this post was submitted on 09 Sep 2023
69 points (92.6% liked)

Selfhosted

40347 readers
387 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Says "Please type in the domain into the input field below that will be used for Nextcloud in order to create a new AIO instance."

I dont wanna unnecessarily spend money

you are viewing a single comment's thread
view the rest of the comments
[–] strawberry@artemis.camp 1 points 1 year ago (1 children)

didnt want one bc i gotta pay, but its fine, and especially since i can get those certificates

[–] kristoff@infosec.pub 1 points 1 year ago* (last edited 1 year ago)

Hi,

Good idea!

And once you have you domainname, you can do the following:

  • set up a reverse reverse proxy (apache, nginx) in front of nextcloud
  • in the configuration of apache/bginx use virtual hosts.
  • make sure that the default virtualhost (in apache, that is the the one that does not have "ServerName") first in the configuration. Point that to a local website with just an empty directory
  • then, AFTER the default virtual host, add the reverse-proxy configuration of your nextcloud instance.

What this does, is that if somebody addresses your website with a URL that does not contain the exact hostname of your nextcloud, the webquery will go to the empty website and simply return a 404. A hacker who does a webrequest to "https://your-ip-address/login" will just get a "404 not found" and not reach your nextcloud instance.

This keeps people who just scan the internet for vulnerable systems and try out all kind of URLs to try to get in out of your nextcloud.

Of course, this only works if you keep the full hostname of your instance to yourself and do not post it somewhere (including social media, mailing-lists, ...)

Good luck with your nextcloud server