How to use local and public access (with https/ssl)

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • Nextcloud Hub 26 Winter (33.0.0)
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian 13 as LXC on proxmox
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.4.66
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • Caddy 2.10.2 (own lxc)
  • PHP version (e.g, 8.3):
    • 8.4
  • Is this the first time you’ve seen this error? (Yes / No):
    • n/a
  • When did this problem seem to first start?
    • n/a
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • Manual in lxc
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • no

Summary of the issue you are facing:

I installed nc on a Debian lxc manually. I'm using a separate MariaDB LXC because I also have a WordPress installation in my homelab. The website is exposed through caddy, which is also set up in a Debian lxc. I have a dynamic IP and it only changes if I restart my opnsense. Therefore I use it without cloudflare etc. until now. I planned to set that up in the near future.

I want to register a new domain for my family and access nc also from the internet, also if I want to share files etc.

My questions are:

  1. How do I access nc in my local network? Through the public domain? I do not want to use the internet connection, if I’m in my local network.
  2. Should I use https/ssl in my local network? If yes, how?
  3. Can I use nc only locally now and expose it with the reverse proxy once my domain is registered?
  4. What security advice do you have?

Steps to replicate it (hint: details matter!):

n/a

Log entries

Nextcloud

n/a

Web Browser

n/a

Web server / Reverse Proxy

n/a

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.home.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "33.0.0.16",
        "overwrite.cli.url": "http:\/\/nextcloud.home.local",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance_window_start": 1,
        "default_phone_region": "DE",
        "server_id": 1,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "maintenance": false
    }
}

Apps

The output of occ app:list (if possible).

Enabled:
  - activity: 6.0.0-dev.0
  - app_api: 33.0.0
  - bruteforcesettings: 6.0.0-dev.0
  - calendar: 6.2.1
  - circles: 33.0.0
  - cloud_federation_api: 1.17.0
  - comments: 1.23.0
  - contacts: 8.4.1
  - contactsinteraction: 1.14.1
  - dashboard: 7.13.0
  - dav: 1.36.0
  - federatedfilesharing: 1.23.0
  - federation: 1.23.0
  - files: 2.5.0
  - files_downloadlimit: 5.1.0-dev.0
  - files_pdfviewer: 6.0.0-dev.0
  - files_reminders: 1.6.0
  - files_sharing: 1.25.2
  - files_trashbin: 1.23.0
  - files_versions: 1.26.0
  - firstrunwizard: 6.0.0-dev.0
  - logreader: 6.0.0
  - lookup_server_connector: 1.21.0
  - mail: 5.7.3
  - nextcloud_announcements: 5.0.0
  - notes: 4.13.0
  - notifications: 6.0.0
  - oauth2: 1.21.0
  - password_policy: 5.0.0-dev.0
  - photos: 6.0.0-dev.0
  - privacy: 5.0.0-dev.0
  - profile: 1.2.0
  - provisioning_api: 1.23.0
  - recommendations: 6.0.0-dev.0
  - related_resources: 4.0.0-dev.0
  - richdocuments: 10.1.0
  - serverinfo: 5.0.0-dev.0
  - settings: 1.16.0
  - sharebymail: 1.23.0
  - spreed: 23.0.1
  - support: 5.0.0
  - survey_client: 5.0.0-dev.0
  - systemtags: 1.23.0
  - text: 7.0.0-dev.3
  - theming: 2.8.0
  - twofactor_backupcodes: 1.22.0
  - twofactor_totp: 15.0.0-dev.0
  - updatenotification: 1.23.0
  - user_status: 1.13.0
  - viewer: 6.0.0-dev.0
  - weather_status: 1.13.0
  - webhook_listeners: 1.5.0
  - workflowengine: 2.15.0
Disabled:
  - admin_audit: 1.23.0
  - encryption: 2.21.0
  - files_external: 1.25.1
  - suspicious_login: 11.0.0-dev.0
  - twofactor_nextcloud_notification: 7.0.0
  - user_ldap: 1.24.0

If the plan is to make nc publicly available, I would suggest starting with a fqdn and ssl from the beginning (ssl termination at the reverse proxy). Otherwise, it may get troublesome to change configs at a later point.

Especially your mobile clients will need to work with the fqdn if you want to access nc from LAN and WAN. To avoid the detour through the router on the LAN, you could use a local DNS server (e.g. bind9 with rpz) so that requests for the public fqdn are resolved to the local reverse proxy. Of course you could also maintain local dns rules on each client (e.g. /etc/hosts on linux clients, so that the fqdn resolves to the local reverse proxy).

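As an added example (my own code, not part of the original thread and not Nextcloud's or Caddy's tooling), here is a small Python check for the split-horizon DNS setup described above: it classifies what a LAN client will end up doing with the LAN resolver's answer for the public FQDN, and emits the override record for a bind9 RPZ zone or an /etc/hosts line. The FQDN cloud.mydomain.com, the proxy and backend addresses, and the resolver answers are all constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed values for this example; none of them come from the thread.
FQDN = "cloud.mydomain.com"
PROXY_IPS = {"192.168.10.5", "2001:db8:10::5"}   # Caddy LXC: LAN IPv4 + (documentation-range) IPv6
BACKEND_IPS = {"192.168.10.20"}                  # Nextcloud LXC, plain HTTP, reachable via the proxy only

# Ranges that never leave the LAN. Listed explicitly instead of using ipaddress's
# is_private, which also flags documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 ULA
)]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify_lan_answer(answers: Iterable[str],
                        proxy_ips: Iterable[str] = PROXY_IPS,
                        backend_ips: Iterable[str] = BACKEND_IPS) -> str:
    """Outcome for a LAN client given the LAN resolver's answer(s) for the FQDN.

    split-horizon-ok  every answer is the reverse proxy: traffic stays on the LAN
                      and still passes the hop that terminates TLS
    bypasses-proxy    an answer points straight at the Nextcloud backend, so the
                      client talks plain HTTP to it and skips TLS termination
    hairpin-via-wan   an IPv4 answer is public: the client goes out to the router
                      and back in (NAT reflection), or fails if the router refuses
    no-answer         the name does not resolve on the LAN at all
    other             anything else (e.g. a stale address of a retired host)
    """
    answers = list(answers)
    proxy_ips, backend_ips = set(proxy_ips), set(backend_ips)
    if not answers:
        return "no-answer"
    if all(a in proxy_ips for a in answers):
        return "split-horizon-ok"
    if any(a in backend_ips for a in answers):
        return "bypasses-proxy"
    if any(ipaddress.ip_address(a).version == 4 and not is_internal(a) for a in answers):
        return "hairpin-via-wan"
    return "other"


def rpz_record(fqdn: str, lan_ip: str, ttl: int = 300) -> str:
    """One zone-file line for a bind9 RPZ (or any local override zone) that answers
    the public name with the proxy's LAN address."""
    rtype = "AAAA" if ipaddress.ip_address(lan_ip).version == 6 else "A"
    return f"{fqdn}.\t{ttl}\tIN\t{rtype}\t{lan_ip}"


def hosts_line(fqdn: str, lan_ip: str) -> str:
    """Equivalent per-client override for /etc/hosts."""
    return f"{lan_ip}\t{fqdn}"


def audit(lan_answers: List[str], public_answers: List[str]) -> Dict[str, object]:
    """Compare the LAN resolver's answer with a public resolver's answer.
    'split' is True only when LAN clients hit the proxy directly while the public
    answer (the DynDNS record) is a public address."""
    lan = classify_lan_answer(lan_answers)
    public_ok = bool(public_answers) and not any(is_internal(a) for a in public_answers)
    return {"lan": lan, "public_is_public": public_ok,
            "split": lan == "split-horizon-ok" and public_ok}


if __name__ == "__main__":
    # Constructed resolver answers: AdGuard/bind9 on the LAN vs. a public resolver.
    print(audit(["192.168.10.5"], ["203.0.113.10"]))
    print(audit(["203.0.113.10"], ["203.0.113.10"]))   # no local override -> hairpin
    print(rpz_record(FQDN, "192.168.10.5"))
    print(hosts_line(FQDN, "192.168.10.5"))
```

The distinction worth keeping is "bypasses-proxy": if the local override points at the Nextcloud LXC instead of the Caddy LXC, LAN clients skip TLS termination and speak plain HTTP to the backend, which is the path the rest of the thread argues for closing. With IPv6 there is no NAT, so the LAN and public answers may both be the proxy's global address and still pass, as the proxy's IPv6 entry in the example allows.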

I don't use OPNsense but pfsense. I use Firewall → Aliases to set an Alias Name for the Nextcloud for internal access. This resolves the Nextcloud FQDN internally from the sense's DNS server to the local Nextcloud IP address.

To create Let's Encrypt ssl certificates you need a domain (FQDN), but you may also use a DynDNS for that purpose.

yes


OK right, so I will:

  1. configure cloud.mydomain.com in nc,
  2. configure my local dns to map for my local nc ip
  3. configure dyndns with my provider and opnsense
  4. configure caddy as reverse proxy for nc

Caddy will autogenerate ssl automatically.

Right?

wan: Client --https--> DynDNS --https--> opnsense --https--> caddy --http--> nc
lan: Client --http--> DNS --http--> nc

Is this also correct, or should I also have caddy --https--> nc?
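As an added example (my own code, not from the thread and not Nextcloud's own tooling), the config.php keys that the four steps above touch can be checked mechanically. BEFORE mirrors the trusted_domains and overwrite.cli.url values from the posted config; everything in AFTER, the domain cloud.mydomain.com and the proxy address 192.168.10.5 are assumptions. The generated occ commands use Nextcloud's config:system:set syntax, where list entries take their index as a second argument.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed values for this example (assumptions, not from the thread).
FQDN = "cloud.mydomain.com"
PROXY_IP = "192.168.10.5"        # LAN address of the Caddy LXC that terminates TLS

# "Before": the relevant keys as they appear in the config posted in the thread.
BEFORE: Dict[str, object] = {
    "trusted_domains": ["nextcloud.home.local"],
    "overwrite.cli.url": "http://nextcloud.home.local",
}

# "After": the same keys once Caddy terminates TLS for the public name and
# forwards plain HTTP to the backend (assumed target state).
AFTER: Dict[str, object] = {
    "trusted_domains": ["nextcloud.home.local", "cloud.mydomain.com"],
    "overwrite.cli.url": "https://cloud.mydomain.com",
    "overwriteprotocol": "https",
    "trusted_proxies": ["192.168.10.5"],
}


def check_reverse_proxy_config(cfg: Dict[str, object], fqdn: str, proxy_ip: str) -> List[str]:
    """Problems a TLS-terminating reverse-proxy deployment has with this
    config.php 'system' section. An empty list means all checks pass."""
    findings: List[str] = []

    if fqdn not in cfg.get("trusted_domains", []):
        findings.append(f"trusted_domains lacks {fqdn}: Nextcloud rejects requests for that host")

    url = urlsplit(str(cfg.get("overwrite.cli.url", "")))
    if url.scheme != "https" or url.hostname != fqdn:
        findings.append(f"overwrite.cli.url should be https://{fqdn} (used for links generated by cron/occ)")

    # The proxy speaks plain HTTP to the backend, so Nextcloud must be told that
    # the client-facing scheme is https or it emits http:// links and redirects.
    if cfg.get("overwriteprotocol") != "https":
        findings.append("overwriteprotocol is not 'https': generated URLs and redirects downgrade to http")

    if cfg.get("overwritehost") not in (None, fqdn):
        findings.append(f"overwritehost is set to something other than {fqdn}")

    # Without trusted_proxies, X-Forwarded-For is ignored: logs show the proxy's
    # address and brute-force protection throttles the proxy instead of the client.
    if proxy_ip not in cfg.get("trusted_proxies", []):
        findings.append(f"trusted_proxies lacks {proxy_ip}: real client IPs are not seen")

    return findings


def fix_commands(cfg: Dict[str, object], fqdn: str, proxy_ip: str) -> List[str]:
    """occ invocations that move cfg to the target state (run as the web server
    user from the Nextcloud directory)."""
    cmds: List[str] = []
    domains = list(cfg.get("trusted_domains", []))
    if fqdn not in domains:
        cmds.append(f"php occ config:system:set trusted_domains {len(domains)} --value={fqdn}")
    if cfg.get("overwrite.cli.url") != f"https://{fqdn}":
        cmds.append(f"php occ config:system:set overwrite.cli.url --value=https://{fqdn}")
    if cfg.get("overwriteprotocol") != "https":
        cmds.append("php occ config:system:set overwriteprotocol --value=https")
    proxies = list(cfg.get("trusted_proxies", []))
    if proxy_ip not in proxies:
        cmds.append(f"php occ config:system:set trusted_proxies {len(proxies)} --value={proxy_ip}")
    return cmds


if __name__ == "__main__":
    for f in check_reverse_proxy_config(BEFORE, FQDN, PROXY_IP):
        print("BEFORE:", f)
    for c in fix_commands(BEFORE, FQDN, PROXY_IP):
        print(c)
    print("AFTER findings:", check_reverse_proxy_config(AFTER, FQDN, PROXY_IP))
```

The overwriteprotocol and trusted_proxies entries are the two that are easy to forget when the proxy talks plain http to the backend: the first keeps Nextcloud from generating http:// URLs behind the https front door, the second makes the brute-force protection act on the real client address rather than on the proxy.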

What is correct will most likely depend on what device (proxy or NC-Server) will create and renew the certificate.

I don't use a reverse proxy in my setup. I have switched to IPv6, and with IPv6 there is no need for any reverse proxies.

But my NC-Server does in general accept no http requests. In my eyes it is insecure, no matter whether used only in the local network or on the WAN as well. Furthermore, if you later intend to use WebDAV mounts, for example, or internally some mobile apps, you will need https also to access the NC from the LAN.

So my opinion is: do it with https from scratch to avoid running into any trouble later.


Thank you all for the responses! I managed to get it running yesterday. Currently I'm getting an A rating because I still have to check the headers, but this is fine tuning.

I configured DynDNS with ipv64.net. My DNS server (AdGuard) uses a DNS rewrite to map the public domain to my reverse proxy. So my entry point is always the reverse proxy and it forces ssl. nc also only accepts https. Thank you for the hint.

I also plan to update my homelab to IPv6 with a static address, but currently I do not have the time. @adelaar how do you manage ssl with your IPv6 setup? Do you generate the ssl cert manually? I'm using caddy and it is really nice to have ssl out of the box.
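As an added example (not from the thread), here is a checker for the response headers that Nextcloud's admin overview complains about, which is the usual reason a header-focused scan stops short of the top grade. The two header sets are constructed: the first is what the backend sends when the proxy adds nothing of its own, the second is the same response with HSTS added at the proxy. The HSTS minimum of 15552000 seconds is the value Nextcloud's setup check requires; the exact set of other headers checked follows that setup check as I know it and should be treated as an assumption.

```python
from typing import Dict, List

MIN_HSTS_AGE = 15552000   # 180 days, the floor Nextcloud's setup check enforces

# Header name -> accepted values, compared case-insensitively with whitespace removed.
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin"},
    "x-permitted-cross-domain-policies": {"none"},
    "x-robots-tag": {"noindex,nofollow"},
}
ALLOWED_REFERRER = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                    "strict-origin-when-cross-origin", "same-origin"}

# Constructed sample responses (not captured from any real host).
WEAK: Dict[str, str] = {                     # backend headers only, nothing added by the proxy
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-Robots-Tag": "noindex, nofollow",
    "Referrer-Policy": "no-referrer",
}
GOOD: Dict[str, str] = dict(WEAK, **{        # same, with HSTS injected at the proxy
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
})


def _squash(value: str) -> str:
    return "".join(value.lower().split())


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security value, or -1 if absent/invalid."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one HTTPS response; empty list means the header set passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: browsers will still try plain http")
    elif hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_AGE}")

    for name, accepted in EXPECTED.items():
        val = h.get(name)
        if val is None:
            findings.append(f"{name} missing")
        elif _squash(val) not in accepted:
            findings.append(f"{name} is '{val}', expected one of {sorted(accepted)}")

    rp = h.get("referrer-policy")
    if rp is None or rp.lower() not in ALLOWED_REFERRER:
        findings.append("Referrer-Policy missing or too permissive")
    return findings


if __name__ == "__main__":
    print("WEAK:", check_headers(WEAK))
    print("GOOD:", check_headers(GOOD))
```

Nextcloud sets the X-* and Referrer-Policy headers itself; HSTS is the one that has to come from whatever terminates TLS. In a Caddyfile that is a `header Strict-Transport-Security "max-age=15552000; includeSubDomains"` line inside the site block, and it belongs only on the https site, never on a plain-http listener.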

I use Let's Encrypt with a cronjob using acme.sh to renew certs on my NC-Server. With that it does not matter whether IPv4 or IPv6 is used. In fact, if the FQDN resolves to both an IPv4 and an IPv6 address, Let's Encrypt / acme.sh prefers IPv6.


likely 101: Split-Brain DNS is what you are looking for…
