Nextcloud login page facing the entire world. Risky? Workarounds?

Looking for tips/solutions to not show your login page towards the web.

I have installed a Nextcloud instance on my home Linux server. Plan to use it as a collaboration server, professionally. I have obtained a domain name and all of that. So now, my Nextcloud login page is facing outwards towards the entire world, for everyone to see… (this one: https://www.turnkeylinux.org/files/modules/image/nextcloud_login.jpg)

This makes me concerned. I would really prefer if the login page did not make it obvious, to any potential passer-by, that there is a live Nextcloud server installation running online here.

To me, it feels like a security risk. An open invitation, attracting portscanning semi-gifted script-kiddies with no girlfriends and way too much time on their hands to “have some fun” and mess with the Nextcloud server. Even try to break in somehow, or simply DDoS it just for fun. Or even disciplined cyber-pirates etc etc.

I would really prefer the contents of my domain to be as low key as possible, and the Nextcloud installation only known to the people I will be working with. I would prefer if the first page was … I don’t know, something else. Not a “hello, here is a server with a login form, with unknown resources in it for you to discover and mess with”.

I’m not doubting the native security of the Nextcloud portal so much. And I don’t traffic in sensitive material or transactions, so I’m not a huge potential target for sabotage or intrusion. I just don’t want to attract potential trouble. I thought about putting up a sign saying “Beware! Aggressive guard dogs on premises”. Not sure it’ll deter :stuck_out_tongue:

Do you keep your Nextcloud login page facing the entire world?
Do you have security or privacy concerns from this?
Did you arrange a custom solution to address this? If so what did you do, and how did you think about it?

Would love to hear other people's impressions and thoughts about this.
thx

Nextcloud is designed to be accessed over a standard https connection, but if that isn’t good enough you could:

  • Install the two factor authentication app and force all users to adopt it. I recommend this.

This would be the standard best practice. If that isn’t good enough:

  • Funnel Nextcloud access only through a virtual private network, such as OpenVPN or WireGuard (or Tor), and force all your users to join it.

This would mean only someone with access to your VPN will have access to the services running within it. You’ll want to consult guides for this online. It is standard practice for universities, schools, governments, and paranoid hobbyists.
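One way to implement the VPN-only funnel described above, as an added example that is not from this thread or from Nextcloud's own documentation: the nginx vhost that already serves Nextcloud is allow-listed to the WireGuard subnet, so the login page is never even rendered for anyone arriving from the public internet. The hostname cloud.example.com, the subnet 10.8.0.0/24, the certificate paths and the PHP-FPM socket are assumed values to be replaced with your own.

```nginx
# Added example, not Nextcloud project configuration. Assumed values:
# WireGuard interface wg0 hands out 10.8.0.0/24; Nextcloud lives in
# /var/www/nextcloud; PHP-FPM listens on /run/php/php-fpm.sock.

# Weak setting (what a default install does): no allow/deny at all,
# so the login form answers every address that can reach port 443.
#
#   server {
#       listen 443 ssl http2;
#       server_name cloud.example.com;
#       root /var/www/nextcloud;
#       ...
#   }

# Corrected setting: same vhost, but only VPN clients get past nginx.
# Everyone else receives a 403 before any Nextcloud PHP code runs, and
# the attempt is recorded in error.log as "access forbidden by rule".
server {
    listen 443 ssl http2;
    server_name cloud.example.com;
    root /var/www/nextcloud;

    ssl_certificate     /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;

    # Allow the WireGuard range and the host itself, deny the rest.
    # Order matters: nginx uses the first matching rule.
    allow 10.8.0.0/24;
    allow 127.0.0.1;
    deny  all;

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }

    location ~ \.php(?:$|/) {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

If another proxy or CDN sits in front of this host, nginx sees that proxy's address rather than the user's, so the allow/deny rules only mean something once the realip module is configured for it; also verify that the server has no second path to Nextcloud (a plain-HTTP vhost or a directly exposed PHP-FPM port) that bypasses this block.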

If you aren’t sure of either option, you could go the truly professional route:

  • Pay someone else to host Nextcloud for you.

This is actually the most common solution I’ve seen, so when anything goes wrong you can point the blame firmly at whoever is hosting your Nextcloud: “Man, can you believe the job xyzcloud is doing?? What am I paying those people for?!”

It is worth considering… being the last person in the line of defense is never ideal when other people rely on you to get their photos. We are all volunteers and many of us use a junker laptop or Raspberry Pi. Most are likely on a VPS or using a provider running on the same. If you are beyond hobbyist, and getting paid for this, reconsider how much responsibility this is worth taking on as one person.

Another quick note: if you are not backing your server up you might as well not be hosting anything for anyone. Just my .02, since Nextcloud is not a backup solution.


Hi…

Whoa, really. The title is like a beat for roasting you !!!

My landing page is open to the net!!! Ho boy, so, tell me, what did you expect from the landing page? To be closed down behind a firewall, and on a dial-up service using a 1-800 number??

Just answer is so just !!! :wink:

But honestly, if you are so afraid and looking for a low-level access, you can also log in via ssh keys, and start your apache/nginx on demand. And when finished with it, stop the service and shut down your server… This is extreme low-level protection…

I even wonder if your question was an April Fools' question!!! but 17 days later!!!

Thank you for making me laugh today !!!