this post was submitted on 24 Jul 2023
13 points (88.2% liked)

Selfhosted

40133 readers
530 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hey y'all! First time trying to self-host something, I started with a local Nextcloud instance for me and my family to use. I just wanted to make sure that no outsiders can enter the instance (access it or its files) through a browser on another connection.

I don't have a DNS server so we access it through its IP address. The connection is unencrypted (I don't know if this is a problem on a local instance, but from what I've read, I need a local DNS server to encrypt it, as well as to be able to set a domain (?) name (I don't really know if it's a domain name, but I'm referring to the website name, for instance google.com). I don't think leaving it as it is (unencrypted, no domain name, only accessible through IP) will be problematic. Could other people access the server remotely with this setting? By remotely, I mean from far away. I tried out Nextcloud's own Security Scan and it returns:

Scan failed! The scan for the specified domain failed. Either no Nextcloud or ownCloud can be found there or you tried to scan too many servers.

I'm guessing this is a good thing for what I'm trying to achieve?

for reference, the tutorial I've used is this one under Linux Mint

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 31 points 1 year ago (1 children)

In general, if you haven’t taken steps to expose your service to the Internet, it’s not accessible over or to the internet. Your router that connects you to the Internet should have a firewall that blocks all inbound, unsolicited requests, and you also need to do something explicit with most self hosted service to expose them, they will not announce themselves to the world.

In addition if you’re using an ipv4 network address that’s likely a private address (like 10.x.y.z, 172.x.y.z, or 192.168.x.y), which also isn’t accessible outside of your network.

[–] [email protected] 4 points 1 year ago

That's good to know, thanks

[–] [email protected] 4 points 1 year ago

If you use private IP adresses, then no traffic will leave your internal network. Those IPs are not routed trough the Internet 😊

So no one can access your nextcloud outside your network

[–] [email protected] 4 points 1 year ago

You don't need a local DNS server to set up https, but you do need a domain name. If it's something that you wanted to pick up, you can buy them at a number of different places and you'd have to set up a mechanism to make sure the IP address referenced is the correct one. You can either do that by having a static IP address or by setting up some form of dynamic DNS. Then you can use letsencrypt to set up https.

Okay so here's I think the core of your question though: the only way that someone outside of your network can access your nextcloud is if you have set up the server to be accessible from the outside world. You would have to go into your router and forward Port 80 to the local IP address of your nextcloud server. If you don't do that, then it will only be accessible to the people inside of your network. Rotors do something called Network address translation which lets many devices on your local network connect to the internet despite only having one external IP address. If you're accessing the server using a 192.168 address or a 10.x.x.x address you are already using the internal IP address and not your external Internet IP address so you're likely safe.

One neat trick because remembering IP addresses is a pain in the butt is the hosts file. On windows it's in c:\windows\system32\drivers\etc\hosts and you can set a hostname to immediately resolve to a certain IP address. It's particularly nice because it's free, it's fast, and once you set it you can forget it.

My websites are on the public internet, but I use the host to file to point them at the internal IP address because that way I can directly connect to my servers even when the internet is down.

[–] [email protected] 4 points 1 year ago (2 children)

There's going to be a bunch of caveats here, but basically...

Assuming you're using a NAT router to connect to the internet (basically everyone is nowadays): If you're using a local LAN IP address (10..., 192.168.., or 172.[16-32]..*) then nobody on the internet can access any services on that IP, unless you specifically port forward it through your router. Assuming there's nobody dangerous on your local network (and nobody gets a remote-access virus) and your router itself is not hackable then yes it's entirely safe.

You don't technically need a public domain name to set up an SSL certificate, but to smoothly streamline the process in a way that modern software trusts it, you do. A self-signed certificate can be created for any IP address and it will provide full encryption and avoid interception of traffic between established clients, but you will get a scary warning that the certificate is self-signed every time you connect a new client or browser, because it cannot be verified. It still works though, it's just (intentionally) scary, because it doesn't know what you're doing with it and it doesn't know how to establish trust. You probably don't need this, but it is an option. Setting up a self-signed certificate will have various degrees of complexity in documentation depending on what web server you're using, I would recommend using the simplest guide you can find for the relevant web server if you choose to go that route, you don't need anything complex for this. The keywords you're looking for are "self-signed certificate"

Welcome to self-hosting. Nextcloud is a great thing to self-host, too. Hope you enjoy.

[–] [email protected] 2 points 1 year ago

If you add the CA for the self signed certificate to all of your devices, they will trust it and the warning will go away.

[–] [email protected] 1 points 1 year ago

Oh, we're enjoying it alright! Ever since Apple announced that they would kill off a service that we were using (basically to sync files between different computers and TVs) and replace it with iCloud (for which we would have to pay a lot). It was a pain trying to set it up but eventually I got it working. Very impressed at how well it does its thing.

[–] [email protected] 3 points 1 year ago

It sounds like you are accessing it only from your local network, and as long as it stays that way its fine. I have a DNS Server at home, set up a domain name, therefor have certificates from letsencrypt which get automatically renewed for https access, AND STILL I only access it from my local network with no ports open to the www.

If you have your instance openend up to the internet (e.g. by port forwarding from your ISPs router to your nextcloud instance) and have no encryption / no certificate, thats a major flaw and i would advise you to shut it down immediately and close the port.

[–] [email protected] 3 points 1 year ago

Since your other question is already answered:

think leaving it as it is (unencrypted, no domain name, only accessible through IP) will be problematic.

Yes, that's no biggy since it is on your local network only. But be aware that everyone that has access to your network could potentionally capture all the files you're transfering and your nextcloud credentials as well. Other than that, your communication with nc will be encrypted on the wifi layer.

[–] [email protected] 2 points 1 year ago

Here is an alternative Piped link(s): https://piped.video/5IUKE3oA7AY

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source, check me out at GitHub.