I just installed NextCloud on a Mini PC and it is pretty awesome. I have port forwarded 80/443 and I am able to access the files from outside the home network also.
As I have opened port 80 and 443 on my ATT router, I am regularly getting notifications from ATT home manager App saying “Network attack was blocked”.
Now I am looking to secure my NextCloud network. I see there are two options:
VPN (Wireguard)
Reverse Proxy
Should I implement both of these measures to secure my network? I would like to avoid VPN, as I have to configure each client device to use VPN. But if it makes my network safe and is absolutely necessary, I can go for it as well.
Also, can someone share a wiki to configure reverse proxy on Apache2 for NextCloud?
Any other measures I should take to safeguard my network?
Thanks @wwe. That helped a lot actually. I was able to take care of most of the changes required for security, including 2FA, and it is working fine.
The only problem I am facing is with reverse proxy on Apache2. I have a bare metal installation of NextCloud with Apache2 and I was trying to set up a reverse proxy.
As I have forwarded port 443 and 80, I am trying to forward requests to some other port. I am new to reverse proxy and have some confusion.
I am following below URL to setup reverse proxy.
Let's assume my server name is XYZ and I am using duckdns to access NextCloud from outside. So my URL becomes https://xyz.duckdns.org
Let's assume my pcname/hostname is NextCloudHost and local IP is x:x:x:x.
I am trying to setup reverse proxy on the same server as Apache2/NextCloud. This should be fine, right?
Let's assume I will be forwarding my requests to port 8080. So I have used the below configuration in my nextcloud-le-ssl.conf.
My first confusion here is, do I need to change the ports Apache is listening to in /etc/apache2/ports.conf and change 443 to 8080?
How do I set the NextCloud port here and make NextCloud accessible at 8080, if we are not changing ports.conf and setting 443 to 8080?
Now if we change 443 to 8080 in ports.conf, will requests from outside still come in on 443 and then be forwarded to 8080 as per the configuration I made?
I am just curious about the workflow of the reverse proxy here.
What changes do I need to make in my config.php? Are the below changes correct?
If I don’t change the port in ports.conf, I get a 503, saying Service Unavailable. But if I change ports.conf and change 443 to 8080, I get an SSL error. I am trying to access the NextCloud server with https://NextCloudHost and https://x:x:x:x.
With external URL, I am not able to access the server at all. Failed to load page error comes up.
You cannot have valid public certificates issued to ${internal host} or ${ip address}… you need to configure your reverse proxy to serve xyz.duckdns.org (and issue TLS certificates for this domain).
I made all the changes mentioned in the tutorial but now I am getting a Service Unavailable error message when I try to access NextCloud via https://xyz.duckdns.org.
Error - Apache/2.4.58 (Ubuntu) Server at xyz.duckdns.org Port 443
Am I missing anything here?
Do I still need to change ports.conf and change 443 to 8080?
Nobody knows what you need to do, as you didn’t provide any information about your system. Please fill out the support template and provide the reverse proxy config and log lines.
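
The request flow asked about in this thread, sketched as an added example that is not from any poster or from the tutorial they followed: one Apache instance keeps listening on 443 for the public name and proxies to a second virtual host on port 8080. The loopback binding, certificate paths, DocumentRoot and the enabled modules are assumptions, not details given in the thread.

```apache
# Added example (not from the thread). Assumed modules: ssl, proxy, proxy_http, headers.
# Paths, the loopback binding and DocumentRoot are assumptions; adjust to the real install.

# ports.conf: keep 443 for the public side and ADD a loopback-only backend port.
# Replacing 443 with 8080 would leave no listener for traffic the router forwards to 443.
Listen 443
Listen 127.0.0.1:8080

# Front end: terminates TLS for the public name and forwards to the backend.
<VirtualHost *:443>
    ServerName xyz.duckdns.org

    SSLEngine on
    # The certificate must be issued for xyz.duckdns.org, not the hostname or LAN IP.
    SSLCertificateFile    /etc/letsencrypt/live/xyz.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xyz.duckdns.org/privkey.pem

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    # mod_proxy answers 503 when it cannot connect to this target.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Back end: plain HTTP, reachable only from this machine, never port-forwarded.
<VirtualHost 127.0.0.1:8080>
    ServerName xyz.duckdns.org
    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>

# Matching Nextcloud config.php entries (PHP, shown here as comments):
#   'trusted_domains'   => ['xyz.duckdns.org'],
#   'trusted_proxies'   => ['127.0.0.1'],
#   'overwriteprotocol' => 'https',
#   'overwrite.cli.url' => 'https://xyz.duckdns.org',
```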