I am working in a lab at the moment at a university that has a small internal cluster that I have deployed and manage. We run most of our simulations at national labs around the US and generate hundreds of TB of data that we want to preserve locally when the project is finished. All of the machines we connect to offer Globus as a transfer method.
We recently had the university install a fiber line, since our Mini R was ordered with a fiber NIC direct from iXsystems.
Goals of this NAS:
- Transfer data from national labs, via Globus (ideal case) or ssh/rsync. This should be transferred over the fiber line.
- Mount to our internal cluster via ethernet so this data is available to our workstations and compute environment.
We have requested a public IP from the university for this NAS so that we can directly connect to these machines at national labs and be able to initiate transfers from outside the university. Their response is the following:
“Can we set up a server in front of the NAS to act as a proxy? It’s not a great idea to expose a storage array to the public internet. We are fine exposing a server with a public IP on port 443 however.”
I am not a network engineer by trade so I am lacking in my understanding of how to achieve this goal.
I would greatly appreciate it if anyone has some suggestions on how to achieve this setup, thanks!
Still looking for some guidance on this topic. Has anyone set up their TrueNAS machine to operate as a public-facing repository as well as internally mounted storage for several workstations in an office? Thanks!
Look up reverse proxies (things like Nginx-Proxy-Manager or Traefik/Caddy). You can just set that up on the NAS; it will secure your port 443 and give you SSL. You can then use SMB/NFS, etc. locally / internally.
You really need to talk to your university’s IT department, specifically their network and security teams (UK university network/security staff here!).
I would assume that the “fiber line” your university has provided you with is actually connected to the university’s campus network and, as such, will have a firewall between it and the public internet, likely set to deny access by default. Your IT department should be able to open up holes for specific services in the firewall to allow external access, but they’ll hopefully want to periodically scan the server for security vulnerabilities.
The key here is working with the people on the network/security team. If you’re not a network engineer (and I don’t know what your experience is like with other tools like ssh and rsync)
I don’t know anything about Globus, so I’m going to focus on using rsync over ssh here, as that can be configured in a very secure manner.
Your IT people mention that they’d like to set up a proxy, and seem to be happy to expose port 443 (which is encrypted HTTP, or HTTPS). If they’re happy with HTTPS they should also be happy with SSH (tcp port 22), as it’s basically using the same technology. rsync over SSH can (and should!) also be configured to not use passwords, but instead rely on “ssh keys”.
This is a good guide on setting up rsync over ssh jobs:
I do exactly this to back up a couple of servers at home to a TrueNAS scale server at work. All over the public Internet, using rsync over ssh.
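
As an added example (not part of the thread and not any poster's own configuration), this script checks an sshd_config for the key-only setup recommended above and builds an authorized_keys entry that limits a transfer key to write-only rsync into one directory. The rrsync path, the dataset path `/mnt/tank/projects`, the placeholder key and the sample config are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check an sshd_config for key-only logins and build a
# restricted authorized_keys entry for a transfer-only rsync key.

# Print the effective global value of keyword $2 in file $1, or default $3.
# sshd keeps the first value it reads for a keyword and ignores case;
# parsing stops at the first Match block ("Keyword value" lines only).
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        $1 ~ /^#/ { next }
        { key = tolower($1) }
        key == "match" { exit }
        key == want && !found { val = tolower($2); found = 1 }
        END { print (found ? val : def) }' "$1"
}

# Return 0 if the file allows public-key logins only; print problems otherwise.
audit_sshd_config() {
    local rc=0
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value "$1" KbdInteractiveAuthentication yes)" = no ] ||
        { echo "KbdInteractiveAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is disabled"; rc=1; }
    return "$rc"
}

# Emit an authorized_keys line limiting public key $1 to write-only rsync
# into directory $2. The rrsync path is an assumption; it varies by system.
restricted_key_line() {
    printf 'restrict,command="/usr/bin/rrsync -wo %s" %s\n' "$2" "$1"
}

# Constructed sample config; the later, conflicting line is ignored by sshd.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'KbdInteractiveAuthentication no' \
    'passwordauthentication yes' > "$sample"
audit_sshd_config "$sample" && echo "key-only logins enforced"
# Constructed placeholder key and hypothetical dataset path.
restricted_key_line 'ssh-ed25519 AAAA_PLACEHOLDER transfer@lab' /mnt/tank/projects
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including values set in Match blocks and included files that this file-level check does not follow.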