Secure Remote Filesystem Mounting for Web Apps: NFS Implementation Across Ubuntu Servers Over Internet



When developing web applications with file upload functionality, the requirement often evolves to store files on-premises rather than on the web server. In this scenario, we have:

  • Web App Server: Ubuntu 11.04 VPS
  • Client Storage: Ubuntu 12.04 Server in Windows Hyper-V environment
  • Requirement: Direct filesystem mounting instead of file transfer protocol

While NFS works beautifully on local networks, internet-based mounting introduces several challenges:

# Standard NFS mount (LAN example)
mount -t nfs 192.168.1.100:/shared /mnt/remote

This won't work securely over the internet due to:

  • Unencrypted traffic vulnerable to sniffing
  • Port forwarding security risks
  • Latency and connection stability issues

We'll implement this through an SSH tunnel combined with NFS:

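# On the web server (client side):
# Forward local port 2049 to the NFS port on the office server. One forwarded port
# is enough for NFSv4 only; NFSv3 also needs mountd and the portmapper.
ssh -f -N -L 2049:localhost:2049 user@office-server-ip -p 22
sudo mount -t nfs4 -o port=2049,proto=tcp localhost:/remote/path /local/mount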

Key configuration steps on the office server (NFS host):

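# /etc/exports configuration:
# Via the tunnel, nfsd sees the client as localhost on an unprivileged port (hence "insecure").
# no_root_squash maps root on the web server to root on these files; drop it if not needed.
/remote/path localhost(rw,sync,no_subtree_check,insecure,no_root_squash)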

# Restart NFS service:
sudo service nfs-kernel-server restart
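
A check for the export line above, as an added example that is not part of the original article: a shell function that scans an exports file for no_root_squash (root on the client acts as root on the exported files), insecure (requests accepted from source ports above 1023) and read-write exports to wildcard clients. The function name and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): flag risky entries in an exports file.
# Prints "path client finding" per issue; returns 1 if anything was flagged.
# Assumes one export per line, no quoted paths and no backslash continuations.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break                # trailing comment ends the entry
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                        # split "client(opt,opt,...)"
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "") client = "*"      # bare "(opts)" exports to every host
            rw = 0
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash" || o[j] == "insecure") {
                    print path, client, o[j]; bad = 1
                }
            }
            if (rw && index(client, "*") > 0) {
                print path, client, "rw-to-wildcard"; bad = 1
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Run against a file given on the command line, e.g.: sh audit_exports.sh /etc/exports
if [ "$#" -gt 0 ]; then
    audit_exports "$1"
fi
```

For the tunnelled setup, an insecure finding on a localhost-only export is expected; the same option on an export to any other client deserves a closer look.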

For better performance over internet connections:

# Recommended mount options (tunnelled mount via localhost):
sudo mount -t nfs4 -o \
  rw,hard,intr,rsize=8192,wsize=8192,timeo=14,retrans=2 \
  localhost:/remote/path /local/mount

Additional recommendations:

  • Use persistent SSH connections (autossh)
  • Implement monitoring for connection drops
  • Consider compression for the SSH tunnel

If NFS proves problematic, consider these alternatives:

# SSHFS implementation:
sudo apt-get install sshfs
sshfs user@office-server:/remote/path /local/mount -o reconnect,ServerAliveInterval=15

Or WebDAV implementation:

# On the office server:
sudo apt-get install apache2
sudo a2enmod dav dav_fs
# Configure /etc/apache2/sites-available/webdav.conf
# Mount on web server (needs the davfs2 package):
sudo apt-get install davfs2
sudo mount -t davfs https://office-server/webdav/path /local/mount

Essential security measures:

# Firewall rules example (UFW), on the office server:
# Only SSH has to be reachable; NFS travels inside the tunnel, so 2049 stays closed.
sudo ufw allow from web-server-ip to any port 22
sudo ufw deny 2049

Additional recommendations:

  • Implement fail2ban on both servers
  • Use certificate-based SSH authentication
  • Regularly audit access logs

When building web applications for clients, we often face requests to store uploaded files on the client's local infrastructure rather than on the hosting server. This presents both technical and security challenges, especially when dealing with internet-based connections between systems.

While NFS works well in local networks, exposing it directly to the internet is problematic:

  • NFS wasn't designed with internet security in mind
  • Protocol vulnerabilities can expose the entire filesystem
  • Performance suffers over high-latency connections

For Ubuntu systems, SSHFS provides a secure alternative:


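# On the web server (Ubuntu 11.04):
sudo apt-get install sshfs
# /mnt is owned by root; create the mount point and hand it to the mounting user.
sudo mkdir -p /mnt/remote_files && sudo chown "$USER" /mnt/remote_files
# allow_other lets other local accounts (such as the web server's) use the mount;
# a non-root user needs user_allow_other in /etc/fuse.conf for it.
sshfs user@office_server:/path/to/files /mnt/remote_files -o allow_other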

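To ensure the mount persists after reboots on a release that uses systemd (Ubuntu 15.04 and later; 11.04 uses Upstart):

# Create systemd unit file (its name must match the mount path).
# systemd mounts as root, so root needs the SSH key and a known_hosts entry for office_server.
sudo nano /etc/systemd/system/mnt-remote_files.mount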

[Unit]
Description=SSHFS mount for client files
Requires=network-online.target
After=network-online.target

[Mount]
What=user@office_server:/path/to/files
Where=/mnt/remote_files
Type=fuse.sshfs
Options=allow_other,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3

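[Install]
WantedBy=multi-user.target

# Load, enable and start the unit:
sudo systemctl daemon-reload
sudo systemctl enable mnt-remote_files.mount
sudo systemctl start mnt-remote_files.mount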

Always implement these security measures:

  • Use SSH key authentication instead of passwords
  • Restrict SSH access to specific IPs
  • Implement fail2ban on both servers
  • Consider a VPN tunnel for additional security

For more complex scenarios, consider:


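# Samba over SSH (when Windows servers are involved)
sudo apt-get install cifs-utils
# Ports below 1024 need root to bind, so forward a high local port to SMB instead.
ssh -f -N -L 4450:localhost:445 user@office_server
# Keep the password out of the process list: put username= and password= lines in a
# root-only file (the path here is a placeholder) and reference it with credentials=.
sudo mount -t cifs //localhost/share /mnt/remote_files -o port=4450,credentials=/root/.smbcredentials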

To improve transfer speeds:


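# Add these options to your SSHFS mount:
# With one-hour cache timeouts, changes made directly on the office server
# can take up to an hour to show up through the mount.
-o compression=no -o cache_timeout=3600 -o attr_timeout=3600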

Set up monitoring to ensure the connection remains stable:


#!/bin/bash
# Simple connection test script (run as root, e.g. from cron)
if ! grep -qs ' /mnt/remote_files ' /proc/mounts; then
    echo "Remote filesystem not mounted. Remounting..."
    systemctl restart mnt-remote_files.mount
fi