Need a sense check please-Nextcloud, Docker, Nginx, pfSense, and Cloudflare

I am working on standing up Nextcloud in docker, and exposing it to the internet with a Cloudflare tunnel. I have it running and it passes all of the checks. I get a green check on the security and setup warnings, I got an A+ on the Nextcloud security scan. All the functionality seems to work OK. I just wanted to get a sense check if my approach is correct, or if there is something I could tighten up.

I first installed Nextcloud, Mariadb, Collabora, Nginx, and Redis using a Portainer stack. In that stack I exposed ports 8081:80 for Nextcloud, 9980:9980 for Collabora, and '80:80', '81:81', '443:443' for Nginx. That all worked fine.

Next I set up two proxy hosts on Nginx. I used a cloudflare DNS challenge to get a wildcard cert for my ultimate public domain that I already own. My two proxy hosts are nextcloud.domain.com and collabora.domain.com, both using https with the wildcard cert.

I normally use the DNS resolver in pfSense to resolve the FQDNs for all my home lab services. I went into the DNS resolver and added two host overrides: one for nextcloud.domain.com and one for collabora.domain.com, both pointing to the IP address of my docker host VM.

In Cloudflare, I already have my domain set up and have a tunnel set up for several websites already. So I just went into that tunnel and updated it to add two new public host names. This part is a little janky I think, but it is the only way I could get it to work. My public host name is set to nextcloud.domain.com and the internal service points to nextcloud.domain.com. Same for collabora. I haven’t done this before where the public host name is the same as the internal service name.

Finally, I edited the config.php in my nextcloud container and added the following:
```php
// Addresses Nextcloud will accept X-Forwarded-* headers from
'trusted_proxies' =>
array (
  0 => '127.0.0.1',
  1 => '192.168.0.0/16',
  // canonical form of the posted 172.18.0.0/12 (host bits were set);
  // a prefix match treats both the same way
  2 => '172.16.0.0/12',
),

// Host header values Nextcloud will serve
'trusted_domains' =>
array (
  0 => 'nextcloud.domain.com',
),

// URL used by cron/occ for generated links; kept on https to match overwriteprotocol
'overwrite.cli.url' => 'https://nextcloud.domain.com',
'overwriteprotocol' => 'https',
```

Everything seems to be working fine. But I have very little experience with Nginx and I feel like I did something wrong somewhere. Any feedback would be appreciated.
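A small check for the trusted_proxies block above, added here as an example and not part of the original post or of Nextcloud. It assumes prefix matching of CIDR entries (which is how Nextcloud's Symfony-based IpUtils check behaves) and shows why a non-canonical entry such as 172.18.0.0/12 silently trusts the whole 172.16.0.0/12 block, and why X-Forwarded-For must only be honoured from a trusted peer:

```python
import ipaddress

# Constructed sample mirroring the trusted_proxies block in the post;
# the third entry is deliberately the non-canonical form.
TRUSTED_PROXIES = ["127.0.0.1", "192.168.0.0/16", "172.18.0.0/12"]


def normalize_ranges(entries):
    """Return (networks, warnings).

    A prefix-matching implementation ignores host bits, so 172.18.0.0/12
    is effectively the whole 172.16.0.0/12 block. Report that widening
    so the admin sees what is really trusted.
    """
    nets, warnings = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if "/" in entry and str(net) != entry:
            warnings.append(f"{entry} is non-canonical; it trusts all of {net}")
        nets.append(net)
    return nets, warnings


def is_trusted_proxy(remote_addr, entries):
    """True if the directly connected peer is inside a trusted range."""
    nets, _ = normalize_ranges(entries)
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr, x_forwarded_for, entries):
    """Only honour X-Forwarded-For when the peer is a trusted proxy.

    From any other peer the header is client-supplied and must be ignored,
    otherwise brute-force protection and logging see a spoofed address.
    """
    if x_forwarded_for and is_trusted_proxy(remote_addr, entries):
        # XFF is a comma-separated chain; the leftmost hop is the original client
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    for warning in normalize_ranges(TRUSTED_PROXIES)[1]:
        print("WARNING:", warning)
    print(effective_client_ip("172.18.0.2", "203.0.113.7, 172.18.0.2", TRUSTED_PROXIES))
```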

Personally I would recommend using the Cloudflare auth system to stop anyone from logging in to the Nextcloud interface as I don’t trust having that open to the public internet. But I am also someone who prefers to keep everything behind a VPN.

Thanks Tom. I will look into that, or maybe placing the whole setup in my Tailscale network.

Do you think the way I am using Nginx with Cloudflare is correct? Or am I better off without Nginx in this case? I really wanted everything to have a proper cert inside my lab as well as on the internet.

I don’t use Cloudflare Tunnels, just an internal reverse proxy (currently HA Proxy), and Tailscale is solid; if you're looking for something self hosted, Netbird is nice as well.

Although NextCloud has not had a lot of security issues, and they have been very on top of the ones that have popped up, and it is convenient to have things publicly exposed, it feels too risky. Especially since I do lots of work designing secure systems.

One last question for Tom or anyone. Leaving aside the cloudflare tunnels for a moment, how important is it to have SSL certs/https access for services inside my home lab? Let’s say I make Nextcloud available on my tailscale network, do I need a reverse proxy to provide certs or am I OK without it? Services would only be accessed in my private network internally or externally through tailscale.

Homelab or not, I think security is always good to implement and getting in the habit of doing it. Personally I would set up SSL regardless if it is internal only.

Yes, I have SSL on all the things but some I am simply using self signed which is better than using none. The things I use a lot, such as Home Assistant, FreshRSS, Uptime Kuma, etc all have reverse proxy and proper certs. I don’t bother with things such as the pfsense interface, IPMI interfaces, and other management control planes.

Previously I had certs on everything (including Proxmox, Synology, and pfSense) except docker-ized apps, of which there weren’t that many in my environment (Uptime Kuma, Cloudflared, Heimdall, Portainer, and Watchtower). But I recently built a new TrueNAS scale machine, and I am going to be moving everything except my Wordpress sites to docker on that machine. So I am gaining some experience with reverse proxies that I never had before. Thanks for the input.


Hi Tom,

I implemented the access controls for tunnels as you suggested, but it promptly broke the android app. I started going down the path of using access tokens instead of email address and one time pin combinations, but it quickly was way over my head. If you are looking for suggestions for video ideas, I find that there is not a lot of content out there covering anything more than basic cloudflare tunnels. Anything on how to use tunnel access controls, alternate logins like access tokens, WARP, certificates, JWT, etc. might be good content, but it's up to you.

I can consider it, but I am not big on solutions that lock you to a cloud vendor such as Cloudflare.

That’s valid and I appreciate you responding to the suggestion. Maybe the alternative is a video on how to securely expose services like Nextcloud, Firefly III, Joplin, etc. that have phone apps, when your home server is behind CGNAT or you don’t want to punch a hole in your firewall. And expose them in a way that the non-tech users in my family can easily understand. I know you have done stuff similar to this, and maybe I am missing a video you already did. I am not wedded to Cloudflare (although I like the free aspect), but signing on to a VPN probably won’t work for my wife and kids. Maybe such a solution just doesn’t exist. I don’t know. Thanks again Tom. Keep up the good work.

Tom has a video to setup wireguard on a VPS for CGNAT users.

I have done that before, and it's a cool technique. However, I don’t believe it solves Tom’s original concern:

> Personally I would recommend using the Cloudflare auth system to stop anyone from logging in to the Nextcloud interface as I don’t trust having that open to the public internet. But I am also someone who prefers to keep everything behind a VPN.

Using this method, isn’t the Nextcloud interface still open to the public internet?