NextExplorer

NextExplorer

Docker app from MaybeGrim's Repository

Overview

NextExplorer is a modern, self-hosted web-based file explorer with secure access control and a polished UI. Features include fast previews for images, videos, and PDFs, a built-in code/text editor with syntax highlighting, link-based file sharing (read-only or read-write), ripgrep-powered search across filenames and content, and multiple view modes (grid, list, column). Security is built in with local users and groups, optional OIDC/SSO integration, account lockout policies, and session management. Toggle "Show more settings" for advanced options including OIDC single sign-on, reverse proxy trust, and account lockout configuration.

nextExplorer logo

NextExplorer

A modern, self-hosted file explorer with secure access control, polished UX, and a Docker-first deployment.

Docs: explorer.nxz.ai

Demo

Highlights

  • Secure by default: local users & groups, optional OIDC SSO.
  • Fast previews: images, videos, PDFs, thumbnails (FFmpeg), and inline players.
  • Built-in editor: edit text/code with syntax highlighting (extensible via EDITOR_EXTENSIONS).
  • Sharing workflows: link-based sharing (read-only/read-write), guest access, “Shared with me”.
  • Smart search: ripgrep-backed filename + content search with tunable limits.
  • Modern UX: grid/list/column views, drag-and-drop, context menus, keyboard shortcuts.
  • Docker-native: single image, mount volumes under /mnt, reverse-proxy friendly via PUBLIC_URL.

Quickstart (Docker Compose)

services:
  nextexplorer:
    image: nxzai/explorer:latest
    container_name: nextexplorer
    restart: unless-stopped
    ports:
      - '3000:3000'
    volumes:
      - ./config:/config
      - ./cache:/cache
      # Each /mnt/<Label> mount becomes a top-level volume in the UI
      - /path/to/your/files:/mnt/Files
    environment:
      - NODE_ENV=production
      - PUBLIC_URL=http://localhost:3000
Full docker-compose with all configurations
services:
  nextexplorer:
    image: nxzai/explorer:latest
    container_name: nextexplorer
    restart: unless-stopped
    ports:
      - '3000:3000'
    volumes:
      - ./config:/config # contains config files, db, settings etc.
      - ./cache:/cache # contains thumbnail cache and other files which are generated automatically

      # Each /mnt/<Label> mount becomes a top-level volume in the UI
      - /path/to/your/files:/mnt/Files

    environment:
      # Required basics
      NODE_ENV: production # Set to `production` for the Docker image defaults.
      PORT: '3000' # Port the Express API + frontend listen on *inside* the container.
      PUBLIC_URL: 'http://localhost:3000' # External URL (no trailing slash); drives cookies, CORS defaults, and derived callback URLs. Accessing the app via a different URL may cause CORS/cookie/OIDC issues.


      # Reverse proxy / networking (optional)
      # INTERNAL_URL: "http://192.168.1.250:3017" # Extra origin(s) the app may also be reached from (e.g. a LAN IP for fast local uploads), comma-separated. Treated as valid (no public-URL mismatch warning) and accepted by CORS; PUBLIC_URL stays the canonical URL for share links / OIDC.
      # TRUST_PROXY: "loopback,uniquelocal" # Express trust proxy config; set when running behind a reverse proxy (often auto-derived when `PUBLIC_URL` is set).
      # CORS_ORIGINS: "" # Comma-separated allowed origins; aliases: `CORS_ORIGIN`, `ALLOWED_ORIGINS` (defaults to `PUBLIC_URL` origin when set).

      # Logging & debugging (optional)
      # LOG_LEVEL: "info" # `trace|debug|info|warn|error` (defaults to `debug` when `DEBUG=true`).
      # DEBUG: "false" # When `true`, forces `LOG_LEVEL=debug` and enables more verbose diagnostics.
      # ENABLE_HTTP_LOGGING: "false" # When `true`, logs HTTP requests (recommended with centralized logs in production).

