filebrowser/www/docs/deployment.md
Henrique Dias 1fb05d65de
docs,cmd: warn about broad scope for self-signup users (GHSA-6759-996p-gpj6)
When Signup is enabled with the default scope and createUserDir off, every
self-registered user inherits the served root and can read/modify/delete all
files. Add a startup WARNING for this configuration and document the risk and
the --createUserDir mitigation. No behavior or default change.
2026-06-27 08:18:18 +02:00

46 lines
1.6 KiB
Markdown

## Self-Registration (Signup)
File Browser allows you to enable user self-registration (signup). This can be enabled via **Settings → Global Settings**, or with `filebrowser config set --signup`. Self-registered users inherit the configured **user defaults**, including the scope.
> [!WARNING]
>
> By default, the user scope is the server's root, so a self-registered user could read,
> modify, and delete every file File Browser serves. To prevent this, either:
>
> a. Enable `createUserDir` so each user gets their own directory; or
> b. If users are meant to share files, set the default scope to something other than the root.
## Fail2ban
File Browser does not natively support protection against brute force attacks. Therefore, we suggest using something like [fail2ban](https://github.com/fail2ban/fail2ban), which takes care of that by tracking the logs of your File Browser instance. For more information on how fail2ban works, please refer to their [wiki](https://github.com/fail2ban/fail2ban/wiki).
### Filter Configuration
An example filter configuration targeted at matching File Browser's logs.
```ini
[INCLUDES]
before = common.conf
[Definition]
datepattern = `^%%Y\/%%m\/%%d %%H:%%M:%%S`
failregex = `\/api\/login: 403 <HOST> *`
```
### Jail Configuration
An example jail configuration. You should fill it with the path of the logs of File Browser, as well as the port where it is running at.
```ini
[filebrowser]
enabled = true
port = [your_port]
filter = filebrowser
logpath = [your_log_path]
maxretry = 10
bantime = 10m
findtime = 10m
banaction = iptables-allports
banaction_allports = iptables-allports
```