how to access nextcloud outside LAN?

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨milkytoast@kbin.social⁩ to ⁨selfhosted@lemmy.world⁩

https://kbin.social/m/selfhosted@lemmy.world/t/774216

ive anabled a port forward on port 80 (TCP/UDP) to my server, but i still cant acess it. i know its unsafe to just open a port like that, this is temporary, just wanna see if it works. ill put a reverse proxt and https on it later

source

Comments

Sort:hotnew top

thantik@lemmy.world ⁨9⁩ ⁨months⁩ ago
I’m kinda weirded out by all the people suggesting a VPN here.

Like – if you’re hosting Nextcloud, Jellyfin, etc and you want friends/family to use it, having them VPN into shit is a hurdle that none of them are going to overcome.

You need to make sure you’re not behind CGNAT first, if not, don’t use Nextcloud on port 80, put it on another port, and then open that port to the outside world.

Just be aware, you REALLY want these things to be isolated from your home environment if you’re going to host them, and you NEED to be on some sort of CVE notification list for the software you currently use. Not all CVEs are “YOU MUST UPGRADE NOW”, but some of them can be pretty severe.

source
- Mugmoor@lemmy.dbzer0.com ⁨9⁩ ⁨months⁩ ago
  A cheaper, albeit less secure alternative, is purchasing a domain and setting up a Cloudflare tunnel.
  
  source
  - h3ndrik@feddit.de ⁨9⁩ ⁨months⁩ ago
    I think opening a tunnel and forwarding the port through it and opening a port forward directly have about the same security implications. Both end up opening the same port and forwarding the same packets to the same computer. The only difference is with a tunnel there is an extra step in between that slows things down. In some edge cases it may be nice if people can’t directly see your IP but just the one from the tunnel. But that doesn’t matter if it’s only for you and your friends. Might be a concern though if you’re a big live-streamer and fear people DDoSing you. But then there are better alternatives. So I think a tunnel only makes sense if you can’t get the port forward running. Not for securitz purposes.
    
    source

Decronym@lemmy.decronym.xyz ⁨9⁩ ⁨months⁩ ago

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
CGNAT	Carrier-Grade NAT
IP	Internet Protocol
NAT	Network Address Translation
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)

[Thread #441 for this sub, first seen 19th Jan 2024, 23:25] [FAQ] [Full list] [Contact] [Source code]

source

thantik@lemmy.world ⁨9⁩ ⁨months⁩ ago
You missed CVE – Common Vulnerabilities and Exposures

source

thecrotch@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
Absolutely do not expose your server on port 80. Http is unencrypted, you’d be sending your login credentials in plaintext across the open internet. That is Very Bad™. If you own a domain name, you can set up a letsencypt cert fairly easily for free. Then you could expose 443 and at least your traffic will be encrypted in transit. It won’t solve the other potential issues of exposing your instance like brute force or ddos attacks, but I’d consider it a bare minimum.

If you use a VPN like many others are suggesting it won’t matter as much because the unencrypted traffic never leaves your local network.

source
- peeteer@feddit.de ⁨9⁩ ⁨months⁩ ago
  As a side note: you not technically need a domain or a let’s encrypt certificate to enable https. As a test you can create your own certificate, and use that for https (snake-oil certificate).
  
  This is not appropriate for longer-term usage. If you want to run websites on the Internet long-term, you should buy a domain and get a lets-encrypt certificate.
  
  source
  - thecrotch@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
    Technically true but I wouldn’t suggest using a self signed cert on the internet under any circumstances.
    
    source
BearOfaTime@lemm.ee ⁨9⁩ ⁨months⁩ ago
Tailscale.

You can run clients on all your devices. Or if you want easier access, use the Funnel feature.

Tailscale Funnel lets you expose a local service, file, or directory to the entire internet.

tailscale.dev/blog/funnel-serve-demo

source
uzay@infosec.pub ⁨9⁩ ⁨months⁩ ago
To be honest, I would advise against opening your home network like that at all. A VPN would be much safer. If you use something like Tailscale it would be much easier as well and doesn’t need opening any ports at all.

source
nodsocket@lemmy.world ⁨9⁩ ⁨months⁩ ago
If you want to be very secure, host a VPN and don’t open any ports besides the VPN port. Then access anything as though you’re on LAN.

source
rambos@lemm.ee ⁨9⁩ ⁨months⁩ ago
Afik nextcloud runs only on https, so 443 would be more suitable. I use wiregurd tho

source
h3ndrik@feddit.de ⁨9⁩ ⁨months⁩ ago
How have you tested this? You need to use the external IP address of your router to open it. And you need to test that from another internet connection. Also make sure the browser is actually trying to open an http connection on port 80. Some modern browsers try to use https on port 443 instead and that wouldn’t be reachable.

source
- milkytoast@kbin.social ⁨9⁩ ⁨months⁩ ago
  10.x.x.x IS an external adres yes? how do I check?
  
  source
  - h3ndrik@feddit.de ⁨9⁩ ⁨months⁩ ago
    Sorry, 10.x.x.x is a private IP address range. That can’t be reached from the internet.
    
    Maybe try one of the services that display your IP like www.showmyip.com or the one mentioned earlier, that also shows your IP.
    
    source
Starbuck@lemmy.world ⁨9⁩ ⁨months⁩ ago
Please set up Tailscale or a Wireguard VPN before you start forwarding ports on your router.

Your configuration as you have described it so far is setting yourself up for a world of hurt, in that you are going to be a target for hackers from literally the entire world.

source
- thecrotch@sh.itjust.works ⁨9⁩ ⁨months⁩ ago
  
  before you start forwarding ports on your router
  
  Don’t you mean instead of? If all the OP wants to do is access next cloud, they can do it over the VPN without forwarding ports. What you’re suggesting is just adding yet another attack vector (the VPN itself)
  
  source
  - Starbuck@lemmy.world ⁨9⁩ ⁨months⁩ ago
    Realistically, yes. But it’s a phrase and it’s important that they start doing that first. Maybe it’s their intention to do it publicly.
    
    Also, sure, but a Wireguard installation is going to be much more secure than a Nextcloud that you aren’t sure if it’s configured correctly. And Tailscale doubly so.
    
    source
    -> View More Comments
Rentlar@lemmy.ca ⁨9⁩ ⁨months⁩ ago
I’ve not set up Nextcloud myself, so a basic question first: have you already tried canyouseeme.org to check for the running service on that port?

If the service is not available, then either your server or the router isn’t configured correctly. If it is, then the problem is in the software.

source