Limit access to web ui to local network only, allow apps from anywhere

For security reasons I want to have a setup like this:

  • access for iOS and Android apps as well as CardDav/CalDav from anywhere
  • access to Web-UI (and login page) only from local network

Is there a way to do this?

I have a reverse proxy (Nginx) running, and Nextcloud runs as fpm with Nginx in front.

I myself prefer to use a VPN to access vulnerable data from Wi-Fi and the Internet, while only the LAN has direct access.

And to your question: as I understand it, DAV is handled by remote.php, while the UI is handled by index.php. Then there is ocs/v2.php, which is called regularly to check for notifications. You can have a look at your access logfile and see what other URIs are fetched by the clients. Then you could try limiting your nginx (reverse proxy) to serve foreign IPs only remote.php and ocs/v2.php and whatever else you find necessary in the logfile, while your local clients access the fully served application.

Hope it helps and gets you a little further.
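
The log check suggested in the reply above can be scripted as a dry run of the proposed rule before it goes into nginx. This is an added example, not part of the original posts; the LAN range, the nginx "combined" log format and the sample lines are assumptions.

```python
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Assumptions, not from the thread: LAN range and nginx "combined" log format
# (ip - user [time] "METHOD target PROTO" status ...).
LAN = ipaddress.ip_network("192.168.1.0/24")
# Entry points the answer proposes to keep reachable from outside the LAN.
ALLOWED_OUTSIDE = ("/remote.php", "/ocs/v2.php")
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+) [^"]*" \d{3} ')

def entry_point(target):
    """Reduce a request target to its entry point: /remote.php/dav/x -> /remote.php."""
    path = unquote(target.split("?", 1)[0])
    # Collapse // and resolve ../ so the path is judged in normalized form.
    path = posixpath.normpath(re.sub(r"/+", "/", path))
    m = re.match(r"(.*?\.php)(?:/|$)", path)
    return m.group(1) if m else "/" + path.lstrip("/").split("/")[0]

def dry_run(lines):
    """Return (would_pass, would_block) Counters for requests from outside the LAN."""
    passed, blocked = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        try:
            outside = ipaddress.ip_address(m.group(1)) not in LAN
        except ValueError:
            continue  # first field is not an IP address
        if outside:  # LAN clients keep full access, so only outside requests count
            ep = entry_point(m.group(2))
            (passed if ep in ALLOWED_OUTSIDE else blocked)[ep] += 1
    return passed, blocked

# Constructed sample log lines (documentation address ranges, made-up clients).
T = '[10/Jan/2024:10:00:00 +0000]'
SAMPLE = [
    f'203.0.113.7 - alice {T} "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 512 "-" "app"',
    f'203.0.113.7 - alice {T} "GET /ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1" 200 74 "-" "app"',
    f'203.0.113.7 - - {T} "GET /status.php HTTP/1.1" 200 150 "-" "app"',
    f'198.51.100.9 - - {T} "GET /index.php/login HTTP/1.1" 200 9000 "-" "browser"',
    f'192.168.1.20 - bob {T} "GET /index.php/apps/files/ HTTP/1.1" 200 9000 "-" "browser"',
]

if __name__ == "__main__":
    passed, blocked = dry_run(SAMPLE)
    print("would pass:", dict(passed), "would block:", dict(blocked))
```

Run it against the log of the proxy that sees the real client addresses. Entry points that show up under "would block" are the ones to review before the restriction is enforced.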

Thank you very much.
I also prefer VPN but I have a few users using my private Nextcloud using apps on iOS and Android. But they aren’t using the UI so that’s why I want to have this setup.
I’ll check my logs.
