Secure Nextcloud

Hi, I’m very new to Nextcloud, I installed with docker (thanks to portainer) on my Rpi 4 8GB, but now that I have configured duckdns and all, I am at the step to secure Nextcloud, HTTPS, Reverse Proxy.
I’ve wondering some things :

  • Is it better to not have nextcloud on internet and access only through VPN ?
  • Apparently we could secure it with cloudflare to protect my network ?
  • I have an unused Rpi Zero W, can I use it for reverse proxy ? Or is it better to put it on the same Rpi 4 than Netxcloud ?
  • And finally if Reverse Proxy and HTTPS is better, I really don’t know how to start using Portainer.

Thanks in advance for your time

Hi @d4rklynk

Not having something exposed directly to the internet will always be more secure obviously. Whether that is practical, depends on how you want to use your Nextcloud. If you for example want to share files with other people, it won’t work, if Nextcloud is behind a VPN.

…or you could secure your network yourself. But that of course requires learning on how to do that.

There is no real need for a local reverse proxy, if you are running only one application and the web server and the reverse proxy are running in the same subnet or even on the same device. I guess there can be a small increase in security, but only if you harden your server properly. Same goes for Docker. If for example everything is running as root on the same machine, you won’t gain much security. But I am not an expert when it comes to docker and how to set it up securely.

I guess you have to play around with it and learn. There are many tutorials out there how to set up a Docker stack using Portainer and reverse proxys. Search on Google and Youtube. Or you could use something that works out of the box like Nextcloud-AIO or the Snap package.

1 Like

How did you end up securing your Nextcloud? Interested because I’m in the same situation.

As described here… without the SE Linux part:

Additionally I have two factor authentication active for my accounts. (U2F with YubiKeys)

You should also make sure that your system is always up to date, preferably automated. I use unattended-upgrades for this.

Of course you can always do more. But I think, if you consider all this, you are doing already pretty good.

I did it with NextcloudPi, because it was easier for me xD

The advantage of a ready system like NextcloudPi is that the security settings are mostly good.

The most important thing for more security is knowledge.
Increase your knowledge. There are a lot of ways to secure Nextcloud.
But you do not get 100% and you do not need it.

To secure your account from outside use 2FA. Passwords are a security risk.
To secure highly sensitive data use client-side-encryption (end-to-end-encryption) (video)
TLS (HTTPS) is default. Without that use no internet service e. g. Nextcloud.

1 Like

I have HTTPS, when I do a check with Nextcloud I have an A (not A+ because apparently not on the latest patch, while I am on the 22.2.2)
I also did 2FA as I always do
I was just wondering if e2e was ok for Rpi4 8GB or is it really going to slow down my performance

I would not recommend to use Nextcloud’s E2E Encryption. If you want your data at rest to be encrypted, encrypt the disk on OS level. E2E Encryption adds another layer of compexity, is more error-prone and backups become more complicated, etc. The connection is already encrypted with HTTPS and you are thus sufficiently protected against man in the middle attacks. Also, your Raspi is most likely resting in your home, which means someone would have to break into your house to get the disk with the unencrypted data. The situation is of course different if you install Nextcloud in the cloud and don’t want the cloud provider to have access to the data. In this case, E2EE can make sense or even be the only option to prevent this.

1 Like

@bb77 @d4rklynk

Sorry that is not really the same. Client-side-encryption (e. g. AES-256 ZIP files, Boxcryptor, file system encryption, Nextcloud 2E2) is too complicated to explain the differences in a few lines here. Also perhaps you want use the data on different devices (PC and Mobile)? With Nextcloud 2E2 it is possible. With a lot of other solutions not. Also it does not really help you to encrypt the filesystem on your Nextcloud server. For using it must be decrypted. Only on clients it makes really sense to use a file system encryption.

My clients are laptop, workstation, and android

Yes. And if you have highly confidential data then the best way is Nextcloud E2E.
But then you can use every Nextcloud hoster who supports E2E.
And yes: I do not need and use it. Only for testing. :wink:
I must not use my highly confidential data in access on my mobile devices.

Any number of folders can be end to end encrypted.

You must not encrypt all stuff.

It depends on what kind of threat you want to be protected against. Yes, disk encryption only helps against physical access to the disk. But in many cases, especially for home users this is more than enough. Of course if someone hacks remotely into the server at runtime, the disk encryption is useless. But I think the risk that this happens is small, if the server is reasonably secured otherwise. The bigger risks for home users are malware on their client devices, fishing or generally malicious or insecure devices in the same network, where they keep their Nextcloud server.

Btw. I use neiter of those on my server, but I’ve been thinking about disk encryption though. But yes, if you don’t trust the person who operates the server, other users on the same server, admins etc. Client Side Encryption is surely a way to increase security massively. So massive that in the end not even you have access to the data anymore. :wink:

Seriousley: I think it’s overkill for a home server. But at the end of the day, everyone has to decide for themselves.


Thanks. That is all correct.

I think you have to decide for yourself how far you want to protect the data from third parties. There are a lot of security features. But at first you must understand them. A lot of them are not really useful for you.

1 Like

I think https, 2fa, are good enough for me, thanks for your help everyone ^^

As long as you keep everything up do date, only open Port 80/443 to the outside world, and do not run a hole bunch of other stuff on the same machine, you should be fine. Otherwise, of course use, secure and unique passwords and 2FA, just everything that also applies to an online service that you do not host yourself.

And make sure that the server is also protected from local threats. Don’t start a 1000 other services on the server, even if you don’t expose them to the internet. Like maybe an SMB server that collects data from a Windows XP machine in the basement, which controls some IOT device from 1999 :wink: Use also for internal access only port 80/443 and use a secure password or better keys for the SSH connection. Install UFW and open only ports 80, 443 and 22.