Need some general security and setup advice


pepe sasa, New Member, Aug 3, 2020
So, first let me explain my current setup:
FreeNAS on a PC, currently running only for backups. Raspberry Pi running Pi-hole as an ad blocker (but only for my PCs, not my entire network) and also running PiVPN with WireGuard for server maintenance and access from outside of my network.

Now I want to install the Nextcloud plugin on my FreeNAS system and would like to be able to access it from the outside, but not by connecting to my VPN. Just as a normal website. I think it would be too risky to directly open the ports to my FreeNAS system from the router, as I also have all of my backups on it. So the idea would be to set up a reverse proxy server in front of the FreeNAS system. I don't have another computer for that use and also wouldn't like to pay the electricity costs for that. Could I install the reverse proxy on my Raspberry Pi, as it already has a public domain name for the VPN, or would that cause conflicts?

Also, if that wouldn't cause any conflicts: I have never set up a reverse proxy server myself. Do you have any good guide recommendations for a reverse proxy server on a Raspberry Pi?

Thank you all for your help!

RTM, Well-Known Member, Jan 26, 2014
Honestly, I think that is a bad idea.
A reverse proxy will still allow attacks against the Nextcloud installation; there really isn't much extra protection in a reverse proxy (though a WAF like ModSecurity might help a little).

A slightly better way might be to use your Raspberry Pi as the Nextcloud server and use the FreeNAS server as the storage platform for that, if you must.
But... I think you are best off using your VPN to access the Nextcloud.

If you choose to ignore the above, then to at least answer part of your question: nginx is a good reverse proxy.

pepe sasa, New Member, Aug 3, 2020
Hmmmm. Ok. The reason why I wanted to access the Nextcloud is because I was going to create some additional accounts on it for some friends, but didn't want to give them full access to my network by connecting to the VPN. I'll take a look at how to set up the FreeNAS server as storage for a Nextcloud installation on the Pi. That's very interesting. I had my Nextcloud installation on my Raspberry Pi for some time, so it wouldn't be a big problem to reinstall that.
Thank you for your advice, I'll see if I can set it up this way.

NashBrydges, Member, Apr 30, 2015
NextCloud is one of the most secure and robust file sharing platforms out there and it is designed to be available as a public site. Sure, having it behind a VPN is more secure, but that's assuming your VPN setup isn't vulnerable (i.e. don't use PPP but instead use L2TP as a bare minimum, with a passphrase instead of a password, etc.). I agree that you should set up a reverse proxy so that you can route based on the domain name used to connect to your IP. That's pretty easy to do. I use NGINX as a reverse proxy and can share my config with you if that would help. To make your NextCloud install more secure, set up 2FA.

I've set up multiple clients with publicly accessible NextCloud instances that they use to share documents with their clients, which you can't do if the install is only accessible via VPN (kind of defeats the file sharing purpose for NextCloud).

[attachment: nextcloud2.png]

Here is a scan of my publicly accessible NextCloud instance through Mozilla Observatory.

[attachment: nextcloud.png]

RTM, Well-Known Member, Jan 26, 2014
Another thing you may want to consider is that you can benefit quite a lot (security-wise) from doing some network segmentation and firewalling.

If your Pi is on one segment and the NAS on another, you can prevent it from accessing the management web interface by limiting its access to the FreeNAS to the port(s) relevant for whatever protocol you may choose to use for sharing storage (such as NFS) via firewall rules.

pepe sasa, New Member, Aug 3, 2020
> NashBrydges wrote: NextCloud is one of the most secure and robust file sharing platforms out there and it is designed to be available as a public site. Sure, having it behind a VPN is more secure, but that's assuming your VPN setup isn't vulnerable (i.e. don't use PPP but instead use L2TP as a bare minimum, with a passphrase instead of a password, etc.). I agree that you should set up a reverse proxy so that you can route based on the domain name used to connect to your IP. That's pretty easy to do. I use NGINX as a reverse proxy and can share my config with you if that would help. To make your NextCloud install more secure, set up 2FA.
>
> I've set up multiple clients with publicly accessible NextCloud instances that they use to share documents with their clients, which you can't do if the install is only accessible via VPN (kind of defeats the file sharing purpose for NextCloud).
>
> Here is a scan of my publicly accessible NextCloud instance through Mozilla Observatory.

Thank you!
Ok, I'll try to set up Nextcloud normally as a public domain, because it's exactly those file sharing features I need. I'm not going to be able to set it up in the following days, but I think I'll ask you for configuration tips if that's ok.

pepe sasa, New Member, Aug 3, 2020
> RTM wrote: Another thing you may want to consider is that you can benefit quite a lot (security-wise) from doing some network segmentation and firewalling.
>
> If your Pi is on one segment and the NAS on another, you can prevent it from accessing the management web interface by limiting its access to the FreeNAS to the port(s) relevant for whatever protocol you may choose to use for sharing storage (such as NFS) via firewall rules.

I had heard about network segmentation before, but where do I start?
I don't see any options for doing that on my router... (It's a FritzBox)

NashBrydges, Member, Apr 30, 2015
Here is the NGINX config file. If you have trouble setting this up, let me know and I'll help where I can.

NGINX:
server {
    listen 80;

    # replace mycustomdomain.com with your own domain;
    server_name mycustomdomain.com www.mycustomdomain.com;

    # line below redirects HTTP requests to the secure HTTPS protocol;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;

    # replace mycustomdomain.com with your own domain;
    server_name mycustomdomain.com www.mycustomdomain.com;

    client_max_body_size 4096M;
    fastcgi_buffers 64 4K;

    # many of the NGINX security policies are automatically set up within NextCloud and adding them here results in them not being recognized, so these are only those that do not exist within NextCloud;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Referrer-Policy no-referrer;
    ssl_stapling on;
    ssl_stapling_verify on;
    server_tokens off;

    # obviously these certs set up via Let's Encrypt will need the path updated for your particular domain; replace mycustomdomain.com with your own domain;
    ssl_certificate /etc/letsencrypt/live/mycustomdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mycustomdomain.com/privkey.pem;
    ssl_session_timeout 5m;

    # line below enables ONLY TLS v1.2 and v1.3 since v1.0 and v1.1 are deprecated and no longer considered secure;
    ssl_protocols TLSv1.2 TLSv1.3;

    # limits the use of specific ciphers only;
    # note: there are no AES256-GCM-SHA512 suites in OpenSSL (such names are silently ignored), so only real cipher names are listed;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';

    # specify the Diffie-Hellman elliptic curves;
    ssl_ecdh_curve secp384r1:secp521r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # the line below is because I've generated 4096-bit Diffie-Hellman params via OpenSSL;
    # you will need to create that file before using this line;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    proxy_cookie_path / "/; secure; HttpOnly";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

        # change line below to your own internal IP address;
        proxy_pass http://internal.ip.address;

        proxy_redirect off;

        # WebSocket / upgrade support;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # CardDAV/CalDAV discovery redirects expected by Nextcloud clients;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}

RTM, Well-Known Member, Jan 26, 2014
> pepe sasa wrote: I had heard about network segmentation before, but where do I start?
> I don't see any options for doing that on my router... (It's a FritzBox)

Yeah, I doubt that it is doable on a FritzBox; it is quite uncommon to have support for VLANs and the required level of firewalling in consumer-level hardware. It may be doable by installing something like OpenWrt on it, but that is beside the point, I guess. You can mimic segmentation by implementing a host-level firewall on the NAS (not that I can find any documentation or guide on how to do that other than this forum post), but that is easy to circumvent (just set the IP to something different, like the IP of your laptop/workstation), so that is not a great solution by itself.

Sorry I see no easy ways to implement segmentation.

PigLover, Moderator, Jan 26, 2011
I'd suggest you only support HTTPS for Nextcloud access and set up Let's Encrypt to secure valid certificates. Nextcloud is quite secure, but if you use HTTP (or even HTTPS with weak/compromised certs) you run the risk of password sniffing.
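As an added example (my own code, not NashBrydges's config or anything from Nextcloud) tying together the NGINX config above and PigLover's HTTPS-only advice: a small Python self-check that probes a hostname for the handful of edge settings that config enforces (HTTP to HTTPS redirect, one-year HSTS with includeSubDomains, Referrer-Policy no-referrer, server_tokens off), in the spirit of the Mozilla Observatory scan shown earlier. The hostname cloud.example.org is a placeholder; probe() needs network access, while evaluate() works on captured headers and is what the checks below exercise.

```python
import ssl, sys, urllib.error, urllib.request

ONE_YEAR = 31536000  # the max-age used in the HSTS header of the config above


def evaluate(plain_status, plain_location, tls_headers):
    """Compare one plain-HTTP probe and one HTTPS probe against the edge policy.
    Returns a list of findings; an empty list means the edge matches."""
    findings = []
    if plain_status not in (301, 308) or not (plain_location or "").startswith("https://"):
        findings.append("plain HTTP is not redirected to HTTPS")
    h = {k.lower(): v for k, v in tls_headers.items()}
    hsts = h.get("strict-transport-security", "").lower()
    max_age = 0
    for part in hsts.split(";"):
        part = part.strip()
        if part.startswith("max-age=") and part[8:].isdigit():
            max_age = int(part[8:])
    if max_age < ONE_YEAR:
        findings.append("HSTS missing or max-age shorter than one year")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    if h.get("referrer-policy", "").lower() != "no-referrer":
        findings.append("Referrer-Policy is not no-referrer")
    server = h.get("server", "")
    if any(c.isdigit() for c in server):  # with server_tokens off nginx sends just "nginx"
        findings.append("Server header leaks a version: " + server)
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # returning None makes urllib raise HTTPError for the 301 instead of following it
    def redirect_request(self, *args, **kwargs):
        return None


def probe(host):
    """Live check of a hostname (cloud.example.org below is a placeholder)."""
    try:
        r = urllib.request.build_opener(_NoRedirect).open(f"http://{host}/", timeout=10)
        status, location = r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        status, location = e.code, e.headers.get("Location")
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirrors ssl_protocols TLSv1.2 TLSv1.3
    with urllib.request.urlopen(f"https://{host}/", timeout=10, context=ctx) as r:
        return evaluate(status, location, dict(r.headers))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "cloud.example.org"
    print("\n".join(probe(host) or ["edge policy OK"]))
```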

pepe sasa, New Member, Aug 3, 2020
> NashBrydges wrote: Here is the NGINX config file. If you have trouble setting this up, let me know and I'll help where I can. [NGINX config quoted from above]

Thank you very much for your help!

pepe sasa, New Member, Aug 3, 2020
> RTM wrote: Yeah, I doubt that it is doable on a FritzBox; it is quite uncommon to have support for VLANs and the required level of firewalling in consumer-level hardware. It may be doable by installing something like OpenWrt on it, but that is beside the point, I guess. You can mimic segmentation by implementing a host-level firewall on the NAS (not that I can find any documentation or guide on how to do that other than this forum post), but that is easy to circumvent (just set the IP to something different, like the IP of your laptop/workstation), so that is not a great solution by itself.
>
> Sorry, I see no easy ways to implement segmentation.

Hmmm. I'll see how the firewall on my FreeNAS would work. Thanks!

pepe sasa, New Member, Aug 3, 2020
> PigLover wrote: I'd suggest you only support HTTPS for Nextcloud access and set up Let's Encrypt to secure valid certificates. Nextcloud is quite secure, but if you use HTTP (or even HTTPS with weak/compromised certs) you run the risk of password sniffing.

Exactly. That's my plan at the moment.