Was very close to exposing Nextcloud to WAN, then read Samuel Dowling, now I don't think so.

[jackdinn]

I wanted to allow my friends and family access to one of my datasets, but they are very tech adverse, so Nextcloud looked like just the job.

I put in a lot of work searching, trying to understand, and then implementing what was needed to expose one of my Truenas datasets via Nextcloud to the WAN.

I have

• Managed to figure how to share one of the datasets with Nextcloud.
• Got the permissions figured (That was fun ^^).
• Got a static IP.
• Forwarded the correct port/s to the jail.
• Got a domain name.
• Set up the "A" IPv4 records in my domain registrar.
• Tinkered with some of the Nextcloud, nginx & apache settings to keep Nextcloud security checks happy.
• Was just in the process of getting an SSL cert sorted out.

Then i stumbled across Samuel Dowling

https://www.samueldowling.com/2020/07/24/install-nextcloud-on-freenas-iocage-jail-with-hardened-security/

How to set up an nginx reverse proxy with SSL termination in FreeNAS

Use an nginx reverse proxy to make multiple self hosted services available on your LAN and the internet using LetsEncrypt wildcard certificates for HTTPS

www.samueldowling.com

I read and digested, read more, digested more. The more i read, the more i started getting a deep feeling that i was drowning. I was in way over my head.

I finished reading and spent a couple of days trying to think about this. I came to the conclusion that it's all just too much. I just do not have the knowledge or ability to know what I'm doing. It would take me a lifetime to really understand the content of Samuel's blog, and the last thing i want is to get my personal family data hacked.

I have now shut down my Nextcloud instance.

I was looking for some opinions and points of view.

Am i just being way too paranoid, or should this stuff be left to the pro's ?

 

[danb35]

https://www.samueldowling.com/2020/07/24/install-nextcloud-on-freenas-iocage-jail-with-hardened-security/

If you want to manually handle every step of the way, that's the best guide I know of for that--if you're a masochist. If you want an easy and secure way to do it, IMO this is a better way to do it:

Scripted installation of Nextcloud 28 in iocage jail

Status: This script will run with TrueNAS CORE 13. It's possible, but untested, that it will work with FreeNAS 12. Earlier versions are not supported. There are a number of guides on the forum to install Nextcloud, but they all rely on a lot of...

www.truenas.com

should this stuff be left to the pro's ?

Not necessarily. There are risks, and you need to be aware of them, and take reasonable steps to mitigate them. What those reasonable steps will be will depend on many factors. You obviously ought to be using HTTPS. Any sensible setup these days will get a cert and renew it for you automatically, and implement a modern and sane HTTPS configuration--the one above does. You need to keep your software up-to-date. You should ensure that secure passwords are used. I don't see any reason to put a reverse proxy on top of Nextcloud, unless you want to expose more than one web application to the Internet.

 

[jackdinn]

Hi @danb35, thanks for the response.

Normally, I would say yes, I am a masochist and even a sadomasochist, but not in this case. I'd just be happy to get it working with a "reasonable" amount of peace of mind.

I love the script you linked, and I will take a good look through it. With a little luck, it might even give me the opportunity to revisit my choice to end my Nextcloud project. I suppose the point was that even though I really did not understand half of what Samuel wrote, it did make me realize just how vulnerable a NAS/site/server is the moment you open a port and point your router to it. This did scare me, but I do wonder how many other public-facing admins don't understand or even use half of what he was talking about.

Thx :)

 

[danb35]

A big part of the issue is just that Nextcloud is a really involved app with lots of moving pieces--there's Nextcloud itself, there's your web server, PHP, a database, and probably a few others I'm not thinking of. That means that installing it manually is a chore, and gives you lots of opportunities to configure something poorly--but it gives you control over everything, and (in principle) a better understanding of how it all works together. If you use a prepackaged solution--the plugin, or my script, or pkg install nextcloud--there's a lot less work, but you have to trust that whoever put it together configured it reasonably. I think I did, but I can't guarantee it'd meet anyone else's standards. But I haven't gotten any complaints, or suggestions for improvement, along those lines, FWIW.

 

[jackdinn]

I'm reading your Git now, and the first thing I'm thinking is that it seems to be starting right from the beginning. For example, structuring the NAS datasets, installing NC, etc. However, I have already completed most of the work, and I really don't want to start over. Nonetheless, I would like to script the setup of the Let's Encrypt certificate because I had a quick go at it, and I got a bit muddled. Is that possible?

 

[ddaenen1]

I have my NC set up with WAN access through an FQDN on https with let'sencrypt certs and HAproxy on my pfsense firewall. I have not looked back since. I understand there is no such thing as 100% hack-proof but i think i have done all i could to secure it is good as possible.

I have deliberately chosen to to run the certs and proxy on pfsense as it give much greater flexibility and much easier to maintain.