I am working on standing up Nextcloud in Docker and exposing it to the internet with a Cloudflare tunnel. I have it running and it passes all of the checks: I get a green check on the security and setup warnings, and I got an A+ on the Nextcloud security scan. All the functionality seems to work OK. I just wanted a sense check of whether my approach is correct, or whether there is something I could tighten up.
I first installed Nextcloud, MariaDB, Collabora, Nginx, and Redis using a Portainer stack. In that stack I exposed ports 8081:80 for Nextcloud, 9980:9980 for Collabora, and 80:80, 81:81, and 443:443 for Nginx. That all worked fine.
Next I set up two proxy hosts on Nginx. I used a Cloudflare DNS challenge to get a wildcard cert for my ultimate public domain, which I already own. My two proxy hosts are nextcloud.domain.com and collabora.domain.com, both using HTTPS with the wildcard cert.
I normally use the DNS resolver in pfSense to resolve the FQDNs for all my home lab services. I went into the DNS resolver and added two host overrides: one for nextcloud.domain.com and one for collabora.domain.com, both pointing to the IP address of my docker host VM.
In Cloudflare, I already have my domain set up and have a tunnel set up for several websites already. So I just went into that tunnel and updated it to add two new public hostnames. This part is a little janky, I think, but it is the only way I could get it to work. My public hostname is set to nextcloud.domain.com and the internal service points to nextcloud.domain.com. Same for collabora. I haven't done this before where the public hostname is the same as the internal service name.
Finally, I edited the config.php in my Nextcloud container and added the following (inside the existing `$CONFIG` array):

```php
<?php
$CONFIG = array (
  // Addresses Nextcloud will accept X-Forwarded-* headers from.
  // 172.18.0.0/12 has host bits set within a /12 mask; it is treated as 172.16.0.0/12.
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',
    1 => '192.168.0.0/16',
    2 => '172.18.0.0/12',
  ),
  // Host header values Nextcloud will serve.
  'trusted_domains' =>
  array (
    0 => 'nextcloud.domain.com',
  ),
  // URL used when generating links from occ / cron (no request context).
  'overwrite.cli.url' => 'http://nextcloud.domain.com',
  // Force generated URLs to https, since TLS terminates at the proxy.
  'overwriteprotocol' => 'https',
);
```
Everything seems to be working fine. But I have very little experience with Nginx and I feel like I did something wrong somewhere. Any feedback would be appreciated.
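The part of this setup most worth verifying is whether the `trusted_proxies` list actually covers the hop that talks to Nextcloud, and what client IP Nextcloud ends up logging and brute-force-throttling on once the request has passed through cloudflared and Nginx. The following is an added example, not code from the post or from Nextcloud: it models a reverse-proxy-aware application resolving the client IP against the exact `trusted_proxies` list quoted above. The resolution rule used here (walk X-Forwarded-For right to left and take the first address that is not a trusted proxy) is a generic, conservative rule and is an assumption; it is not a verbatim copy of Nextcloud's implementation, so confirm on the real instance by comparing the IP shown in the admin log against your actual public IP. Function names and the sample addresses (203.0.113.x, 198.51.100.x, 172.18.0.x) are constructed for the example.

```python
"""Model of client-IP resolution behind trusted reverse proxies.

Added example (not from the original post or Nextcloud). TRUSTED_PROXIES is
the list quoted in the post; the walk direction and sample data are assumptions.
"""
import ipaddress

# Verbatim from the posted config.php. Note the third entry: a /12 mask means the
# network address is 172.16.0.0, so '172.18.0.0/12' has host bits set.
TRUSTED_PROXIES = ["127.0.0.1", "192.168.0.0/16", "172.18.0.0/12"]


def normalize_cidr(entry):
    """Return (network, had_host_bits) for a bare address or CIDR string.

    Most matchers silently mask the host bits off, so '172.18.0.0/12' admits
    everything from 172.16.0.0 to 172.31.255.255, not just 172.18.x.x. Knowing
    that is the point of flagging it.
    """
    try:
        return ipaddress.ip_network(entry, strict=True), False
    except ValueError:
        return ipaddress.ip_network(entry, strict=False), True


def audit_trusted_proxies(trusted):
    """Map each entry with host bits set to the network it really matches."""
    report = {}
    for entry in trusted:
        net, had_host_bits = normalize_cidr(entry)
        if had_host_bits:
            report[entry] = str(net)
    return report


def is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    return any(ip in normalize_cidr(entry)[0] for entry in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Resolve the IP an app should log and rate-limit on.

    remote_addr:     TCP peer the app server saw (here the Nginx/cloudflared hop)
    x_forwarded_for: raw X-Forwarded-For header value, or None

    Rule modelled (assumption, see lead-in):
      * peer not in trusted_proxies -> ignore the header entirely; anyone can
        send X-Forwarded-For, so only a trusted hop's copy means anything;
      * otherwise walk the chain from the right (nearest proxy) to the left and
        return the first hop that is not itself a trusted proxy. A client that
        prepends a fake address is skipped because the edge appends the real
        one after it;
      * if every hop is trusted, fall back to the peer address.
    """
    if not is_trusted(remote_addr, trusted) or not x_forwarded_for:
        return remote_addr
    for hop in reversed(x_forwarded_for.split(",")):
        hop = hop.strip().strip("[]")
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed hop; never trust it as a client address
        if not is_trusted(hop, trusted):
            return hop
    return remote_addr


if __name__ == "__main__":
    print(audit_trusted_proxies(TRUSTED_PROXIES))
    # Constructed request: peer is the Nginx container, Cloudflare appended the
    # real visitor after a client-supplied fake.
    print(resolve_client_ip("172.18.0.3", "1.2.3.4, 203.0.113.9"))
```

If `resolve_client_ip` returns the Docker-network address of the proxy rather than a public IP for a request from outside, the hop talking to Nextcloud is not covered by `trusted_proxies` and every visitor will be throttled as one client; if it returns the leftmost, client-supplied value, the forwarding chain is being trusted too eagerly.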