# FileRise [![GitHub stars](https://img.shields.io/github/stars/error311/FileRise?style=social)](https://github.com/error311/FileRise) [![Docker pulls](https://img.shields.io/docker/pulls/error311/filerise-docker)](https://hub.docker.com/r/error311/filerise-docker) [![Docker CI](https://img.shields.io/github/actions/workflow/status/error311/filerise-docker/main.yml?branch=main&label=Docker%20CI)](https://github.com/error311/filerise-docker/actions/workflows/main.yml) [![CI](https://img.shields.io/github/actions/workflow/status/error311/FileRise/ci.yml?branch=master&label=CI)](https://github.com/error311/FileRise/actions/workflows/ci.yml) [![Demo](https://img.shields.io/badge/demo-live-brightgreen)](https://demo.filerise.net) [![Release](https://img.shields.io/github/v/release/error311/FileRise?include_prereleases&sort=semver)](https://github.com/error311/FileRise/releases) [![License](https://img.shields.io/github/license/error311/FileRise)](LICENSE) [![Discord](https://img.shields.io/badge/Discord-join_chat-5865F2?logo=discord&logoColor=white)](https://discord.gg/7WN6f56X2e) [![Sponsor on GitHub](https://img.shields.io/badge/Sponsor-❀-red)](https://github.com/sponsors/error311) [![Support on Ko-fi](https://img.shields.io/badge/Ko--fi-Buy%20me%20a%20coffee-orange)](https://ko-fi.com/error311) **FileRise** is a self-hosted web file manager with WebDAV, sharing, and per-folder ACLs. Drag & drop uploads, OnlyOffice integration, and **optional folder-level encryption at rest** β€” all in one PHP app you control. Built for homelabs, teams, and client portals that need fast browsing, strict ACLs, and zero-database simplicity. ## Table of contents - [Quick links](#quick-links) - [Install (Docker – recommended)](#install-docker--recommended) - [Manual install (PHP web server)](#manual-install-php-web-server) - [After install (5 minutes)](#after-install-5-minutes) - [Data & backups](#data--backups) - [First-run security checklist](#first-run-security-checklist) - [Optional dependencies](#optional-dependencies) - [WebDAV & ONLYOFFICE (optional)](#webdav--onlyoffice-optional) - [Security & updates](#security--updates) - [Community, support & contributing](#community-support--contributing) - [AI Disclosure](#ai-disclosure) - [License & third-party code](#license--third-party-code) - [Press](#press) --- ## Highlights - πŸ’Ύ **Self-hosted β€œcloud drive”** – Runs anywhere with PHP (or via Docker). No external database required. - πŸ” **Granular per-folder ACLs** – Manage View (all/own), Upload, Create, Edit, Rename, Move, Copy, Delete, Extract, Share, and more β€” all enforced consistently across the UI, API, and WebDAV. - πŸ” **Folder-level encryption at rest (optional)** – Encrypt entire folders (and all descendants) on disk using modern authenticated encryption. - Opt-in per folder with inherited protection for subfolders - Files are stored encrypted on disk and transparently decrypted on download - Master key can be generated by FileRise or supplied via environment variable - When enabled, incompatible features (WebDAV, sharing, ZIP operations, OnlyOffice) are automatically disabled for safety - πŸ”„ **Fast drag-and-drop uploads** – Chunked, resumable uploads with pause/resume and progress tracking. If your connection drops, FileRise resumes automatically. - πŸͺŸ **Dual-pane mode + keyboard shortcuts** – Optional two-pane file browser for fast workflows (copy/move between panes, compare folders, and operate without the mouse). Shortcut overlay + hotkeys (F3 preview, F4 