Secure my nextcloud server with https

Laida

Cadet
Joined
May 22, 2020
Messages
2
Hello, I am writing to you to get your help. I recently installed FreeNAS and the NextCloud plugin. I have access to NextCloud remotely thanks to the DNS service. Unfortunately, it does not appear secure and remote access is over HTTP. Despite a lot of research, I have not found how to secure my NextCloud server with HTTPS. Thank you for your valuable answers.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
In practice I don't think it's possible with the plugin; for TLS you need to deploy your own Nextcloud instance. @danb35 has made a script that automates most of the process.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
In practice I don't think it's possible with the plugin
Well, not easily anyway. I'm sure it'd be possible to download acme.sh into the plugin jail, get a cert, and update the nginx configuration to enable https and use that cert. But what happens with the next update, I don't know.
 
Joined
Jan 4, 2014
Messages
1,644
If you choose to persevere with the NC plugin, you might want to consider placing it behind @danb35's Caddy reverse proxy; Caddy will address the TLS issue on behalf of NC. However, if you're just starting out with NC, it's still worthwhile considering dispensing with the plugin and using the Nextcloud script as @garm has suggested. The script builds a really robust NC environment and addresses all the warnings you would ordinarily see if building NC using other means such as the plugin.
 

Laida

Cadet
Joined
May 22, 2020
Messages
2
Thanks for your answer,
I come back to you quickly
 


xames

Patron
Joined
Jun 1, 2020
Messages
235
But the plugin seems to be the official and stable thing; normal people don't know how to run scripts and things like that. Why not implement SSL in this plugin?
 
Joined
Jan 4, 2014
Messages
1,644
Why not implement SSL in this plugin?
Some users choose to run NC on the private network only. If external access is required, they will VPN into the network. In this scenario, where local users are trusted, SSL is unnecessary.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
I used pfSense to take care of that with the ACME package and HAProxy. That has worked great so far, and the good thing about it is that in case I update NC, my whole setup doesn't go down the drain.
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
I used pfSense to take care of that with the ACME package and HAProxy. That has worked great so far, and the good thing about it is that in case I update NC, my whole setup doesn't go down the drain.

This is exactly what I have... I am starting to work more on this, but so far what I can tell is:
WebDAV still does not show as https; it shows http://FQDN/remote.php/dav/files/USERNAME/... I have not set up sync, so I am not sure if this matters.

OnlyOffice support is on Linux, not FreeBSD, at this time for the community document server. But that applies to all FreeNAS setups.

Besides that seems great.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
WebDAV still does not show as https; it shows http://FQDN/remote.php/dav/files/USERNAME/... I have not set up sync, so I am not sure if this matters.

So, you probably also have the issue that, if you want to connect a new device to NC, at registration it is stuck in a loop or does not connect?

Please check your config.php for this entry: 'overwriteprotocol' => 'https'. This will fix any issues with registering new devices via an app and also your WebDAV issue.

Code:
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'http://localhost',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
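An added example (not from this thread or from Nextcloud) that reads the reverse-proxy keys out of config.php and reports whether the URLs Nextcloud generates (WebDAV, app registration) will be https. The sample config.php is constructed from the values quoted above; the temp-file path and the overwritecondaddr comment are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit the reverse-proxy keys of a Nextcloud
# config.php so you know whether WebDAV/app URLs will be generated as https.
# The sample config below is constructed for the demo from the thread's values.

# nc_config_get FILE KEY: print the string value of  'KEY' => 'value',  (first match)
nc_config_get() {
    sed -n "s/^[[:space:]]*'${2}'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# nc_tls_check FILE: exit 0 when overwriteprotocol is https, 1 otherwise
nc_tls_check() {
    proto=$(nc_config_get "$1" overwriteprotocol)
    cliurl=$(nc_config_get "$1" overwrite.cli.url)
    condaddr=$(nc_config_get "$1" overwritecondaddr)
    rc=0
    if [ "$proto" = "https" ]; then
        echo "ok: overwriteprotocol=https, generated URLs (WebDAV, app login) use https"
    else
        echo "warn: overwriteprotocol='${proto:-unset}', URLs behind the proxy stay http"
        rc=1
    fi
    case $cliurl in
        https://*) echo "ok: overwrite.cli.url=$cliurl" ;;
        *) echo "note: overwrite.cli.url='${cliurl:-unset}' (used by cron/occ, not browser requests)" ;;
    esac
    # With overwriteprotocol set globally, plain http on the LAN IP stops working (as
    # noted in the thread); Nextcloud's overwritecondaddr can limit the overwrite to
    # requests arriving from the proxy's address (assumption: you run such a proxy).
    [ -n "$condaddr" ] && echo "ok: overwrite only applies to clients matching $condaddr"
    return $rc
}

# Constructed sample with the values quoted in the thread
NC_CONF=$(mktemp)
cat > "$NC_CONF" <<'EOF'
<?php
$CONFIG = array (
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'http://localhost',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
);
EOF
nc_tls_check "$NC_CONF"
rm -f "$NC_CONF"
```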
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
So, you probably also have the issue that, if you want to connect a new device to NC, at registration it is stuck in a loop or does not connect?

Please check your config.php for this entry: 'overwriteprotocol' => 'https'. This will fix any issues with registering new devices via an app and also your WebDAV issue.

Code:
  'datadirectory' => '/usr/local/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'overwrite.cli.url' => 'http://localhost',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',

Yes, exactly! Thank you for that! Yes, that fixed those issues. Just noticed that you can't get to the web GUI using the local IP anymore, just the FQDN. Not a big deal. Just an observation.
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
Yes, exactly! Thank you for that! Yes, that fixed those issues. Just noticed that you can't get to the web GUI using the local IP anymore, just the FQDN. Not a big deal. Just an observation.

That is correct. Same here, but not an issue since I always use the FQDN for access.
 
Joined
Jun 23, 2020
Messages
2
I used pfSense to take care of that with the ACME package and HAProxy. That has worked great so far, and the good thing about it is that in case I update NC, my whole setup doesn't go down the drain.

I use pfSense, but I haven't set up anything like what you mention. Any resources you can share to help me set this up?
 

ddaenen1

Patron
Joined
Nov 25, 2019
Messages
318
I use pfSense, but I haven't set up anything like what you mention. Any resources you can share to help me set this up?

Have a look at THIS post that contains links to the tutorials I used to set it up.
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
This guy on YouTube got me sorted for ACME certs and HAProxy. I tried many other guides prior and none of them worked for me. https://www.youtube.com/watch?v=FWodNSZXcXs

Wanted to edit to add a personal summary of Nextcloud on FreeNAS: the plugins are fine, in both TrueNAS CORE and in FreeNAS. The plugin works absolutely fine. The issue around external storage using CIFS shares changed in recent updates: you have to enable it first. So go to Apps and go to the bottom of the list; it should show that it needs to be enabled. So if behind pfSense ACME certs and HAProxy, then you have a fully operational HTTPS FQDN that has access to your mounted shares, and any other plugin or jails, since you can use a wildcard cert. The only real issue around Nextcloud is that the built-in office platforms do not support FreeBSD yet. Not sure if this summary matches others' best practices. This is a highly supported method.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
Some users choose to run NC on the private network only. If external access is required, they will VPN into the network. In this scenario, where local users are trusted, SSL is unnecessary.
But if you install the Nextcloud mobile app and have some stuff there, it's really not useful to connect to the VPN every time you want to find a photo or a document through the app.

On the other hand, the danb35 script has the ability to take data and config out of the jail for bad situations.
 
Joined
Jan 4, 2014
Messages
1,644
But if you install the Nextcloud mobile app and have some stuff there, it's really not useful to connect to the VPN every time you want to find a photo or a document through the app.
It depends on each individual's risk appetite.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
It depends on each individual's risk appetite.
The best would be to allow only certain FQDN names, and then with a realdns updater installed on the phone, it's easier to connect without the necessity of a VPN and with the security of limiting origin IPs.
 

deneb

Dabbler
Joined
Mar 4, 2020
Messages
11
I just tried this on my official Nextcloud plugin.
EDIT: some notes at the end about updates.

Log in to your Nextcloud jail and then:

Code:
curl https://get.acme.sh | sh  # installed acme

pkg install socat  # needed for acme standalone

service nginx stop  # we need to free port 80 (FreeBSD syntax: service <name> <action>)

acme.sh  --issue  -d example.com  --standalone


then configure your nginx with:
Code:
  # configure it to use https with the following

  ssl_certificate /root/.acme.sh/example.com/example.com.cer;

  ssl_certificate_key /root/.acme.sh/example.com/example.com.key;


then start nginx again:
Code:
service nginx start


EDIT:
I updated my Nextcloud official plugin today to `19.0.2` using the update in the FreeNAS UI.
Things I had to recheck:
  • re-fix all the Security and setup warnings;
  • the certificates were still there, but the configuration in `/usr/local/etc/nginx/conf.d/nextcloud.conf` was gone. Having saved my previous version, it was quite easy to restore it;
  • `/usr/local/www/nextcloud/config/config.php` was still the right one.
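An added example (not from this post or from the plugin) for the update problem described above: it checks that the nginx config still carries both ssl directives pointing at existing acme.sh cert files and, if the plugin update wiped them, restores a copy you saved earlier. The cert and config paths mirror the post; the demo directory, fake cert files and backup file are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: after a plugin update wiped nextcloud.conf
# (as reported above), verify the nginx TLS directives still point at existing
# acme.sh cert files and restore the saved copy if not. Paths follow the post.
# Renewal caveat (acme.sh flags, not from the post): --standalone needs port 80,
# so issue with --pre-hook "service nginx stop" --post-hook "service nginx start"
# so the cron renewal acme.sh installs can also get the port.

# cert_path CONF DIRECTIVE: print the file named by "DIRECTIVE /path;" in CONF
cert_path() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# nginx_tls_ok CONF: 0 if both ssl directives are present and their files exist
nginx_tls_ok() {
    crt=$(cert_path "$1" ssl_certificate)
    key=$(cert_path "$1" ssl_certificate_key)
    [ -n "$crt" ] && [ -n "$key" ] && [ -f "$crt" ] && [ -f "$key" ]
}

# restore_tls_conf CONF BACKUP: copy BACKUP over CONF when CONF lost its TLS setup;
# 0 = CONF is usable afterwards, 1 = nothing usable to restore from
restore_tls_conf() {
    if nginx_tls_ok "$1"; then echo "ok: $1 still has a valid TLS setup"; return 0; fi
    if [ -f "$2" ] && nginx_tls_ok "$2"; then
        if cp "$2" "$1"; then echo "restored: $1 from $2 (then: service nginx restart)"; return 0; fi
    fi
    echo "error: $1 has no TLS setup and $2 is missing or broken"; return 1
}

# Constructed demo: fake cert files, a saved backup, and a conf the "update" emptied
D=$(mktemp -d)
mkdir -p "$D/.acme.sh/example.com"
: > "$D/.acme.sh/example.com/example.com.cer"
: > "$D/.acme.sh/example.com/example.com.key"
cat > "$D/nextcloud.conf.bak" <<EOF
    ssl_certificate $D/.acme.sh/example.com/example.com.cer;
    ssl_certificate_key $D/.acme.sh/example.com/example.com.key;
EOF
echo "server { listen 80; }" > "$D/nextcloud.conf"   # TLS lines gone after the update
restore_tls_conf "$D/nextcloud.conf" "$D/nextcloud.conf.bak"
rm -rf "$D"
```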
 