Restrict access to Nextcloud, but leave access to download published files from Internet

How can I restrict access to Nextcloud only for local network users, but leave access to download published files via links for the entire Internet?

Can you be more specific about what you need? What do you want your Nextcloud users to be able to access locally? Or should they not be able to access Nextcloud download links either? That would be pretty nonsensical unless you basically ban the entire Internet from the inside.

I need domain users not to be able to log into nextcloud from the internet, but only from a local network. But at the same time, it is impossible to completely block access from the Internet, because files published by links must be accessible from the Internet.

The only thing you could do is this:

Create (a) group folder(s) from where the files should be shared.

Every user that should be able to create shared content to the internet should be a member of the group that owns the group folder.

As soon as the person leaves the local network (work environment), his account could be deactivated. Now he cannot log in to his account/to the cloud but the links are still present, since they are not from within his (now deactivated) account filesystem.

The account deactivation / activation could be done by cron in a certain time window but can be done manually as well by an admin user or by a script that is triggered by a login on a local domain controller or so…

That’s the best way I can think of that would only come close to what you want.

@lex.hatred

…or you could try adding something like the following to your Apache config:

<Location /login>
# Apache 2.2-style access control (on Apache 2.4 this needs mod_access_compat).
# With "Order deny,allow" the Deny rule is evaluated first and any matching
# Allow overrides it, so only the listed private ranges reach the login page.
Order deny,allow
Allow from 10.0.0.0/8
Allow from 172.16.0.0/12
Allow from 192.168.0.0/16
Deny from all
</Location>

However, I have no idea what happens when someone who is already logged in is leaving the company network with his or her device. I would guess that this person would still be able to continue using Nextcloud normally as long as the existing session token is valid. However this should at least prevent new logins for everyone connecting from outside of the allowed IP ranges.

Note:
This is how it behaved on my test instance after a quick test. I’m not a security expert and I don’t know for sure whether it’s possible to work around this, so take this with a grain of salt. :wink:

EDIT:
Or maybe you could do it the other way around, and only allow <Location /s> from IP ranges outside your private IP ranges.
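The same split (login page only from the LAN, share links from anywhere) written in the Apache 2.4 `Require` syntax that replaced `Order`/`Allow`/`Deny`, as an added example that is not from this thread. It assumes Nextcloud is served at the root of the vhost, that the RFC 1918 ranges are the "local network", and that the `index.php` path prefix may or may not be in use.

```apache
# Added example, not the thread's own config. Apache 2.4 mod_authz_core syntax.
# Assumption: Nextcloud lives at "/" of this vhost; private ranges = local network.

# Public share links (/s/<token>) stay reachable from everywhere.
# Match with or without the index.php prefix, since <Location> is a prefix match
# and "/index.php/s/..." would not be covered by <Location "/s">.
<LocationMatch "^/(index\.php/)?s/">
    Require all granted
</LocationMatch>

# The browser login page is only reachable from the listed private ranges.
# Note: this covers the web login form only; desktop and mobile clients that
# already hold an app password authenticate against other endpoints.
<LocationMatch "^/(index\.php/)?login">
    Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
</LocationMatch>

# If Apache sits behind a reverse proxy, "Require ip" sees the proxy's address,
# not the client's. Let mod_remoteip restore the real client IP, trusting
# only the proxy itself (replace with your proxy's address, placeholder below):
# RemoteIPHeader X-Forwarded-For
# RemoteIPInternalProxy 192.0.2.10
```

Check the result with `apachectl configtest` before reloading, and verify from outside the LAN that `/login` answers 403 while an existing `/s/<token>` link still downloads.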

This thought came to me too, I think it has something really elegant.

But I’m not entirely sure, I think mobile devices probably wouldn’t be affected by this approach. At least not as long as they don’t explicitly log out beforehand.

Because of client malware that is not really a security feature. For a real web access security feature you must activate 2FA. And with 2FA you can also allow access from the internet.

Until Nextcloud 21 there was an app for you: Restrict login to IP addresses

The application was probably not important enough.
But maybe Nextcloud can make coffee from the next release. :coffee: