Extra security with local login, global share links

Hi,

Are there any practical ways to allow user logins only from a certain network, like a local network, and at the same time keep the possibility of sharing links (without a user) with a password to the public internet?

I think it would be a security improvement to have only shared links available on the public internet.

Perhaps you can use the app Restrict login to IP addresses.
Not in Nextcloud 20 but perhaps it works in Nextcloud 20.
Then you can only log in from the internal network but can use public shares (with and without passwords) from the internal network and the internet.

Also, you could perhaps use 2FA with TOTP. Then you can log in from the internet with far fewer security problems. But then you must also log in with password and TOTP from the local network.
See the app Two-Factor TOTP Provider.


So, shared links with a password will not be handled as a login. Good to know.

Another idea was that maybe nginx can be configured to only allow shared link requests from the internet.

I have to investigate that option too, thanks for help!

I think I would not use external software (nginx) to control Nextcloud features.
But I read some time ago that someone filters https://cloud.server.tld/s
Perhaps it is possible to only allow /s from the internet.
But with the correct rights it can also be used to upload files.

Another problem is WebDAV.
I think you cannot deny WebDAV from the internet.
Your users could use WebDAV for access from the internet.
Sorry, no link. https://docs.nextcloud.com seems down again.
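
The "only allow /s from the internet" idea above, sketched as an added example that is not part of the thread and not Nextcloud or nginx code. The internal ranges, the sample requests and the helper names are assumptions; only the `/s` and `/remote.php` paths come from the posts, and the sketch does not establish that `/s` alone is enough for a share page to work.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumed values for illustration, not taken from the thread or Nextcloud docs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# The thread only names /s; the trailing slash keeps "/settings" from matching.
PUBLIC_PREFIXES = ("/s/",)


def normalize_path(raw_target):
    """Decode once and collapse dot segments; None means 'refuse to guess'."""
    path = unquote(raw_target.split("?", 1)[0].split("#", 1)[0])
    # A '%' left after one decode means double encoding; backslashes and NULs
    # are never part of a share link. Reject instead of interpreting them.
    if any(c in path for c in ("%", "\\", "\x00")):
        return None
    # lstrip avoids POSIX normpath preserving a leading '//'.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(client_ip, raw_target):
    """Internal clients get everything; external clients only public prefixes."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return True
    path = normalize_path(raw_target)
    return path is not None and path.startswith(PUBLIC_PREFIXES)


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.7 is a documentation-range address.
    samples = [
        ("192.168.1.20", "/remote.php/dav/files/alice/"),
        ("203.0.113.7", "/s/AbCdEf123"),
        ("203.0.113.7", "/login"),
        ("203.0.113.7", "/settings/user"),
        ("203.0.113.7", "/s/%2e%2e/remote.php/dav"),
    ]
    for ip, target in samples:
        print(f"{ip:15} {target:32} {'allow' if is_allowed(ip, target) else 'deny'}")
```

The check matches on the normalized path, so a request that only looks like a share link (`/s/../remote.php/...`) is judged by where it actually resolves. As noted in the post above, a share that grants upload rights still accepts uploads through an allowed `/s/` link.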

Why is it that you cannot deny WebDAV? Are they just under /remote.php/?

Move remote.php to remote2.php and see if Nextcloud works or not. Perhaps you can deny it from the internet.

Yes, you are right. The whole system seems to use WebDAV. Maybe I am going to use a different server for public share links.

Does anyone have a suggestion for “syncing” users between two servers? What is the best way to relay login to another Nextcloud server? LDAP, external DB or WebDAV login?

Can two-factor authentication be used on any login backend?