for now, so the next step puts a TLS endpoint in front of it.<\/p>\n\n OIDC redirects and directory logins should run over TLS, so we terminate HTTPS at Nginx and proxy to the container on port 8080. Issue a certificate first. The default HTTP-01 challenge works for any DNS provider once port 80 is reachable:<\/p>\n\n\n If the host sits on a private network with no public port 80, use the DNS-01 challenge with your provider’s certbot plugin instead. The Nginx with Let’s Encrypt walkthrough<\/a> covers both paths in detail.<\/p>\n\n Create the server block. The placeholder Substitute the domain, enable the site, and reload. The Open Local accounts work, but the reason to run Quantum is the methods we layer on next. They all live in the same file, so it helps to see how it is organized first.<\/p>\n\n Everything in Quantum is driven by that one file. The top-level keys are The piece that ties the auth methods together lives under A source is a root path Quantum indexes and serves. List more than one under Mount each path in the Compose file (we already mapped Each source can also carry The password method is the local-account path, and Quantum can require time-based 2FA on top of it. Two settings control this: The gotcha here is the secret length. Quantum base64-decodes Pass that value through the environment and turn on enforcement in the config. Add the variable to the Compose Then set the password block under Restart the container and sign in as the admin. Because 2FA is enforced, Quantum interrupts the login with an enrollment screen: it shows a QR code and the Scan it with any authenticator app, enter the code, and the account is protected from then on. Changing OIDC is where Quantum earns its place for a team. We use Keycloak<\/a> or Authentik as the provider; the examples here are Authentik because its issuer URL format is what the Quantum docs reference. The flow is the usual one: Quantum sends the browser to the provider, the user authenticates there, and the provider redirects back with a code Quantum exchanges for the user’s identity.<\/p>\n\n In Authentik, create an OAuth2\/OpenID provider and an application bound to it. Three settings have to be right or the handshake breaks:<\/p>\n\n Copy the client ID and client secret from the provider, then add the Restart Quantum and the startup log now reports Now a user in the For an existing directory, the The config names the server, the search base, the bind account, and the filter that matches a login name to a directory entry:<\/p>\n\n\n The After a restart the log adds If you already run a forward-auth proxy such as Authelia, oauth2-proxy, or Traefik’s forward-auth middleware, Quantum can trust the username it injects. The When that header arrives, Quantum logs the request in as the named user with no password prompt. That convenience is also the risk: anyone who can set the header is that user. Two rules make it safe. The reverse proxy must strip any client-supplied With all four methods enabled, the startup log reads Accounts are provisioned on first login, so a user appears in this list only after they have signed in once. The “Login method” column is the quickest audit of which identity source each person came through, and the admin checkmark confirms the OIDC group mapping did its job.<\/p>\n\n Beyond auth, the indexed search is the feature people notice first. Quantum maintains a SQLite index per source, so a query returns matches as you type, scoped to the current source and narrowed by type, size, and date filters:<\/p>\n\n\n Sharing is configurable per link: set an expiry, a password, and whether anonymous visitors or only named users can open it. Directory-level access control sits alongside it, letting you allow or deny a path for a specific user or a whole group, which pairs naturally with the OIDC and LDAP groups you already wired.<\/p>\n\n For automation, an admin can mint long-lived API tokens under Settings, and every API-enabled user gets an interactive Swagger page at That API plus token model is what makes Quantum scriptable in a way the classic build never was, from bulk share creation to monitoring checks.<\/p>\n\n Both are worth running; they target different needs. Classic is frozen but tiny and rock-steady for a single admin browsing files. Quantum is heavier and moving fast, and it earns that weight the moment more than one person needs access.<\/p>\n\n\ngtsteffaniak<\/code> fork, published as the gtstef\/filebrowser<\/code> image) is where active development happens. It keeps the lightweight single-binary model but rebuilds configuration around a single config.yaml<\/code> instead of the classic CLI and database flags covered in the File Browser CLI cheat sheet<\/a>.<\/p>\n\n\n
\/swagger<\/code>.<\/li>\n<\/ul>\n\nSet reusable values<\/h2>\n\n
