# NAS Static File Server Setup Documentation
## Introduction
This document provides a clear guide for setting up a public static file server on a Synology NAS. The goal is to create a safe and simple way to share research data, including large OME-TIFF files used by tools like Avivator.
The guide explains the complete setup process, from preparing a new NAS to deploying Nginx and Cloudflare Tunnel for secure external access.

---
## 1. System Overview
The system combines a Synology NAS, Docker, Nginx, and Cloudflare Tunnel to provide a safe and simple public data service. Research files are stored in a dedicated public folder on the NAS, while Nginx delivers these files through HTTP. Cloudflare Tunnel allows external users to reach the server without exposing the NAS to the Internet. This design keeps private lab data separate from public files and removes the need for a public IP address or port forwarding.

---
## 2. Preparing the NAS
A shared folder named `PublicData` is created on the NAS through the DSM Control Panel under "Shared Folder." Located at `/volume1/PublicData`, it serves as the root directory for all public files. Permissions must be configured carefully to avoid exposing private lab data and to ensure that only intended files are stored in the public area.

---
## 3. Configuring Nginx
A custom Nginx configuration file is created at:
```
/volume1/docker/nginx/default.conf
```
The file contains the following server block:
```nginx
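server {
    listen 80;
    server_name _;
    root /usr/share/nginx/html;

    # Never generate directory listings
    autoindex off;

    # CORS: let browser-based tools on any origin send Range requests
    # and read the length/range headers of the response
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Range' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length, Content-Range' always;

    location / {
        # Serve the file or directory if it exists, otherwise return 404
        try_files $uri $uri/ =404;
    }
}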
```
Inside the Docker container, this file is mounted to `/etc/nginx/conf.d/default.conf`, so Nginx loads it automatically when the container starts.
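This configuration disables directory listing and adds the CORS headers that let browser-based tools send `Range` requests and read the `Content-Length` and `Content-Range` response headers. Nginx serves byte ranges for static files by default, so range support itself needs no extra directive.

---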
## 4. Deploying Nginx with Docker
Nginx is deployed inside a Docker container to keep the web server isolated from the NAS system. The container uses the `PublicData` folder as its document root, mounted in read-only mode to prevent accidental modification.
### Docker Command
The container is started with the following command:
```
docker run -d \
  --name nginx-public-data \
  -p 9000:80 \
  -v /volume1/PublicData:/usr/share/nginx/html:ro \
  -v /volume1/docker/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro \
  nginx:latest
```
This command:
* Maps port **9000** on the NAS to port **80** in the container
* Mounts `PublicData` as the read-only web root
* Loads the custom Nginx configuration automatically

This setup ensures that the public URL structure matches the directory layout in `PublicData`.

---
## 5. Setting Up Cloudflare Tunnel
Cloudflare Tunnel is used to provide secure public access to the NAS without exposing it directly to the Internet.
A tunnel is created in the Cloudflare dashboard, and a hostname such as `storage.ntugarylab.dpdns.org` is assigned to it. The tunnel forwards external traffic to the Nginx server running on the NAS.
### Docker Command
The Cloudflare Tunnel client is started on the NAS using the following Docker command:
```
docker run -d \
  --name cloudflared \
  --restart unless-stopped \
  cloudflare/cloudflared:latest \
  tunnel run --token <YOUR_TUNNEL_TOKEN>
```
This command runs the `cloudflared` service using the token provided by Cloudflare, keeping the tunnel active at all times.

---
## 6. Publishing the Public Storage URL
Cloudflare Tunnel provides a public URL that connects external users to the Nginx server running on the NAS.
The assigned hostname, such as `https://storage.ntugarylab.dpdns.org`, is configured in the Cloudflare dashboard and linked to the tunnel.
All requests sent to this public URL are forwarded to the internal Nginx service at `http://192.168.8.12:9000`.
Once the mapping is complete, files stored in the `PublicData` folder can be accessed directly through the public domain. For example:
```
https://storage.ntugarylab.dpdns.org/temp_test/Golgi.ome.tiff
```
This URL can be used by tools such as Avivator, which require HTTP range support to load large OME-TIFF files.
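
The check below is an added example, not part of the original setup: it confirms that a response to a `Range: bytes=0-1023` request carries the status and headers Avivator depends on, and that a directory URL does not return a listing. The header dumps are constructed samples, the function names are this example's own, and the range check assumes a file larger than 1 KiB.

```sh
# Added example. Function names are this example's own; header dumps are constructed.

# HTTP status from the first line of a header dump ("HTTP/1.1 206 ..." or "HTTP/2 206").
status_code() { printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2 }'; }

# Value of one header, matched case-insensitively (HTTP/2 sends lowercase names).
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v want="$2" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
      v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit
    } }'
}

# $1 = headers returned for "Range: bytes=0-1023". Returns 0 only if every check passes.
check_range_response() {
  _rc=0
  [ "$(status_code "$1")" = 206 ] || { echo "FAIL: status $(status_code "$1"), expected 206"; _rc=1; }
  case "$(header_value "$1" Content-Range)" in
    "bytes 0-1023/"*) ;;
    *) echo "FAIL: Content-Range missing or not bytes 0-1023"; _rc=1 ;;
  esac
  [ "$(header_value "$1" Access-Control-Allow-Origin)" = "*" ] ||
    { echo "FAIL: Access-Control-Allow-Origin is not *"; _rc=1; }
  case "$(header_value "$1" Access-Control-Expose-Headers)" in
    *Content-Range*) ;;
    *) echo "FAIL: Content-Range is not exposed to browser scripts"; _rc=1 ;;
  esac
  return "$_rc"
}

# $1 = headers for a directory URL. With autoindex off and no index file nginx
# answers 403 (404 if the directory is absent); 200 means a listing or index page.
check_no_listing() {
  case "$(status_code "$1")" in
    403|404) return 0 ;;
    *) echo "FAIL: directory URL returned $(status_code "$1")"; return 1 ;;
  esac
}

# Live use (needs curl and network): check_live https://<host>/<path>/<file>
check_live() {
  check_range_response "$(curl -sS -o /dev/null -D - -H 'Range: bytes=0-1023' "$1")" &&
    check_no_listing "$(curl -sS -o /dev/null -D - "${1%/*}/")"
}

SAMPLE_OK=$(printf 'HTTP/1.1 206 Partial Content\r\nContent-Range: bytes 0-1023/734003200\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Expose-Headers: Content-Length, Content-Range\r\n\r\n')
SAMPLE_NO_RANGE=$(printf 'HTTP/1.1 200 OK\r\nContent-Length: 734003200\r\nAccess-Control-Allow-Origin: *\r\n\r\n')
SAMPLE_DIR=$(printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n')
check_range_response "$SAMPLE_OK" && echo "range + CORS: ok"
check_no_listing "$SAMPLE_DIR" && echo "directory listing: blocked"
```

After sourcing the file, `check_live` with a file URL such as the one above runs both checks against the deployed server.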

---
## 7. Security and System Summary
The system is designed to provide secure and reliable public access while keeping all private lab data isolated from external users.
### Security Measures
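* **Autoindex Disabled:** Directory listing is turned off, preventing users from viewing folder contents. Files are still served to anyone who has the full URL, so this limits discovery rather than access.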
* **Read-Only Data Mount:** The public data folder is mounted in read-only mode to avoid accidental modification.
* **Isolated Public Root:** Only approved public data is stored in `PublicData`, keeping internal lab files fully separated.
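
Because every file under the web root is retrievable by path, it helps to inventory what `PublicData` actually contains before publishing. The audit below is an added example, not part of the original setup; it assumes DSM's `#recycle` (present when the shared folder's Recycle Bin is enabled) and `@eaDir` metadata directories, and it runs here on a constructed temporary tree.

```sh
# Added example. Tree contents below are constructed; function names are this example's own.

# Print "REASON<TAB>path" for each item that should not sit under the web root.
# Returns 0 when clean, 1 when there are findings, 2 when DIR is not a directory.
audit_public_root() {
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
  _findings=$(
    cd "$1" || exit
    {
      # Symlinks resolve against the container's filesystem, not the NAS.
      find . -type l | awk '{ print "SYMLINK\t" $0 }'
      # Dotfiles (editor backups, .DS_Store) are served like any other file.
      find . -name '.?*' | awk '{ print "HIDDEN\t" $0 }'
      # DSM-created directories: deleted files and indexing metadata stay under the root.
      find . -type d \( -name '#recycle' -o -name '@eaDir' \) | awk '{ print "NAS_META\t" $0 }'
    } | sort
  )
  [ -n "$_findings" ] || return 0
  printf '%s\n' "$_findings"
  return 1
}

# Build a constructed tree that mimics the layout in this guide plus three problems.
make_demo_tree() {
  _d=$(mktemp -d) || return 1
  mkdir -p "$_d/temp_test" "$_d/#recycle"
  : > "$_d/temp_test/Golgi.ome.tiff"
  : > "$_d/#recycle/old_draft.ome.tiff"   # "deleted", yet still inside the web root
  : > "$_d/.DS_Store"
  ln -s ../private "$_d/shortcut"
  printf '%s\n' "$_d"
}

demo=$(make_demo_tree)
audit_public_root "$demo" || echo "review the findings above before publishing"
rm -rf "$demo"
```

On the NAS the same function would be pointed at `/volume1/PublicData`.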
### System Summary
The final setup offers:
* Secure global access through Cloudflare Tunnel
* Support for HTTP range requests required by large OME-TIFF files
* CORS compatibility for browser-based tools
* HTTPS protection without needing a public IP or port forwarding
* A clean and controlled public data environment
---
## 8. Result
With the system fully configured, any public URL in the following format:
```
https://storage.ntugarylab.dpdns.org/<path>/<file>
```
is served directly from the corresponding location inside:
```
/volume1/PublicData/<path>/<file>
```
This ensures that only the approved public directory is accessible from the Internet, while all private lab data remains isolated.
The system supports reliable long-term data hosting and is compatible with tools that require byte-range access, such as Avivator.