Nextcloud security decisions

I’m looking into setting up NC on what is essentially a distributed intranet: a server on the internet, accessible only via SSH tunnels to lightweight nodes, which make it available over WiFi, and with VPN for mobile use. What it all amounts to is that the server is not accessible from the internet, only via SSH / VPN / WPA2. In other words: all the access paths are encrypted.

My question is: is there any reason to set up NC as HTTPS, i.e. using SSL, in this specific context?

My thinking is that this would merely double the compute overhead (some parts are fairly slow / low-power), so I might as well just have the client coming in through WiFi use plaintext HTTP.

I would appreciate any guidance & tips people on this forum can give, regarding the trade-offs involved.


Clients try to connect to the server. If you are not in your WiFi environment and somewhere else, the client tries to connect to the private IP address and it could happen that there is a host with the same IP where it sends a username and password… And it is worse with an evil WiFi operator…

Within your network, someone could try to intercept communication.

Thanks - that scenario hadn’t occurred to me. Indeed, that’s a risk.

I also found another one - most browsers now start to enforce HTTPS, or at least complain about non-HTTPS sites.

Risk of interception / snooping within the network is less important here.

But yeah, https and certificates - looks like I’ll have to use them here as well, even though the encryption in itself is not needed - but the authentication is.
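
The authentication point the thread arrives at, as an added example that is not part of the original posts: a private CA signs the server's certificate, and a client that trusts only that CA rejects a different host answering on the same private IP. The hostname, IP address, CA and file names are assumed placeholders, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example; hostname, IP and CA names are assumed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=cloud.lan.example   # assumed internal name of the Nextcloud server
IP=192.168.10.5          # assumed private address the clients connect to

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/x.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST,IP:$IP
EOF

# make_ca NAME: self-signed root certificate that clients import once.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/x.cnf" \
    -extensions ca_ext -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME: certificate for $HOST / $IP, signed by CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -extfile "$WORK/x.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" 2>/dev/null
}

# trusted CA NAME: the decision of a client that trusts only CA.
trusted() {
  openssl verify -CAfile "$WORK/$1.crt" -verify_ip "$IP" "$WORK/$2.crt" \
    >/dev/null 2>&1
}

make_ca home-ca;  issue home-ca nextcloud   # your own server
make_ca other-ca; issue other-ca impostor   # another host claiming the same IP
trusted home-ca nextcloud && echo "own server: accepted"
trusted home-ca impostor  || echo "same IP, unknown CA: rejected"
```

The rejection happens during the TLS handshake, before the client sends any username or password.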