edit, F5 copy, F6 move, F7 new folder, Del delete, `/` search). - 🌳 **Scales to huge trees** – Tested with **100k+ folders** in the sidebar tree without choking the UI. - 🌈 **Visual organization** – Color-code folders in the tree, inline list, and folder strip, plus tag files with color-coded labels for fast visual scanning. - πŸ‘€ **Hover preview β€œpeek” cards** – On desktop, hover files or folders to see thumbnails (images/video), quick metadata (size, timestamps, tags), and effective permissions. Per-user toggle stored in `localStorage`. - 🎬 **Smart media handling** – Track per-file video watch progress with a β€œwatched” indicator, remember last volume/mute state, and reset progress when needed. - 🧩 **OnlyOffice support (optional)** – Edit DOCX/XLSX/PPTX using your own Document Server; ODT/ODS/ODP supported as well. PDFs can be viewed inline. - 🌍 **WebDAV (ACL-aware)** – Mount FileRise as a drive from macOS, Windows, Linux, or Cyberduck/WinSCP. Listings, uploads, overwrites, deletes, and folder creation all honor the same ACLs as the web UI. - 🏷️ **Tags, search & trash** – Tag files, search by name/tag/uploader/content via fuzzy search, and recover mistakes using a Trash with time-based retention. - πŸ“š **API + live docs** – OpenAPI spec served at `api.php?spec=1` (from `openapi.json.dist`) with a Redoc UI at `api.php` (login required). - πŸ“Š **Storage / disk usage summary** – CLI scanner with snapshots, total usage, and per-volume breakdowns surfaced in the admin panel. - 🎨 **Polished, responsive UI** – Dark/light mode, mobile-friendly layout, in-browser previews, and a built-in code editor powered by CodeMirror. - 🌐 **Internationalization** – English, Spanish, French, German, Polish, Russian, Japanese and Simplified Chinese included; community translations welcome. - πŸ”‘ **Login + SSO** – Local users, TOTP 2FA, and OIDC (Auth0 / Authentik / Keycloak / etc.) with optional auto-provisioning, IdP-driven admin role assignment, and Pro user-group mapping. - πŸ›‘οΈ **ClamAV virus scanning (Core) + Pro virus log** – Optional ClamAV upload scanning, with a Pro virus detection log in the admin panel and CSV export. - 🌐 **Reverse proxy & subpath aware** – Designed to run cleanly behind Nginx, Traefik, Caddy, or Apache: - Supports installs under a subpath (e.g. `https://example.com/files`) - Correct URL generation for assets, APIs, portals, PWA, and share links - If the proxy strips the prefix, set `FR_BASE_PATH` or send `X-Forwarded-Prefix` - Explicit β€œPublished URL” setting for proxy / firewall environments - Works with `X-Forwarded-*` headers and Kubernetes ingress setups - πŸ‘₯ **Pro: user groups, client portals, global search, storage explorer & audit logs** – Group-based ACLs, brandable client upload portals, **ACL-aware global search across files, folders, users, and permissions**, an ncdu-style storage explorer for identifying large folders/files and reclaiming disk space directly from the UI, and **Pro Audit Logs** (configurable activity logging with filters + CSV export for tracking key actions across web, WebDAV, shares, and portals). - 🌐 **Pro: Sources (multi-storage adapters)** – Turn FileRise into a storage hub by connecting multiple backends and switching between them in the UI: - Multiple local roots (additional local paths) - **S3-compatible** (AWS S3 / MinIO / Wasabi / Backblaze B2 S3 / etc.) - **SMB/CIFS**, **SFTP**, **FTP** - **WebDAV** (Nextcloud / ownCloud / FileRise) - **Google Drive**, **OneDrive**, **Dropbox** - Works with **dual-pane** so