How can I use one domain for login and another one for share links?

Dears,

How can I configure NC to work with one domain for logging in and with a second one that does the sharing, in an environment like this: Nginx + NC 20.x? Nowadays I work without any proxy or Docker. Actually, I prepared 2 nginx vhosts, domain1.faik & domain2.faik, and users have the possibility to connect to …/s/ links from both domains.

Q1:
Is it possible to share links with the address domain2.faik after logging in as a user on the primary domain domain1.faik, and how can I achieve this?
Q2:
The second question is less important: Is it possible to change previously shared links in domain1.faik to new names in domain2.faik?

Sorry. I do not really see the sense in doing so.
But you can configure two or more domains for your Nextcloud.
The problem is that if the user logs in with domain1, the user gets links from domain1.

But perhaps you can configure it in .htaccess.
Perhaps you can write a rewrite rule in .htaccess for /s/ to domain2.
But first you must configure the second domain2 in config/config.php and nginx.

2 Likes

I need to split permissions to NC: one part for VPN or internal network login (security reasons) and one for outside (WAN) links. That’s why I introduced domain two. I think in NC everything comes via index.php and rewrite. If I have separated shared links, I can do that without any kind of hack in the vhost conf, i.e. if conditions.
devnull has written: “But first you must configure the second domain2 in config/config.php and nginx”

I think I have it:

array (
  0 => 'domain1.faik',
  1 => 'domain2.faik',
),

vhost2 is accessible, as I mentioned.

What about .htaccess /s/? It seems that nginx doesn’t like htaccess.

Hi @artur_mis

I can’t quite see the point of all this. Why use a different domain name internally than externally for the same thing? Either it is accessible from outside or not. One security hole in the web server, in the Nextcloud software and your data is vulnerable, regardless of which domain name is used. To me this whole plan sounds a bit like Security by Obscurity, which is never a good practice. It is better to secure the thing by all means. And if there is actually data on it that needs to be handled completely separate, a separate domain name won’t help you with that. If some data on this server for some reason has to be kept separate, keep it separate. :wink:

2 Likes

Thank you for your opinion. Your opinions and your experience are always very important to me :).

It is probably better to have only part of the NC available from the WAN than the whole, isn’t it? Exposing the login panel and other things from NC to the world seems more bizarre than just links with resources.

1 Like

What you are trying to do here, and for which I don’t have a worked out solution, is not going to get any easier with multiple vhosts and domain names. At the end of the day you need to control access to certain parts of the WebApp (directories and/or pages). I think that multiple vhosts and domain names will make it even more complicated to achieve your goal. In the case of Nextcloud you probably have to do it somehow with rewrite rules and I have no idea if there really is a clean solution how you can do that, without any side effects. But at the end of the day the source IP address of the request should be the deciding factor whether a request should be allowed, not the domain name someone tries to access.

You need 2 instances of Nextcloud

It is .htaccess in your nextcloud: /path/to/nextcloud/.htaccess
nginx must relay both domains to the nextcloud.

Yes. But maybe it’s enough if he just secures his Nextcloud as well as possible and activates 2FA for all accounts: As a supplement, he could also take a look at this app: Restrict login to IP addresses - Apps - App Store - Nextcloud.

@artur_mis: To a certain extent, you have to trust the software you are using. If you don’t have this trust, or if you have extremely high security requirements or use cases that a certain software doesn’t cover, the only real options are to make it only available locally or to use completely different software that maybe better suits your needs. In this particular case, the easiest and most pragmatic solution would be to simply host a separate service for external file sharing. This could be a second Nextcloud, which would probably be overkill, or a specialized file sharing service…

https://github.com/awesome-selfhosted/awesome-selfhosted#single-clickdrag-n-drop-upload

Dears ,

For vhost domain1.faik I decided to add geo localization for LAN and VPN in location / and in the WebDAV section. I have added location /s/ too, without any geo, so it is for WAN. In location /s/ I have added a rewrite for index.php, the same one that is in location /.

It seems to be OK without a second vhost. Thank you for your engagement. The main issue was to secure the central panel in the same way and keep shared links working for WAN. It must be easier to do this with Apache. I had something like this when I was using the free version of PYDIO.

1 Like
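
The single-vhost setup described in the post above, sketched as an added example that is not the poster's configuration or taken from the Nextcloud documentation. It decides on source address and original request URI at server level, so direct requests to /index.php/... or /remote.php/... that never pass through `location /` are covered as well. The network ranges, install path, PHP-FPM socket and the variable names `$internal_client`, `$public_path` and `$deny_request` are assumptions.

```nginx
# Goes in the http {} context. All addresses below are constructed examples.
geo $internal_client {
    default         0;
    127.0.0.1/32    1;
    192.168.1.0/24  1;   # LAN (constructed)
    10.8.0.0/24     1;   # VPN (constructed)
}

# Paths that WAN clients may reach. Assumed minimal set: a share page also
# loads assets and endpoints outside /s/, so load one public share from the
# WAN, read the 403 lines in the access log, and extend this map as needed.
map $request_uri $public_path {
    default                   0;
    ~^/(?:index\.php/)?s/     1;
}

# Deny only when the client is external AND the path is not public.
map "$internal_client:$public_path" $deny_request {
    default 0;
    "0:0"   1;
}

server {
    listen 443 ssl;
    server_name domain1.faik;
    root /var/www/nextcloud;            # assumed install path
    # ssl_certificate / ssl_certificate_key and the remaining locations of a
    # full Nextcloud vhost are omitted; only the access decision is shown.

    # Runs for every request before any location is chosen.
    if ($deny_request) { return 403; }

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

    location ~ ^/(?:index|remote|public)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

`$remote_addr` is only meaningful here because the setup has no reverse proxy in front of nginx; behind a proxy the `geo` block would need the real client address instead.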

I think if you use end-to-end TLS/SSL it is not really a security benefit.
Transport Layer Security - Wikipedia

I think it would be more useful to use 2FA because of possible client-side malware.

2 Likes