export FBQ_DOMAIN=\"files.example.com\"\nexport SSO_DOMAIN=\"sso.example.com\"\nexport ADMIN_EMAIL=\"admin@example.com\"<\/code><\/pre>\n\n\nFBQ_DOMAIN<\/code> serves FileBrowser Quantum, and SSO_DOMAIN<\/code> serves the identity provider that issues the OIDC tokens.<\/p>\n\nDeploy Quantum with Docker Compose<\/h2>\n\n
\/home\/filebrowser\/data\/config.yaml<\/code> and keeps the database next to it. Create a working directory with a data<\/code> folder for the config and two folders to serve as sources:<\/p>\n\n\nmkdir -p ~\/filebrowser\/{data,documents,media}\ncd ~\/filebrowser<\/code><\/pre>\n\n\ndata\/config.yaml<\/code> to start. We expand the auth section in later steps; for now this gets the server running with a single admin account:<\/p>\n\n\nserver:\n port: 80\n sources:\n - path: \"\/documents\"\n name: \"Documents\"\nauth:\n adminUsername: admin\n methods:\n password:\n enabled: true\n minLength: 8\nfrontend:\n name: \"Team Files\"<\/code><\/pre>\n\n\nservices:\n filebrowser:\n image: gtstef\/filebrowser:1.3.3-stable\n container_name: filebrowser\n user: \"1000:1000\"\n ports:\n - \"8080:80\"\n volumes:\n - .\/data:\/home\/filebrowser\/data\n - .\/documents:\/documents\n - .\/media:\/media\n environment:\n - FILEBROWSER_ADMIN_PASSWORD=ChangeMe-Strong-2026\n restart: unless-stopped<\/code><\/pre>\n\n\ndocker compose up -d\ndocker logs filebrowser<\/code><\/pre>\n\n\n[INFO ] Initializing FileBrowser Quantum (v1.3.3-stable)\n[INFO ] Using Config file : \/home\/filebrowser\/data\/config.yaml\n[INFO ] Auth Methods : [password]\n[INFO ] Sources : [Documents: \/documents]\n[INFO ] Running at : http:\/\/0.0.0.0\/<\/code><\/pre>\n\n\nPut Quantum behind Nginx with HTTPS<\/h2>\n\n
sudo certbot certonly --nginx -d \"${FBQ_DOMAIN}\" \\\n --non-interactive --agree-tos -m \"${ADMIN_EMAIL}\"<\/code><\/pre>\n\n\nFBQ_DOMAIN_HERE<\/code> gets substituted from your shell variable in the next command, and the WebSocket headers keep the live-update connection open:<\/p>\n\n\nserver {\n listen 443 ssl;\n http2 on;\n server_name FBQ_DOMAIN_HERE;\n\n ssl_certificate \/etc\/letsencrypt\/live\/FBQ_DOMAIN_HERE\/fullchain.pem;\n ssl_certificate_key \/etc\/letsencrypt\/live\/FBQ_DOMAIN_HERE\/privkey.pem;\n client_max_body_size 5000m;\n\n location \/ {\n proxy_pass http:\/\/127.0.0.1:8080;\n proxy_set_header Host $host;\n proxy_set_header X-Forwarded-Proto $scheme;\n proxy_set_header X-Real-IP $remote_addr;\n proxy_http_version 1.1;\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \"upgrade\";\n }\n}\nserver {\n listen 80;\n server_name FBQ_DOMAIN_HERE;\n return 301 https:\/\/$host$request_uri;\n}<\/code><\/pre>\n\n\nX-Forwarded-Proto<\/code> header is what lets Quantum build correct https<\/code> OIDC redirect URLs behind the proxy:<\/p>\n\n\nsudo sed -i \"s\/FBQ_DOMAIN_HERE\/${FBQ_DOMAIN}\/g\" \/etc\/nginx\/sites-available\/filebrowser.conf\nsudo ln -s \/etc\/nginx\/sites-available\/filebrowser.conf \/etc\/nginx\/sites-enabled\/\nsudo nginx -t && sudo systemctl reload nginx<\/code><\/pre>\n\n\nhttps:\/\/files.example.com<\/code> and you land on the Quantum login. With only the password method enabled so far, it shows the username and password fields and nothing else:<\/p>\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-login-oidc.png\" "\\"\\"")
<\/figure>\n\n\nRead the config.yaml layout<\/h2>\n\n
server<\/code> (port, sources, TLS), auth<\/code> (the admin account and every login method), frontend<\/code> (branding and links), and optional integrations<\/code> (for example an OnlyOffice server). The whole file is read on startup, so a change means a restart of the container.<\/p>\n\nauth.methods<\/code>. Each method is its own block with an enabled<\/code> flag, and they coexist: a user can sign in with OIDC while a service account uses LDAP and an admin keeps a local password. The login page renders a button or form for each enabled method automatically.<\/p>\n\nServe multiple sources<\/h2>\n\n
server.sources<\/code>, each with a display name and its own config. Mark the ones every user should see with defaultEnabled: true<\/code>:<\/p>\n\n\nserver:\n port: 80\n sources:\n - path: \"\/documents\"\n name: \"Documents\"\n config:\n defaultEnabled: true\n - path: \"\/media\"\n name: \"Media Library\"\n config:\n defaultEnabled: true<\/code><\/pre>\n\n\n.\/media:\/media<\/code> above), then restart. Both sources now appear in the sidebar with their own usage bars, and the listing renders real thumbnails for images, video, and office files:<\/p>\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-thumbnails-multisource.png\" "\\"\\"")
<\/figure>\n\n\ncreateUserDir: true<\/code> to give every user a private home folder, or private: true<\/code> to keep it off the default list. That makes one instance serve shared and per-user storage at the same time.<\/p>\n\nAdd password logins with enforced 2FA<\/h2>\n\n
