Nextcloud on Tailscale and SSL certs

šŸ·ļø General
1

Iā€™ve already posted on Tailscale this question but I wanted to make sure I cover the basis.
I basically want to know if it is possible to access Nextcloud from two different networks using two different HTTPS site domain names with two separate certificates.
Here is what I have and what I am looking for:

Tailscale_Nextcloud.drawio
Tailscale_Nextcloud.drawio701Ɨ1062 83.6 KB

Hopefully someone here can answer my questions from the graphic.

  1. Is it possible to have two different certs on the web server?

https://web.home.lan

https://web.tailxxx.ts.net

  1. Is a reverse proxy required in this scenario?
  2. If a reverse proxy is required, is that a separate server or can it be setup on the Nextcloud web server?

Thanks.

2

I think you do not need a reverse proxy as long as you donā€™t need ports 80 and 443 for other purposes than the web server. I think your webserver can handle two virtual domains to the same Nextcloud path with different SSL certificates. In Nextcloud you can configure.

  'trusted_domains' => 
  array (
    0 => 'web.home.lan',
    1 => 'web.tailxxx.ts.net',
  ),

But i think the biggest problem is the certificate for your local domain.

I would just use the domain web.tailxxx.ts.net for all users (better also for Android clients :grinning:). You might want to look at Hairpinning and NAT Traversal. Donā€™t think there is a security advantage to using an internal domain name web.home.lan from within. Then rather block the access from the outside or use VPN or 2FA without sharing permission, that brings you the greater security gain. :grinning: Alternatively, you can think about building two separate Nextclouds one for inside and outside and one for inside only. But this is a completely different setting. Your current setting cannot make this distinction between inside and outside.

3

Thanks for the response.
It would definitely make things a little easier if I just have every client on my LAN use the Tailscale network and not worry about web.home.lan and just use the Tailscale FQDN. Itā€™s definitely a strong consideration.

1 Like
4

Hi. Did you ever succeed getting access to your nextcloud container via tailscale fqdn?
I have started the AIO container, navigated to the fqdn :8080 page and can see the initial password and then the setup pagesā€¦ however it isnā€™t liking my tailscale fqdn when I submit it under ā€˜new aio instanceā€™ saying ā€œdns config is not set for this domainā€.
Any advice?
I have the container host on tailscale (with https cert) and a local pihole dns record setup.
Cheers

5

Iā€™ve managed to get through the domain check by starting the AIO container including the docker run flag --add-host machinename.tailnet.ts.net:[tailscale IP] and got the containers all up and running, but when clicking through to ā€˜open your nextcloudā€™ i get a SSL error ā€œSSL received a record that exceeded the maximum permissible lengthā€ :frowning: