Nextcloud - Geoblocker

Hello everyone,

I installed Nextcloud version 32.0.8 on Ubuntu 24.04.4 LTS. Several ports and other connections are blocked by the firewall, but I want to allow web access to Nextcloud only from the DACH region (Germany, Austria, Switzerland).

Does anyone here have experience with “geoblocking without a proxy” or with the Nextcloud app “Geoblocker” (GeoBlocker - Apps - App Store - Nextcloud)?
Maybe there are other options as well? :slight_smile:

Thanks in advance!

Best regards,
Forest

It’s a common idea to allow connections only from specific regions to “improve security”, but in the end it’s no more than snake oil with no real security benefit. It only avoids connections from really dumb scanners, which are not dangerous for applications with a moderate security level and above.

Attackers could easily use a VPN, a VPS or other means to initiate connections from allowed regions and get around your restrictions, so relying on such a measure only gives you a false sense of security. You’d better invest in real security like MFA, monitoring and, most importantly, good backups.

Hi @wwe,

thank you very much for your answer.
MFA for all users, monitoring, and backups are already set up and working as expected. The firewall is also configured appropriately for access via the web and SSH (including MFA).

However, I’m still very interested in the topic of “geoblocking,” and of course I don’t want to “lock myself out.” :sweat_smile:

I know there are several third-party modules for Caddy that could be used to achieve this. But you would then need to use Caddy as the web server, or as a front proxy in front of it.

Search for geo on this page:

https://caddyserver.com/docs/modules

However, I have never used it and it may contravene the following requirement:

Thank you. I will check this out. :slight_smile:

I agree with this statement and disagree with it at the same time.

That is a very controversial topic :grinning_face_with_smiling_eyes:

I have seen this more on the server side: server ISPs try to get IPv4 address space, and the old location of such an IP address remains in public databases for quite some time (even Google, Cloudflare etc.).

This especially happens when you don’t expect it: you are on holiday, you share files with someone outside the allowed IP range, security checks won’t work, renewing a Let’s Encrypt certificate, …

That’s nothing to laugh about… I just tested this, more or less the same as you suggested: whitelisting (DE, AT, CH)… and guess what, I was locked out :astonished_face: → as long as you have access to the server, you can disable the app with occ app:disable <appname> and all is well.
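The two failure modes the thread describes (a VPN exit inside the allowed region sails through, while a legitimate user whose address block still carries a stale location gets locked out) are easy to reproduce in a few lines. The following is an added example, not code from the Nextcloud Geoblocker app or from anyone in this thread; the GeoIP table, the address ranges and the admin break-glass address are all constructed for the demo and are not real geolocation data.

```python
"""Country allow-list check (DE/AT/CH) with an explicit admin break-glass list.

Added example, not the Geoblocker app's code. The GEOIP_TABLE below is a
constructed stand-in for a real GeoIP database; every address is a
documentation range (RFC 5737) and every country assignment is assumed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed GeoIP table: (network, ISO 3166-1 alpha-2 country code).
# The 203.0.113.0/24 entry models the stale-record problem from the thread:
# assume the block was reassigned from a US hoster to a German ISP, but the
# public database still says "US".
GEOIP_TABLE: List[Tuple[str, str]] = [
    ("192.0.2.0/24", "DE"),       # assumption: ordinary German access network
    ("198.51.100.0/24", "DE"),    # assumption: VPN exit nodes located in Germany
    ("203.0.113.0/24", "US"),     # assumption: stale record, block now used in DE
]

ALLOWED_COUNTRIES = {"DE", "AT", "CH"}

# Break-glass list: addresses that may always reach the server regardless of
# what the geo database claims, so an admin cannot lock themselves out.
# Constructed value; in practice this would be your own static address or VPN.
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]


def lookup_country(ip: str, table: List[Tuple[str, str]] = GEOIP_TABLE) -> Optional[str]:
    """Longest-prefix match of ip against the table; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.ip_network, str]] = None
    for net_str, cc in table:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def is_allowed(ip: str,
               allowed=ALLOWED_COUNTRIES,
               admin_allowlist=ADMIN_ALLOWLIST,
               table=GEOIP_TABLE) -> Tuple[bool, str]:
    """Return (decision, reason). Unknown addresses fail closed."""
    addr = ipaddress.ip_address(ip)
    # Break-glass check first: this is what keeps the admin reachable even
    # when the geo database is wrong about their own address block.
    if any(addr in net for net in admin_allowlist):
        return True, "admin allow-list"
    cc = lookup_country(ip, table)
    if cc is None:
        return False, "no geo record (fail closed)"
    if cc in allowed:
        return True, "country %s allowed" % cc
    return False, "country %s blocked" % cc


if __name__ == "__main__":
    for label, ip in [
        ("German home user", "192.0.2.5"),
        ("attacker via DE VPN exit", "198.51.100.7"),  # passes: geo says DE
        ("German user on reassigned block", "203.0.113.20"),  # locked out: stale record
        ("admin on reassigned block", "203.0.113.10"),  # saved by break-glass list
        ("address with no geo record", "10.0.0.1"),
    ]:
        ok, why = is_allowed(ip)
        print("%-34s %-14s %s (%s)" % (label, ip, "ALLOW" if ok else "DENY", why))
```

Run it and the second and third lines make the point of the thread: the VPN exit is allowed because the database says "DE", and the legitimate user on the reassigned block is denied because the database still says "US". The break-glass list is the in-band equivalent of the `occ app:disable` recovery mentioned above; without it, or without server-side access, a stale record is enough to lock the admin out.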

agree with @wwe :100:

Instead, use either TOTP, TOTP2Mail, U2F or even cloud notification… but use MFA :exclamation_question_mark: