Nextcloud using Public IP address

I have (4) different public IP addresses. I am going to use one for Nextcloud. Having read almost all the firewall/security topics in this forum, I am now frozen!

There is no firewall between the internet and my Nextcloud machine. I do not have a DMZ. I already have port 443 forwarded from my router to an IIS box. My configuration is:
- Gateway with (4) public IP addresses
- A small Windows web server connected to the gateway using a public IP address
- I am thinking of putting my Nextcloud server here as well.
- Port 443 forwarded to another IIS box behind an ASUS RT-AC87R firewall/router

  • Is this a proper/safe way to put the Nextcloud server online?

  • I will get a domain and an SSL certificate from Namecheap

  • Will a Linux software firewall be sufficient?

My installation will be using a VM with:
Ubuntu Server 16.04 LTS
Nextcloud Server 12.0.1
Apache 2.4
PHP 7.0
PostgreSQL 9.6
Redis Server 3.1
Webmin 1.850

Hello Steve,

In order to run Nextcloud from the network you don't need to open any port except 443 and 22 (unless you want to log in via console, but I suppose you don't).

This means you have to provide public access to port 443. If you use a firewall that prevents anyone from connecting to other ports, there aren't many differences between a public IP address and forwarding port 443 of another public IP address to the Nextcloud server.

If an attacker found a way to exploit a bug in the Nextcloud code and gain privileged access to the server, it would be better to be in a segregated network, but I think it would be too late.

So, if you're worrying about the Nextcloud server itself and its contents, I think it doesn't matter.

Instead, if you also want to protect the other servers in your network, I think you should add a firewall between the network and the Nextcloud server, restricting everything you don't need.

(I’m not even talking about reverse proxy, web application firewall and other expensive solutions…)

Of course, if you want to access the Nextcloud server via FTP, CIFS, NFS and/or use internal network resources like remote storage, LDAP authentication, backup servers and so on, this goes far beyond public vs. private IP addresses.

So, IMHO, you can choose almost freely between a public and a private IP address, because you would be adding very little security by using a private address.


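As an added example of the host firewall the reply describes (allow only 443 from anywhere, 22 only from a management network, drop everything else), here is a script that renders and optionally applies a default-deny iptables ruleset on the Ubuntu 16.04 VM. This is not code from the thread or from the Nextcloud project; the management CIDR `192.0.2.0/24`, the `MGMT_NET` and `APPLY` variables and the `fw-drop:` log prefix are assumptions:

```shell
#!/usr/bin/env bash
# Added example (not from the thread): render a default-deny iptables ruleset
# for a Nextcloud host that exposes only TCP/443 to the internet and TCP/22
# to a management network. Assumptions: MGMT_NET (TEST-NET-1 here) is a
# placeholder for your own admin network; Ubuntu 16.04 with iptables-restore.
set -euo pipefail

MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # assumed management network, replace with yours

# Print an iptables-restore ruleset for the given management CIDR.
render_ruleset() {
    local mgmt="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is needed when Redis and PostgreSQL listen on localhost
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (apt, LDAP, SMTP, backups ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Keep the box pingable for diagnosis, but rate-limit it
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# The only service the internet may reach: HTTPS for Nextcloud
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the management network. Webmin (10000), PostgreSQL (5432)
# and Redis (6379) are deliberately not opened to anyone.
-A INPUT -s ${mgmt} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Log a sample of what is dropped, then fall through to the INPUT DROP policy
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Number of INPUT rules that open a port: a quick sanity check before applying.
count_open_ports() {
    render_ruleset "$1" | grep -c -- '--dport'
}

# iptables-restore replaces the whole table atomically, so a typo never leaves
# a half-built ruleset behind. Requires root.
apply_ruleset() {
    render_ruleset "$1" | iptables-restore
}

# Stand-alone: print the ruleset for review; apply only when asked explicitly.
if [ "${APPLY:-0}" = "1" ]; then
    apply_ruleset "$MGMT_NET"
else
    render_ruleset "$MGMT_NET"
fi
```

Review the output first (`./nextcloud-fw.sh`), then `sudo APPLY=1 ./nextcloud-fw.sh`. Two caveats the thread does not spell out: iptables only filters IPv4, so if the VM also has a public IPv6 address the same policy has to be loaded with `ip6tables-restore` or the door is wide open over v6; and the rules are lost on reboot unless persisted, on Ubuntu 16.04 typically via the `iptables-persistent` package and `/etc/iptables/rules.v4`. Webmin stays reachable only through an SSH tunnel from the management network, which is what a box on a bare public IP should look like.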