Nginx + Nextcloud -> Possible to use URL suffix?

Hello,

I have a public domain, which is mapped to my home router’s public IP via DynDNS. In the router I have a port forwarding active to route all 80 + 443 requests to my Ubuntu Server on which I have Nextcloud running behind an nginx reverse proxy. Both are running as Docker containers.
All above is running fine now.

My question:
Would it be possible to configure that the nextcloud is not reachable directly via using the domain, but to have a suffix in the end?
So currently the domain (example) https://foo.bar leads to my nextcloud login page, but I would like this URL not to be answered, but only https://foo.bar/cloud to be valid and to show my login screen.
Is such a thing possible via nginx and nextcloud config?

Background is that I want to be a little safer from script kiddies that just brute force through the top domains they find.

Any input or reference to existing docu is appreciated!

Maybe this will help…

bb77 has provided you with a big clue to the answer. Short version ‘yes’, you can have url access as you describe. In fact, if you manually install Nextcloud, chances are you will end up installing it such that you access it via https://foo.bar/nextcloud. I actually deliberately install my Nextcloud services to give access via https://cloud.foo.bar/, but to each his or her own, right? :slight_smile:

Your web server (http(s)://foo.bar/) has a root directory (e.g. and commonly /var/www under linux anyway). If you install Nextcloud in a sub-directory i.e. as /var/www/nextcloud/ in that web-root then it is typically accessed via http(s)://foo.bar/nextcloud. If you further install it in an even more nested directory, such as /var/www/really-challenging-name/nextcloud then, all things being equal, your url access is http(s)://foo.bar/really-challenging-name/nextcloud.

As long as you correctly set up nested directories, and edit your nginx config file to correctly point to these sub-directories AND give correct permissions to the web service on your system (on Apache 2 under linux, that’s done via sudo chown -R www-data:www-data /var/www/) then you can get your obscurity.

For even greater flexibility, you can use a front-end proxy for your system (which is what I do): I run ‘haproxy’ as my gateway exposed to the internet. All web traffic to my system comes via the main house router and then haproxy. I direct traffic to different web servers based on the incoming url. So I have several very restricted web servers - one for nextcloud (for my work), one for another nextcloud system (personal stuff), a web-based document server (OnlyOffice) and one for a web site I own, host and operate (I used to own/operate two - just as easy as one from a traffic management perspective).

If you can imagine it, you can probably configure it in nginx/apache2 (or a combination thereof using e.g. haproxy).

However, security via obscurity (your goal, believe it or not) is not very good. At best, it will stop some traffic, but not e.g. a persistent attack. I suggest you use the built-in features of Nextcloud to inhibit system hackers - you can ban IP regions and certainly slow down brute-force attacks. 2FA logons will help enormously btw - dead easy on Nextcloud. Some often do both - obscurity and hardening - and that’s never a bad solution, because it involves the all-important hardening.

Good luck

Andrew

Hi all,

thanks for your hints. I was hoping someone could help me out with a bit more details in regards to my setup, but it’s understandable that this doesn’t happen :smiley:

I am using the official docker images and by doing so, the URL is not /nextcloud, unfortunately.
But anyway, reading through the documentation once again, I believe I have an idea on which places to try out.
Not sure though if I will really do it, as it bears the risk that I break my working setup with this.

As per your “security by obscurity” argument, I know that this measure would not make my nextcloud safe, but it seemed to me like a good measure against attackers that just scan through publicly available addresses to find targets to attack. Just one of many measures of course.

https://scan.nextcloud.com/ gives me an A+, so I do not solely rely on this obscurity :wink:

So as to wrap up this thread, I will not do this suffix thing for now, but keep it in mind, + I will think about adding more hardening measures, like hinted to in your last post wizlon…
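
For readers with the same setup (nginx reverse proxy in front of the Nextcloud Docker container), this is one way the `/cloud` prefix from the question could be configured. It is an added example, not taken from any post in this thread. It assumes the Nextcloud container is reachable from nginx as `nextcloud` on port 80 and uses placeholder certificate paths; the `config.php` keys in the comments are Nextcloud's reverse-proxy overwrite parameters.

```nginx
# Added example. Assumed names: upstream container "nextcloud" on port 80;
# certificate paths are placeholders.
#
# Nextcloud side (config/config.php), so generated links carry the prefix:
#   'overwritewebroot'  => '/cloud',
#   'overwriteprotocol' => 'https',
#   'overwrite.cli.url' => 'https://foo.bar/cloud',
#   'trusted_proxies'   => ['<proxy container IP or subnet>'],

server {
    listen 80;
    server_name foo.bar;

    # Only the real prefix is upgraded to HTTPS; everything else is dropped.
    location /cloud/ { return 301 https://$host$request_uri; }
    location /       { return 444; }
}

server {
    listen 443 ssl;
    server_name foo.bar;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/privkey.pem;    # placeholder

    # Bare domain and every other path: close the connection without a reply.
    location / { return 444; }

    # Normalise the prefix without the trailing slash.
    location = /cloud { return 301 /cloud/; }

    location /cloud/ {
        # The trailing slash on proxy_pass strips "/cloud/" before forwarding,
        # so the container still serves Nextcloud from its own root.
        proxy_pass http://nextcloud:80/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        client_max_body_size 512m;    # constructed value; size to your uploads
        proxy_request_buffering off;  # stream large uploads to the backend
    }
}
```

Sync and mobile clients then need the full `https://foo.bar/cloud` address, and if certificates are renewed over HTTP-01, `/.well-known/acme-challenge/` needs its own `location` on port 80. The prefix only cuts down unsolicited scanner traffic; the brute-force protection and 2FA discussed above remain the actual controls.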