Setup Filebrowser-Quantum with Cloudflare on Docker

Setup Filebrowser-Quantum with Cloudflare on Docker

Khusika published in Blogs

2026-01-08 CC BY-NC 4.0 1441 words 7 minutes

Contents

Learn to deploy a secure personal cloud with Filebrowser-Quantum, OnlyOffice, and Cloudflare Tunnel using Docker.

Introduction to the Components

Filebrowser-Quantum: A web-based file manager that lets you upload, download, manage, and share your files. We’ll be using the gtstef/filebrowser fork, which includes some nice enhancements.
OnlyOffice Document Server: An open-source office suite that provides online editors for text documents, spreadsheets, and presentations. We’ll integrate it with Filebrowser to edit documents directly in the browser.
Cloudflare Tunnel: A service that creates a secure, outbound-only connection between your server and the Cloudflare network. This allows you to expose your services to the internet without opening up any ports on your firewall, protecting you from direct attacks.

Prerequisites

Before you begin, make sure you have the following installed on your server:

Docker: Install Docker
Docker Compose: Install Docker Compose
A Cloudflare account and a domain name connected to it. You will need two separate subdomains (or domains): one for Filebrowser and one for OnlyOffice.

1. Project Structure

First, let’s create a directory for our project and the necessary subdirectories and files.

1
2
3
4
mkdir my-cloud
cd my-cloud
mkdir -p filebrowser
touch docker-compose.yml .env filebrowser/config.json

This will be the structure:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
my-cloud/
├── docker-compose.yaml
├── .env
├── filebrowser/
│   ├── data/
│   │   └── config.json
│   └── Home/
├── onlyoffice/
│   ├── data/
│   ├── log/
│   └── welcome/
└── postgresql/
    └── data/

2. Docker Compose Configuration

Now, let’s set up our docker-compose.yml. This file defines all the services, networks, and volumes needed for our application stack. Instead of one large file, we’ll break it down by service to make it easier to understand.

Create a docker-compose.yml file and add the following services one by one.

Cloudflared

This service creates a secure tunnel from your server to the Cloudflare network, exposing your local services to the internet without opening any firewall ports.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
services:
  cloudflared:
    env_file: "./.env"
    image: cloudflare/cloudflared:latest
    container_name: cloudflare-tunnel
    hostname: "cloudflare-tunnel"
    restart: unless-stopped
    pull_policy: missing
    logging:
      driver: "json-file"
      options:
        max-size: "100m"
        max-file: "10"
    network_mode: "host"
    command: tunnel run
    environment:
      TUNNEL_TOKEN: ${CLOUDFLARE_SECRET}
      TUNNEL_METRICS: 127.0.0.1:61616
    volumes:
      - /etc/localtime:/etc/localtime:ro
    healthcheck:
      test: ["CMD", "cloudflared", "tunnel", "--metrics", "localhost:61616", "ready"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

TUNNEL_TOKEN: This is the secret token you get from the Cloudflare Zero Trust dashboard to authenticate your tunnel.
network_mode: "host": This is required for the tunnel to correctly route traffic to your other Docker containers.

Filebrowser

This is the core file manager service. It’s a feature-rich web application for managing your files.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
  filebrowser:
    env_file: "./.env"
    image: gtstef/filebrowser:latest
    pull_policy: missing
    container_name: filebrowser
    networks:
      - onlyoffice-network
    environment:
      FILEBROWSER_CONFIG: ${FB_CONFIG}
      FILEBROWSER_DATABASE: ${FB_DB}
      FILEBROWSER_ADMIN_PASSWORD: ${FB_PWD}
      FILEBROWSER_ONLYOFFICE_SECRET: ${OFFICE_SECRET}
      TZ: ${TZ_ID}
    volumes:
      - ./filebrowser:/srv
      - ./filebrowser/data:/home/filebrowser/data
      - ./filebrowser/data/icons:/home/filebrowser/http/dist/img/icons
      - ./filebrowser/Home:/srv/Home
      - /path/to/your/external/drive:/srv/External
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:80/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    ports:
      - '80:80'
    restart: unless-stopped

environment: We pass several variables to configure Filebrowser, including the path to the config file, database, admin password, and the OnlyOffice JWT secret.
volumes: We mount several directories, including one for your main files (/srv/Home) and another for an external drive (/srv/External).
ports: We expose port 80 so it’s accessible locally for Cloudflare Tunnel to pick up.

OnlyOffice Document Server

This service provides the powerful document editing suite that integrates with Filebrowser.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
  onlyoffice:
    image: onlyoffice/documentserver:latest
    container_name: onlyoffice
    depends_on:
      - postgres
      - rabbitmq
    environment:
      DATABASE_URL: "postgres://onlyoffice:onlyoffice@postgres/onlyoffice"
      AMQP_URI: "amqp://guest:guest@rabbitmq"
      JWT_ENABLED: "true"
      JWT_SECRET: ${OFFICE_SECRET}
    ports:
      - '81:80'
    restart: unless-stopped
    networks:
      - onlyoffice-network
    volumes:
      - ./onlyoffice/data:/var/www/onlyoffice/Data
      - ./onlyoffice/log:/var/log/onlyoffice
      - ./onlyoffice/welcome:/var/www/onlyoffice/documentserver-example/welcome:rw
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/info/info.json"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 60s

depends_on: This ensures that postgres and rabbitmq are started before OnlyOffice.
JWT_SECRET: This must be the same secret key provided to Filebrowser to secure the integration.
ports: We map the internal port 80 to the host’s port 81, which Cloudflare Tunnel will use.

