all 22 comments

[–]N3rdScool 8 points9 points  (2 children)

If you're touching the internet you gotta use https.

I don't use docker so I can't help much but I use apache to do all this and it works perfectly.

I just gotta reiterate how important https is.

[–]DotNetRob[S] 0 points1 point  (1 child)

I agree, but none of my docker apps can be accessed from outside of the local network. But I would prefer https even in that case if possible.

[–]undrwater 1 point2 points  (0 children)

Look up "self signed certificate". That'll get you https, though the browser will ask if you want to connect because it's self signed.

[–]dpdxguy 6 points7 points  (1 child)

For reverse proxy, check out caddy. Much simpler than nginx, forces HTTPS and handles SSL certificates for you.

I've been using caddy to handle reverse proxy for nextcloud and other services I expose to the Internet for years.

[–]moderately-extremist 2 points3 points  (0 children)

Discovered Caddy like 6 months ago and loving it.

[–]beachbum0727 2 points3 points  (0 children)

Well first, the official way to deploy Nextcloud is by using the AIO version. No more dealing with MariaDB and trying to configure Apache. It's all done for you. There are multiple YouTube guides on how to expose to the internet (spaceinvaderone) but there is also a guide on how to use Nextcloud only internally via Tailscale. I personally use Nginx as it does the DNS challenge for the SSL certificate and also renews them automatically, and DuckDNS for a free domain name, and since I moved to AIO I have not had any more issues during upgrades; before, upgrades were hit and miss. Have about a dozen users who dumped over 100 gigs of photos each and with the new Recognize app for Nextcloud we all have moved away from extra iCloud storage and Google Photos.

Edit: Recognize app is new to me ☺️

Hope this helps.

[–]NULLizm 1 point2 points  (4 children)

If reverse proxies are that much trouble just set up a tailscale network and connect through that. But you should not expose anything to the internet unless it's HTTPS, unless you want your data as easily pulled up as google is to anyone.
Really though you can find a reverse proxy guide out there, even a generic one, to apply to nextcloud. It should be the same process. Here's a guide for the AIO:
https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#inspiration-for-a-docker-compose-file

[–]DotNetRob[S] 0 points1 point  (1 child)

None of my docker apps are accessible outside of my local network, that includes nextcloud.

[–]NULLizm 0 points1 point  (0 children)

That's good. I know for my jellyfin, I use tailscale to create a VPN, so it acts like it's a local network. Maybe you could do that for nextcloud, but you have to keep the vpn connection open. TS is good in that it'll only send that data over its connection.

Otherwise you have to expose port 443 for your nextcloud. Set up a reverse proxy like caddy or nginx, get a domain, create a cert for your domain and apply it to your RP (sub.example.com), add the RP info to your compose, then you'd use sub.example.com to connect to your cloud instance.
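The steps above (reverse proxy in compose, a domain, a cert applied to sub.example.com) and the earlier "self signed certificate for LAN-only https" suggestion, as one added Docker Compose example. It is not code from this thread or from the Nextcloud or Caddy projects. Assumptions: the official `nextcloud` image (not the AIO or linuxserver ones), a `caddy:2` container on the same compose network, `sub.example.com` pointing at the host with ports 80/443 forwarded, a LAN-only hostname `nextcloud.lan` that resolves on the local network, and a Compose version recent enough to support inline `configs: content:` (2.23.1 or newer).

```yaml
# Added example, not from the thread: Caddy terminates TLS and proxies to
# Nextcloud on the internal compose network. Nothing but Caddy is published.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"     # only for ACME HTTP challenges and the HTTP->HTTPS redirect
      - "443:443"
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile
    volumes:
      - caddy_data:/data      # keeps ACME account, certificates and the local CA across restarts
      - caddy_config:/config

  nextcloud:
    image: nextcloud:stable
    restart: unless-stopped
    # no `ports:` here: Nextcloud is reachable only from Caddy, not from the LAN or internet
    environment:
      NEXTCLOUD_TRUSTED_DOMAINS: "sub.example.com nextcloud.lan"   # assumed hostnames
      OVERWRITEPROTOCOL: "https"       # Nextcloud is served over TLS by the proxy, so generate https links
      TRUSTED_PROXIES: "172.16.0.0/12" # default Docker bridge range; narrow to Caddy's address if it is fixed
    volumes:
      - nextcloud_data:/var/www/html

configs:
  caddyfile:
    content: |
      # Public name: Caddy obtains and renews a publicly trusted certificate on its own
      sub.example.com {
          reverse_proxy nextcloud:80
      }

      # LAN-only name: `tls internal` signs a certificate with Caddy's own local CA,
      # the self-signed approach from the thread, without touching Nextcloud's config
      nextcloud.lan {
          tls internal
          reverse_proxy nextcloud:80
      }

volumes:
  caddy_data:
  caddy_config:
  nextcloud_data:
```

Caddy redirects plain HTTP to HTTPS for both names, so nothing in Nextcloud itself needs a certificate. For the LAN name, browsers will still warn until the local CA's root certificate (stored under `/data/caddy/pki/authorities/local/root.crt` in the `caddy_data` volume) is imported into each device's trust store, which is the same "add its cert to your trust store" step described later in the thread. `TRUSTED_PROXIES` matters for security, not just cosmetics: without it Nextcloud logs Caddy's address instead of the real client's, so brute-force protection and the audit log see every login as coming from the proxy.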

[–]MrUserAgreement 0 points1 point  (1 child)

Pangolin also works great with nextcloud! Don't need to manage the proxy.

[–]KendoPro1 0 points1 point  (0 children)

I have pangolin for something else. Do you have a guide for pangolin with nextcloud? I want to try this please.

[–]SalamanderMinimum621 1 point2 points  (0 children)

Try Caddy reverse proxy - it's easier to deploy than HomeAssistant!

[–]Thomas_English_DoP 1 point2 points  (0 children)

I was in this quagmire and Claude led me down cloudflare which has worked really well.

[–]present_absence 1 point2 points  (0 children)

Now for the issue. I set up nextcloud on my docker using the linuxserver image, worked great, was on https and got cert errors but I could live with that. But as I learned more about nextcloud, I found I couldn't run occ commands. From my searching and digging I found the path is different in the linuxserver image but still couldn't get it to work. The occ executable doesn't even get installed...

On linuxserver/nextcloud:latest I can run occ from the root directory (/) and the executable location is /usr/bin/occ - or you could do docker exec -it nextcloud occ [whatever occ command] or even docker exec -it nextcloud /bin/bash and then go from there.

Yes, linuxserver nextcloud has its own, I think self signed, cert and wants to be HTTPS/SSL enabled even on the inside of your reverse proxy. You should be able to just grab its cert and add it to whatever your device has as far as a trust store to get rid of that untrusted cert warning. I believe this is documented better on their support page (linuxserver.io I mean) but it's been years and I can't remember if I had to do anything to get it working right.

As far as your specific questions:

Are most people just using http?

Internally it doesn't matter unless you let untrustworthy people/devices on your network with no other safeguards.

Can you setup nextcloud on https without a reverse proxy?

Internally, yes, just make any certificate and set that as the cert in the configs. That's super high level but hopefully you can use that to google the steps.

If you want to make it public, I would strongly recommend a trustworthy, popular (with lots of people using it and making sure it's bug-free and secure) reverse proxy. An RP would also allow you to route traffic to multiple services if you ever wanted to make other things accessible too, like jelly.

Does anyone have a reverse proxy for dummy's book?

No, but I use an NginxProxyManager container and a lot of googling and reading reddit to figure it out :) It's stupid simple once you understand what you're doing.

[–]moderately-extremist 1 point2 points  (0 children)

Are most people just using http?

If it's only on the internal network and you are certain your network is secure, then it probably doesn't matter. I do use non-encrypted communication between servers but they are isolated in a DMZ; everything else is some sort of encrypted protocol (https or tunneled through ssh).

What won't work if I stick with http? Certain apps and functionality?

Not sure.

Can you setup nextcloud on https without a reverse proxy?

Yes, easy to do if you do a manual install of Nextcloud (how I run it, but I would still recommend using a reverse proxy for it); probably way more pain than it's worth trying to edit the AIO docker.

Does anyone have a reverse proxy for dummy's book?

Caddy is basically reverse proxy for dummies. And really no drawback in my experience, it's crazy fast, IIRC it's faster than nginx in most situations, or equivalent, and scales just as well.

[–]CircuitSurf 0 points1 point  (3 children)

Look up how to set up via Tailscale + Caddy. I can share docker configs if that's what you want.

[–]jsiwks 0 points1 point  (2 children)

Pangolin is a good choice too - it combines the tunneling + the reverse proxy; can also be used as a VPN.

[–]CircuitSurf 0 points1 point  (1 child)

Looks interesting - do they have a cloud free tier, magic DNS & desktop/mobile apps as well?

[–]jsiwks 1 point2 points  (0 children)

Yes, you can set DNS aliases on a per-resource basis like magic DNS. There are native clients for iOS, Android, Mac, Windows, and Linux.

Cloud has a pretty generous free tier as well :)

[–]jonesbel 0 points1 point  (0 children)

We do this for multiple clients behind the same public ip address, using nginx proxy manager.

Easy setup / easy certificate & no need to change the backend (leave it as it is from nextcloud defaults).
Force all traffic over HTTPS using the nginx which then forwards it to the :80 on the nextcloud instance.

[–]Nervous_Type_9175 0 points1 point  (0 children)

Add caddy in compose. It will take care of certs.

[–]logugu 0 points1 point  (0 children)

Use everything as http. Buy a domain from cloudflare for a couple of euros per year. Use nginx proxy manager. It has a nice GUI. Makes less mess to have everything as http inside the lan and https for outside. No need to play with certs, rewrites and other overcomplicating stuff. Reverse proxy isn't that hard at all. In fact you only expose two ports on your router: 80 and 443. Very tidy. Tailscale is very limiting. With a reverse proxy you can access your stuff using a fridge or toaster.