you can copy/move via drag & drop or toolbar actions **between sources**, with **per-source Trash** Full list of features: [Full Feature Wiki](https://github.com/error311/FileRise/wiki/Features) ![FileRise](https://raw.githubusercontent.com/error311/FileRise/master/resources/filerise-v3.0.0.png) ![Sources](https://raw.githubusercontent.com/error311/FileRise/master/resources/FileRisePro-Sources.gif) > πŸ’‘ Looking for **FileRise Pro** (brandable header, **user groups**, **client upload portals**, license handling)? > Check out [filerise.net](https://filerise.net) – FileRise Core stays fully open-source (MIT). --- ## Quick links - πŸš€ **Live demo:** [Demo](https://demo.filerise.net) (username: `demo` / password: `demo`) - 🧩 **FileRise Pro:** [filerise.net](https://filerise.net) - πŸ“š **Docs & Wiki:** [Wiki](https://github.com/error311/FileRise/wiki) - [Features overview](https://github.com/error311/FileRise/wiki/Features) - [FAQ](https://github.com/error311/FileRise/wiki/FAQ) - [Troubleshooting and common errors](https://github.com/error311/FileRise/wiki/Troubleshooting-and-Common-Errors) - [Logs and diagnostics](https://github.com/error311/FileRise/wiki/Logs-and-Diagnostics) - [Screenshots](https://github.com/error311/FileRise/wiki/Screenshots) - [Installation & setup](https://github.com/error311/FileRise/wiki/Installation-Setup) - [Common env vars](https://github.com/error311/FileRise/wiki/Common-Env-Variables) - [Env vars (full reference)](https://github.com/error311/FileRise/wiki/Environment-Variables-Full-Reference) - [Admin Panel](https://github.com/error311/FileRise/wiki/Admin-Panel) - [ACL & permissions](https://github.com/error311/FileRise/wiki/ACL-and-Permissions) - [ACL recipes](https://github.com/error311/FileRise/wiki/ACL-Recipes) - [WebDAV (mount)](https://github.com/error311/FileRise/wiki/WebDAV) - [WebDAV via curl](https://github.com/error311/FileRise/wiki/Accessing-FileRise-via-curl%C2%A0(WebDAV)) - [ONLYOFFICE](https://github.com/error311/FileRise/wiki/ONLYOFFICE) - [OIDC & SSO](https://github.com/error311/FileRise/wiki/OIDC-and-SSO) - [Nginx setup](https://github.com/error311/FileRise/wiki/Nginx-Setup) - [Kubernetes / k8s](https://github.com/error311/FileRise/wiki/Kubernetes---k8s-deployment) - [Backup & restore](https://github.com/error311/FileRise/wiki/Backup-and-Restore) - [Upgrade & migration](https://github.com/error311/FileRise/wiki/Upgrade-and-Migration) - [Maintenance scripts](https://github.com/error311/FileRise/wiki/Maintenance-Scripts) - [Reverse proxy & subpath](https://github.com/error311/FileRise/wiki/Reverse-Proxy-and-Subpath) - 🐳 **Docker image:** - Docker Hub: [Docker](https://hub.docker.com/r/error311/filerise-docker) - Build pipeline / tags: [Workflow](https://github.com/error311/filerise-docker) - πŸ’¬ **Discord:** [Discord](https://discord.gg/7WN6f56X2e) - πŸ“ **Changelog:** [Changelog](https://github.com/error311/FileRise/blob/master/CHANGELOG.md) ### Support checklist (please include) If you open an issue/discussion, please include: - FileRise version + install method (Docker tag / release ZIP / git) - Reverse proxy (Nginx / Traefik / Caddy) + subpath (yes/no) - Browser console errors (if any) - Server/container logs around the error --- ## Install (Docker – recommended) The easiest way to run FileRise is the official Docker image. > βœ… **Tip:** For stability, pin a version tag (example: `error311/filerise-docker:vX.Y.Z`) instead of `:latest`. See [Releases](https://github.com/error311/FileRise/releases) for