101: Network, domain and DNS

Network requirements for self-hosting Nextcloud

Network

Assuming a network where the host running Nextcloud has a static local IPv4 address (a DHCP reservation on the router) and the required TCP ports 80 and 443 are forwarded from the internet to that local address, the router's public IPv4 address must then be reachable via a DNS (Domain Name System) lookup.

  • static local IPv4 address from DHCP/router
  • internet-facing TCP ports 80 and 443 forwarded to that local IPv4 address
  • DNS entry pointing to the router's public IPv4 address

Domain name and DNS

Some folks own a domain name like mydomain.com that is connected to a static public IPv4 address, and they will probably have a subdomain such as cloud.mydomain.com pointing to the host.

Self-hosting users, however, usually have a dynamic public IPv4 address, which can change under certain circumstances. These users require a DDNS provider (DynamicDNS provider) to keep track of their router's public IPv4 address, so that a domain name like cloud.mydomain.mydnsprovider.xyz always points to the router's current (dynamic) public IPv4 address.

There are plenty of DDNS providers out there to choose from. Some come at a fee, some are free; many offer domain names, others don't. Often you will have a choice of domain names, sometimes you have to take what is available. Do some research and make the right choice for you.

Thus DNS (Domain Name System) resolves a "human readable domain name" to your public IPv4 address. That domain name is what clients will use to reach your Nextcloud instance.

A DNS entry pointing to your public IPv4 address is a requirement for obtaining an SSL/TLS certificate for HTTPS encryption.

Multiple domain names, sites, ports and services

TCP ports 80 and 443 are quite the commodity: you only have one of each per public IPv4 address.

The only way to support multiple sites and services on those ports, without changing the default ports, is to have a local web server or a reverse proxy server that listens on those ports, looks at the domain name being visited (the Host header or TLS SNI) and forwards the traffic accordingly. A plus side is that a reverse proxy server can also handle the SSL/TLS certificates for HTTPS encryption (a.k.a. TLS termination) if required.

See official reverse proxy documentation and 101: reverse proxy.
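Below is an added nginx configuration illustrating the name-based forwarding described above; it is an example written for this section, not configuration from the original post or from the Nextcloud project. The host names cloud.mydomain.com and other.mydomain.com, the LAN backend addresses 192.168.1.20 and 192.168.1.30, and the certificate paths are assumed placeholders.

```nginx
# Port 80: every site redirects to HTTPS (also where ACME HTTP-01 challenges would land)
server {
    listen 80;
    server_name cloud.mydomain.com other.mydomain.com;
    return 301 https://$host$request_uri;
}

# Site 1: Nextcloud on a LAN host (assumed 192.168.1.20, plain HTTP on the LAN side).
# TLS is terminated here, so the certificate lives on the proxy, not on the Nextcloud host.
server {
    listen 443 ssl;
    server_name cloud.mydomain.com;

    ssl_certificate     /etc/ssl/certs/cloud.mydomain.com.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/cloud.mydomain.com.key;           # placeholder path

    client_max_body_size 0;   # do not let the proxy cap large Nextcloud uploads

    location / {
        proxy_pass http://192.168.1.20:80;
        # Pass the original host and client details so Nextcloud sees the real request
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Site 2: a second service behind the same public IPv4 address, selected only by server_name
server {
    listen 443 ssl;
    server_name other.mydomain.com;

    ssl_certificate     /etc/ssl/certs/other.mydomain.com.fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/other.mydomain.com.key;           # placeholder path

    location / {
        proxy_pass http://192.168.1.30:8080;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because TLS is terminated on the proxy, Nextcloud itself must be told to trust that proxy and to generate HTTPS links: in config.php this is done with the `trusted_proxies` array (containing the proxy's LAN address) and `overwriteprotocol` set to `https`; without them Nextcloud will log the proxy's address instead of the client's and may emit http:// URLs.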

Additional references

Some network configurations could complicate self-hosting scenarios:

CG-NAT

CG-NAT (Carrier-Grade Network Address Translation), commonly encountered as DS-Lite (Dual-Stack Lite) and offered by many service providers, does not give you a public IPv4 address of your own, so forwarded ports 80 and 443 cannot be reached from the internet. There are workarounds, however.

Contact your service provider and request a public IPv4 address (compare: full dual stack), or do some research on alternative IPv6-to-IPv4 tunnels.
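The following Python script is an added example for this post (not code from the original post or from the Nextcloud project) that ties together the DNS requirement from the "Domain name and DNS" section and the CG-NAT detection question raised here: it classifies the address seen on the router's WAN side (public, RFC 6598 CG-NAT shared space, RFC 1918 private) and compares the A records of a DDNS name against that address. The host name cloud.mydomain.mydnsprovider.xyz and the sample addresses are constructed; the live lookup helper needs network access, while the check logic takes the resolved records as input so it can be exercised offline.

```python
"""Sanity-check a self-hosting network setup: is my WAN address usable, and does
my DNS name point at it? Added example, not part of the original post."""
import ipaddress
import socket

# RFC 6598 shared address space; carriers hand it out on the WAN side of CG-NAT / DS-Lite
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")


def classify_ipv4(addr: str) -> str:
    """Classify the address shown on the router's WAN interface.

    Returns "public", "cgnat", "private", "special" or "not-ipv4".
    Only "public" can be the target of a DNS A record for a self-hosted service.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return "not-ipv4"
    if ip in CGNAT_RANGE:
        return "cgnat"      # inbound 80/443 will never arrive: ask the ISP or tunnel
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "special"
    if ip.is_private or ip.is_reserved:
        return "private"    # RFC 1918 etc.: you are looking at a LAN address, not the WAN
    return "public"


def dns_check(hostname: str, wan_addr: str, resolved: list) -> dict:
    """Compare the A records a name resolves to against the router's WAN address.

    `resolved` is the list of IPv4 strings the name currently resolves to; it is
    passed in explicitly so the logic runs offline (use resolve_a_records() live).
    """
    kind = classify_ipv4(wan_addr)
    return {
        "hostname": hostname,
        "wan_address_kind": kind,
        # Only a public WAN address that the name actually resolves to is usable
        "dns_points_here": kind == "public" and wan_addr in resolved,
        # Records still carrying an old address: the DDNS client has not updated yet
        "stale_records": [a for a in resolved if a != wan_addr],
    }


def resolve_a_records(hostname: str) -> list:
    """Live lookup of the IPv4 A records for a name (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    name = "cloud.mydomain.mydnsprovider.xyz"           # constructed DDNS name
    # Constructed scenario: the WAN address changed but the DDNS record still has the old one.
    # 8.8.8.8 / 8.8.4.4 are used only as sample public addresses.
    print(dns_check(name, "8.8.8.8", ["8.8.4.4"]))
    # Constructed scenario: the router's WAN address sits in CG-NAT shared space.
    print(dns_check(name, "100.72.3.4", ["100.72.3.4"]))
```

If `wan_address_kind` comes back as `cgnat` even though the record matches, the DNS side is fine but the provider is not giving you a routable IPv4 address, which is exactly the case this section describes; a `private` result means you read the LAN address instead of the router's WAN address.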

What CG-NAT is, how to detect it, why it is bad, what can you do about it

Alternatives to this method:

VPN services: an alternative access method, which greatly restricts who can reach the instance.
