Serving files from a network drive

I have a NAS.

I want to run a simple web server on it, to make my files accessible over the internet.

I also want to be able to share files from my daily driver windows machine via that same server.

I’m a noob with linux, so I need help to do that :pray:


I am running Ubuntu 22.04. I installed something called webinoly, which seems an easy way to keep a simple web server running and up to date.

Next I tried to mount a folder on my windows machine and serve that mounted location.

I run the following command

sudo mount -t cifs -o credentials=~/.smbcredentials,uid=www-data,gid=www-data,mfsymlinks //192.168.0.2/c$/users/martixy/srv/ /mnt/http_mount/nas/main

Initially, I had a small permissions issue - the server runs with user www-data, so I mount with uid=www-data to not get 403 Forbidden responses from my shared folder.

That mount goes away when the server is restarted. So I have to run the command manually. How do I make it persistent? (I assume fstab will somehow be involved) Nvm, figured out that bit by myself.

But the bigger remaining issue is:

How do I share symlinked files?
Here’s a listing for the directory with a symlink:

lrwxr-xr-x 1 www-data www-data  47 Aug 29 22:50 'Killing Catgirls.gif' -> '/??/E:/DnD/Killing Catgirls.gif'

Searching on the internet seemed to indicate mfsymlinks option might help, but it didn’t.

I want to be able to share files without having to copy them.


Alternatively, I am open to other home-lab cloud solutions :slight_smile:

Also, I am looking for a recommendation for a different web server package (i.e. LEMP) - this webinoly thing is crazy poorly documented. I desperately want to get rid of it. (Actually I think the guy just decided to hide the docs behind a paywall. Then claim he’s “Making NGINX easy for everyone” on twitter. What an asshole. Thank god for the web archive.)
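An added example, not part of the original post: a small audit that classifies every symlink under a directory a web server is about to serve, so that links like the one in the listing above are recognised as Windows paths that cannot resolve on the Linux side. It goes slightly beyond the post by also flagging links that resolve outside the shared folder. The sample tree and all file names except the one quoted from the listing are constructed.

```python
import os
import re
import tempfile

# A target like '/??/E:/DnD/...' (as in the listing above) or a bare drive-letter
# path is a Windows path; it names nothing on the Linux side of the mount.
WINDOWS_TARGET = re.compile(r"^(/\?\?/|[A-Za-z]:[/\\])")

def classify_link(path, root):
    """Classify one symlink: 'windows-path', 'dangling', 'escapes-root' or 'ok'."""
    if WINDOWS_TARGET.match(os.readlink(path)):
        return "windows-path"
    resolved = os.path.realpath(path)
    if not os.path.exists(resolved):
        return "dangling"
    root_real = os.path.realpath(root)
    if os.path.commonpath([resolved, root_real]) != root_real:
        return "escapes-root"  # the web server would serve a file outside the share
    return "ok"

def audit_tree(root):
    """Return {relative path: classification} for every symlink under root."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                report[os.path.relpath(full, root)] = classify_link(full, root)
    return report

def demo():
    """Build a constructed sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "share")
        os.makedirs(os.path.join(root, "pub"))
        for f in (os.path.join(root, "pub", "notes.txt"), os.path.join(base, "outside.txt")):
            with open(f, "w") as fh:
                fh.write("sample\n")
        os.symlink("pub/notes.txt", os.path.join(root, "inside.txt"))
        os.symlink("/??/E:/DnD/Killing Catgirls.gif",
                   os.path.join(root, "Killing Catgirls.gif"))
        os.symlink("missing.bin", os.path.join(root, "gone.bin"))
        os.symlink(os.path.join(base, "outside.txt"), os.path.join(root, "leak.txt"))
        return audit_tree(root)

if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:13} {rel}")
```

Pointing `audit_tree` at the mount point instead of the constructed tree lists which links the server could actually follow before anything is exposed.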

Please don’t…

VPN to your network then access the files as if on LAN.

Unless you plan on hosting a site for everyone to access EVERYTHING on that server, this is the way.

1 Like

Ok, let me put it like this: I want to run a web server to do web things with (incl. php, mysql and the like).

I also want to access my files.

Why not?

Currently I run a VPN from my router, but its performance is too poor for large file transfers. Also, it only supports PPTP, so I cannot connect from my phone which is on Android 14 (some internet searches hinted PPTP support was removed in Android 12).

I welcome suggestions.

Is it possible to run a VPN from the NAS? I.e. a device on the network rather than the gateway to the network…? I’m not a network whiz, but I’ve always been curious about networking, please educate me.

You could but it would involve something like running a host OS like Ubuntu, running your NAS OS in a VM, hosting a wireguard server on the host OS, then creating wireguard clients with routing to the NAS VM storage pool

Wendell made a forbidden router video that I think will point you in the right direction

I’m a noob. This sounds above my paygrade.

And my hardware is decade+ old. Wendell is talking about shit that’s way too expensive for the purpose. He says it himself that the idea is that the router is a toaster. This sounds very not toastery to me.

what I mentioned above I think could be done on literally a chromebook

but what you’re asking to do requires a bit of learning unless you want your NAS auto-hacked by an A.I. bot on the other side of the world

1 Like

Overall I don’t recommend exposing any of what you’ve posted to the internet. You’ll expose your network/information to all kinds of attacks for minimal benefit.

I do think it is best to setup a VPN and to then VPN into your home network.

Thankfully wireguard is not very resource intensive, but if you are already hitting the limits of your hardware and would like a cheaper solution then I’d recommend buying a refurbed micro PC or a raspberry pi then running the VPN off of there.

For the raspberry Pi here are two very good guides:

https://www.jeffgeerling.com/blog/2023/build-your-own-private-wireguard-vpn-pivpn

Here is a decent guide for installing it on an Ubuntu x86 system: https://www.cyberciti.biz/faq/ubuntu-20-04-set-up-wireguard-vpn-server/

I’m personally partial to the raspberrypi option. Very easy and the overall power usage should be lower.

2 Likes

  1. My budget is precisely 0$. Software or bust.
  2. I still need a new web server package.
  3. Still need an answer if the symlinks can be fixed. Or some other solution… NTFS is a decently feature-rich filesystem. Hardlinks can’t span volumes, but junctions can. There has to be some thing or another that can extend to individual files…
  4. I’m not opposed to learning a bit; or a lot. But I need a starting point. Or preferably a clear path to the goal.

Wrt to VPN I think updating my router to the newest build of dd-wrt is probably my best bet. I’ve been putting it off because it’d require so much manual config to set up my network config back to its present state.

Yeah, as others have pointed out this is a really really really bad idea.

Look into overlay network, it’s free and easy to setup. Both of these have free tier with 100 devices. They achieve this by facilitating direct connections between your devices, without requiring the use of their own bandwidth for networking.

1 Like

I was going to recommend tailscale, or you could use something like syncthing and access some files like a cache outside network. Might not be real access to 100% but most of the time it doesn’t matter.

Please do not run an open public webserver on the internet, you’ll own not only yourself but everyone on your network in probably hours (because you don’t know what you’re doing).

1 Like

Check follow symlinks=yes is in the /etc/samba/smb.conf for the share.

There’s a ton of other advice not to host locally. It’s really really difficult to assess the risk of a thing you can’t imagine going wrong – but if it goes wrong, what’s the budget for cleaning up or what’s the budget for recovering data?

K3n.

1 Like

Whyyyyyyyyyyyyyyyyyyyyyyy?

Please tell me why already!

How many times do I have to ask?

I still need a server. Everyone is avoiding my questions and spouting canned responses. It’s like I’m talking to AI…

@k3ninho You’ve confused the server-client relationship here.

You all keep suggesting all these enterprise looking solutions that require accounts and pricing plans and sit in the cloud and that’s literally the thing I want to avoid. I don’t want to contact fucking sales. I don’t want to setup another fucking account in another cloud service.

Syncthing looks interesting tho.

Why do you all try to make it sound so scary? I’ve been running a web server for literally years without having anything pwned. It used to be on my personal machine previously. Now I want to set it up on my NAS.

On windows it was super easy using Wampserver - it helps manage and update the server, and makes everything simple to setup and configure.

Please help me find something similar for linux! (Tho I want to try nginx, not apache.)

@vivante Thanks for your post. I have not heard of Netbird.io. I will try either Netbird or Tailscale to solve my issue with sharing my movie collection outside of my home network.

Now for the reason for my post. @martixy, I know you are upset and feel you are getting the runaround. Please take a breath. I can assure you none of the advice you have received is generated by AI. Level 1 Techs has a non-AI generation policy; it is against forum rules to use AI to help develop any posts here. Just because you have never had a problem with getting pwned using Windows doesn’t mean the same wouldn’t happen using Linux.

I will share an event that happened about six weeks ago to the company I work for, which should help with understanding Windows isn’t the same as Linux. A lot of the details I cannot share because of company policy. One of our remote employees ignored company policy and replaced the company-provided gateway with his own device, which used Kali Linux as its underlying OS. He was pwned, which caused the company’s network to get pwned. Because of company policy, I had to replace all of the company’s gateways. Because of this one person’s disregard of company policy, the company lost several man-hours of productivity and had to spend a few million dollars replacing equipment. I had to fire this person, which I hated to do because he was such a good worker and only had this one mistake against him.

You have to ask yourself a few basic questions, maybe our criticism is not well placed:

  1. If files you serve get downloaded by 3rd party is that a problem? Are these files secret/private in any way?
  2. When you get hacked, will you know you got hacked?
  3. When you get hacked, do you have a way of protecting other machines on the same network as your hacked device?
  4. If it is exposed to the internet without restrictions, can you handle keeping it protected? Remember, there is a new XZ Utils or EternalBlue just around the corner.

I suggest you take free credit for Linode (L1 affiliate link) and spin up a web server. Then watch the logs and see how long it takes for bots to attack it.

People who make NAS devices for a living have teams dealing with security issues every day, for example Synology or QNAP and they can barely keep up. Can you DIY that?

And I think you mentioned you want free, well seriously consider overlay networking.

2 Likes

Was the BYO device or the company device on Kali?

Also, am I getting this right? That the implication here is that Windows is more secure? I’ve always seen the sentiment that it’s the other way around.

So, would the advice now be to simply keep using wampserver?


Also, I’ve been reading up on netbird. Apparently it can do self-hosted, but they mention a VM. And it wants ports 80 and 443 and my public domain, which clash with running a server on the same machine.

My NAS is just an ubuntu install with samba shares of the drives inside set up. Nothing fancy. No proxmox or truenas or the like…

And I still want a web server I can tinker with, test PHP code, mess around with database things and server configs… For example I would love to try setting up HTTP3 and see how it works. Wampserver let me easily swap out PHP versions, to try new features, update components, switch between databases like MySQL and MariaDB. That’s something I want to be able to do on linux. Is that possible?


@vivante

And what should I be looking for in the logs? I don’t need linode, I can look at my own logs. Sure, there’s a constant stream of requests from all manner of IPs, but they’re all malformed "\x05\x01\x00" 400 150 "-" "-" or looking to exploit third party files I will never put on the server. So they get 400 responses. What else do I need to fear then?

Meanwhile you make it sound as if nobody should even be on the internet in the first place…

To respond to the questions:

  1. No, the files I want to serve are not private. The worst I risk getting leaked is my D&D campaign notes and how much I like anime. But no one has ever looked at that in all the years I’ve had it public - I occasionally check the logs. Bots usually look for exploitable shit like bad wordpress installs.
  2. Any suggestions for monitoring the state of my NAS? On windows I run a small, very old program called bwmeter, that puts a small graph of my network traffic on my desktop and keeps network statistics - like this:
    [image: bwmeter graph]
    I put vnstat on my nas, which is good for keeping stats, but fails at giving me a convenient real-time view of traffic. (Convenient being the key word here. That widget lives on my desktop and is always a glance away. Sadly the program is windows only, so I cannot run it on linux and conveniently plop another graph on my windows desktop. I’d ask for a cross-platform alternative, but I doubt anyone can give me anything that has configurable enough graphs.)
  3. I have no way to answer such a broad question. What does hacked even mean?
  4. I don’t want things exposed willy-nilly, obviously. Right now I expose a single folder and put only specific things I want shared there.

I feel the comparison to Synology and the like is disingenuous. They deal with problems they create in the first place. Of course no one is gonna write bug free code, so there will be bugs in their firmware and custom software. It seems weird to me there isn’t a simple, agreed upon way to set up a personal web server on the linux side.

But yes, ultimately I think I will find the time this weekend to finally update my router firmware and setup a wireguard server.

There is nothing inherently wrong with running a public webserver, obviously the internet exists. If you’re aware of the risks and keeping it up-to-date and secure then go for it. I and everyone else are assuming you don’t because that’s the safe and likely assumption.

As to why it’s not recommended, well my home firewall has blocked 90,000 packets today… and since you mentioned samba there are at least 174k open samba servers without authentication, let’s hope they fix that soon :grimacing:

If you’re not familiar with Shodan, here’s a random blog with some interesting searches that may make you cautious about exposing your home network: Fascinating & Frightening Shodan Search Queries (AKA: The Internet of Sh*t) – Jake Jarvis

2 Likes

I thought it was apparent which device was running Kali Linux. Kali Linux (a Linux distro that should never be exposed to the Internet; it should only be used for pen testing the LAN network) was the underlying OS for the non-company-provided gateway.

No, you are not getting the correct implication. I shared my experience with Kali Linux because exposing a server to the Internet is just asking for trouble without proper consideration and respect for the Internet and the need for appropriate protection in place (you need to know what you are doing). Obviously, you don’t know what to do.

As to your implied question, which is more secure, Windows or Linux? They both have strengths and weaknesses and can be hacked. If I had to choose one over the other, I would choose Linux because of the future direction Microsoft seems to want to take Windows. Microsoft is setting itself up to be shot in the foot with the forcing of Copilot and its new feature, Recall.

Can all the features Wampserver provides for @martixy be available to him on Linux? Yes, but it would require @martixy to create his application, which would offer the same features on Linux. He would also have to write this application to ensure compatibility with whichever Linux distro he chooses. My advice would be to stay with Wampserver. It seems to be working for you, but I don’t understand why.

I have heard about Kali and its purpose. I have never used it, so it was unclear whether that should make it more secure or less.
Out of curiosity, give me an example of why Kali should never be exposed to the internet and how that vulnerability is helpful for pen-testing or the like.

And are you able to give more details about what this pwning entailed? Nothing identifying, but like, was some software breached, or some network infrastructure backdoored or something?

@trezamere Shodan is a neat thing.
But there is a pattern you can spot here - these are all default configs, where attacks can target a known thing.
Meanwhile I actually spent some time making a custom config of my server. On top of using a package that presumably has sensible and secure defaults. And updating (I’m on the bleeding edge).
For example I send the root to 403 directly. And actually poring through the logs, I am unable to find a 200 response that is not me.
So (presumably) I don’t have any dumb defaults that a wide net might catch (no default passwords like mysql), and I’m not important enough to warrant special attention.

And worrying about earning someone’s attention seems kinda pointless, my online presence probably has much greater vulnerabilities elsewhere.


Also, please suggest to me ways of monitoring linux! On windows I have the network monitor I spoke about above and process explorer constantly running in the background. Plus I am constantly using the machine, so I can notice slowdowns or weird behaviours as they happen.

Give me something that can fulfill similar roles for my “remote machine” (in quotes because it’s actually still within arms reach of my desk).
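The log check described in the posts above (malformed requests answered with 400, and looking for any 200 response that is not your own), written out as an added example that is not from any poster in the thread. It assumes nginx's default "combined" log format and treats 192.168.0.0/24 as "me", based on the LAN address in the mount command; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# nginx "combined" log format; nginx writes non-printable request bytes as \xHH.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) \S+ "(.*?)" "(.*?)"$')
HTTP_REQUEST = re.compile(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$")

# Constructed sample lines: documentation IP ranges, made-up paths and timestamps.
# \x05\x01\x00 is the byte pattern of a SOCKS5 client greeting, not HTTP.
SAMPLE = r'''
203.0.113.7 - - [30/Aug/2024:10:01:02 +0000] "\x05\x01\x00" 400 150 "-" "-"
198.51.100.23 - - [30/Aug/2024:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 404 146 "-" "Mozilla/5.0"
192.168.0.2 - - [30/Aug/2024:10:05:41 +0000] "GET /nas/main/notes.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Aug/2024:10:06:02 +0000] "GET /nas/main/notes.txt HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [30/Aug/2024:10:07:15 +0000] "GET / HTTP/1.1" 403 146 "-" "-"
'''.strip().splitlines()

def parse_line(line):
    """Return ip, request and status for one combined-format line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group(1), "request": m.group(2), "status": int(m.group(3))}

def is_trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # first field is not an IP address: treat as untrusted
        return False
    return any(addr in net for net in nets)

def triage(lines, trusted_nets):
    """Count probes that are not HTTP and list 2xx responses sent to outsiders."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    result = {"unparsed": 0, "non_http": 0, "foreign_2xx": [], "status": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        result["status"][rec["status"]] += 1
        if not HTTP_REQUEST.match(rec["request"]):
            result["non_http"] += 1
        if 200 <= rec["status"] < 300 and not is_trusted(rec["ip"], nets):
            result["foreign_2xx"].append((rec["ip"], rec["request"], rec["status"]))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE, ["192.168.0.0/24"]))
```

The `foreign_2xx` list is the part worth reading on a real log: the 400 and 404 noise is expected, while a successful response to an address outside the trusted ranges is content that actually left the server.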

Sounds like it’s totally fine then. Again I think people were just taking the safe default assumption approach, if you mentioned all that already I must have glazed over and I apologize.

Also it’s not people you have to worry about because you’re right, you’re probably extremely unlikely to gather an individual’s attention and ire. Bots make up half of internet traffic globally, which is why it is such a risk to run a public server, having ANY open ports will be probed for vulns almost immediately which can be a bad time… IF you’re not keeping it up to date with sane settings (which it sounds like you, specifically, are).

As to monitoring utils, that’s an entire field of business… a good starting point for your whole network would be security onion, it’s a bunch of foss utils bundled together in an easily consumable fashion. There are a million blogs you can read for setting it up in your environment but basically create a span port on your router to mirror traffic to a security onion vm/appliance and configure it to your liking. It has dashboards, alerts, etc.

I understood you to be asking about how to share symlinked files from one part of your samba host machine so that the full file can be downloaded by a client. No worries if that’s not what you need.

Ubuntu is on systemd, the stack of ElasticSearch/Logstash/Kibana was an old favourite (docs at elastic.co, guide at Digital Ocean), but Grafana alone will do dashboards off the output from systemd and journalctl (docs at grafana.com, guide at Digital Ocean). I think both are externally-sourced containers you would add to the server, and have both community and paid-for tiers of features. The Digital Ocean guides are from virtual machines you might rent from cloud provider Digital Ocean, and both walk through adding Nginx as a reverse proxy to serve the tools’ dashboards as well as securing the plumbing of this service.

k3n.