Hi guys!
I wrote a Nextcloud installation guide for an Ubuntu bare-metal installation behind an NGINX proxy. The goal was to follow Nextcloud's recommendations and pass the security scan without errors.
Would love to hear your input. Feel free to give me feedback here or open an issue here:
This one is great, I'm gonna do a pull request later where I have added ACME for the apache2 on the internal server when you're behind an NGINX proxy.
It's always good to have SSL all the way, even internally.
And with Let's Encrypt it's easy, and if you're using a wildcard cert it's even easier, as then you don't need an internal CA and your internal page will not throw SSL warnings on iPhones etc.
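As an added illustration of the "SSL all the way" setup described in this reply (example config written for this thread, not taken from the guide or the pull request), here is an NGINX proxy vhost that terminates the public TLS connection with a Let's Encrypt wildcard certificate and re-encrypts to the internal Nextcloud host, verifying the backend's certificate rather than trusting the VLAN blindly. The hostnames `cloud.example.com` and `nextcloud.internal.example.com`, the certificate paths, and the assumption that the backend presents a cert for the same wildcard are all placeholders for illustration:

```nginx
# Added example for this thread, not the guide's own config.
# Public-facing NGINX reverse proxy in front of an internal Nextcloud host.
# Hostnames, IPs and certificate paths below are assumed for illustration.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloud.example.com;

    # Wildcard cert for *.example.com, obtained via an ACME DNS-01 challenge
    # (assumed output paths of an acme.sh / certbot run).
    ssl_certificate     /etc/ssl/acme/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/acme/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Nextcloud's security scan checks for HSTS on the public side.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    location / {
        # Re-encrypt to the backend. The same wildcard cert (*.example.com)
        # covers the internal name, so no internal CA is needed.
        proxy_pass https://nextcloud.internal.example.com;

        # Verify the backend's certificate: without this, internal TLS only
        # hides traffic from a passive sniffer and does not authenticate the host.
        proxy_ssl_server_name on;
        proxy_ssl_name nextcloud.internal.example.com;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Headers Nextcloud needs to build correct URLs behind a proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;

        # Large file uploads: no size cap, stream straight to the backend.
        client_max_body_size 0;
        proxy_request_buffering off;
        proxy_read_timeout 3600s;
    }
}
```

The part that actually buys security on the internal hop is `proxy_ssl_verify on` together with `proxy_ssl_name`: the proxy then refuses to talk to anything on the VLAN that cannot present a chain for `nextcloud.internal.example.com`. `proxy_ssl_trusted_certificate` points at the system CA bundle because Let's Encrypt chains to a public root; if the backend were instead using a self-signed cert, that file would have to be the backend's own certificate or internal CA.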
Hmm… since the proxy and the Nextcloud host are the only two hosts in their own VLAN, I never really thought about using SSL internally. Is that not a waste of resources, without any real benefit?
Unfortunately I can’t use wildcard certs.
I solve that in two ways. First of all, I use IPv6. But the macOS desktop client sometimes does not do Happy Eyeballs when the laptop wakes from sleep and tries to use IPv4 instead. Then it takes some time for the client to retest connectivity, and it shows as offline.
That problem I solve by using hairpin NAT for IPv4.
Using Let's Encrypt will not take any resources. If you own your own domain you can use the wildcard certificate, and then you don't need an internal CA.
It's just a cron job that will renew it when needed.
I was thinking of using ACME in the guide.
It's not mandatory, of course; you can still use a self-signed certificate, but
macOS and iOS are a headache to use against servers with self-signed certificates.
I'll try to write it during this weekend. I had the flu this week, so typical, as it was the last week of my vacation this year.
The internal traffic will be encrypted and thus use resources, right?
True, but since my DNS provider is unsupported, manual seems too much of a hassle compared to normal certs.
I don't need an internal CA. With IPv6 and hairpin NAT, traffic gets to the right place (the proxy, not the Nextcloud host) to begin with, so no internal certs are needed. Yeah, Safari is annoying for not accepting internal certs that are valid for more than one year.