How to Securely Expose an SMB File Server via HTTPS Web Interface: Open Source Solutions for Remote Access



Many organizations face the need to securely expose Windows SMB file shares through a web interface. While SMB works well internally, it's not ideal for external access due to firewall complications and security concerns. Here's how to implement a robust HTTPS gateway.

Several open-source approaches can bridge this gap:


# Example using FileBrowser (Go-based solution)
docker run -d \
  -v /path/to/smb/mount:/srv \
  -p 8080:80 \
  filebrowser/filebrowser

For a more customized solution using Python:


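import io
import posixpath

from flask import Flask, abort, send_file
from smb.SMBConnection import SMBConnection

app = Flask(__name__)

@app.route('/file/<path:filepath>')
def get_file(filepath):
    # Refuse parent-directory segments so requests stay inside the share
    if '..' in filepath.replace('\\', '/').split('/'):
        abort(400)
    # 'user'/'password' are placeholders; load real credentials from a secret store
    conn = SMBConnection('user', 'password', 'client', 'server')
    if not conn.connect('server_ip'):
        abort(502)
    try:
        file_obj = io.BytesIO()
        conn.retrieveFile('share_name', filepath, file_obj)
    finally:
        conn.close()
    file_obj.seek(0)
    # send_file needs a name to pick a MIME type for a file-like object (Flask 2.0+)
    return send_file(file_obj, as_attachment=True,
                     download_name=posixpath.basename(filepath))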

When exposing SMB via web:

  • Always use HTTPS with valid certificates
  • Implement proper authentication (OAuth2, JWT)
  • Set appropriate CORS headers
  • Consider rate limiting

For a complete solution, consider migrating to Nextcloud with external storage support:


# Nextcloud SMB configuration
'smb' => array (
  'enabled' => true,
  'options' => array (
    'host' => 'smb_server',
    'username' => 'user',
    'password' => 'password',
    'share' => 'share_name'
  ),
),

For media streaming, implement chunked transfer and byte-range requests:


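from flask import Response, request, stream_with_context

@app.route('/video/<path:filepath>')
def stream_video(filepath):
    range_header = request.headers.get('Range')
    # Implement partial content handling: derive the byte offsets from
    # range_header, build `headers` (Content-Range, Content-Length) and have
    # generate() yield only that slice of the file
    return Response(stream_with_context(generate()), 206, headers=headers)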
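
The byte-range planning that the stub above leaves open, as an added example that is not part of the original page. `plan_range`, `MAX_CHUNK` and the 8 MiB cap are assumptions chosen for illustration; the returned offset and length are what a gateway would pass to a ranged read on the share, such as pysmb's `retrieveFileFromOffset()`.

```python
import re

MAX_CHUNK = 8 * 1024 * 1024  # assumed per-request cap; tune to gateway memory
# Digit count is bounded so an oversized number cannot trip int() parsing limits
_RANGE_RE = re.compile(r"bytes=(\d{0,19})-(\d{0,19})")


def plan_range(range_header, file_size, max_chunk=MAX_CHUNK):
    """Map a Range header to (status, headers, offset, length)."""
    full = (200, {"Accept-Ranges": "bytes",
                  "Content-Length": str(file_size)}, 0, file_size)
    match = _RANGE_RE.fullmatch((range_header or "").strip())
    if not match or match.groups() == ("", ""):
        # Absent, malformed or multi-range header: ignore it and serve 200
        return full
    first, last = match.groups()
    if first == "":
        # Suffix form "bytes=-N": the final N bytes of the file
        suffix = int(last)
        start = max(file_size - suffix, 0) if suffix else file_size
        end = file_size - 1
    else:
        start = int(first)
        if last and int(last) < start:
            return full  # an invalid range-spec is ignored, not an error
        end = min(int(last), file_size - 1) if last else file_size - 1
    if start >= file_size:
        # Nothing to serve from this offset: 416 with the real size
        return (416, {"Content-Range": f"bytes */{file_size}"}, 0, 0)
    # Bound the read so one request cannot make the gateway buffer a huge file
    end = min(end, start + max_chunk - 1)
    length = end - start + 1
    headers = {"Accept-Ranges": "bytes",
               "Content-Range": f"bytes {start}-{end}/{file_size}",
               "Content-Length": str(length)}
    return (206, headers, start, length)
```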

Many organizations face the need to access internal SMB shares through web browsers while maintaining security. The traditional Windows file server setup presents limitations when remote access is required. Here's how to bridge this gap with modern solutions.

Before implementation, consider these critical factors:

  • Security implications of exposing file shares to the web
  • Authentication methods (SMB credentials vs web auth)
  • Performance impact of protocol translation
  • File locking mechanisms in web-based access

Here are three proven approaches with implementation details:

1. FileBrowser (Linux/Windows)

A lightweight solution written in Go:


# Installation (Linux)
wget https://github.com/filebrowser/filebrowser/releases/download/v2.23.0/linux-amd64-filebrowser.tar.gz
tar -xvzf linux-amd64-filebrowser.tar.gz
./filebrowser -a 0.0.0.0 -p 443 --cert cert.pem --key key.pem -r /mnt/smb_mount

# Configuration file (config.json)
{
  "port": 443,
  "baseURL": "",
  "address": "",
  "log": "stdout",
  "database": "/etc/filebrowser/database.db",
  "root": "/mnt/smb_mount",
  "cert": "/path/to/cert.pem",
  "key": "/path/to/key.pem"
}

2. Samba Web Administration Tool (SWAT)

For direct SMB management through web:


# Install on Debian-based systems
sudo apt install swat
sudo systemctl enable swat
sudo systemctl start swat

# Configure in /etc/samba/smb.conf
[global]
   swat = yes
   interfaces = 127.0.0.1
   hosts allow = 127.0.0.1

3. Nextcloud + SMB/CIFS Plugin

A more comprehensive enterprise solution:


# Enable the external storage app (it ships with Nextcloud)
occ app:enable files_external
occ files_external:create "SMB Share" smb password::password -c host=smb.example.com -c share=sharename -c root="" -c username=user

# Typical mount configuration in config.php
$CONFIG = array(
  'files_external_allow_create_new_local' => true,
  'files_external_smb' => [
    'host' => 'smb.example.com',
    'share' => 'sharedfolder',
    'username' => 'user',
    'password' => 'password'
  ]
);

  • Always use HTTPS with valid certificates (Let's Encrypt for testing)
  • Implement IP whitelisting where possible
  • Use read-only mounts for public shares
  • Enable audit logging for all file operations
  • Consider using a reverse proxy (Nginx) for additional security layers

When dealing with large files or many users:


# Nginx proxy configuration for large file support
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_max_body_size 10G;

For better protocol compatibility:


# Using davfs2 to mount the WebDAV endpoint as a local filesystem
sudo apt install davfs2
sudo mount -t davfs https://webdav.example.com /mnt/webdav -o username=user,uid=1000