enforcedOtp<\/code> makes every password user enroll an authenticator, and totpSecret<\/code> is the key Quantum uses to encrypt stored TOTP secrets.<\/p>\n\ntotpSecret<\/code> and the result must be exactly 32 bytes for AES-256, or OTP generation fails with a 500 and the enrollment screen shows “Generation Failed”. Generate a correct key with one command:<\/p>\n\n\nopenssl rand -base64 32<\/code><\/pre>\n\n\nenvironment<\/code> list:<\/p>\n\n\n- FILEBROWSER_TOTP_SECRET=PASTE_BASE64_32_BYTE_KEY_HERE<\/code><\/pre>\n\n\nauth.methods<\/code>:<\/p>\n\n\n password:\n enabled: true\n minLength: 8\n enforcedOtp: true<\/code><\/pre>\n\n\notpauth<\/code> URI to scan, then asks for the first six-digit code to confirm:<\/p>\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-2fa-totp-enrollment.png\" "\\"\\"")
<\/figure>\n\n\ntotpSecret<\/code> later invalidates every enrolled user, so set it once and back it up.<\/p>\n\nWire single sign-on with Authentik (OIDC)<\/h2>\n\n
\n
https:\/\/files.example.com\/api\/auth\/oidc\/callback<\/code><\/li>\nauthorization_code<\/code>. If this list is empty, the authorize request bounces straight back with invalid_request<\/code> and “The request is otherwise malformed”, before any login screen appears.<\/li>\nopenid<\/code>, email<\/code>, profile<\/code>, and a groups<\/code> mapping so Quantum can read group membership.<\/li>\n<\/ul>\n\noidc<\/code> block. The adminGroup<\/code> maps an IdP group to FileBrowser admin, and userIdentifier<\/code> picks which claim becomes the username:<\/p>\n\n\n oidc:\n enabled: true\n clientId: \"filebrowser-client\"\n clientSecret: \"PASTE_OIDC_CLIENT_SECRET_HERE\"\n issuerUrl: \"https:\/\/sso.example.com\/application\/o\/filebrowser\/\"\n scopes: \"openid email profile groups\"\n userIdentifier: \"preferred_username\"\n adminGroup: \"filebrowser-admins\"<\/code><\/pre>\n\n\nOIDC Auth configured successfully<\/code>. The login page grows an “OpenID Connect” button below the password form. Click it and the browser hands off to Authentik, which authenticates the user and shows a consent screen before redirecting back:<\/p>\n\n\n![\"Authentik](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-authentik-oidc-consent.jpg\" "\\"\\"")
<\/figure>\n\n\nfilebrowser-admins<\/code> group lands in Quantum as an administrator with no local password ever created. Keep clientSecret<\/code> out of the file in production by passing it through the environment and referencing a secret store.<\/p>\n\nConnect an LDAP directory<\/h2>\n\n
ldap<\/code> method binds Quantum to your server with a service account and looks users up by a filter. The same username and password form handles it: Quantum tries the local database first, then falls through to LDAP. Set up the directory itself with the OpenLDAP and phpLDAPadmin guide<\/a> if you do not already run one.<\/p>\n\n ldap:\n enabled: true\n server: \"ldap:\/\/ldap.example.com:389\"\n baseDN: \"dc=example,dc=com\"\n userDN: \"cn=admin,dc=example,dc=com\"\n userPassword: \"PASTE_LDAP_BIND_PASSWORD_HERE\"\n userFilter: \"(&(uid=%s)(objectClass=inetOrgPerson))\"<\/code><\/pre>\n\n\n%s<\/code> in the filter is replaced with the login name. The example above is the OpenLDAP convention. For Active Directory, swap the filter to (sAMAccountName=%s)<\/code> and point userDN<\/code> at a domain service account. Use ldaps:\/\/<\/code> on port 636 for an encrypted bind once you confirm the plain bind works.<\/p>\n\nLDAP Auth configured successfully<\/code>. A directory user such as jdoe<\/code> now signs in with their LDAP password and no local account is needed.<\/p>\n\nTrust a reverse-proxy header<\/h2>\n\n
proxy<\/code> method reads a single header:<\/p>\n\n\n proxy:\n enabled: true\n header: \"X-Forwarded-User\"<\/code><\/pre>\n\n\nX-Forwarded-User<\/code> and set its own after it authenticates the request, and the Quantum container must only be reachable through that proxy, never directly. Bind the container to localhost and let only Nginx reach it.<\/p>\n\nVerify every login method end to end<\/h2>\n\n
Auth Methods: [password proxy oidc ldap]<\/code>. The cleanest way to confirm the wiring is the user list under Settings, which records how each account authenticated. After signing in once through each path, the table shows a local admin on password, an OIDC user promoted to admin through the group mapping, an LDAP user, and a proxy user, all in one view:<\/p>\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-user-management-auth-methods.png\" "\\"\\"")
<\/figure>\n\n\nSearch, thumbnails, shares, and the API<\/h2>\n\n
![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-indexed-search.png\" "\\"\\"")
<\/figure>\n\n\n\/swagger<\/code> that documents the endpoints for access, shares, users, and resources:<\/p>\n\n\n![\"FileBrowser](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/06\/wm-filebrowser-quantum-swagger-api.png\" "\\"\\"")
<\/figure>\n\n\nClassic File Browser or Quantum: which to run<\/h2>\n\n