current versions. ### Option A – Quick start (docker run) ```bash docker run -d \ --name filerise \ -p 8080:80 \ -e TIMEZONE="America/New_York" \ -e TOTAL_UPLOAD_SIZE="10G" \ -e SECURE="false" \ -e PERSISTENT_TOKENS_KEY="default_please_change_this_key" \ -e SCAN_ON_START="true" \ -e CHOWN_ON_START="true" \ -v ~/filerise/uploads:/var/www/uploads \ -v ~/filerise/users:/var/www/users \ -v ~/filerise/metadata:/var/www/metadata \ error311/filerise-docker:latest ``` Then visit: ```text http://your-server-ip:8080 ``` On first launch you’ll be guided through creating the **initial admin user**. > πŸ’‘ After the first run, you can set `CHOWN_ON_START="false"` if permissions are already correct and you don’t want a recursive `chown` on uploads/metadata on every start. > > ⚠️ **Uploads folder recommendation** > > It’s strongly recommended to bind `/var/www/uploads` to a **dedicated folder** > (for example `~/filerise/uploads` or `/mnt/user/appdata/FileRise/uploads`), > not the root of a huge media share. > > If you really want FileRise to sit β€œon top of” an existing share, use a > subfolder (e.g. `/mnt/user/media/filerise_root`) instead of the share root, > so scans and permission changes stay scoped to that folder. ### Option B – docker-compose.yml ```yaml services: filerise: image: error311/filerise-docker:latest container_name: filerise ports: - "8080:80" environment: TIMEZONE: "America/New_York" TOTAL_UPLOAD_SIZE: "10G" SECURE: "false" PERSISTENT_TOKENS_KEY: "default_please_change_this_key" SCAN_ON_START: "true" # auto-index existing files on startup CHOWN_ON_START: "true" # fix permissions on uploads/metadata on startup volumes: - ./uploads:/var/www/uploads - ./users:/var/www/users - ./metadata:/var/www/metadata ``` Bring it up with: ```bash docker compose up -d ``` ### Common environment variables | Variable | Required | Example | What it does | |-------------------------|----------|----------------------------------|--------------| | `TIMEZONE` | βœ… | `America/New_York` | PHP / container timezone. | | `TOTAL_UPLOAD_SIZE` | βœ… | `10G` | Max total upload size per request; also used to set PHP/Apache upload limits. | | `SECURE` | βœ… | `false` | `true` when running behind HTTPS / a reverse proxy, else `false`. | | `PERSISTENT_TOKENS_KEY` | βœ… | `change_me_super_secret` | Secret used to encrypt stored secrets (tokens, permissions, admin config). **Do not leave this at the default.** | | `SCAN_ON_START` | Optional | `true` | If `true`, runs a scan once on container start to index existing files. | | `CHOWN_ON_START` | Optional | `true` | If `true`, recursively normalizes ownership/permissions on `uploads/` + `metadata/`. | | `PUID` | Optional | `99` | If running as root, remap `www-data` user to this UID (e.g. Unraid’s 99). | | `PGID` | Optional | `100` | If running as root, remap `www-data` group to this GID (e.g. Unraid’s 100). | | `FR_PUBLISHED_URL` | Optional | `https://example.com/files` | Public URL when behind proxies/subpaths (share links, portals, redirects). | | `FR_BASE_PATH` | Optional | `/files` | Force a subpath when the proxy strips the prefix (overrides auto-detect). | | `FR_TRUSTED_PROXIES` | Optional | `127.0.0.1,10.0.0.0/8` | Comma-separated IPs/CIDRs for trusted proxies; only these can supply the client IP header. | | `FR_IP_HEADER` | Optional | `X-Forwarded-For` | Header to trust for the real client IP when the proxy is trusted. | > Full list of common env variables: [Common Environment variables](https://github.com/error311/FileRise/wiki/Common-Env-Variables) > Full reference: [Environment Variables (Full Reference)](https://github.com/error311/FileRise/wiki/Environment-Variables-Full-Reference) > > Other useful env vars (optional): > `FR_WEBDAV_MAX_UPLOAD_BYTES` (WebDAV upload cap in bytes; `0` = unlimited), > `FR_ENCRYPTION_MASTER_KEY` (32-byte key: hex or `base64:...