Questions about Nextcloud and security

  • I'm working on getting Nextcloud running but I don't know what I don't know here. In using this OMV forum tutorial and this Technodad tutorial they talk about setting up a reverse proxy so that you can access the Nextcloud server from the internet. In talking to my sysadmin friend it's my understanding that this presents a huge host of security issues and for someone as amateurish as me, that seems over my head. My sysadmin friend suggested something like Wireguard instead as a means of contacting the server while remote.


    So I have some questions:

    • How insecure is this?
    • Is one more secure than the other?
    • Can I do both?
    • If I want to just do wireguard, do I just delete/comment out the portion of the Docker-compose file that includes SWAG (In the video they use Letsencrypt but the OMV tutorial changed it)?
    • I'm sure there are things I don't know, but what are other considerations that I'm missing? (I can google so you just have to list them if you don't want to explain)
    • Do I need to get the DuckDNS container if I use a DuckDNS url?
    • If I use Wireguard, is it better to install that natively or use it in a container?


    Serious thanks to anyone who answers. Hopefully I'll be able to answer people's questions on here someday.

    • Official post


    I followed the tutorial on the sub and in the past, followed the tutorial by technodad. When you're done, nextcloud has a security scan (I guess you just have to decide if you trust them or not) that will grade the security of your server. My experience with the technodad video, you'll end up with an A+ security rating. macom's (using subfolder) you'll get an A (it always "fails" one thing because you're using subfolder.. whether it's his tutorial or someone else's). If you use subdomains, I've never gotten less than an A+, unless the nextcloud container wasn't current I'd get an A. When the container updated, it would go to A+. So depending on how much you trust nextcloud, I'd go the subdomain route.


    You don't really "need" the duckdns container and also in the linuxserver/swag tutorial, there are threads here on setting it up without it.. I don't use wireguard so can't answer any of your questions on that. The letsencrypt container in the video is no longer supported, it was replaced by swag.. thus why the tutorial differs here (kinda one advantage of written tutorials vs videos... they are easily updated).


    Personally.. I purchased a cheap domain from domain.com. If you don't get all their extra junk and get a less than common domain like .xyz, .home or whatever... you can get one for as little as $3 for a year. I'm sure the price will go up a little next year, but I'm not married to the URL, if it's too much.. I'll just purchase a new cheap one.

    As for security... I think like most things, it starts with the person pounding on the keyboard. Good passwords, keeping things up to date, not logging in from computers that might be compromised, etc.


    https://docs.linuxserver.io/general/swag (this has several examples, including a duckdns example without the duckdns container)





    Hope that helps
