I plan to selfhost nextcloud, for now just for bookmark sync. is there a point to installing a vpn on the computer running the instance? it shouldnt matter as long as i have https right? what about if i dont have a domain? i cant have https without a domain (ill buy one later just want everything to work first). or maybe use one of those free domain providers for now to get https? what do you guys think?

  • milkytoast@kbin.socialOP
    link
    fedilink
    arrow-up
    2
    ·
    11 months ago

    i would need to open a port even if i were to use a domain name correct? would hiding the ip behind a reverse proxy be enough? is nextclouds brute force protection not enough?

    • BearOfaTime@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      11 months ago

      A reverse proxy helps, a LOT, like practically eliminating the issue because authentication happens at the proxy, not your port. I’ve never set one up, but I think your local system makes an outbound connection to the proxy, creating the tunnel. In this way no one ever knows what they’re really connecting to - the proxy appears to be the endpoint.

      Which is essentially what Tailscale Funnel does - they expose an interface, then encrypt a tunnel between your Tailscale network and that “proxy”.

      Same concept, just all rolled in to one thing, a check box and a little config info. TS Funnel will create the url to access your service. I suppose you could create another domain/url and have it redirect (or use a link shortener) to make it easier to share. I think by default it uses your Tailscale network name as the domain, and adds to it to define the service.

      https://tailscale.dev/blog/funnel-serve-demo

        • BearOfaTime@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          2
          ·
          11 months ago

          When you do something like Reverse Proxy or Tailscale, your devices make an outbound connection to the Reverse proxy (or with Tailscale it goes to their auth/directory service) using UPnP.

          UPnP is standard protocol these days, and how pretty much any communication or gaming app works. The port opening is performed dynamically by the router, the port number is different every time an outbound connection is made, and it’s ephemeral (both in the range and that the port closes after the session is complete). This isn’t something that’s typically blocked or disabled, as it would break all sorts of things.

          https://en.m.wikipedia.org/wiki/Universal_Plug_and_Play

          I may have misstated exactly how it works - I studied it when it was released, it became ubiquitous and always works, so I haven’t stayed current or reread anything for a while. It just works (and man has it saved me a ton of manual port config).

          • MaggiWuerze@feddit.de
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 months ago

            The fact, that I have to enable it on a device by device basis on my router speaks to the opposite. You shouldn’t let some app open random ports on your router and you didn’t need to do so for years