`), > `VIRUS_SCAN_ENABLED` / `VIRUS_SCAN_CMD` / `VIRUS_SCAN_EXCLUDE_DIRS` / `CLAMAV_AUTO_UPDATE`, > `LOG_STREAM` (`error`/`access`/`both`/`none`), > `HTTP_PORT` / `HTTPS_PORT` / `SERVER_NAME`, > `SHARE_URL` (override share endpoint; `FR_PUBLISHED_URL` preferred). > > 🧩 **Traefik + subpath note (Kubernetes):** use `StripPrefix` and rely on `X-Forwarded-Prefix` + `FR_PUBLISHED_URL`. > See: [Deployments Wiki](https://github.com/error311/FileRise/wiki/Kubernetes---k8s-deployment) > More deployment docs: [Install Setup](https://github.com/error311/FileRise/wiki/Installation-Setup) --- ## Manual install (PHP web server) Short version: FileRise expects data at `/var/www/{uploads,users,metadata}` and your web server must point to the **public/** folder (for example `DocumentRoot /var/www/filerise/public`). Full guide + troubleshooting: [Installation & setup](https://github.com/error311/FileRise/wiki/Installation-Setup) β€’ [Upgrade & migration](https://github.com/error311/FileRise/wiki/Upgrade-and-Migration) β€’ [Reverse proxy & subpath](https://github.com/error311/FileRise/wiki/Reverse-Proxy-and-Subpath) ### Requirements - PHP **8.3+** - Web server (Apache / Nginx / Caddy + PHP-FPM) - PHP extensions: `json`, `curl`, `zip` (and usual defaults) - No database required ### Quick start (release ZIP) 1) Create data directories: ```bash sudo mkdir -p /var/www/uploads /var/www/users /var/www/metadata sudo chown -R www-data:www-data /var/www/uploads /var/www/users /var/www/metadata # adjust web user if needed sudo chmod -R 775 /var/www/uploads /var/www/users /var/www/metadata ``` 2) Download a release and extract: ```bash cd /var/www sudo mkdir -p filerise sudo chown -R $USER:$USER /var/www/filerise cd /var/www/filerise VERSION="vX.Y.Z" # replace with the tag you want ASSET="FileRise-${VERSION}.zip" curl -fsSL "https://github.com/error311/FileRise/releases/download/${VERSION}/${ASSET}" -o "${ASSET}" unzip "${ASSET}" ``` 3) Point your web server at `/var/www/filerise/public`, then visit `http://serverip/`. If you install FileRise outside `/var/www/filerise`, keep the data dirs in `/var/www` or update the paths in `config/config.php`. --- ## After install (5 minutes) - Log in and create your first admin account (prompted on first run). - Open Admin β†’ Users to add accounts, then Admin β†’ Folder Access to set permissions. - If you’re behind a reverse proxy or subpath, set `FR_PUBLISHED_URL` (and `FR_BASE_PATH` if needed). - Optional: enable WebDAV or ONLYOFFICE in Admin and follow the wiki guides. --- ## Data & backups Back up these paths (Docker volumes or host directories): - `/var/www/uploads` (file data) - `/var/www/users` (users, ACLs, admin config, Pro license) - `/var/www/metadata` (indexes, tags, logs) Notes: - Logs live in `/var/www/metadata/log` and can be rotated or pruned. - Keep your `PERSISTENT_TOKENS_KEY` consistent when restoring backups. ## First-run security checklist - Set a strong `PERSISTENT_TOKENS_KEY` (encrypts tokens, permissions, admin config). - Use HTTPS and set `SECURE="true"` when behind TLS/reverse proxy. - If behind a proxy, set `FR_TRUSTED_PROXIES` and `FR_IP_HEADER`. - Set `FR_PUBLISHED_URL` (and `FR_BASE_PATH` if needed) so share links are correct. - Block direct HTTP access to `/uploads` (serve only `public/` and deny access to `/uploads`, `/users`, `/metadata`). ## Optional dependencies - **FFmpeg** – video thumbnails (set `FR_FFMPEG_PATH` if not on PATH). - **ClamAV** – upload scanning (`VIRUS_SCAN_ENABLED=true`), optional `VIRUS_SCAN_EXCLUDE_DIRS` path excludes. - **PHP sodium (libsodium)** – required for encryption-at-rest. - **ONLYOFFICE Document Server** – document editing in the browser. --- ## WebDAV & ONLYOFFICE (optional) ### WebDAV Once enabled in the Admin panel, FileRise exposes a WebDAV endpoint (e.g. `/webdav.php`). Use it with: - **macOS Finder** – Go β†’ Connect to Server β†’ `https://your-host/webdav.php/` - **Windows File Explorer** – Map Network Drive β†’ `https://your-host/webdav.php/` - **Linux (GVFS/Nautilus)** – `dav://your-host/webdav.php/` - Clients like **Cyberduck**, **WinSCP**, etc. WebDAV operations honor the same ACLs as the web UI. Docs: [WebDAV Wiki](https://github.com/error311/FileRise/wiki/WebDAV) ### ONLYOFFICE integration If you run an ONLYOFFICE Document Server you can open/edit Office documents directly from FileRise (DOCX, XLSX, PPTX, ODT, ODS, ODP; PDFs view-only). Configure it in **Admin β†’ ONLYOFFICE**: - Enable ONLYOFFICE - Set your Document Server origin (e.g. `https://docs.example.com`) - Configure a shared JWT secret - Copy the suggested Content-Security-Policy header into your reverse proxy Docs: [ONLYOFFICE Wiki](https://github.com/error311/FileRise/wiki/ONLYOFFICE) --- ## Security & updates - FileRise is actively maintained and has published security advisories. - See **SECURITY.md** and GitHub Security Advisories for details. ### Upgrading - **Docker:** pull the new tag and recreate the container with the same volumes. Example: ```bash docker pull error311/filerise-docker:latest # or pin a specific version from Releases ``` - **Manual:** replace app files with the latest release ZIP (keep `/var/www/uploads`, `/var/www/users`, `/var/www/metadata`, and your config). Please report vulnerabilities responsibly via the channels listed in **SECURITY.md**. --- ## Community, support & contributing Contributions are welcome β€” from bug fixes and docs to translations and UI polish. See `CONTRIBUTING.md` for guidelines. If FileRise saves you time or becomes your daily driver, a ⭐ on GitHub or sponsorship is hugely appreciated: - ❀️ [GitHub Sponsors](https://github.com/sponsors/error311) - β˜• [Ko-Fi](https://ko-fi.com/error311) --- ## AI Disclosure FileRise is my project. I use AI like a tool for some tasks (e.g., translations/snippets), but the architecture, core code, and ongoing maintenance are mine. --- ## License & third-party code FileRise Core is released under the **MIT License** – see `LICENSE`. It bundles a small set of well-known client and server libraries (Bootstrap, CodeMirror, DOMPurify, Fuse.js, Resumable.js, sabre/dav, etc.). All third-party code remains under its original licenses. The official Docker image includes the **ClamAV** antivirus scanner (GPL-2.0-only) for optional upload scanning. See `THIRD_PARTY.md` and the `licenses/` folder for full details. --- ## Press - [Heise / iX Magazin – β€œFileRise 2.0: Web-Dateimanager mit Client Portals” (DE)](https://www.heise.de/news/FileRise-2-0-Web-Dateimanager-mit-Client-Portals-11092171.html) - [Heise / iX Magazin – β€œFileRise 2.0: Web File Manager with Client Portals” (EN)](https://www.heise.de/en/news/FileRise-2-0-Web-File-Manager-with-Client-Portals-11092376.html)