Security of Nextcloud High Performance Backend

Hello,

What are the minimum ports to open to the public if I want to use Talk from external clients (not behind my NAT, users and guests)?

I installed nc-hpb and coturn on two different hosts. They can reach each other.
Nextcloud is in a different net, but nc-hpb and Nextcloud can reach each other. All are behind my NAT. The Turnserver has all private ranges blocked except my nc-hpb IP.

I guess it's safe to open the nc-hpb signaling port (8080) if it is secured with SSL?
Is it safe to open the Turnserver port 3478 if all private ranges are blocked?

Are there any security considerations?
Any hardening I should do?

Thanks

SSL doesn't add any security to your installation. It only adds some privacy so nobody can access data on the wire.

Port 3478 is the preferred TURN communication port, which is used to receive media from meeting participants. The TURN/HPB server is not expected to hold any data, so the attack vector is mostly DoS/abuse of the TURN server, e.g. as part of a DDoS botnet.
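A coturn `turnserver.conf` fragment, added here as an example and not taken from the thread or from the coturn project's own files, showing the private-range blocking the question describes next to quota settings that bound the relay abuse the reply mentions. `<HPB_IP>`, `<long-random-secret>`, the certificate paths and the realm are placeholders.

```ini
# Added example turnserver.conf fragment (not from the thread).
# Placeholders: <HPB_IP> is the High Performance Backend address,
# <long-random-secret> is the secret also configured on the Nextcloud side.

# Expose only the TURN port discussed in the thread, plus TLS on 5349.
# As the reply notes, TLS protects the wire only; it does not restrict who may relay.
listening-port=3478
tls-listening-port=5349
cert=/etc/coturn/fullchain.pem
pkey=/etc/coturn/privkey.pem
fingerprint

# Relay allocations require a time-limited credential derived from the shared
# secret; without authentication anyone could use the relay.
use-auth-secret
static-auth-secret=<long-random-secret>
realm=turn.example.org

# Weak (default): no peer restriction, so an authenticated client could ask the
# relay to reach hosts inside the NAT.
# Hardened: deny every private/link-local/loopback range, then re-allow only
# the HPB, as the question describes (allowed-peer-ip takes precedence).
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
allowed-peer-ip=<HPB_IP>

# Bound abuse of the relay: fixed relay port range and per-user/total quotas.
min-port=49152
max-port=65535
user-quota=12
total-quota=1200
no-multicast-peers

# No remote admin interface on the relay host.
no-cli
```

Only 3478 (and 5349 if TLS is used) plus the relay port range need to be reachable from outside; the admin interface and the Nextcloud-facing HPB link stay internal.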