this post was submitted on 20 Jul 2023
14 points (85.0% liked)

Selfhosted


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.


Hi, finally setting up Nextcloud in an effort to de-Google myself and replace GDrive for good.

I am currently running Nextcloud via Tailscale and that works fine except for when i want to share a file to someone outside of my Tailnet. I have heard of federated Nextcloud but i am not sure that i quite understood the purpose of this or maybe there is a better solution? If i run two instances like that, will i simply be able to share certain files over to that instance for sharing?

[–] citizen@sh.itjust.works 2 points 1 year ago (3 children)

Here is my security point of view. A second instance would be too much overhead for just one use case of sharing files. You have to decide how comfortable you are with exposing anything in your private network. I would personally not expose a Nextcloud instance because it's a complex application with many modules, each possibly having 0day exploits. If your goal is to share a file and selfhost, I would look into dedicated apps for that purpose. You can set up a simple microbin/privatebin on dedicated hardware in a DMZ network behind a firewall. You should run IDS/IPS on your open ports (pfsense/opnsense have that, and it pairs nicely with crowdsec). You could also look into Cloudflare tunnels to expose your dedicated file sharing app, but I would still use as much isolation as possible (ideally physical hardware) so that it would not be easy to compromise your local network in the event of a breach. Regardless, a selfhosted solution will always pose risks and management overhead if you want to run a tight setup. It's much easier to use a public cloud solution. For example, Proton Drive is encrypted and you can share files via links with people.

[–] mysbyxor@lemmy.world 3 points 1 year ago (2 children)

Thanks, did not occur to me to use a dedicated app for that purpose! Will check that out.

[–] PriorProject@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

Thread parent's approach is what I would use as well. It makes a lot of sense to isolate something as sprawling and with as large an attack surface as Nextcloud... but that implies you can't use it for public sharing. Any use that DOES involve public sharing creates an incentive to choose a smaller and more auditable codebase (not that you'll necessarily audit it yourself, but simplicity does have benefits here).

Another approach I've used with semi-public services is to stick them behind a proxy I trust like Caddy or nginx and gate access to them with HTTPS basic auth. Basic auth rightfully gets dismissed in many security contexts, but in the case of personal self-hosting it can serve a useful purpose. The proxy handles the basic auth, and no network packets can reach the protected application until basic auth is complete, which completely protects against unauthenticated exploits in the protected application (though obviously exploits against the proxy would still work, but major proxies are pretty well hardened). The major downside here is that you can't really use mobile apps, as none of them support this niche and frankly dubious approach to network access control. But for public sharing, you're almost certainly having folks use a browser as their client rather than an app, and for the small convenience overhead of the basicauth login you get a pretty significant reduction in unauthenticated attack surface. The app limitation again makes this a poor match for Nextcloud, but a good match for a standalone public filesharing system that you don't quite trust as much as your proxy.

Edit: If you want to get fancy you could even expose the same Nextcloud instance BOTH via Tailscale for your own app use AND behind a basicauth proxy for semi-public sharing. It gets network protection in both cases, but basicauth is sort of kind of easy enough to grant semi-public access to.
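The proxy-gated setup described above, as an added example that is not part of the original comment: a Caddy v2 Caddyfile in which basic auth runs before the reverse proxy, so the file-sharing app only ever sees requests that already carried valid credentials. The hostname, backend port and password hash are assumptions/placeholders, not values from the thread.

```caddyfile
# Added example (not from the thread). Assumes the file-sharing app listens
# only on 127.0.0.1:8080 so it cannot be reached except through this proxy.
share.example.com {
    # Caddy obtains and renews the TLS certificate for this hostname itself,
    # so the basic-auth credentials never travel over plaintext HTTP.

    # basic_auth is evaluated before reverse_proxy in Caddy's directive order:
    # a request without valid credentials gets a 401 here and is never
    # forwarded to the backend, which removes the app's unauthenticated
    # attack surface from the public internet.
    basic_auth {
        # Hash produced with `caddy hash-password` (bcrypt). The value below
        # is a PLACEHOLDER, not a real credential; generate your own.
        guest $2a$14$PLACEHOLDER_BCRYPT_HASH_REPLACE_ME
    }

    # Only requests that passed basic_auth reach this line.
    reverse_proxy 127.0.0.1:8080
}
```

Check that the backend is bound to the loopback address (or an internal interface the firewall blocks) rather than 0.0.0.0; if it is reachable directly, the proxy's auth gate can simply be bypassed.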

[–] HamSwagwich@showeq.com -1 points 1 year ago

I use Pingvin to share one off files for that purpose. It's super easy to set up and works great.