Noob Question about AIO security

Hello! I am new to Nextcloud and this sort of IT/Server stuff. I was initially looking at running Nextcloud AIO in a Docker container on Windows using Cloudflare Tunnels as my security measure. However, upon some brief research about what Nextcloud AIO is, it seems like that may be unnecessary…? I do want my server accessible globally by a domain, but I want to make sure I expose my network as safely as possible. Can I simply use a service like DuckDNS, forward the required ports on my router, and call it good? Is that safe, or should I use an external proxy like NGINX?

Thanks in advance!

it seems like that may be unnecessary…?

Yes, no, maybe. Security is tricky and it depends on the effort you want to employ. It boils down to “how long is a piece of string”.

Opening a port on your firewall comes with a lot of risks. You are granting the world access to a subset of your home network. Typically, at a minimum, you should:

  • Deploy a DMZ, isolating your externally accessible server from the rest of your network.
  • Set up monitoring to detect unusual activity.
  • Have an update schedule/auto-updates to avoid security issues.
  • Other attack surface mitigations like geo-blocking. I personally like geo-blocking for small deployments as it’s quite simple and surprisingly effective.

That said, I would always recommend using a VPN, especially for a “Noob”.

VPNs like WireGuard, or a more user-friendly option like Tailscale, are a VERY good option for beginners, mainly because they are extremely secure, easy to set up, don’t introduce many complications and, if you use something like Tailscale, don’t require any manual firewall shenanigans.

You mentioned Cloudflare Tunnels; they are a nice option and allow ad-hoc, domain-based access, whereas a VPN requires application setup. Each comes with some downsides and upsides, such as complications regarding access setup and limitations due to architectural choices some applications use. VPNs tend to be the more robust, secure and simple option IMHO.

Is that safe, or should I use an external proxy like NGINX?

It’s not necessary to have an external proxy; the AIO package has a containerized proxy that is up to date and well configured. You won’t provide additional security benefits, at least out of the box.


Security is a matter of the entire path and infrastructure, not the final “destination” only.

Hi @limejello404, welcome to the forum :handshake:

Please review this post to understand the most important security measures of a Nextcloud system: “How to maintain, check and improve the security of your Nextcloud installation?”