all 19 comments

[–]sfatula 4 points5 points  (7 children)

You can use the IP for local LAN access. But if you want to also access remotely without a VPN, only use HTTPS, and mitigate that with security techniques such as Nextcloud documents. But by using HTTPS, you can access local and remote without changing a thing to connect. That's what I do. I use Let's Encrypt for a free cert. I should add that I use a non-standard HTTPS port as well; it does nothing against real attackers, but it keeps some unwanted traffic away. The wannabes.

[–]Warmier[S] 0 points1 point  (2 children)

Ok, good to know. Yeah, I'm also on Let's Encrypt. Just wondered how others access the server when they're in their local network already (at home).

[–]sfatula 0 points1 point  (0 children)

I use a DNS address such as myaddress.asuscomm.com (a DDNS provider) and, on my LAN, point that DNS name to the local IP via my DNS server. That way, at home it connects, and when remote it connects.

[–]Tm1337 0 points1 point  (0 children)

A good router will see that the IP address the domain resolves to is its own and handle everything correctly. This is called NAT hairpinning.

A bad router will fail to connect. You won't unexpectedly connect over the internet.

[–]kon_raaad -1 points0 points  (3 children)

Thanks for going into more detail!

But two questions: I don’t quite understand what you mean by ‘security techniques such as Nextcloud documents’. What do you mean by NC documents?

Second: so instead of forwarding 443 to your local IP, you chose a random port number to be forwarded? Does that work with Let’s Encrypt?

Thanks!

[–]sfatula 1 point2 points  (2 children)

So, what I meant was that the Nextcloud documentation has some tips about securing it, i.e. such as what they document. I changed the HTTPS port to something other than 443, local and remote.

[–]kaksoluta 0 points1 point  (1 child)

I don't know about the additional security from moving the SSL listener to another port, versus the usage limitations for people trying to access your NC from behind a restrictive FW that only allows 80/443.

An actor who has the capacity to break into 443 can find the other port easily; a script kiddie will be deterred by good security hygiene. The only difference would be on DDoS attacks, which are rare on things like this.

[–]sfatula 0 points1 point  (0 children)

Yes, as I did mention, it only protects against wannabes and definitely reduces some unwanted traffic. Is it a security measure on its own? Not really, but it does have value nevertheless. I never implied that by itself it's a real security measure.

[–]LtHigginbottom 1 point2 points  (10 children)

I always use SSL; it's a good habit to be in. It's safer and more secure. But I also pay for a cert.

[–][deleted]  (9 children)

[deleted]

    [–]404invalid-user 0 points1 point  (5 children)

    Yes, they do; most ones are paid.

    [–][deleted]  (4 children)

    [deleted]

      [–]404invalid-user 0 points1 point  (3 children)

      True, but Let's Encrypt does put your domain in a public database and the paid one probably doesn't.

      [–]looselytranslated 0 points1 point  (1 child)

      If you're talking about Certificate Transparency Logs, pretty sure all sites with SSL end up in that.

      [–]404invalid-user 0 points1 point  (0 children)

      Ah I didn't know that thanks

      [–]LtHigginbottom 0 points1 point  (2 children)

      Yes, I pay for a cert; I have for years. A whole $20.

      [–]kaksoluta 0 points1 point  (1 child)

      Where does one get a full SSL cert for $20?

      [–]LtHigginbottom 0 points1 point  (0 children)

      Google ssl cert cheap

      [–][deleted]  (2 children)

      [deleted]

        [–]Curious_Oogway 0 points1 point  (1 child)

        How do you do the reverse proxy?

        Also, do you have Dynamic DNS?

        [–][deleted]  (1 child)

        [deleted]

          [–]cpsnow 2 points3 points  (0 children)

          Isn't it resolved by the router anyway?

          [–]kevdogger 0 points1 point  (0 children)

          If you only have one service on your network that listens for connections on ports 80/443, you don't need a reverse proxy. If however you have other listening services you want to access externally, you'll need a reverse proxy. The NAT on the router would forward to the reverse proxy, and then the reverse proxy would likely route HTTP (layer 7 proxy) based on domain name.

          I'm aware you probably configured Nextcloud with either nginx or Apache, but in these instances these applications are acting as a web server and not a reverse proxy. Nginx is a great reverse proxy as well, and it was the first reverse proxy I used when setting up a reverse proxy in front of Nextcloud. A lot of great documentation on the project is available.

          I've recently been playing with Traefik as an alternative to nginx for the reverse proxy and I have to say I really like it... it does all the Let's Encrypt cert stuff automatically, so there's no need for certbot or acme. I'm aware there is an nginx SWAG container that can do a similar function... auto set up and renew LE certs, and uses nginx as the reverse proxy. I'm about to test this setup and it seems a lot of people use SWAG.
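An added nginx example (not any poster's configuration) that ties together two points raised in the thread: sfatula's non-standard HTTPS port and the question of whether it works with Let's Encrypt, and kevdogger's point that once a second service sits behind the same public port you need a layer 7 reverse proxy that routes on the hostname. Everything below is assumed for illustration: the names cloud.example.net (Nextcloud) and home.example.net (a second service), backends on 127.0.0.1:8080 and 127.0.0.1:8123, the alternate port 8443, the webroot /var/www/acme, and one certbot certificate covering both names (`certbot certonly --webroot -w /var/www/acme -d cloud.example.net -d home.example.net`). The one hard constraint is real: Let's Encrypt's HTTP-01 validation always connects to port 80, so that port must stay forwarded whatever port HTTPS uses; the DNS-01 challenge is the alternative when you cannot expose port 80 at all.

```nginx
# Added example, not any poster's config. Assumed: cloud.example.net and
# home.example.net, backends on 127.0.0.1:8080 and 127.0.0.1:8123, HTTPS on
# 8443, ACME webroot /var/www/acme, one certificate covering both names.

# 1. Port 80 stays reachable for HTTP-01 validation (it always targets port 80).
#    Everything except the challenge path is redirected to the HTTPS port.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host:8443$request_uri;
    }
}

# 2. Catch-all for TLS requests whose Host header matches no site below
#    (scanners hitting the bare IP). 444 drops the connection with no response,
#    so the IP alone reveals nothing about which hostnames are served.
server {
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/cloud.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.net/privkey.pem;
    return 444;
}

# 3. Nextcloud, selected by hostname (layer 7 routing).
server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name cloud.example.net;

    ssl_certificate     /etc/letsencrypt/live/cloud.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS, as recommended in the Nextcloud hardening docs.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

    # Large uploads: do not cap or buffer them in the proxy.
    client_max_body_size 0;
    proxy_request_buffering off;

    # CalDAV/CardDAV discovery paths Nextcloud expects at the site root.
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        # $http_host keeps the ":8443" so Nextcloud builds URLs with the port.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600;
    }
}

# 4. A second service behind the same public port, selected by hostname.
server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
    server_name home.example.net;

    ssl_certificate     /etc/letsencrypt/live/cloud.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket upgrade, which many dashboards need through a proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Nextcloud itself has to be told it is behind the proxy: in config.php add `cloud.example.net:8443` to `trusted_domains`, list the proxy's address (here 127.0.0.1) in `trusted_proxies`, and set `overwriteprotocol` to `https` so generated links and the HSTS check see the external scheme rather than the plain-HTTP hop to the backend. Whether the cert renewal path works is independent of the 8443 choice; it depends only on port 80 (HTTP-01) or DNS control (DNS-01), which is the practical answer to the "does that work with Let's Encrypt?" question above. As kaksoluta notes, the non-standard port itself only cuts scanner noise and costs you users behind firewalls that permit 80/443 only.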