Netgate Discussion Forum

    ownCloud instance only on my LAN - first thing to do to secure it?

    General pfSense Questions
      stephenw10 Netgate Administrator

      HAProxy with ACME in front of Owncloud is a much more complex setup than just Owncloud. Especially if you're unfamiliar with either. 😉

      It's always better to go one step at a time.

        michmoor LAYER 8 Rebel Alliance @stephenw10

        @stephenw10 Is there a security benefit?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          stephenw10 Netgate Administrator

          Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

            NGUSER6947 @stephenw10

            @stephenw10 said in ownCloud instance only on my LAN - first thing to do to secure it?:

            Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

            Maybe that's what I should just do and maybe my struggles with setting up SSL are a sign (danger danger). I really don't need remote access currently, just wanted to eliminate the "Not secure" browser warnings and also the big red warnings in the OC admin page.

            My main reason to get this OC instance going was to have it ready to go in case we find out that the popular paid cloud service I currently use has either been hacked or (more likely) served with some order to open it up for government monitoring (similar to what just happened with Apple in the UK). I may just leave it LAN-only or possibly go the pfSense VPN route if I do decide I need external access.

              michmoor LAYER 8 Rebel Alliance @stephenw10

              @stephenw10 said in ownCloud instance only on my LAN - first thing to do to secure it?:

              Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

              But how do I share my cat videos with those I love?

              Jokes aside, you guys have your own NextCloud server I know I've used to upload trouble issues. Is SSL on the application or through a proxy? Feel free to not answer if it's divulging sensitive info. I'm just curious as to how your organization handles something that needs to be exposed to the outside world.

              For what it's worth, I have my external applications pass through Cloudflare WAF, which I have no shame in stating that I pay for the advanced rule sets.

                stephenw10 Netgate Administrator

                Local access only with VPN for external access is safer and simpler to set up. I would at least start out using that.

                  NGUSER6947 @stephenw10

                  If I remain (until I decide to implement a VPN on pfSense) http:-only, does that mean my phone (for example) is periodically (via the ownCloud app) pinging my 192.168... address and potentially transmitting login credentials, when I'm away from home and on other wifi or the cellular network?

                  I think I still need to get https: working even if I am not intending to connect to it remotely.

                  That said, is my post above (with the screenshot of Dynadot) conceptually correct? In my head I'm struggling to understand how my local PC with OC is to become part of the domain (that I reserved in Dynadot) or if that's even what I'm supposed to do.

                    stephenw10 Netgate Administrator

                    Does OC have its own Let's Encrypt/ACME plugin? That's almost certainly easier than trying to pull it from pfSense.

                    Of course you don't actually need to use a LE cert just to use https. You can just use a self-signed cert locally.

                      NGUSER6947 @stephenw10

                      @stephenw10 I just went down the path of setting up Let's Encrypt and have at least succeeded in getting LE to create my certificate. Now I'm at the point of getting it to actually work from a client PC. I posted a new thread in the Firewall section here since I was getting firewall blocks on access to port 80.

                        stephenw10 Netgate Administrator

                        Are you running LE in OC or in pfSense?

                          NGUSER6947 @stephenw10

                          @stephenw10 OwnCloud.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.