Ask HN: Most secure way to run Nextcloud?
Is it more secure to run Nextcloud with a third party provider or host my own?
For either method, what provider or hardware is recommended?
Much appreciated

I run it using docker, paired with a watchtower container that automatically updates it. For accessing it, I use tailscale so that I don't have to open ports or have any kind of exposure to the internet. This obviously won't work if you want to do public linking from your instance. In that case, just run it from a subdomain. Make sure your www folder is mounted read only.

Yes! Tailscale is incredibly useful and a great way to access your devices. For public linking, if you don't want any open ports, you can use Cloudflare Tunnel. Note that in this case, for your own use, you should still be accessing Nextcloud via Tailscale, as it's P2P, so it'll be substantially faster than routing via a CF datacenter.

> can use Cloudflare Tunnel.

- Most secure way to run Nextcloud?

Since cloudflare posted they are going to spy on things they connect to and send info to men with guns about what they see, [1] I would not put them in a list of 'most secure' anything.

[1] along with helping govt's create legislature to encourage and allow more of the same... https://blog.cloudflare.com/terminating-service-for-8chan/ it's a longish ramble - but you can ctrl-f "us cooperating around monitoring potential hate sites on our network and notifying law enforcement"

zerotier[0] is also a surprisingly great alternative to tailscale. stable as hell, adding devices is fast and easy, and their web panel is real-time and user-friendly as hell. cloudflare tunnel is a mess to set up unfortunately.

Do you use relays with Tailscale? Otherwise, UPnP and STUN may not be secure (it's generally recommended to disable these protocols in the router).

STUN isn't something that runs on your router. You can disable UPnP in your router and still use Tailscale perfectly fine.

I thought STUN uses UDP packets, as the name suggests (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators), as well as standardized port numbers. I thought you could filter its traffic based on protocol and port number. Enterprise routers sometimes allow only 80/tcp and 443/tcp egress traffic. That's why sometimes Tailscale falls back to relaying, which is pretty slow (unless in the future they deploy a large number of relay servers around the world).

A Wireguard VPN is the only thing publicly accessible on my network, so I used that to access my self-hosted Nextcloud from anywhere until I switched to Syncthing.

Any backups outside your own network?

I always think if someone would break in, everything's lost…

Don't run it xD
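Several commenters above rely on the same property: Nextcloud (or a WireGuard endpoint) is reachable only over the tailnet or loopback, and nothing else listens on a public interface. The following is an added example, not code from the thread or from the Nextcloud or Tailscale projects, that audits listening TCP sockets and flags any that are bound outside loopback or Tailscale's 100.64.0.0/10 address range. It assumes `ss -ltnH` output as input (the sample below is constructed); a Docker `-p 8080:80` mapping binds to 0.0.0.0 and would show up here, whereas `-p 100.x.y.z:8080:80` would not.

```shell
#!/bin/sh
# Added example (not from the thread): list listening TCP sockets that are
# bound to something other than loopback or a Tailscale (100.64.0.0/10) address.
# Input: text in the layout of `ss -ltnH`, one socket per line, local
# address:port in the 4th column.

exposed_listeners() {
  printf '%s\n' "$1" | awk '
    {
      addr = $4
      # Split host and port at the last colon; works for 1.2.3.4:443 and [::]:443
      n = match(addr, /:[0-9]+$/)
      if (n == 0) next
      host = substr(addr, 1, n - 1)
      port = substr(addr, n + 1)

      # Loopback only: fine, not reachable from off-host
      if (host == "127.0.0.1" || host == "[::1]") next

      # Tailscale hands out addresses from 100.64.0.0/10 (100.64.x.x - 100.127.x.x)
      if (host ~ /^100\./) {
        split(host, o, ".")
        if (o[2] + 0 >= 64 && o[2] + 0 <= 127) next
      }

      # Anything else (0.0.0.0, [::], a LAN or public IP) is exposed beyond the tailnet
      print host ":" port
    }'
}

# Constructed sample of `ss -ltnH` output: Nextcloud on the tailnet IP,
# a database on loopback, and two sockets bound to all interfaces.
SAMPLE='LISTEN 0 4096 100.101.102.103:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Run the audit on the sample; on a real host use: exposed_listeners "$(ss -ltnH)"
exposed_listeners "$SAMPLE"
```

Expected behaviour on the sample: the 443 listener on the Tailscale address and the loopback-only database are accepted, while `0.0.0.0:8080` and `[::]:22` are reported as exposed. Running this after every container or firewall change is a cheap way to confirm that "no open ports" is still true rather than assumed.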