I have set up NC behind Nginx Proxy Manager and Cloudflare, with Let’s Encrypt certificates, in Docker on a QNAP NAS. Works well.
However, I need a way to access NC locally via the server’s IP address, with the connection still being via https. I can’t for the life of me figure out how to do that. Do I need to generate my own certificates, even set up my own Certificate Authority, etc.?
The alternative is to access NC (only locally!) via http. It’s my reasonably secure home network. What kinds of risks are involved here?
What do you mean by “and Cloudflare”? just DNS, or something like Argo…?
If your reverse proxy is hosted locally, you could connect to the reverse proxy using the name instead of connecting directly to your Nextcloud server using the IP address. But you have to make sure that local DNS for cloud.yourdomain.tld points to the local IP address of the reverse proxy to make it work.
In general TLS certificates are always issued for an FQDN. Public certificate authorities (CAs) only issue certificates for valid public FQDNs. For local FQDNs you can set up your own CA and issue certificates for internal FQDNs as well (or you use self-signed certificates). In case of a self-signed certificate or internal CA you need to import the issuer certificate into each client to make them trust this certificate…
But if you just want to avoid going through the internet when you access your NC from the internal network, you might be looking for split-brain DNS pointing your public domain to the local IP (and still using the public LE TLS cert).
Beware of “rebind protection” implemented in some routers…
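An added check for the split-brain DNS setup described above (example script, not from any poster in this thread): it reports whether the FQDN resolves to a private address from the client, which also surfaces the rebind-protection problem just mentioned, and whether the proxy still presents the trusted public certificate when reached by local IP with SNI. cloud.example.com and 192.168.10.10 are placeholder values.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a split-brain DNS setup for Nextcloud.
# The FQDN cloud.example.com and proxy address 192.168.10.10 are placeholders.
NC_FQDN="${NC_FQDN:-cloud.example.com}"
NC_LOCAL_IP="${NC_LOCAL_IP:-192.168.10.10}"

# Return 0 if $1 is an RFC 1918 (private) IPv4 address, 1 otherwise.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "local", "public" or "unresolved" for a resolver answer. On a LAN,
# "unresolved" usually means the router's DNS rebind protection dropped the
# private answer; "public" means the rewrite is not in effect and traffic
# would leave via the internet (or the VPN tunnel).
classify_answer() {
  if [ -z "$1" ]; then echo unresolved
  elif is_private_ip "$1"; then echo local
  else echo public
  fi
}

# First IPv4 answer from the system resolver (AdGuard Home, if it is the configured DNS).
resolve_v4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Connect to the proxy by local IP with SNI set to the FQDN and require a certificate
# that chains to a trusted root and matches the name, i.e. the public LE cert is
# being served locally (a self-signed cert would fail here).
check_local_tls() {
  printf '' | openssl s_client -connect "$2:443" -servername "$1" \
    -verify_return_error -verify_hostname "$1" >/dev/null 2>&1
}

main() {
  answer=$(resolve_v4 "$NC_FQDN")
  echo "$NC_FQDN -> ${answer:-<none>} ($(classify_answer "$answer"))"
  if check_local_tls "$NC_FQDN" "$NC_LOCAL_IP"; then
    echo "TLS to $NC_LOCAL_IP with SNI $NC_FQDN: trusted and valid for the name"
  else
    echo "TLS to $NC_LOCAL_IP with SNI $NC_FQDN: failed (untrusted issuer or name mismatch)"
  fi
}

# Run the live checks only when invoked as: sh check_split_dns.sh --run
case "${1:-}" in --run) main ;; esac
```

Run it from a LAN client; "local" plus a passing TLS check means the name stays on the LAN and the browser will not see a certificate warning.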
While this would work, it would also be less than ideal for various reasons. First, mobile devices must be able to switch between external and internal networks without changing the address every time. Second, if you share something from your PC with someone outside the local network, you don’t want to share an https://192.168.10.10 or https://nextcloud.local link.
The proper solution is either Split DNS or Hairpin NAT. The first one is preferable, because the latter is kind of a hack itself and not all routers do support it.
It really is a shame I didn’t know how to ask the right questions a few months ago. The split-brain DNS recommendation and the picture would have made my life a lot easier!
So yes, I already have DNS rewrites in place via AdGuard Home. Works well. But I need a solution for the following edge case: all devices on the network usually connect to the Internet via a VPN (which means access to the local NC then also takes a detour via the Internet). The VPN client has the option to split traffic, but only for: specific apps, specific (external) IP addresses, or all local IP addresses. I added all NC clients as exceptions, so they bypass the VPN and therefore stay local thanks to the AdGuard Home DNS rewrites. But for the NC web interface, which is used quite extensively, also in combination with Collabora, I need a local IP that can be typed into the browser (since I don’t want to add the entire browser as an exception), or else traffic goes out via the VPN.
I hope I managed to explain myself better now and that my use case is clearer. If somebody has an idea how to solve this without an IP, I’m all ears!
Can you even reach your Nextcloud server via local IP address from the browser on that machine, when all the traffic is forced to go through the VPN? I mean, what’s the difference between using the domain name in order to connect to your local reverse proxy or using the IP address in order to connect directly to the local Nextcloud server, when all the traffic coming from that machine / browser is forced to go through the VPN anyway? Sorry, but I’m not an expert on that topic and you would probably have to provide more detailed information on how you set that all up…
If you can reach the server via IP, you could simply use self-signed certificates. If the warnings they generate in the browser don’t bother you, you don’t need to import the CA into your browser. But you have to keep one thing in mind: the URLs for shares you generate in such a session will look like this: https://192.168.10.10/s/zJzs6yAeZNTeB5F. So you won’t be able to create shares directly from such a session. You would have to manually adjust the links if you want to send them to someone who needs access via domain name.
Depending on your usage this might not be a big deal… unless you share large amounts of data all the time, this should not be a big deal…
Sounds a little strange that there is no option to bypass specific FQDNs… I would still recommend searching for a way to keep the access to your real domain local rather than setting up another way to access your cloud…
If you control the DNS of your VPN then you can add your host there as well - once it shows the local IP then your traffic stays local - the drawback is that it stops working once you use your VPN when not in the same network as your Nextcloud server. Another option would be a hosts file record - a bad solution in my eyes, but I fear there is no good solution for your problem.
Thank you everybody. I read through all your suggestions carefully and they pointed me in a few good directions. With some additional help from Reddit, I ended up with a solution that solves most problems except it breaks the link between Nextcloud and Collabora. I can live with that for now. I left a feature request with the VPN provider to add support for split-traffic according to FQDN.