Nextcloud Configuration with Intranet Access (Tailscale) and Secure External Shares (via Tailscale Funnel)

Hello Nextcloud Community,

I manage a Nextcloud instance on a Synology NAS via Docker, and I’m looking to configure access specifically for my business needs, using Tailscale.

My objective is twofold:

  1. Private Internal Access: For my internal users, Nextcloud is fully accessible via a private Tailscale virtual network (e.g., https://nextcloud.mydomain.ts.net). This access works perfectly and is secure.
  2. Controlled External Shares: I want public sharing links generated by Nextcloud to be accessible to external users (non-VPN) via a dedicated public URL (for example, https://share.mydomain.com).

The challenge lies in the fact that I have no open ports on my router for security reasons. For public sharing exposure, I’m using Tailscale Funnel, a service that establishes an outbound tunnel from my Synology. A Docker reverse proxy (tsbridge) is used to direct traffic to my Nextcloud container.

Nextcloud automatically generates sharing links. Currently, my config.php is configured for internal access.

My questions are:

  1. Share URL Management: How should I configure config.php (specifically overwrite.cli.url, overwritehost, trusted_domains, trusted_proxies) so that Nextcloud generates sharing links with https://share.mydomain.com, while still functioning normally for internal access via https://nextcloud.mydomain.ts.net?
  2. Selective Exposure: Does Nextcloud have mechanisms (e.g., within the container’s internal Apache/Nginx, or via modules) that could help limit public domain access (share.mydomain.com) strictly to sharing paths (/s/), to prevent the login page or other interfaces from being publicly accessible? My reverse proxy (tsbridge) seems to expose ports rather than filter paths.
  3. Intranet/Extranet Deployment Recommendations: Are there any recommended configurations or “best practices” for Nextcloud in an environment where the primary access is via VPN (like Tailscale) and only shares are intended to be public and ultra-secure?

Any advice or configuration examples would be greatly appreciated. Thank you!
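As an added illustration (not part of the original post or the replies), a config.php fragment for the two-hostname setup described above: both hostnames are trusted, only the reverse proxy is allowed to supply forwarded headers, and the host overwrite is applied only to requests arriving from the Funnel proxy. The proxy address 172.18.0.5 is a placeholder for the tsbridge container's IP, and the fragment assumes the Funnel path reaches Nextcloud from an address distinct from internal Tailscale traffic.

```php
<?php
// Added example, not from the original post. Addresses and hostnames are
// placeholders standing in for the poster's environment.
$CONFIG = array (
  // Both hostnames must be trusted, otherwise Nextcloud refuses the request
  // (the "untrusted domain" page).
  'trusted_domains' =>
  array (
    0 => 'nextcloud.mydomain.ts.net',
    1 => 'share.mydomain.com',
  ),

  // Only this address may set X-Forwarded-* headers. Forwarded headers from
  // any other source are ignored, so clients cannot spoof their origin.
  // Placeholder: the tsbridge container IP.
  'trusted_proxies' =>
  array (
    0 => '172.18.0.5',
  ),
  'forwarded_for_headers' =>
  array (
    0 => 'HTTP_X_FORWARDED_FOR',
  ),

  // Apply overwritehost/overwriteprotocol only when REMOTE_ADDR matches this
  // regex, i.e. when the request came in through the Funnel proxy. Requests
  // arriving directly over Tailscale keep their own Host header and continue
  // to see nextcloud.mydomain.ts.net.
  'overwritecondaddr' => '^172\.18\.0\.5$',
  'overwritehost' => 'share.mydomain.com',
  'overwriteprotocol' => 'https',

  // Used for URLs built where there is no HTTP request to inspect
  // (occ, cron, notification e-mails).
  'overwrite.cli.url' => 'https://nextcloud.mydomain.ts.net',
);
```

Nextcloud builds absolute URLs from the host of the request being served, so a share link copied from the internal hostname will still carry nextcloud.mydomain.ts.net; this fragment ensures that pages and links served through share.mydomain.com are generated with that hostname rather than leaking the internal one. Restricting the public hostname to /s/ paths is a reverse-proxy or Apache-level decision and is not covered by config.php.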

Found your post in a Google search.
I got it working:
tsbridge.service.name=nextcloud
tsbridge.enable=true
tsbridge.service.insecure_skip_verify=true
tsbridge.service.backend_addr=https://192.168.1.3:5443