How to properly install and harden Nextcloud for rock-solid and secure work on a Proxmox physical machine?

Hi guys,

as the question clearly states, how to properly install Nextcloud on top of Proxmox for a small to medium-sized enterprise, and also configure it for rock-solid work, keeping security and monitoring in mind.

I know there are multiple follow-ups,

but which one of those would be the cleanest and most secure way?

Some guys use Cloudflare, some don’t; some use nginx proxy manager, some don’t.

So which of all the given ways of implementing it would be the most stable one?

I am currently using the Proxmox/Cloudflare/nginx proxy manager solution, but it is very, very buggy: currently nginx is not letting me in, even though the password is 100% correct; Nextcloud is sporadically throwing 502/504/506 bad gateways at me, and sporadically not opening its built-in office solution.

I am aiming to configure it once and then forget about it for a year or two…

Please throw me some opinions / blog posts / walkthroughs on building the most stable (and simple) Nextcloud with a domain on top of Proxmox!

Thank you!

First, don’t use LXCs, and certainly not privileged LXCs, if you plan to expose it to the internet. That way you have better isolation from the host and the rest of your services you might run on that host. Further, put it in a separate network segment / VLAN, and don’t allow traffic to other subnets, so when your Nextcloud should be compromised they cannot pivot to other things you’re running on your network, or compromise the host the VM is running on.

Reverse proxies are not a security feature, especially if they are running on the same machine/VM/network segment as the rest of your services. They are mainly needed to direct traffic to multiple services behind a single public IP, because you cannot forward port 80/443 to multiple local IP addresses, and in larger environments they can also be used for traffic shaping and load balancing. Cloudflare adds some “magic (security) sauce” to it, but this comes with a price. 1.) Things like large file uploads don’t work very well with Cloudflare tunnels, at least not with their free plans. 2.) Now you have to trust Cloudflare not to mess with your data.

I can only say what I do. I’m running Nextcloud in a VM on Proxmox, and I port forward ports 80/443 directly to that VM. On that VM I’m running a classic LAMP stack, secured with Let’s Encrypt and Fail2ban.

BUT! I’m just a home user…

…and since you are planning to use it in a business, I wouldn’t recommend doing anything without proper planning and a risk assessment, and I would certainly not recommend using a home lab “hobbyist” product like NGINX Proxy Manager. :wink:

Also, your questions aren’t specific to Nextcloud, but rather about general concepts of how you should design your infrastructure, which is highly dependent on the size of your organization, the nature of your business, and of course your budget.

So I’d say you should probably hire a professional IT consultant who will help you plan your infrastructure, or maybe even hire an MSP that can also help build it out and manage it.

If this all sounds already too complicated and/or too expensive for you, you probably shouldn’t host it yourself, and use a managed Nextcloud provider instead. Or at least don’t publicly expose it, and use a VPN or overlay network like Tailscale to access it remotely.
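A concrete version of the isolation the reply above recommends, as an added example that is not from the thread or from the Proxmox/Nextcloud projects: a VM-level Proxmox firewall file for a Nextcloud VM that accepts only 80/443 inbound and cannot reach RFC1918 space outbound, so a compromised VM has no path to the LAN or the host. It assumes VMID 100, that the VM’s NIC has the firewall flag set (for example `qm set 100 -net0 virtio,bridge=vmbr0,tag=20,firewall=1`), and that the datacenter-level firewall is enabled; `PVE_FW_DIR` is an assumption so the script can be dry-run into a temporary directory instead of `/etc/pve/firewall`.

```shell
#!/bin/sh
# Added example: generate /etc/pve/firewall/<vmid>.fw for an internet-exposed
# Nextcloud VM. Not from the thread; VMID, VLAN tag and paths are assumptions.
set -eu

# Override to dry-run somewhere harmless, e.g. PVE_FW_DIR=$(mktemp -d)
PVE_FW_DIR="${PVE_FW_DIR:-/etc/pve/firewall}"

write_nextcloud_vm_fw() {
    vmid="$1"
    out="$PVE_FW_DIR/$vmid.fw"
    cat > "$out" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP
log_level_in: info

# Everything private: LAN, management VLAN, the Proxmox host itself.
[IPSET rfc1918]
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

[RULES]
# Inbound: only what the router actually forwards. No SSH from the internet;
# administer via the Proxmox console or a VPN.
IN ACCEPT -p tcp -dport 80 -log nolog
IN ACCEPT -p tcp -dport 443 -log nolog
# Outbound: rules match top-down, so the pivot block comes first. If your
# DNS/NTP/SMTP server lives on the LAN, add an ACCEPT for that host ABOVE this line.
OUT DROP -dest +rfc1918 -log warning
# Updates, Let's Encrypt (ACME), app store, public DNS/NTP.
OUT ACCEPT -p udp -dport 53
OUT ACCEPT -p tcp -dport 53
OUT ACCEPT -p udp -dport 123
OUT ACCEPT -p tcp -dport 80
OUT ACCEPT -p tcp -dport 443
EOF
    printf '%s\n' "$out"
}

# Which inbound TCP ports does the ruleset open? (sanity check before applying)
fw_inbound_ports() {
    awk '/^IN ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "-dport") printf "%s%s", (n++ ? " " : ""), $(i+1) }' "$1"
}

# The very first OUT rule must be the RFC1918 drop; any ACCEPT above it
# would leak a path back into the LAN.
fw_lan_is_blocked() {
    [ "$(grep '^OUT ' "$1" | head -n 1)" = "OUT DROP -dest +rfc1918 -log warning" ]
}

# Apply on the host with:  sh this.sh apply 100
if [ "${1:-}" = "apply" ]; then
    f="$(write_nextcloud_vm_fw "${2:-100}")"
    fw_lan_is_blocked "$f" || { echo "refusing: LAN drop is not the first OUT rule" >&2; exit 1; }
    echo "wrote $f; opens inbound TCP: $(fw_inbound_ports "$f")"
    pve-firewall compile >/dev/null && echo "ruleset compiles"
fi
```

`pve-firewall compile` only checks that the file parses; the real test is from inside the VM: `curl -m 5 https://<host-or-LAN-ip>:8006` must fail while `curl -m 5 https://acme-v02.api.letsencrypt.org` succeeds. Keep the Proxmox web UI (8006) and SSH reachable only from the management VLAN, never from the Nextcloud segment.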
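The Fail2ban half of the LAMP setup mentioned above, as an added example (not the poster’s own configuration): the filter and jail for failed Nextcloud logins, plus a plain-shell version of the same match run over a few constructed `nextcloud.log` lines so you can see what the jail would count. Paths default to `/etc/fail2ban` and `/var/log/nextcloud/nextcloud.log`; `F2B_DIR` and `NC_LOG` are assumptions for dry runs, and the sample log lines are constructed, not captured. One caveat the thread does not mention: behind any reverse proxy, `remoteAddr` is the proxy’s address until `trusted_proxies` is set in `config.php`, so the ban would hit the proxy instead of the attacker.

```shell
#!/bin/sh
# Added example: Fail2ban jail for Nextcloud login failures. Not from the thread;
# paths and thresholds are assumptions. Check the regex against your real log with:
#   fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf
set -eu

F2B_DIR="${F2B_DIR:-/etc/fail2ban}"
NC_LOG="${NC_LOG:-/var/log/nextcloud/nextcloud.log}"

write_nextcloud_f2b() {
    mkdir -p "$F2B_DIR/filter.d" "$F2B_DIR/jail.d"
    # Nextcloud logs one JSON object per line; <HOST> is taken from remoteAddr,
    # and both "Login failed:" and "Trusted domain error" count as failures.
    cat > "$F2B_DIR/filter.d/nextcloud.conf" <<'EOF'
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
EOF
    cat > "$F2B_DIR/jail.d/nextcloud.local" <<EOF
[nextcloud]
enabled  = true
backend  = auto
port     = 80,443
protocol = tcp
filter   = nextcloud
logpath  = $NC_LOG
maxretry = 3
findtime = 43200
bantime  = 86400
EOF
}

# Same decision the jail makes, in plain shell: count failures per remoteAddr
# and print the addresses at or above maxretry. JSON field order does not
# matter because remoteAddr is pulled out separately from the message match.
failed_logins_over() {
    grep -E '"message":"(Login failed:|Trusted domain error)' "$1" \
      | sed -n 's/.*"remoteAddr":"\([^"]*\)".*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample of nextcloud.log (not real traffic): three failures from
# one address, one from another, and one unrelated line in between.
sample_log() {
    cat <<'EOF'
{"reqId":"r1","level":2,"time":"2024-05-01T10:00:01+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'alice' (Remote IP: '203.0.113.7')"}
{"reqId":"r2","level":2,"time":"2024-05-01T10:00:04+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"r3","level":1,"time":"2024-05-01T10:00:05+00:00","remoteAddr":"198.51.100.2","user":"bob","app":"files","method":"GET","url":"/apps/files/","message":"Storage scan completed"}
{"reqId":"r4","level":2,"time":"2024-05-01T10:00:09+00:00","remoteAddr":"198.51.100.2","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'bob' (Remote IP: '198.51.100.2')"}
{"reqId":"r5","level":2,"time":"2024-05-01T10:00:12+00:00","remoteAddr":"203.0.113.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
EOF
}

# Run with:  sh this.sh demo   (prints the address the jail would ban)
if [ "${1:-}" = "demo" ]; then
    tmp="$(mktemp)"; sample_log > "$tmp"
    echo "would be banned at maxretry=3: $(failed_logins_over "$tmp" 3)"
    rm -f "$tmp"
fi
```

After `systemctl reload fail2ban`, `fail2ban-client status nextcloud` shows the jail and its banned list. Nextcloud also has its own brute-force throttling (the `bruteforcesettings` app and the `brute_force_protection` config); Fail2ban adds the network-level block in front of PHP, which is what keeps a credential-stuffing run from consuming the web server.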

First of all, thank you, man!

The irony here is that I am an IT guy not knowing which way I need to go, as I had other jobs in life, mostly in the stupid Windows world; the current result is definitely too overwhelming, and thus issues WILL come, and it is far from hassle-free and secure :frowning:

So, the current whole scenario:

  • Server - DL380, SSDs in RAID
  • QNAP storage - 2 arrays, 1 striped, 1 mirrored (thus the total space gets maximized, given the different sizes of all 4 HDDs) (configured to some extent, no backup solution implemented, Proxmox sees the arrays)
  • Old SME router box (which I could dump for some second-hand SME-grade thing; no teaming, 100 Mbps Ethernet, has port forwarding)
  • 2 vWorkstations for 3D modelling with passed-through physical GPUs and something like Parsec for interaction with them (done)
  • 2 more simple office Linux vPCs (done, not needed currently)
  • OpenProject (done, also integrated with Nextcloud)
  • NEXTCLOUD - (done; both should be better interconnected. It is killing me with the aforementioned issues - intermittent bad gateways, intermittent built-in editing not working)
  • Domain name (bought)
  • Cloudflare (I am not happy about it, as it is an additional network layer + imposes bans on bigger files + you never know if it is the RC of an issue, and speed-wise one could believe it is choked so it could make money for their paid plans)
  • Nginx Proxy Manager with encryption between Cloudflare and nginx (it is very buggy IMO)

Task for the whole thing:

  • a low-cost startup infrastructure for up to 5 participants (eventually more, as Nextcloud users only) all over Europe, giving them the ability to follow up on the project, work online with documents, exchange files, and work in the vPC and vWorkstation environments (3D modelling)
  • a reliable and secure environment which won’t need DIY miracles every now and then, beyond the regular maintenance once a year or every second year.
  • a reliable and free backup solution to keep the images of the configured setup + to run hassle-free backups of user data - Nextcloud, OpenProject, vWindows, vLinux.

So, given all the ways one could go, and given the best practices, could someone out of experience give me the mixture of tools/solutions/practices/simple ideas for my target setup, that I could then research and implement on my own and have a rock-solid environment in the end, so we could focus on the startup matters? When the startup grows, I will simply load the whole config onto a newer machine through failover clustering and scale it up. Let’s hope! :slight_smile: :slight_smile:

Even if it is kind of a struggle now, I am very thankful that I am having such a task, because it is putting me back on track in the real IT world + I am more annoyed than unable to do the use case setup, but I shouldn’t have to try every single tool/program/practice to end up with a well-known scenario, should I?

Thanks to you and all others willing to help!

Hey buddies, please put in some input, I will be very happy! The thing has just crashed again (error 504) just after uploading 20 MB of tiny pictures… GRRR…

The strangest thing is - it heals on its own after a couple of hours?!?

The more you add, the more can break. For Cloudflare, it makes the whole setup more complicated, and I’d ask myself what you want to protect against. Usually, with Cloudflare, I’d put static download files there to have them cached around the world so they are quickly accessible, or to hide a more or less static website to protect against DDoS. Now if I use Nextcloud just for my coworkers, who mostly access the stuff locally, why add Cloudflare to complicate the setup?

Well, hosting your own server is IMHO the definition of DIY.

You could take a look at Proxmox Backup Server, which allows you to back up your VMs incrementally. However, this should preferably run on a separate physical box and not on the same server as the VMs. You should also think about an offsite backup. Search for “RAID is not a backup” and the “3-2-1” backup rule on the Internet.

And again, this is not meant to patronise you, but if you lack the knowledge in some areas to do it properly, you need to acquire that knowledge, or hire an MSP to manage it for you, or use SaaS (managed cloud services).

Also, if the main reason why you want to self-host is to save costs, don’t do it, because it will end in disaster. Self-hosting is almost never cheaper than SaaS for small businesses, unless you’re taking shortcuts, like running everything on a single machine or not doing proper 3-2-1 backups, which will come back and bite you in the a** sooner or later. :wink:

If your server gets owned by threat actors because you misconfigured something or didn’t update things, or if your server and/or services go down because of a hardware failure or because you accidentally broke something, and/or if you lose several months of data because the backups didn’t work, and/or if your server is down for a week until you get that replacement RAID controller you ordered on eBay, it may cost you a lot more than the subscription fees for a few SaaS services or what you’d have to pay an MSP to manage these things for you.


Hello guys, thank you for your replies!

I’ve decided that I will develop my topic and show everything along the way to one good build and config of hypervisor, VMs, web and services for a private server and SMEs. IT people must show and not ask, so I will show the good concepts and decisions that I know will work, but for the details I will be asking. Thus one very good topic will remain for the others, so they won’t struggle that much (I am definitely not struggling, but I haven’t built anything for myself personally in many years, just taking care of other people’s systems).

This is the beginning; it is on purpose with no details given. It will evolve over time, and I will be posting the details from time to time, with all the philosophy and the decisions behind them.

Stay tuned and for the rest - help when needed! :smiley: