Router config for external access?

My raspberrypi nextcloud version 14 seems to be working from within my LAN. I want to set up external access but am wondering why I would need to set up port forwards for 80 and 443? It seems crazy to open those ports externally.

My questions are:

  1. Why do I need access on port 80 at all? I never want to interact with my cloud from the WAN using non-encrypted http and opening this port seems to be asking for trouble.

  2. Why can’t I just forward a random (443XX) external port to the pi 443 port for security? My external access could be (https://A.B.C.D:443XX) where A.B.C.D is my external IP and XX is a random 2-digit number. I have tried this but it does not seem to work. Why not?

  3. I assume I only need TCP forwarding, not UDP. Is this correct?

What have you done to make NC14 work in your LAN? Just flash an image to sdcard then boot?

NC14 runs on a web server. Web server listens to port 80 & 443. Just in case you overlook the basics.

I installed the latest nextcloudpi. I can access the web interface on the LAN but want external file access.

I think I got it. thx

Just to complete the answer to the question:
(1) you only need to open port 443 when you want to use the standard https connection, but this is not (yet) standard when browsing to an address
(2) this works (with NAT), but it depends on the settings of the router
(3) correct