Description
I'm hosting Filebrowser at https://stuff.example.com/sub/
There's an Authelia frontend that's configured to do authentication for Filebrowser, and it works as expected. Authelia is hosted at https://auth.example.com/.
Now I'm trying to share a folder for 3rd-parties to be able to access my data without authentication -- use the button, set up the share, generate a link of the form https://stuff.example.com/sub/files/share/XXXXX and enjoy life. It kind of works, as in: I am able to access the main share site.
But I cannot click on specific images (that's what the folder I'm sharing contains) to view them. I'm receiving the following logs:
2024-11-17T21:32:13.203161764+02:00 stdout F time="2024-11-17T19:32:13Z" level=debug msg="Check authorization of subject username= groups= ip=2001:4090:a240:802d:239:62c0:fdf7:a892 and object https://example.com/api/public/dl/elzXCpUI/IMG_20241117_153536_772.jpg?token= (method GET)."
2024-11-17T21:32:13.203201194+02:00 stdout F time="2024-11-17T19:32:13Z" level=info msg="Access to https://stuff.example.com/api/public/dl/elzXCpUI/IMG_20241117_153536_772.jpg?token= (method GET) is not authorized to user <anonymous>, responding with status code 401 with location redirect to https://auth.example.com/?rd=https%3A%2F%2Fstuff.example.com%2Fapi%2Fpublic%2Fdl%2FelzXCpUI%2FIMG_20241117_153536_772.jpg%3Ftoken%3D&rm=GET" method=GET path=/api/authz/forward-auth remote_ip="2001:4090:a240:802d:239:62c0:fdf7:a892"
(This is a real log entry, I just edited the original domain name to replace it with stuff.example.com instead.)
Note that the URL here is ...example.com/api..., while it should actually be ...example.com/sub/api....
Expected behaviour
I'd expect to be able to freely interact with the shared folder. In particular, I'd expect the file IMG_20241117...jpg to be accessible via ...example.com/sub/api/..., and NOT via ...example.com/api....
(Note that the fact that the URL above is blocked by the authenticator here is just a useless symptom. Even if I was to allow that through it wouldn't solve the problem, as Filebrowser isn't at /, it's at /sub within the stuff.example.com domain.)
What is happening instead?
Filebrowser frontend links to the wrong, non-existent URL (...stuff.example.com/api...).
Additional context
The relevant part of the Caddy reverse proxy for Filebrowser:
stuff.example.com {
    @allow_files_pubshare {
        not path /sub/api/public/dl/*
        not path /sub/api/public/share/*
        not path /sub/share/*
        not path /sub/static/*
    }
    forward_auth @allow_files_pubshare https://auth.example.com {
        header_up Host {upstream_hostport}
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email \n\
    }
    redir /sub /sub/
    handle_path /sub/* {
        reverse_proxy http://portal-files-%i:8080
    }
}
The filebrowser config .json looks like this:
{
    "port": 8080,
    "baseURL": "/sub",
    "address": "",
    "log": "stdout",
    "root": "/var/syncthing",
    "auth": {
        "method": "proxy",
        "header": "Remote-User"
    }
}
Any ideas?
It looks like there's a {baseURL} missing at one particular instance in the code :-)
I've tried to find out where, but I'm neither an expert in Go nor in Web Development. getDownloadURL from filebrowser/frontend/src/api/pub.ts looks suspicious to me, but then again... I didn't
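An added example, not part of the original issue and not Filebrowser or Caddy code: it replays the `not path` exemptions from the Caddyfile above against the download path with and without the `/sub` prefix, showing why the unprefixed link lands in `forward_auth` and gets the 401 seen in the log. `publicDownloadPath` is a hypothetical builder, the matcher is a simplified stand-in for Caddy's path matching, and the sample hash and file name are taken from the log entry.

```typescript
// Added illustration; not Filebrowser or Caddy source code.

// The `not path` lines of the @allow_files_pubshare matcher in the Caddyfile above:
// requests matching any of these skip forward_auth.
const EXEMPT_PATTERNS: string[] = [
  "/sub/api/public/dl/*",
  "/sub/api/public/share/*",
  "/sub/share/*",
  "/sub/static/*",
];

// Simplified stand-in for Caddy's path matcher: a trailing "*" means prefix
// match, anything else must match exactly (case handling is ignored here).
function matchesPattern(pattern: string, path: string): boolean {
  if (pattern.charAt(pattern.length - 1) !== "*") {
    return path === pattern;
  }
  const prefix = pattern.slice(0, -1);
  return path.slice(0, prefix.length) === prefix;
}

// True when the request would be sent to Authelia's forward-auth endpoint.
function requiresAuth(path: string): boolean {
  return !EXEMPT_PATTERNS.some((p) => matchesPattern(p, path));
}

// Hypothetical URL builder (not getDownloadURL from pub.ts): prefixes the
// configured baseURL and tolerates a trailing slash on it.
function publicDownloadPath(baseURL: string, hash: string, file: string): string {
  const base = baseURL.replace(/\/+$/, "");
  return `${base}/api/public/dl/${hash}/${encodeURIComponent(file)}`;
}

// Sample values constructed from the log entry in the issue.
const SAMPLE_HASH = "elzXCpUI";
const SAMPLE_FILE = "IMG_20241117_153536_772.jpg";

const withBase = publicDownloadPath("/sub", SAMPLE_HASH, SAMPLE_FILE);
const withoutBase = publicDownloadPath("", SAMPLE_HASH, SAMPLE_FILE);

console.log(withBase, "-> forward_auth:", requiresAuth(withBase));
console.log(withoutBase, "-> forward_auth:", requiresAuth(withoutBase));
```

A check like this can sit next to the proxy configuration as a regression test, so that a change to the base URL or to the exemption list shows up before anonymous share links break or an unintended path becomes public.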