Not sure if I am posting in the right section, feel free to move the topic in another section if it is not the case.
I have set up a personal Nextcloud server (12) on a Debian 9 virtual machine, which runs a Tor hidden service (.onion) on port 80. Remote Linux clients access the Nextcloud server through the Nextcloud client app using SOCKS 5 proxy at 127.0.0.1:9050 (common Tor settings) in the app network settings, while Windows clients access it using the tunnel created by Tor Browser (port 9150 I guess).
It works well, although a bit slow as can be expected. I chose to run the Nextcloud server on Tor for security (natural encryption) and ease of use (no need for port forwarding on the router or static IPs configuration), not for paranoid anonymity needs or criminal reasons.
However, I find out that in order to make it work, I had first to declare the .onion Nexcloud address as trusted in the server config file. I guess it is the usual setting for all configurations, Tor or clearnet. The problem is that now the Nextcloud server portal is accessible through Tor Browser. It is not a very big deal (still protected by username and password), but ideally I would not like the Nextcloud web portal to be remotely accessed. I don’t want users to be able to login through the portal other than through the server’s local IP address (i.e. 192.168.XX.XX).
Is there any way to configure Nextcloud so as the web portal is not remotely accessible, while still enabling the service to be accessible to clients using the Nextcloud client app?