1

I finished a local install of Nextcloud on an old PC I run as a server connected to my LAN. I can access it directly using the private IP address of the server in my local network. My question is about accessing it from outside my local network.


  • I set up port forwarding on my router.
  • And made a small script that automatically uploads my router's public IP to a GitHub repo.
  • This works fine and I can connect using HTTP. But how to connect through HTTPS?
  • From what I understand I cannot make an SSL certificate because I don't have a domain. But can I make a self-signed one? And would this be sufficient for securing the connection?

Notes:

  1. All the users of this Nextcloud instance are my friends, so they are not afraid of a self-signed SSL certificate. I just want it to make a proper HTTPS connection.

  2. I know I can just use noip; I just want to try and make it myself.

2 Answers

1

A certificate binds an asymmetric key pair to a subject. The subject is the name of the key pair owner. The type of names permitted is defined in RFC 5280 but for HTTPS boils down to either a domain name, URI, or an IP address.

If you don't have a domain name (and therefore no URI either) or static IP (which presumably is why you are uploading your public IP address to GitHub) then you have no subject name that your self-signed certificate can certify.

Bottom line - you need to register a domain name or get a static IP address.

But if you must try...

As ISPs don't change your router's IP address that often, you could issue your friends a self-signed certificate where the Subject Alternative Name is an IP address, but it would only work until the router's IP address changed. At that point, you would need a new certificate distributed to your friends.

Alternatively, your friends could put an IP to hostname mapping in their hosts file (which would need to be updated from GitHub - a job for a script?) and that could be used as the DNS name in the Subject Alternative Name field of the self-signed certificate. However, while you can get away with that sometimes in a lab environment, you shouldn't be doing it on the Internet as you could inadvertently be using someone else's registered domain name which is then masked from all your friends - choose an obscure one if you must try this.
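
The IP-address option from the answer above, as an added example that is not part of the original answer: it issues a self-signed certificate whose Subject Alternative Name is a single IP address, checks whether a certificate still covers the current address, and reissues when the address has moved. The function names, the 90-day lifetime, the RSA-2048 key and the directory layout are assumptions, and any 203.0.113.x address passed in is a documentation placeholder.

```shell
#!/bin/sh
# Added example: self-signed certificate whose SAN is one IP address.
# Function names and file layout are hypothetical, not from the page.

# make_ip_cert IP DIR: write DIR/key.pem and DIR/cert.pem valid for IP only.
make_ip_cert() {
    ip=$1; dir=$2
    mkdir -p "$dir" || return 1
    # Explicit config so the SAN is set the same way on any OpenSSL version.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $ip
[ext]
subjectAltName = IP:$ip
EOF
    # umask keeps the unencrypted private key readable by its owner only.
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -config "$dir/san.cnf" -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" 2>/dev/null)
}

# cert_covers_ip CERT IP: succeed only if IP is in the certificate's SAN.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_fingerprint CERT: SHA-256 fingerprint to compare out of band
# before trusting the certificate in a browser or client.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# renew_if_ip_changed CURRENT_IP DIR: reissue when the router's address moved.
# Prints "kept" or "reissued"; a reissue means redistributing cert.pem.
renew_if_ip_changed() {
    if [ -f "$2/cert.pem" ] && cert_covers_ip "$2/cert.pem" "$1"; then
        echo kept
    else
        make_ip_cert "$1" "$2" && echo reissued
    fi
}
```

Every reissue produces a new key and a new fingerprint, so the friends have to re-verify and re-trust the certificate each time the public address changes.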

1

A self-signed certificate could be as strong as a public one.

I think there's a misunderstanding: you can use HTTPS with certificates only when working with FQDNs (not IPs), since the certificate is generated for a specific domain or FQDN, not an IP.

I'd recommend following the guide here (starting from "Enable SSL on Nextcloud"): https://www.howtoforge.com/tutorial/ubuntu-nginx-nextcloud/

Regarding owning a domain - nope, it's just the same as DuckDNS/No-IP/etc.

Regarding Security: It's complicated haha

Please note that the whole conversation here is only about the topic of "encrypting the traffic", but the information and service are exposed to the internet. For example, if your friend uses the service from a public Wi-Fi, it will be harder to fake your website if you use certificates. On the other hand, if someone attacks Nextcloud tenants without the newest updates, then you will be exposed and probably hacked.

You should probably set up a VPN to your house, create users for all of your friends and port-forward ONLY the VPN's port, for a much more secure setup.

Even better if each of your friends asks their ISP for a static IP and then you will only approve requests from them. In my country it costs about 2.5-3 USD (which is less than 10% of the price for 1000Mb/100Mb service haha).
