nextcloud

807 readers

2 users here now

Nextcloud is a suite of client-server software for creating and using file hosting services.

https://nextcloud.com

https://github.com/nextcloud

IRC: #nextcloud on libera.chat
Matrix: #nextcloud:matrix.org

Other Nextcloud communities on Lemmy

founded 4 years ago

MODERATORS

[email protected]

How do I properly secure NextCloud server connected to the open internet? (lemmy.zip)

submitted 1 week ago by [email protected] to c/[email protected]

4 comments fedilink hide all child comments

I have had a NextCloud up & running for a few weeks thus far and haven't had any problems. The reason I can't just connect to it via vpn is that I want to share links of files with other people. I always keep the system up to date and I think I configured nginx correctly. I have blocked all requests to ports other than 80 and 443, but the firewall is still not the best right now: someone can send many requests in a short timeframe. I have also used tools like pentest-tools.com and some others, but those say that there are no major vulnerabilities. I also keep track of logs with a tool called logwatch. Any tips and tricks or resources (articles, videos, etc) would be much appreciated. Or maybe you want to know more about my setup. I know that NextCloud can be really secure if everything is done right!

you are viewing a single comment's thread
view the rest of the comments

[–] tabris 5 points 1 week ago (2 children)

If you have a domain name setup, I'd recommend using Swag as your gateway. It's a hardened nginx with lots of preconfigured samples that make it feel very plug and play. I got SSL with Let's Encrypt set up in minutes. My next task is adding SSO to my setup.

If you're using docker to run your apps, use a network with only swag on it that can connect via port 80 and 443, and put your other apps on a separate network that isn't public, swag also there and let it do its proxy thing. Run docker rootless, each container with a separate user, secrets fully secured, all that good stuff.

[–] doodledup 2 points 6 days ago (1 children)

Is there anything Swag covers that NPM + Fail2Ban behind Cloudflare doesn't?

[–] tabris 2 points 6 days ago

From a cursory look, as I don't know NPM, Swag doesn't require a database itself as all config is file based, and doesn't have any user management. Both seem to be nginx based with Fail2Ban installed, there's probably some other differences.

What I like about Swag is that with my config checked into a git repo and an act runner set up, I can reconfigure swag on the fly, with a rollback, as it's just a case of pushing an update to the repo and letting the runner pull changes and restart the container. It works very well for how I want things set up.