I plan to self-host Nextcloud, for now just for bookmark sync. Is there a point to installing a VPN on the computer running the instance? It shouldn't matter as long as I have HTTPS, right? What about if I don't have a domain? I can't have HTTPS without a domain (I'll buy one later, just want everything to work first). Or maybe use one of those free domain providers for now to get HTTPS? What do you guys think?

@Telodzrum@lemmy.world

This is all going to depend on your risk tolerance, overall attack surface, and network topology.

milkytoast
creator

What's attack surface and network topology?

SGG

In very basic terms, and why you want to do them:

Attack surface is the ports and services you are exposing to the internet. Keep this as small as possible to reduce the ways your setup can be attacked.

Network topology is the layout of your home network. Do you have multiple VLANs/subnets, or firewalls that restrict traffic between internal networks? A DMZ is probably a simple enough approach that is available on some home-grade routers. This is so that if your server gets breached, it minimises the amount of damage that can be done to other devices in the network.
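An added example, not part of any comment in this thread: one way to take stock of the attack surface described above is to list which listening sockets on the server are bound beyond loopback. The sample `ss -tlnH` output and the function names are constructed for illustration; a port shown here is only reachable from the internet if the router or firewall also forwards it.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 192.168.1.20:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:6379 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def classify(addr):
    """Return 'loopback', 'lan', 'public' or 'all-interfaces' for a bind address."""
    host = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface suffix
    if host == "*":
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:
        return "loopback"
    return "lan" if ip.is_private else "public"


def listeners(ss_output):
    """Parse ss lines into (port, scope) tuples, skipping anything malformed."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        rows.append((int(port), classify(addr)))
    return rows


def reachable_ports(ss_output):
    """Ports bound beyond loopback: exposed if a port forward or firewall rule allows it."""
    return sorted({p for p, scope in listeners(ss_output) if scope != "loopback"})


if __name__ == "__main__":
    for port, scope in listeners(SAMPLE_SS_OUTPUT):
        print(f"{port:>5}  {scope}")
    print("review these ports:", reachable_ports(SAMPLE_SS_OUTPUT))
```

On a real host, pass the output of `ss -tlnH` to `listeners()` instead of the sample.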

Display Name

I’d use a free dynamic DNS hoster.

You can get SSL easily with Nginx Proxy Manager and Let’s Encrypt.

Easy setup with podman or docker compose for Nextcloud:

https://github.com/nextcloud/docker#running-this-image-with-docker-compose

And

https://nginxproxymanager.com/guide/#quick-setup

@JonnyJaap@lemmy.world

Dunno if you are still watching this post.

I have a few comments on your post and the other panic about security.

  1. Using Nextcloud only for bookmarks is total overkill, but if you want to start and understand it and later use it more, it’s actually a good idea.

  2. Yes, exposing ports in your firewall is potentially dangerous, BUT if you only expose a port and not the complete PC, the firewall deals with attacks (but your services still have to be up to date to ensure safety).

  3. Yes, using a VPN instead of exposing the service is safer, that’s for sure. You can do it that way for a start. But don’t let yourself be frightened by some of the other comments. I have several services public on my network. 3.1. BUT I still evaluate whether this service even has to be public and the risk of late patches. I have public services and local services (name.domain.com and name.local.domain.com). Any service that I don’t need to access from a random PC or share with family/friends can only be accessed in the local network or via VPN.

  4. It’s good you are careful. Try to search online for more information, since this post didn’t get a lot of comments.

Edit: 5. Don’t know why people recommend Tailscale, where you need an account, instead of recommending WireGuard (Tailscale is built on WireGuard) or OpenVPN.

Edit 2: 6. Don’t use UPnP! It enables your machines to automatically open ports, that’s so bad.
