Disable HTTPS requirement

So… I just installed this and I can’t use it because I haven’t configured HTTPS. Here’s the thing: I can’t open ports. For that reason I can’t create certificates to enable HTTPS. I don’t have a domain, and I don’t have the required ports open to access the server.

The way I access the server is via ZeroTier, which works like a tunneling service so I can connect with devices that belong to a ZT network. Traffic going through ZT is encrypted and secure, so there are no problems; however, I still can’t enable HTTPS. Is there a way for me to disable this HTTPS check? I’m not on an insecure connection, I simply cannot enable it.

EDIT: Well I just saw this. I understand that HTTPS seems to be a requirement not only for security, but also functionality. Well, in my situation, what can I do about it? Am I completely out of luck if I can’t open ports?

1 Like

You can also try a self-signed certificate. However, these are known to cause problems as many apps don’t support them.

Does this one support them?

@tralph3
If you do not need HTTPS you must not install or configure HTTPS.

But first of all, it is not a Nextcloud problem, it is a webserver problem.
Can you access your webserver with HTTP (default port 80)?
Which webserver do you have installed, e.g. apache2 or nginx?
Post some configurations, logs and screenshots.

If you can access your webserver with ZeroTier and HTTP then you can try to solve your Nextcloud problems.

Why don’t you just use a normal Nextcloud over the internet? Then it also works with certificates, e.g. Let’s Encrypt. And if you are afraid for your data, you can improve the security very well with 2FA (login at browser with password and token). Alternatively you can use only Nextcloud clients (Windows, Linux, macOS, iOS, Android). They don’t use passwords at all. If you are using this configuration out of fear, I would say it is pretty unfounded. Also you limit yourself with it, e.g. when sharing files with third parties. And if it were all so insecure, there probably wouldn’t be millions of lucky Nextcloud users.

The Passwords App for Nextcloud does; it will work with anything as long as Nextcloud and the browser recognize it as HTTPS.
I was referring to other apps (e.g. for Android or iOS) that connect to the Passwords app or any of your NC apps. These sometimes do not support self-signed certificates.

@tralph3 Ok, sorry. Then you really do need HTTPS, which you would normally not need, e.g. with self-signed certificates. By the way, HTTPS is also a kind of tunnel between client and server, which is actually quite secure. But with self-signed certificates you will use double encryption. A lot helps a lot.

The server doesn’t know it’s using an invalid self-signed certificate. This is really a determination made by the client.

Using a self-signed certificate is still preferable over using HTTP since you can verify yourself that it is your certificate and not some other, and then you keep the other benefits of HTTPS.

By the way… I may regret mentioning this :laughing: but a while back just as an experiment, I set up a cheap VPS to receive a WireGuard tunnel from a backend mail server (because my ISP blocks port 25), and then set up iptables NAT on the VPS to forward some ports over the tunnel to the mail server. Effectively I could use the VPS public IP and forward any ports I wanted. That experiment was a success. Could in theory work with Nextcloud or anything else.

You didn’t mention any details regarding your situation with not being able to have ports or a domain, so maybe this doesn’t make sense for you.

@devnull @KarlF12 @mdw Ok, thank you all for the answers. I guess I’ll go with the self-signed certificates route.

The reason I don’t just do it over the internet is because I don’t want to pay, and I don’t want to open ports. The server is sitting at a friend’s house, and his dad doesn’t want to open them for security reasons, so I’m stuck with ZT.

I am aware that I would not be able to use features like file sharing this way, but I don’t really have a free workaround to that, so it is what it is.

Why must you pay? You can get a Let’s Encrypt certificate for free.

Ok. But the danger is not that great. You only allow access to your web server and the applications allowed there, such as Nextcloud. Of course you have to patch your software regularly. An additional firewall is not necessary.

In case anyone wonders, the solution to this was to get a free certificate from Let’s Encrypt via DNS challenge. I got a free domain from DuckDNS and used the DNS challenge (which requires you to add a TXT record via DuckDNS’s API) and voila, free certificate without open ports.

2 Likes
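The DNS challenge named in the last post, as an added example that is not part of the original thread: it derives the TXT value an ACME CA expects (RFC 8555 DNS-01 with an RFC 7638 key thumbprint) and builds the DuckDNS update URL that would publish it, without sending anything. The JWK, tokens and the `mycloud` subdomain are constructed sample values, and the `txt`/`clear`/`verbose` parameters follow DuckDNS's documented update API as I understand it.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode

# Constructed sample values, not real keys or tokens.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_ACME_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DUCKDNS_TOKEN = "00000000-0000-0000-0000-000000000000"

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_txt_value(acme_token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: TXT = base64url(SHA-256(token "." account-key thumbprint))."""
    key_authorization = f"{acme_token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())

def challenge_record_name(domain: str) -> str:
    """Name the CA queries; a wildcard is validated at its base domain."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"

def duckdns_txt_url(subdomain: str, duckdns_token: str, txt: str,
                    clear: bool = False) -> str:
    """Build (do not send) the update request. The token in the query string
    is a secret that controls the domain: keep it out of logs and shell history."""
    params = {"domains": subdomain, "token": duckdns_token,
              "txt": txt, "verbose": "true"}
    if clear:  # remove the record once the CA has validated
        params["clear"] = "true"
    return "https://www.duckdns.org/update?" + urlencode(params)

if __name__ == "__main__":
    txt = dns01_txt_value(SAMPLE_ACME_TOKEN, SAMPLE_JWK)
    print(challenge_record_name("mycloud.duckdns.org"), "TXT", txt)
    print(duckdns_txt_url("mycloud", SAMPLE_DUCKDNS_TOKEN, txt))
```

The CA only performs an outbound DNS lookup for the TXT record, which is why validation succeeds with no inbound ports open on the server.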