Only make share links publicly accessible

Version: latest, doesn’t really matter

I’m running Nextcloud docker on UnRAID and I want to be able to share links with friends over the public web but disable the default login page and access my personal files only from within my LAN or remotely via VPN.

I know this can be done with multiple server and location blocks in the nginx site config but I can’t get it to work. Any tips?

Got it in one!! You need to configure something (reverse proxy/nginx/whatever) to only allow access to a URL with /s/ in it. Such as https://sub.domain.tld/s/PTHRfXzbTp7ATAg

All other URL requests need to be blocked.

How you do this is up to you. We can’t configure your system for you, but I would start by looking at how the official nginx configuration in the handbook handles this and go from there.

I got it working. I added these two location blocks to the default server block:

location = / {
    deny all;
}
location /apps {
    deny all;
}

and kept the original / location block:

location / {
    rewrite ^ /index.php;
}

Now I can’t access / or /apps/files (previous session still valid) by default.

Then I added another server block with the default settings and

server_name 192.168.X.X 10.8.Y.Y;

to access from LAN and VPN.

Keep in mind this is not the same thing as allowing only /s/.

You’re right, but only allowing /s/ breaks things…

The goal is to allow file sharing externally and nothing else, correct?

/s/ allows access to your shares. Particularly direct download links such as https://sub.domain.tld/s/TqSSmAki5to99g5/download or preview.

It (likely) won’t allow direct browsing on the website but the actual shares should still download with a direct link.

I know, but disabling the default location block:

location / {
    rewrite ^ /index.php;
}

breaks all access including /s/.

But I never said to disable the default location block 🙂

Personally I would leave everything as is on the main server and set up a reverse proxy that only serves content from /s/. Keep in mind this is well outside of the normal configuration and requires the knowledge to do so.
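
A sketch of the reverse-proxy approach suggested above, added here as an example and not posted by anyone in the thread. The hostname share.example.com, the backend address 192.168.0.10:8080 and the certificate paths are assumptions; the Nextcloud server's own nginx config stays untouched.

```nginx
# Added example (not from the thread). Public-facing reverse proxy that
# forwards share links only. Hostname, backend address and certificate
# paths are assumed placeholders.
server {
    listen 443 ssl;
    server_name share.example.com;                        # assumed public name

    ssl_certificate     /etc/nginx/certs/share.example.com.crt;  # assumed path
    ssl_certificate_key /etc/nginx/certs/share.example.com.key;  # assumed path

    # Allowlist: share URLs such as /s/<token>, /s/<token>/download
    # and /s/<token>/preview are passed to the internal Nextcloud.
    location /s/ {
        proxy_pass http://192.168.0.10:8080;              # assumed backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default deny: /, /login, /apps/ and every other path are refused
    # here. A blocklist of "= /" and "/apps" alone leaves all remaining
    # paths to the other location blocks.
    location / {
        return 403;
    }
}
```

As noted in the thread, direct download links should work through this, while the share landing page may not render because it loads resources from paths outside /s/.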

I’m using NginxProxyManager…

Thanks for your help!

Can I ask another question?

I want my share links to contain the domain name instead of the local/VPN IP that I used to access Nextcloud.

When changing my config.php to include

'overwritehost' => 'domain.com',

I get redirected to domain.com/login when accessing Nextcloud by IP, which is blocked since it’s not in /s/.

Any hints how to get this working?