Netgate Discussion Forum
ownCloud instance only on my LAN - first thing to do to secure it?

General pfSense Questions
NGUSER6947
last edited Feb 27, 2025, 6:16 PM

Running ownCloud on one of my PCs as a proof-of-concept. So far I like it.

I don't need and don't intend to open it up to the internet; this is just for my own use and I have almost zero need to get to any of the files when I'm away from home.

I'm currently just using http: to access it, no SSL.

On my pfSense, I am running pfBlockerNG.

I guess first, how much at risk is my ownCloud server (using good passwords) just sitting here on my network? In other words, how quickly do I need to up security?

Also, is using SSL the best thing to do since I don't intend to be able to access this from outside the LAN? I do have some IoT gear (Unifi) and a streaming device on my LAN. Some other devices are on separate VPNs.

Gblenn @NGUSER6947
last edited Feb 27, 2025, 6:26 PM

@NGUSER6947 It is about as safe as anything else on your LAN, including the login to your pfSense. Using http or https on the LAN doesn't really matter too much since it is your LAN and it's behind your firewall.

However, I do think you will in fact start accessing ownCloud, or is it NextCloud, from the internet. Having it on the phone and keeping all your pictures backed up is great. But even so, you can set up HAProxy or Nginx Proxy Manager to handle SSL encryption.

NGUSER6947 @Gblenn
last edited Feb 27, 2025, 8:05 PM

@Gblenn Thanks for the input. I have started to look at various ways of incorporating SSL (had not looked at HAProxy or Nginx Proxy Manager). Lots of options it seems, and I'm a little out of my wheelhouse on some of this.

stephenw10 Netgate Administrator
last edited Feb 27, 2025, 10:08 PM

I would expect ownCloud to have its own SSL options. I wouldn't go trying to add an external proxy to it until you're comfortable with ownCloud itself.

NGUSER6947 @stephenw10
last edited by NGUSER6947, Feb 28, 2025, 1:43 AM

@stephenw10 Good point.

I started down the path of setting up SSL on my system. Registered a domain, and the next step is going through the process to obtain a certificate. Lots to learn (certificate signing request generation, etc.). Yikes. Hope I can figure this all out.

NGUSER6947 @NGUSER6947
posted Feb 28, 2025, 11:13 AM; last edited by NGUSER6947, Feb 28, 2025, 11:18 AM

Well, this spiraled into utter garbage quickly. (Warning, slight rant.) I woke up and decided to use Let's Encrypt for my SSL certificates. I have a domain now, right? Should be easy. Ha Ha Ha Ha. I installed Certbot (that part worked) but could not do either the automatic Apache cert generation and install, or even just the generic cert generation. It apparently reaches out to the domain to make sure that's where my server is. Well, of course it isn't there; my local PC is the server. And it has nothing to do with the domain I reserved. Why would it? I am at a major brain block here. Is the expectation that I tie my local PC into that domain for some reason?

I know this isn't really a pfSense thing, so I probably shouldn't go on about it in this forum. Or is it? Should I be somehow linking to that domain I registered and configure the Dynadot DNS inside my pfSense?

Is there a subforum here where these things can be discussed (i.e. not a direct pfSense issue)? My experience here has always been outstanding and I've always gotten much better help here than by using other forums.

For now I guess I'll disable my port forward rules for 80 and 443 and just run local, until/if I can ever figure this out.

stephenw10 Netgate Administrator
last edited Feb 28, 2025, 1:08 PM

It depends how you are confirming the domain in ACME, but either way it must resolve to something you can control.
https://docs.netgate.com/pfsense/en/latest/packages/acme/general.html#validation-process

You can discuss anything you like in Off-Topic (within reason!)

But if you're running ACME in pfSense, rather than in ownCloud directly, you can continue here or in the packages section.

NGUSER6947 @stephenw10
posted Feb 28, 2025, 1:54 PM; last edited by NGUSER6947, Feb 28, 2025, 1:55 PM

@stephenw10 Thanks (again).

Is it correct that the ACME package is essentially the same as EFF's Certbot tool (same result, anyway)?

As I let my brain work on this in the background a bit, here's the rough list of steps I think I need to follow:

1. Ensure my pfSense NAT is configured to port forward both 80 and 443 (actually, do I need or want 80? maybe not).
2. Ensure my pfSense firewall rules for those redirects are correct.
3. Go to my Dynadot and set up DNS (I need a class A for both <domain name> and <www.domain name> I think). In this setup [screenshot]: I select Type = "A" and to the right, enter the port forwarded IP address of my server (including the :443?).
4. Then give it a little time to propagate the web.
5. Finally, set up ACME on pfSense.

Am I conceptually correct on this sequence?

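Added example (editorial, not part of the thread, and not the internals of Certbot or the pfSense ACME package): the shell below derives the two challenge responses an ACME client publishes, following RFC 8555 (sections 8.3 and 8.4) and the JWK thumbprint rule of RFC 7638. It makes concrete what the validation page stephenw10 linked and the step list above are about. With HTTP-01 the CA fetches a file over plain HTTP on port 80 at whatever address the domain's A record gives, so that record has to hold your public IP (an A record is an IPv4 address only; it carries no port), and port 80 has to be forwarded to the web server while validation runs. With DNS-01 the CA only looks up a TXT record at _acme-challenge.<domain>, which you set by hand or through the DNS provider's API, so nothing has to be forwarded and ownCloud is never reachable from outside; that is the variant that fits a LAN-only server. The account key values, token and domain in the demo are constructed placeholders; the e and n of an actual ACME account key would go in their place. Needs only POSIX sh and the openssl CLI.

```shell
#!/bin/sh
# Added example: ACME HTTP-01 and DNS-01 challenge responses (RFC 8555 s8.3/s8.4)
# derived from a JWK thumbprint (RFC 7638). POSIX sh + openssl CLI only.
set -eu

# base64url(SHA-256(string)) without padding, the encoding ACME/JOSE use everywhere.
b64url_sha256() {
    printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A \
        | tr '+/' '-_' | tr -d '=\n'
}

# RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the JSON of the required
# members only ("e","kty","n"), keys in lexicographic order, no whitespace.
# $1 = e (base64url), $2 = n (base64url)
jwk_thumbprint_rsa() {
    b64url_sha256 "{\"e\":\"$1\",\"kty\":\"RSA\",\"n\":\"$2\"}"
}

# Key authorization = <token>.<thumbprint>.  $1 = token issued by the CA, $2 = thumbprint
key_authorization() {
    printf '%s.%s' "$1" "$2"
}

# HTTP-01: the CA GETs this URL on port 80 at the IP the domain's A record resolves to
# and expects the key authorization as the response body.
http01_url()  { printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"; }  # $1 = domain, $2 = token
http01_body() { key_authorization "$1" "$2"; }                                   # $1 = token, $2 = thumbprint

# DNS-01: the CA queries TXT _acme-challenge.<domain> and expects
# base64url(SHA-256(key authorization)). No inbound connection to your network at all.
dns01_name()  { printf '_acme-challenge.%s' "$1"; }                 # $1 = domain
dns01_value() { b64url_sha256 "$(key_authorization "$1" "$2")"; }   # $1 = token, $2 = thumbprint

# --- constructed demo values (not a real key, token or domain) ---
DEMO_E='AQAB'
DEMO_N='NotARealRsaModulus_ConstructedForThisExampleOnly'
DEMO_TOKEN='ConstructedTokenValueFromTheCa'
DEMO_DOMAIN='owncloud.example.net'

thumb="$(jwk_thumbprint_rsa "$DEMO_E" "$DEMO_N")"
echo "account key thumbprint : $thumb"
echo "HTTP-01 serve at       : $(http01_url "$DEMO_DOMAIN" "$DEMO_TOKEN")"
echo "HTTP-01 body           : $(http01_body "$DEMO_TOKEN" "$thumb")"
echo "DNS-01 TXT record name : $(dns01_name "$DEMO_DOMAIN")"
echo "DNS-01 TXT record value: $(dns01_value "$DEMO_TOKEN" "$thumb")"
```

Reading the two outputs side by side answers the "do I need 80?" question: the HTTP-01 URL only exists if port 80 reaches a web server at the A record's address, while the DNS-01 record lives entirely at the DNS provider. Either way the certificate that comes back is for the public name, so the LAN clients need to reach ownCloud by that name (a local DNS override on pfSense does that) for the browser warning to go away.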
michmoor LAYER 8 Rebel Alliance @stephenw10
last edited Feb 28, 2025, 2:05 PM

@stephenw10 said in ownCloud instance only on my LAN - first thing to do to secure it?:

    I would expect ownCloud to have its own SSL options. I wouldn't go trying to add an external proxy to it until you're comfortable with ownCloud itself.

Curious statement. Would you not put HAProxy (or any reverse proxy) in front? I'm guilty of putting a reverse proxy in front of my Nextcloud instance and don't rely on the ACME process in the application.
What are your thoughts on one vs the other? Just curious. Maybe there is a benefit.

Firewall: NetGate, Palo Alto-VM, Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP, CCNP Enterprise

stephenw10 Netgate Administrator
last edited Feb 28, 2025, 2:17 PM

HAProxy with ACME in front of ownCloud is a much more complex setup than just ownCloud. Especially if you're unfamiliar with either. 😉

It's always better to go one step at a time.

michmoor LAYER 8 Rebel Alliance @stephenw10
last edited Feb 28, 2025, 2:25 PM

@stephenw10 Is there a security benefit?

stephenw10 Netgate Administrator
last edited Feb 28, 2025, 2:32 PM

Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

NGUSER6947 @stephenw10
last edited Feb 28, 2025, 2:51 PM

@stephenw10 said in ownCloud instance only on my LAN - first thing to do to secure it?:

    Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

Maybe that's what I should just do, and maybe my struggles with setting up SSL are a sign (danger danger). I really don't need remote access currently; I just wanted to eliminate the "Not secure" browser warnings and also the big red warnings in the OC admin page.

My main reason to get this OC instance going was to have it ready to go in case we find out that the popular paid cloud service I currently use has either been hacked or (more likely) served with some order to open it up for government monitoring (similar to what just happened with Apple in the UK). I may just leave it LAN-only or possibly go the pfSense VPN route if I do decide I need external access.

michmoor LAYER 8 Rebel Alliance @stephenw10
posted Feb 28, 2025, 2:51 PM; last edited by michmoor, Feb 28, 2025, 2:54 PM

@stephenw10 said in ownCloud instance only on my LAN - first thing to do to secure it?:

    Not really. I mean the best security is not to open ports to OC at all. Just use a VPN if you need external access.

But how do I share my cat videos with those I love?

Jokes aside, you guys have your own NextCloud server; I know I've used it to upload trouble issues. Is SSL on the application or through a proxy? Feel free to not answer if it's divulging sensitive info. I'm just curious as to how your organization handles something that needs to be exposed to the outside world.

For what it's worth, I have my external applications pass through Cloudflare WAF, which I have no shame in stating that I pay for the advanced rule sets.

stephenw10 Netgate Administrator
last edited Feb 28, 2025, 4:05 PM

Local access only with VPN for external access is safer and simpler to set up. I would at least start out using that.

NGUSER6947 @stephenw10
last edited by NGUSER6947, Mar 2, 2025, 12:11 PM

If I remain (until I decide to implement a VPN on pfSense) http:-only, does that mean my phone (for example) is periodically (via the ownCloud app) pinging my 192.168... address and potentially transmitting login credentials, when I'm away from home and on other wifi or the cellular network?

I think I still need to get https: working even if I am not intending to connect to it remotely.

That said, is my post above (with the screenshot of Dynadot) conceptually correct? In my head I'm struggling to understand how my local PC with OC is to become part of the domain (that I reserved in Dynadot) or if that's even what I'm supposed to do.

stephenw10 Netgate Administrator
last edited Mar 2, 2025, 7:24 PM

Does OC have its own Let's Encrypt/ACME plugin? That's almost certainly easier than trying to pull it from pfSense.

Of course you don't actually need to use an LE cert just to use https. You can just use a self-signed cert locally.

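Added example (editorial, not from the thread, and not something ownCloud or pfSense generate for you): the self-signed certificate stephenw10 suggests, made with the openssl CLI for a LAN-only server. The hostname owncloud.lan and the address 192.168.1.50 are placeholders. The detail the classic one-line `openssl req -x509` misses is a subjectAltName covering the name and the IP that clients actually type, because browsers and the ownCloud apps ignore the CN and match the SAN only. No domain, DNS record or port forward is involved, since nobody outside the LAN has to validate anything. The cert still has to be imported as trusted on each phone and PC, otherwise the "Not secure" warning just turns into an untrusted-certificate warning.

```shell
#!/bin/sh
# Added example: self-signed TLS cert for a LAN-only ownCloud, with a SAN for both the
# hostname and the RFC 1918 address clients connect to. Needs openssl 1.1.1+ (-addext).
set -eu

# $1 = output directory, $2 = hostname, $3 = LAN IPv4 address
make_selfsigned_cert() {
    dir="$1"; host="$2"; ip="$3"
    # 825 days: the longest validity Apple clients accept for a TLS server cert.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$dir/owncloud.key" -out "$dir/owncloud.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    chmod 600 "$dir/owncloud.key"   # the private key is the whole secret; keep it owner-only
}

# Returns 0 if the certificate text contains $2, e.g. "IP Address:192.168.1.50"
# (only the subjectAltName extension prints entries in that form).
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Returns 0 if the cert validates against itself, which is exactly what a client sees
# once owncloud.crt has been imported into its trust store.
cert_verifies_selfsigned() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo run into a scratch directory (constructed hostname and address).
out="$(mktemp -d)"
make_selfsigned_cert "$out" owncloud.lan 192.168.1.50
openssl x509 -in "$out/owncloud.crt" -noout -subject -dates -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$out/owncloud.crt" -noout -subject -dates
echo "key and cert written to $out"
```

Point the web server in front of ownCloud at the two files (for Apache, SSLCertificateFile and SSLCertificateKeyFile), then install owncloud.crt on each client and browse to https://owncloud.lan or https://192.168.1.50; both names are in the SAN, so either works without a warning. Anything that talks to the server without trusting the cert, including a sync client, will refuse or warn, which is the behaviour you want rather than silently accepting any certificate.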
NGUSER6947 @stephenw10
last edited Mar 2, 2025, 7:44 PM

@stephenw10 I just went down the path of setting up Let's Encrypt and have at least succeeded in getting LE to create my certificate. Now I'm at the point of getting it to actually work from a client PC. I posted a new thread in the Firewall section here since I was getting firewall blocks on access to port 80.

stephenw10 Netgate Administrator
last edited Mar 2, 2025, 8:10 PM

Are you running LE in OC or in pfSense?

NGUSER6947 @stephenw10
last edited Mar 5, 2025, 10:35 AM

@stephenw10 ownCloud.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.