      # Paths & volumes (optional)
      # VOLUME_ROOT: "/mnt" # Root directory that houses all mounted volumes. App will display all directores inside this directory as volumes.
      # CONFIG_DIR: "/config" # Location for SQLite, `app-config.json`, extensions, and settings.
      # CACHE_DIR: "/cache" # Location for thumbnails, ripgrep indexes, and temporary data.
      # USER_ROOT: "/mnt/_users" # Root directory for per-user personal folders (defaults to `<VOLUME_ROOT>/_users` when unset). Make sure you persist this path if you use USER_DIR_ENABLED.

      # Authentication (optional)
      # AUTH_MODE: "both" # `local|oidc|both|disabled` what authentication methods you want to enable.
      # AUTH_ENABLED: "true" # Deprecated: use `AUTH_MODE=disabled` to skip login.
      # SESSION_SECRET: "please-change-me" # Session cookie secret (alias: `AUTH_SESSION_SECRET`); set a long, random, stable value (>= 32 chars) to keep sessions valid across restarts/replicas.
      # AUTH_MAX_FAILED: "5" # Failed login attempts before temporary lockout.
      # AUTH_LOCK_MINUTES: "15" # Lockout duration (minutes) when max failures reached.
      # AUTH_ADMIN_EMAIL: "" # First-run bootstrap (local auth): when set with `AUTH_ADMIN_PASSWORD`, creates an admin user on startup and skips setup.
      # AUTH_ADMIN_PASSWORD: "" # Password for `AUTH_ADMIN_EMAIL` bootstrap; overrides/resets password on startup if the user already exists.

      # OIDC & SSO (optional)
      # OIDC_ENABLED: "false" # Enable Express OpenID Connect auth flow.
      # OIDC_ISSUER: "https://auth.example.com/application/o/next/" # IdP issuer URL (discovery).
      # OIDC_AUTHORIZATION_URL: "" # Optional discovery override.
      # OIDC_TOKEN_URL: "" # Optional discovery override.
      # OIDC_USERINFO_URL: "" # Optional discovery override.
      # OIDC_CLIENT_ID: "nextexplorer" # IdP client ID.
      # OIDC_CLIENT_SECRET: "" # IdP client secret.
      # OIDC_CALLBACK_URL: "http://localhost:3000/callback" # Explicit callback URL (defaults to `${PUBLIC_URL}/callback` when `PUBLIC_URL` is set).
      # OIDC_SCOPES: "openid profile email" # Add `groups` to propagate group claims.
      # OIDC_ADMIN_GROUPS: "" # Space/comma-separated group names that grant admin rights (matched in `groups`, `roles`, or `entitlements`).
      # OIDC_REQUIRE_EMAIL_VERIFIED: "false" # When `true`, requires IdP to verify user email before allowing user creation/auto-linking.
      # OIDC_AUTO_CREATE_USERS: "true" # When `false`, denies OIDC login unless the user already exists in the DB.

      # Feature toggles (optional)
      # SEARCH_DEEP: "false" # Enables deep content search (ripgrep used when `SEARCH_RIPGREP=true`).
      # SEARCH_RIPGREP: "true" # Prefer ripgrep for fast searches; fallback search used when unavailable.
      # SEARCH_MAX_FILESIZE: "" # Skip ripgrep for files larger than this (e.g., `5MB`).
      # SHOW_VOLUME_USAGE: "false" # Show volume usage badges in the sidebar.
      # USER_DIR_ENABLED: "false" # Enables per-user “My Files” spaces under `USER_ROOT`.
      # USER_VOLUMES: "false" # Restrict non-admin users to only volumes assigned by an admin.
      # SKIP_HOME: "false" # When `true`, `/browse/` redirects into the first volume.

      # Editor (optional)
      # EDITOR_EXTENSIONS: "" # Extra file extensions supported by the inline editor (comma-separated, added to built-in defaults).

