Best measures to take to secure NextCloud when forwarding 80/443

Hi All,

I just installed NextCloud on a Mini PC and it is pretty awesome. I have port forwarded 80/443 and I am able to access the files from outside my home network as well.

As I have opened ports 80 and 443 on my ATT router, I am regularly getting notifications from the ATT Home Manager app saying “Network attack was blocked”.

Now I am looking to secure my NextCloud network. I see there are two options:

  1. VPN (Wireguard)
  2. Reverse Proxy

Should I implement both of these measures to secure my network? I would like to avoid a VPN, as I would have to configure each client device to use it. But if it makes my network safe and is absolutely necessary, I can go for it as well.

Also, can someone share a wiki on configuring a reverse proxy on Apache2 for NextCloud?

Any other measures I should take to safeguard my network?

Thanks,
GeekyDevil

hi @GeekyDevil welcome to the forum :handshake:

Please use the search - a lot of issues have been discussed already; you will find many relevant topics by following the reverseproxy and security tags.

Pay attention to How to maintain, check and improve the security of your Nextcloud installation


Thanks @wwe, that helped a lot actually. I was able to take care of most of the changes required for security, including 2FA, and it is working fine.

The only problem I am facing is with the reverse proxy on Apache2. I have a bare metal installation of NextCloud with Apache2 and I was trying to set up a reverse proxy.

As I have forwarded ports 443 and 80, I am trying to forward requests to some other port. I am new to reverse proxies and have some confusion.

I am following the URL below to set up the reverse proxy.

Let's assume my server name is XYZ and I am using duckdns to access NextCloud from outside. So my URL becomes https://xyz.duckdns.org
Let's assume my PC name/hostname is NextCloudHost and my local IP is x:x:x:x.

  1. I am trying to set up the reverse proxy on the same server as Apache2/NextCloud. This should be fine, right?

  2. Let's assume I will be forwarding my requests to port 8080. So I have used the configuration below in my nextcloud-le-ssl.conf.

         ProxyPass / http://localhost:8080/ nocanon
         ProxyPassReverse / http://localhost:8080/

  3. My first confusion here is: do I need to change the ports Apache is listening on in /etc/apache2/ports.conf and change 443 to 8080?
     How do I set the NextCloud port here and make NextCloud accessible at 8080, if we are not changing ports.conf and setting 443 to 8080?
     Now if we change 443 to 8080 in ports.conf, will requests from outside still come in on 443 and then be forwarded to 8080 as per the configuration I made?
     I am just curious about the workflow of the reverse proxy here.

  4. What changes do I need to make in my config.php? Are the changes below correct?

         'trusted_domains' =>
         array (
           0 => '127.0.0.1',
           1 => 'NextCloudHost',
           2 => 'x:x:x:x',
         ),
         'trusted_proxies' =>
         array (
           0 => '127.0.0.1',
           1 => 'NextCloudHost',
           2 => 'x:x:x:x',
         ),
         'overwritehost' => 'xyz.duckdns.org',
         'overwriteprotocol' => 'https',
         'overwritewebroot' => '/',
         'overwritecondaddr' => 'xyz.duckdns.org',
         'overwrite.cli.url' => 'https://xyz.duckdns.org',

  5. If I don’t change the port in ports.conf, I get a 503 saying service unavailable. But if I change ports.conf and change 443 to 8080, I get an SSL error. I am trying to access the NextCloud server with https://NextCloudHost and https://x:x:x:x.
     With the external URL, I am not able to access the server at all. A “failed to load page” error comes up.

Please help me with this.

you are lucky, we just created a 101: reverse proxy post explaining the basic concepts of a reverse proxy

your config.php settings look almost good for a reverse proxy

usually this is not required…

trusted_domains should contain your public domain xyz.duckdns.org…

nextcloud/all-in-one/blob/main/reverse-proxy.md - AiO is a specific installation method and the doc you used likely doesn’t fit your bare-metal installation.

you cannot have valid public certificates issued to ${internal host} or ${ip address}… you need to configure your reverse proxy to serve xyz.duckdns.org (and issue TLS certificates for this domain).
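To make the port workflow asked about above concrete, here is an added example (not from this thread, the linked 101 post, or Nextcloud's docs) of the layout wwe describes: one Apache instance that keeps listening on 443 for xyz.duckdns.org and proxies to a second, loopback-only vhost on 8080, so ports.conf gains a Listen line instead of having 443 replaced. It assumes Nextcloud is installed in /var/www/nextcloud, that mod_proxy, mod_proxy_http, mod_ssl and mod_headers are enabled, and uses placeholder Let's Encrypt certificate paths.

```apache
# Added example, not the thread's own config. Two files are shown in one block.
# Assumptions: Nextcloud in /var/www/nextcloud; mod_proxy, mod_proxy_http,
# mod_ssl, mod_headers enabled; certificate paths are placeholders.

# --- /etc/apache2/ports.conf ---
# Keep 80 and 443 (the ports the router forwards) and ADD 8080 bound to
# loopback only. Replacing 443 with 8080 leaves nothing answering the
# forwarded port, which is the "SSL error" / "failed to load page" symptom.
# Ubuntu keeps "Listen 443" inside <IfModule ssl_module>; leave that as is.
Listen 80
Listen 443
Listen 127.0.0.1:8080

# --- /etc/apache2/sites-available/nextcloud-le-ssl.conf ---
# Public front end: terminates TLS for the duckdns name, then proxies.
<VirtualHost *:443>
    ServerName xyz.duckdns.org
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/xyz.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xyz.duckdns.org/privkey.pem

    # Forward the original Host header and tell the backend the client used
    # HTTPS; mod_proxy_http adds X-Forwarded-For/-Host itself but not -Proto.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/ nocanon
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Backend vhost serving Nextcloud. Because of "Listen 127.0.0.1:8080" it is
# reachable only from this machine, never directly from the LAN or Internet.
<VirtualHost 127.0.0.1:8080>
    ServerName xyz.duckdns.org
    DocumentRoot /var/www/nextcloud
    <Directory /var/www/nextcloud>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
```

With this layout config.php needs trusted_domains to include xyz.duckdns.org and trusted_proxies limited to the address the proxy actually connects from (here 127.0.0.1), because Nextcloud honours X-Forwarded-For only from the addresses listed there and that header is what its brute-force protection records as the client IP. Note that overwritecondaddr takes a regular expression matched against the proxy's IP address, not a domain name.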

Thanks @wwe, this was super helpful.

I made all the changes mentioned in the tutorial but now I am getting a Service Unavailable error message when I try to access NextCloud via https://xyz.duckdns.org.

Error - Apache/2.4.58 (Ubuntu) Server at xyz.duckdns.org Port 443

Am I missing anything here?

Do I still need to change ports.conf and change 443 to 8080?

Nobody knows what you need to do, as you didn’t provide any information about your system. Please fill in the support template and provide your reverse proxy config and log lines.