I just installed the AIO and saw that port 80 is opened to the internet. AIO doesn’t support DNS-challenge as far as I know. There is no need to have port 80 open all the time these days. My installation is most of the time not accessible from the internet.
And this is exactly why port 80 needs to be open.
If you don’t want this, although it’s not a problem in itself, you can use AIO in reverse proxy mode and have the reverse proxy of your choice handle SSL for you: GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
@Bob.Dig FYI: GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
Not exactly. I had other software running which would open port 80 only while certbot is running. So most of the time, port 80 was closed! I had a better feeling with that.
Please see my comment above. Because I have no knowledge about web servers, it might be that having port 80 open all the time has no security implications. But my guess is, it is always open to make a redirect to port 443? And this is not needed anymore with modern browsers I think.
You are right, modern browsers generally favour HTTPS, but the redirect is of course still needed as a precaution when a web server is listening on port 80.
However, this also means that because of the redirect, the HSTS headers, and the default behaviour of modern browsers, port 80 is not a security risk, so I don’t see a problem with leaving it open for the HTTP challenge to work.
But as I said, if you feel more comfortable with just port 443 open, you can run AIO behind a reverse proxy and let that handle SSL for you, which would allow you to use the DNS challenge and therefore close port 80.
Actually, if you read the linked docs, port 80 is only needed to generate a valid certificate for the AIO interface on port 8443. If you don’t expose the AIO interface, you also don’t need to expose port 80.
This would require UPnP to be enabled on your router for automatic port forwarding, which I would consider a far greater security risk than leaving port 80 open on a properly configured web server.
By default Nextcloud in AIO itself only needs port 443 to be open as it uses that for Nextcloud plus the ports for talk if you want to use that.
Ah, good to know, I was under the impression that port 80 is also needed to issue and renew the certificate for Nextcloud.
So I guess it will validate with port 443, which is even less favorable because there has to be NC running.
No, please don’t come up with things. Whatever it did, it might have closed the port in the firewall or just didn’t run any service on port 80 unless certbot was running, probably the latter. It was prosody.im, a Jabber server.
So thinking about it more, it probably was only a coincidence. Because the jabber server had no webserver running, the port was “closed” most of the time. It was open in the firewall, if one was active at all, but no service was listening.
And I kinda liked it, to have port 80 only for certbot. But with that I guess, the topic can be closed. Thanks everyone participating!
And I ditched my first try and went with the Reverse Proxy Documentation. I disabled DOMAIN_VALIDATION right away because it hadn’t worked for me the first time. I set up Nginx Proxy Manager, never used this before, but that was easy enough. And everything is working fine. Thanks to the team for the great documentation and the software, which I might never need to touch again, at least as an administrator.
Please don’t forget to update and back up regularly though.
And thanks for the positive feedback
This is a great topic though and I have been wondering something similar, how to open port 80 only for (and only at the time of) Let’s Encrypt renewals (scheduled every 3 months I believe, set up using a timer when the initial Certbot session ran).
I’m not sure if that would be possible with AIO, but with a manual install, you could write a script that opens port 80 in the host’s firewall, runs certbot --renew or some other ACME client, and then closes port 80 when it’s done, and put that in a cron job.
However, leaving port 80 open is not a security issue in itself, but rather it depends on what happens when someone connects to port 80. With AIO, they will be redirected directly to https://aio.yourdomain.tld, so I see no problem with leaving port 80 open all the time. The same goes for a manual installation, as long as your web server is configured accordingly.
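The "open port 80, renew, close port 80" script suggested in the reply above, written out as an added example (not code from the thread or from Nextcloud AIO). It assumes iptables manages the host firewall and certbot is the ACME client; both are assumptions, and the point worth noting is the `trap`, which closes the window again even when the renewal fails or the script is interrupted.

```shell
#!/bin/sh
# Renew Let's Encrypt certificates with certbot's standalone HTTP-01 challenge,
# opening TCP/80 in the host firewall only for the duration of the renewal.
# Assumptions (not from the thread): iptables with a DROP policy on INPUT, and
# certbot as the ACME client. Cron entry, e.g.:
#   0 3 * * * /usr/local/sbin/renew-with-port80.sh renew
set -eu

IPT="${IPT:-iptables}"        # firewall command; override for a dry run
CERTBOT="${CERTBOT:-certbot}" # ACME client; override for a dry run

open_port80() {
    # Insert at position 1 so the rule wins over any later DROP rule.
    $IPT -I INPUT 1 -p tcp --dport 80 -j ACCEPT
}

close_port80() {
    # Remove exactly the rule added above; tolerate it already being gone.
    $IPT -D INPUT -p tcp --dport 80 -j ACCEPT 2>/dev/null || true
}

renew_with_port80_window() {
    open_port80
    # Close the window even if certbot fails or the script is interrupted.
    trap close_port80 EXIT INT TERM
    rc=0
    $CERTBOT renew --standalone --preferred-challenges http -q || rc=$?
    close_port80
    trap - EXIT INT TERM
    return $rc
}

case "${1:-}" in
    renew) renew_with_port80_window ;;
    "") echo "usage: $0 renew" >&2 ;;
esac
```

certbot's own `--pre-hook` and `--post-hook` options can call `open_port80` and `close_port80` instead, which has the advantage that they only fire when a renewal is actually attempted.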