      # OnlyOffice & thumbnails (optional)
      # ONLYOFFICE_URL: "" # Public URL for OnlyOffice Document Server (must reach your app's `PUBLIC_URL`).
      # ONLYOFFICE_SECRET: "" # JWT secret shared with OnlyOffice Document Server for `/api/onlyoffice`.
      # ONLYOFFICE_LANG: "en" # Language code for the editor UI.
      # ONLYOFFICE_FORCE_SAVE: "false" # When `true`, OnlyOffice forces users to save via the editor UI.
      # ONLYOFFICE_FILE_EXTENSIONS: "" # Extra file extensions to surface to the Document Server.
      # FFMPEG_PATH: "" # Point to a custom ffmpeg binary (defaults to bundled binary).
      # FFPROBE_PATH: "" # Point to a custom ffprobe binary (defaults to bundled binary).

      # Container user mapping (optional)
      # PUID: "1000" # Map container processes to host UID so created files have consistent ownership.
      # PGID: "1000" # Map container processes to host GID so created files have consistent ownership.

Documentation

Install NextExplorer on Unraid in a few clicks.

Find NextExplorer in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for NextExplorer Review the template variables and paths Click Install

Categories

Download Statistics

936,634
Total Downloads
165,734
This Month
190,335
Avg / Month

Total Downloads Over Time

Loading chart...

Related apps

Explore more like this

Explore all

Details

Repository
nxzai/explorer:latest
Last Updated2026-06-02
First Seen2026-03-29

Runtime arguments

Web UI
http://[IP]:[PORT:3000]
Network
bridge
Shell
bash
Privileged
false

Template configuration

Web UI PortPorttcp

Port for the NextExplorer web interface.

Target
3000
Default
3000
Value
3000
Config PathPathrw

Persistent storage for database, settings, and session data. Do not delete.

Target
/config
Default
/mnt/user/appdata/nextexplorer/config
Value
/mnt/user/appdata/nextexplorer/config
Cache PathPathrw

Thumbnail cache and search indexes. Safe to clear if troubleshooting.

Target
/cache
Default
/mnt/user/appdata/nextexplorer/cache
Value
/mnt/user/appdata/nextexplorer/cache
Data PathPathrw

Root directory to browse. Mounted paths appear as top-level volumes in the UI. Add more by clicking 'Add another Path'.

Target
/mnt/Data
Default
/mnt/user
Value
/mnt/user
PUBLIC_URLVariable

External URL used for cookies, CORS, and callback URLs. Set this to your reverse proxy URL if using one (no trailing slash).

Default
http://[IP]:3000
Value
http://[IP]:3000
Admin EmailVariable

Email for the admin account created on first launch. Only used during initial setup.

Target
AUTH_ADMIN_EMAIL
Admin PasswordVariable

Password for the admin account created on first launch. Only used during initial setup.

Target
AUTH_ADMIN_PASSWORD
Session SecretVariable

Random string (32+ chars) used to sign session cookies. Set a stable value to keep sessions valid across container restarts. Leave blank to auto-generate (sessions reset on restart).

Target
SESSION_SECRET
NODE_ENVVariable

Runtime environment. Leave as production.

Default
production
Value
production
Container PortVariable

Internal container port. Should match the Web UI Port mapping.

Target
PORT
Default
3000
Value
3000
Enable OIDCVariable

Set to 'true' to enable OpenID Connect single sign-on. Requires OIDC provider configuration below.

Target
OIDC_ENABLED
Default
false
Value
false
OIDC Client IDVariable

Client ID from your OIDC identity provider (e.g. Authentik, Authelia, Keycloak).

Target
OIDC_CLIENT_ID
OIDC Client SecretVariable

Client secret from your OIDC identity provider.

Target
OIDC_CLIENT_SECRET
OIDC Issuer URLVariable

OIDC issuer/discovery URL from your identity provider (e.g. https://auth.example.com).

Target
OIDC_ISSUER
Trust ProxyVariable

Express trust proxy setting for running behind a reverse proxy. Usually auto-derived from PUBLIC_URL. Set to 'true', a number of hops, or a CIDR range if needed.

Target
TRUST_PROXY
Max Failed LoginsVariable

Number of failed login attempts before the account is temporarily locked.

Target
AUTH_MAX_FAILED
Default
5
Value
5
Lockout Duration (minutes)Variable

Duration in minutes that an account stays locked after exceeding failed login attempts.

Target
AUTH_LOCK_MINUTES
Default
15
Value
15