Supporting Services (Postgres & RabbitMQ)

OnlyOffice requires a database and a message broker to function correctly.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  postgres:
    image: postgres:15
    container_name: postgres
    environment:
      POSTGRES_DB: onlyoffice
      POSTGRES_USER: onlyoffice
      POSTGRES_PASSWORD: onlyoffice
    volumes:
      - ./postgresql/data:/var/lib/postgresql/data
    networks:
      - onlyoffice-network
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U onlyoffice"]
      interval: 10s
      retries: 3
      start_period: 10s
      timeout: 10s

  rabbitmq:
    image: rabbitmq:3
    container_name: rabbitmq
    networks:
      - onlyoffice-network
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "rabbitmq-diagnostics", "status"]
      interval: 10s
      retries: 3
      start_period: 10s
      timeout: 10s

PostgreSQL: A robust open-source object-relational database system.
RabbitMQ: A popular message broker.

Networks

Finally, we define the network that allows the containers to communicate with each other.

1
2
3
networks:
  onlyoffice-network:
    driver: bridge

The onlyoffice-network is a bridge network that Filebrowser, OnlyOffice, Postgres, and RabbitMQ use to communicate internally. cloudflared does not need to be on this network as it uses the host network.

3. Filebrowser Configuration

Next, create the configuration file for Filebrowser. This file, which we named config.json, controls various aspects of Filebrowser’s behavior.

Paste the following into config.json:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
{
    "server": {
        "port": 80,
        "baseURL": "/",
        "internalUrl": "http://YOUR_SERVER_IP:80",
        "logging": {
            "levels": "info|warning|error",
            "output": "data/drive.log",
            "noColors": true
        },
        "sources": [
            {
                "path": "/srv/Home",
                "name": "Home",
                "config": {
                    "indexingIntervalMinutes": 5,
                    "disableIndexing": false,
                    "defaultUserScope": "/",
                    "defaultEnabled": true,
                    "createUserDir": true
                }
            }
        ]
    },
    "auth": {
        "adminUsername": "admin"
    },
    "userDefaults": {
        "darkMode": true,
        "viewMode": "list",
        "disableSettings": false,
        "singleClick": false,
        "dateFormat": true,
        "preview": {
            "disableHideSidebar": false,
            "highQuality": false,
            "image": true,
            "video": true,
            "motionVideoPreview": false,
            "office": false,
            "popup": false,
            "autoplayMedia": false
        },
        "permissions": {
            "api": false,
            "admin": false,
            "modify": false,
            "share": false,
            "realtime": false
        },
        "loginMethod": "password",
        "fileLoading": {
            "maxConcurrentUpload": 10,
            "uploadChunkSizeMb": 99
        },
        "disableOnlyOfficeExt": ".html .md .pdf .xps .epub .mobi .fb2 .cbz .svg .txt .hwp .hwpx"
    },
    "integrations": {
        "media": {
            "ffmpegPath": "/usr/local/bin"
        },
        "office": {
            "url": "https://docs.yourdomain.com",
            "internalUrl": "http://YOUR_SERVER_IP:81"
        }
    }
}

Note: You’ll need to customize the internalUrl in both the server and integrations.office sections to match your server’s local IP address. Also, change integrations.office.url to the public URL for your OnlyOffice instance (which we’ll set up with Cloudflare).

4. Environment Variables

Create a .env file to store your secrets and environment-specific configurations.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
# Cloudflare Tunnel Token
CLOUDFLARE_SECRET=YOUR_CLOUDFLARE_TUNNEL_TOKEN

# Filebrowser Config
FB_CONFIG=~/my-cloud/filebrowser/config.json
FB_DB=~/my-cloud/filebrowser/data/filebrowser.db
FB_PWD=your_strong_admin_password

# OnlyOffice JWT Secret
OFFICE_SECRET=your_strong_jwt_secret

# Timezone
TZ_ID=Asia/Jakarta

Info

For more available environment variables, you can refer to the Filebrowser-Quantum environment-variables.

5. Cloudflare Tunnel Configuration

Go to the Cloudflare Zero Trust dashboard.
Navigate to Nerworks -> Connectors.
Create a tunnel, give it a name, and select “Docker” as the connector.
Copy the token provided and paste it into your .env file under CLOUDFLARE_SECRET.
After creating the tunnel, go to the “Public Hostnames” tab and add hostnames for Filebrowser (e.g., drive.yourdomain.com) and OnlyOffice (e.g., docs.yourdomain.com).
- Point the Filebrowser hostname to the service http://YOUR_SERVER_IP:80.
- Point the OnlyOffice hostname to the service http://YOUR_SERVER_IP:81.

Info

For a more detailed guide, refer to the official cloudflare-tunnel documentation.

6. Running the Stack

With all the configuration in place, you can now start all the services.

1
docker-compose up -d

This command will pull the necessary images and start all the containers in the background. You can check the logs to ensure everything is running correctly:

1
docker-compose logs -f

Conclusion

You should now have a fully functional personal cloud accessible at the domain you configured in Cloudflare. You can log in to Filebrowser with the admin username (admin as per the config) and the password you set in the .env file. From there, you can create new users, manage your files, and edit documents with the integrated OnlyOffice suite.

This setup provides a secure and private alternative to commercial cloud storage, giving you full control over your data. Enjoy your new personal cloud!

Contents