Secure Access to Nextcloud

Hi there,

Posting this here as well as on STH; maybe someone has encountered the problem before.

I've set up a small Nextcloud instance on my home server.
At the moment, I connect directly to the Nextcloud web interface via port forwarding of the HTTP/HTTPS ports.
But because forwarding ports in the router could be a possible security risk, I want to avoid this practice.

My idea:

I want to route the traffic that is going to my Nextcloud server through a vserver in the cloud (like a reverse proxy with user authentication).

Also, it would be nice if users could authenticate first on the vserver in the cloud and then get forwarded via VPN to my local net.

To do this, I've read about TACACS and RADIUS as authentication protocols.

Final question: Is it possible to realize my idea and host Nextcloud on the public internet, but with an authentication server?

Kind regards from Germany,

Benedikt

1 Like

Get a VPS (maybe use the L1T affiliate link for Linode, wink, wink, nudge, nudge :wink:) and set up WireGuard or IPsec (I prefer the former) between your home network, or directly your NextCloud server, and the VPS.

I believe both Apache and nginx have an authentication method for when you access the web server from a browser; you just have to enable it. Also remember to redirect HTTP to HTTPS, then proxy-pass HTTPS to your Nextcloud instance.

Why would that be? It's not like you are port forwarding the SSH or RDC or, even worse, SMB port on the internet. Port forwarding the HTTPS port (or any port to 443 on your local network) should be fine. Just make sure you keep your OS, your Nextcloud instance and your reverse proxy up to date, to avoid getting exploited through security vulnerabilities.

3 Likes
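The layout the reply above describes (a WireGuard tunnel from home to the VPS, nginx on the VPS with an extra login, HTTP redirected to HTTPS, then proxied to Nextcloud through the tunnel) rendered by a small shell script, as an added example; it is not code from the thread, from Nextcloud or from the L1T tutorial. The name cloud.example.net, the 10.99.0.0/24 tunnel subnet, the file paths and the <...KEY> placeholders are assumptions. Because the home side initiates the tunnel and keeps it alive, the home router forwards no port at all, which is the original poster's concern.

```shell
#!/bin/sh
# Render the two configs for:  client --HTTPS--> VPS (nginx, TLS, basic auth) --wg0--> Nextcloud at home
# Addresses, names and the <...KEY> placeholders are assumptions for illustration.
# Usage: sh render-vps.sh ./out   then review, fill in keys, copy to the VPS, run: nginx -t
set -eu

PUBLIC_FQDN="cloud.example.net"            # assumed: DNS A/AAAA record points at the VPS
VPS_WG_IP="10.99.0.1"                      # VPS end of the tunnel (assumed subnet)
HOME_WG_IP="10.99.0.2"                     # Nextcloud host (or home router) end
WG_PORT="51820"
HTPASSWD="/etc/nginx/nextcloud.htpasswd"   # create with: htpasswd -B -c /etc/nginx/nextcloud.htpasswd alice

# WireGuard on the VPS. Deliberately no Endpoint for the peer: the home side
# dials out to <VPS_PUBLIC_IP>:51820 and uses PersistentKeepalive, so nothing
# has to be forwarded on the home router.
render_wg_conf() {
    cat <<EOF
[Interface]
Address = ${VPS_WG_IP}/24
ListenPort = ${WG_PORT}
# wg genkey
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# home side: wg genkey | tee home.key | wg pubkey
PublicKey = <HOME_PUBLIC_KEY>
# only the home host may appear as a source inside the tunnel
AllowedIPs = ${HOME_WG_IP}/32
# home wg0.conf carries: Endpoint = <VPS_PUBLIC_IP>:${WG_PORT} and PersistentKeepalive = 25
EOF
}

# nginx site on the VPS: port 80 only redirects, 443 terminates TLS, asks for a
# second login (the "user authentication" from the post) and proxies through wg0.
render_nginx_site() {
    cat <<EOF
# assumed path: /etc/nginx/sites-available/nextcloud.conf
server {
    listen 80;
    listen [::]:80;
    server_name ${PUBLIC_FQDN};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${PUBLIC_FQDN};

    ssl_certificate     /etc/letsencrypt/live/${PUBLIC_FQDN}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${PUBLIC_FQDN}/privkey.pem;

    auth_basic           "Nextcloud";
    auth_basic_user_file ${HTPASSWD};

    client_max_body_size 0;

    location / {
        # Nextcloud listens on its tunnel address only; this hop never touches the internet
        proxy_pass https://${HOME_WG_IP}:443;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# render_all DIR: writes wg0.conf and nextcloud.conf into DIR
render_all() {
    mkdir -p "$1"
    render_wg_conf > "$1/wg0.conf"
    render_nginx_site > "$1/nextcloud.conf"
    echo "wrote $1/wg0.conf and $1/nextcloud.conf"
}

render_all "${1:-$(mktemp -d)}"
```

On the Nextcloud side, set `trusted_proxies` to the VPS tunnel address and `overwriteprotocol` to `https` in config.php so Nextcloud sees the real client address and scheme, and firewall the home host so 443 is only reachable from wg0. The extra Basic-auth prompt is also presented to the desktop and mobile sync clients and to WebDAV, so test those before relying on it.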

I believe there is a level1techs video on exactly this. Wendell goes over using a cloud proxy for security.

1 Like

If you mean this:

and its forum entry / tutorial:

then this is not exactly the way I would make it. HAProxy is good stuff, don't get me wrong. I cannot vouch for HAProxy-WI, as I have not used it, but Wendell vouches for it as being slightly more normie-friendly, so I trust Wendell with his recommendation.

Why is it "not the way I would make it"? Because I have autism and would not open a service from my home network directly on the internet, even if it is "hidden" behind a VPS "gateway." Redirecting traffic to your home directly through the internet is asinine. Even if your home connection is set to only answer requests coming from the VPS and on custom ports, that is not enough. This is security through obscurity, which is not security.

The redirect ought to be done through a VPN. And WireGuard makes it dead easy to do so, with very little overhead. If I were to open services to the Internet, I would do so either through a classical DMZ directly in my home network, or through a VPS acting as a gateway (yet still have separate VLANs for the stuff that is accessible through the VPS, because I'm paranoid like that).

One other thing you can do to redirect traffic (instead of running a reverse proxy in a VPS) is to set up a VPS with its public IP(s), configure DNS entries to point to it, have it connected through a VPN to your home connection, and on the VPS itself (aside from WireGuard) just have iptables or rinetd (easier, but TCP only) port-redirect to your actual reverse proxy, or directly to your web server (or other server), through the VPN tunnel. I would say this is slightly less secure, but it opens the door for more local configurations, as in not having to leave your network and go through the internet in order to access your reverse proxy (I know some services which will not allow you to log in if you don't have a TLS connection), thus avoiding having two reverse proxies (one local and one remote).

All my knowledge about reverse-proxies, DMZ and firewall rules has been acquired from my job (which is one reason why I would like to do some tutorials on slightly-enterprise level network setups), but I’ve tried to adapt some of the good-practices to home-use, because some stuff (like double firewall with DMZ for example) doesn’t really make sense for home users. And I am of the more extreme kind which won’t really compromise on security.

Maybe I should actually do a tutorial about a secure network. PhaseLockedLoop did some good tutorials over the years with his Infrastructure Series. So did oO.o with his OPNsense Wiki. But I’m thinking about a more “general” good-practice Wiki, not a tutorial / how-to. But I’m too lazy to start doing stuff, so I won’t make any promises.

I usually cater to medium-advanced users (which is why I’m not always pointing at how-to’s, but just give general directions). I believe being more generic gives people the freedom to implement stuff using their preferred tools (and if they don’t know what they are doing, they will learn with a trial by fire). I do give some examples of tools to make my point, but I don’t usually give config files or commands (exceptions may apply, but these cases are rare).

3 Likes
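The second layout from the post above (no reverse proxy on the VPS; iptables port-redirects public 80/443 into the WireGuard tunnel toward the home proxy or web server) as an added example firewall script; it is not code from the thread or from any tutorial linked in it. Interface names eth0/wg0 and the tunnel address 10.99.0.2 are assumptions. It defaults to a dry run that prints the commands so the ruleset can be reviewed as a normal user; `--apply` as root installs it.

```shell
#!/bin/sh
# VPS-side packet forwarding into the tunnel. Assumptions: public interface
# eth0, tunnel interface wg0, home proxy/server at 10.99.0.2 inside the tunnel.
# Dry run by default (prints the commands); sh vps-forward.sh --apply installs them as root.
set -eu

PUB_IF="${PUB_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
HOME_IP="${HOME_IP:-10.99.0.2}"

DRY_RUN=1
case "${1:-}" in
    --apply) DRY_RUN=0 ;;
esac

# run CMD...: print in dry-run mode, execute otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vps_forward_rules: the complete ruleset, one command per line
vps_forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # nothing crosses between interfaces unless a rule below allows it
    run iptables -P FORWARD DROP
    for port in 80 443; do
        # rewrite the destination of connections arriving on the public side
        run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$port" \
            -j DNAT --to-destination "$HOME_IP:$port"
        # and only those two ports may be forwarded into the tunnel
        run iptables -A FORWARD -i "$PUB_IF" -o "$WG_IF" -d "$HOME_IP" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    done
    # replies from home back toward the client
    run iptables -A FORWARD -i "$WG_IF" -o "$PUB_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source-NAT toward the tunnel so the home side answers via the VPS without
    # needing a default route over wg0. Cost: the home server sees the VPS tunnel
    # address instead of the client address, so its logs and brute-force
    # protection lose the real source. That is the "slightly less secure" part;
    # the reverse-proxy layout with X-Forwarded-For keeps it.
    run iptables -t nat -A POSTROUTING -o "$WG_IF" -d "$HOME_IP" -j MASQUERADE
}

# rinetd alternative (userspace, TCP only, same loss of client address); /etc/rinetd.conf:
#   0.0.0.0 443 10.99.0.2 443
#   0.0.0.0 80  10.99.0.2 80
#
# On the home host, accept 80/443 only from the tunnel, e.g.
#   iptables -A INPUT -i wg0 -p tcp -m multiport --dports 80,443 -j ACCEPT

vps_forward_rules
```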

Passwords. Storage of access tokens. …
Operating system. Give PHP read access to /dev/urandom. …
Deployment. …
Use HTTPS. …
Use a dedicated domain for Nextcloud.
Ensure that your Nextcloud instance is installed in a DMZ.
Serve security related headers by the Web server.
Connections to remote servers.

1 Like
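One item from that list is easy to get wrong once a proxy sits in front of Nextcloud: the security headers, which the proxy may strip or override. As an added example (not code from the thread or from the Nextcloud documentation), a shell function that audits a saved response header block against the set Nextcloud's hardening guide and admin overview look for: Strict-Transport-Security with max-age of at least 15552000, X-Content-Type-Options nosniff, X-Frame-Options SAMEORIGIN, X-Permitted-Cross-Domain-Policies none, X-Robots-Tag containing noindex (older guides said none; adjust the table to your version), and Referrer-Policy no-referrer. The two sample responses are constructed for offline use, not captured from any host.

```shell
#!/bin/sh
# Audit a reverse proxy's response headers against the set Nextcloud's
# hardening guide expects. Real use:
#   curl -sI https://cloud.example.net/ > headers.txt && sh audit-headers.sh headers.txt
# Without an argument it runs on two constructed sample responses.
set -eu

HSTS_MIN_AGE=15552000     # 180 days, the minimum Nextcloud's admin check wants

# header|substring that must appear in its value (compared in lowercase)
REQUIRED='
strict-transport-security|max-age=
x-content-type-options|nosniff
x-frame-options|sameorigin
x-permitted-cross-domain-policies|none
x-robots-tag|noindex
referrer-policy|no-referrer
'

# check_headers FILE: findings on stderr, the number of problems on stdout
check_headers() {
    file="$1"
    problems=0
    for spec in $REQUIRED; do
        name="${spec%%|*}"
        want="${spec#*|}"
        # first matching header line, CR stripped, lowercased for comparison
        line=$(grep -i "^$name:" "$file" | head -n 1 | tr -d '\r' | tr 'A-Z' 'a-z')
        if [ -z "$line" ]; then
            echo "MISSING  $name" >&2
            problems=$((problems + 1))
            continue
        fi
        if ! printf '%s\n' "$line" | grep -q "$want"; then
            echo "WEAK     $line (expected '$want')" >&2
            problems=$((problems + 1))
            continue
        fi
        if [ "$name" = strict-transport-security ]; then
            age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
            if [ -z "$age" ] || [ "$age" -lt "$HSTS_MIN_AGE" ]; then
                echo "WEAK     $line (max-age below $HSTS_MIN_AGE)" >&2
                problems=$((problems + 1))
            fi
        fi
    done
    echo "$problems"
}

# constructed: a proxy that drops two headers and clips HSTS
sample_weak() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: nginx' \
        'Content-Type: text/html; charset=UTF-8' \
        'Strict-Transport-Security: max-age=300' \
        'X-Content-Type-Options: nosniff' \
        'X-Frame-Options: SAMEORIGIN' \
        'Referrer-Policy: no-referrer'
}

# constructed: what the proxy should be serving
sample_good() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Strict-Transport-Security: max-age=15552000; includeSubDomains' \
        'X-Content-Type-Options: nosniff' \
        'X-Frame-Options: SAMEORIGIN' \
        'X-Permitted-Cross-Domain-Policies: none' \
        'X-Robots-Tag: noindex, nofollow' \
        'Referrer-Policy: no-referrer'
}

# audit SAMPLE_FUNC: run check_headers on a sample, print the count
audit() {
    f=$(mktemp)
    "$1" > "$f"
    n=$(check_headers "$f")
    rm -f "$f"
    echo "$n"
}

if [ $# -gt 0 ]; then
    n=$(check_headers "$1")
    echo "$n problem(s)"
    [ "$n" -eq 0 ]          # non-zero exit when something is missing, for scripts
else
    echo "weak sample: $(audit sample_weak) problem(s)"
    echo "good sample: $(audit sample_good) problem(s)"
fi
```

Run it against the public hostname from outside, not against the Nextcloud host over the tunnel: the point is to see what the proxy emits, since Nextcloud's own `.htaccess` or vhost headers do not survive a proxy that sets its own `add_header` directives.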