Nextcloud - Expose your instance on the Internet

  • dHENRY
  • 23/05/2019
  • (Reading time : 8 mn)

(**) Translated with

How to expose your NextCloud instance, or any other services, hosted at home, on the Internet?
Two possibilities:

  • By setting up your Internet router (Box),
  • via a virtual private server (VPS), the most reasonable solution.

Setting up your Internet Box (fiber optic router or ADSL).

There are so many types of routers (Box) that it is impossible for me to detail them here. But when we talk about this type of operation, it is more generally a question of adding NAT (address translation) rules. The first thing to do is to make the main entrance address of your MiniDatacenter fixed, to make sure that it will always have the same IP address. Then set up the router (Box), so that packets arriving on a specific port (443 here) are redirected to the address and port of your MiniDatacenter.
If your ISP does not provide you with a Fixed IP address, you will need to set up a dynamic DNS update service, so that the domain name you have chosen is always associated with the IP address of your Box, which changes randomly and is decided by your ISP.
This solution does not work if your provider, as I do in India, does not provide a public IP address (direct Internet exposure address) to each connected user, but passes traffic through a single point on the Internet, or, if your ISP blocks direct incoming traffic, to your Box.
Another problem may also arise when generating the LesEncrypt SSL certificate….

NAT operations on a router exposed on the Internet

Virtual private server

This is the most interesting solution, but of course not free. Many data centers offer Virtual Private Server solutions. You can find offers starting at 3€/month without any commitment.
To reduce the invoice, share this rental with other users.
What interests me in this type of service is its bandwidth, regardless of the server’s power and storage capacity.
The virtual server will have only two services: OpenVPN, and HAPROXY, so very easy to maintain.
OpenVPN will allow you to connect your MiniDatacenter to the VPS server, and thus allow its exposure on the Internet, while HAPROXY will distribute traffic to VPN clients according to the Url received (Haproxy layer 7).
If you share this service with other users, the configuration does not change. There will be several Openvpn clients connected to the VPS.
You will need to ensure, for everyone’s safety, that Openvpn clients cannot communicate with each other.

This system has several advantages:

  • inexpensive,
  • easy to maintain,
  • Intrusion detection intercepted by the final servers and forwarded to the intrusion detection server (allows sharing in the event of attacks),
  • does not require NAT to be installed on your internet box,
  • Data center isolation can be instantaneous (Openvpn service shutdown),
  • you benefit from the Firewalls of the infrastructure in which the VPS server is hosted,
  • only alternative solution when your Internet service provider does not offer NAT on your connection,
  • you can move your MiniDatacenter anywhere without any configuration changes.

Preparation of the virtual private server

After ordering your virtual private server, the provider offers SSH access with the “root” login and password.

Changing the “root” password

Log in to this server and immediately change the access password. You can generate it with the “apg” tool:

apt install apg
#Enter the new password and confirm.

Ssh access control by key

Check that there is no file with the name “authorized_keys

#This command searches and deletes this type of file.
find / -name "authorized_keys" -exec rm -f {}\;

These files often allow Datacentre administrators to connect to them without having a user password.
This case is less and less frequent, but I have already met it in some data centers.

Load balancing service installation - HAPROXY

This service allows you to communicate with exposed or unexposed servers on the Internet in a way that is transparent to the user. It also allows you to distribute the load of a service such as a website, a chat application, etc… by distributing requests over several servers.

To install the “haproxy” service, execute the following command:

apt install haproxy

VPN service installation - Openvpn

I refer you to my very detailed instruction on installing a secure Openvpn server:

Final Topology

Firewall configuration

  • VPS : INPUT TCP/443 - INPUT[Proto Openvpn]/[Port Openvpn]
  • MINIDATACENTER : I don’t go into details, several cases are possible (PREROUTING, or flow to another Haproxy,…)

HAPROXY parameter setting

Once the VPN communication between your Datacenter and the VPS is established, in a stable way, it is time to configure the HAPROXY distributor. The latter will be the interface between Internet users and your Datacenter.

You have purchased the domain “”, create a type A record, with the name “nextcloud”, and the exposed IP address of your VPS, in my example it will be “”. Wait for DNS propagation. (command: host This order must show the address of your VPS (required to create the LetsEncrypt SSL certificate).
Create the file /etc/haproxy/haproxy/haproxy.cfg by indicating this content that you will need to adapt to your configuration.

    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    use haproxy
    group haproxy
    ca-base /etc/ssl/certs
    crt-base /etc/haproxy/certs
    ssl-default-bind-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    global log
    http mode
    httplog option
    option includinglognull
    retries 3
    redispatch option
    contstats option
    http-server-close option
    maxconn 2000
    timeout connect 5000
    client timeout 7200000
    timeout server 7200000
    default-server inter 15s rise 2 fall 3
    option forwardfor
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
frontend ****:443httpssl
    http mode
    bind ssl crt
    acl nextcloudmondomaine.frssl hdr(host) -i
    use_backend nextcloudmondomaine.frssl if nextcloudmondomaine.frssl
    backend nextcloudmondomaine.frssl
        http mode
        server nextcloudmytinydc ssl verify none check weight 100 maxconn 50

Creating an SSL certificate (https) with LetsEncrypt

LetsEncrypt is a certification authority for HTTPS certificates, as are other companies offering this service. Except that obtaining a certificate is free of charge.
Thus browsers, applications, will no longer present errors or messages indicating that the certificate is not verified by a certification authority. To create a LetEncrypt certificate, please refer to the documentation:
WARNING: In the configuration of the proposed VPS server, the latter has the HAPROXY service, which according to its configuration uses ports 80 and/or 443 (respectively http and https). To create your certificates, certbot launches a service that also listens, by default, on ports 80 or 443.

Shell - Creating a certificate

This shell is very simple, takes as a parameter the name of the certificate to create. You must check, before, the effective DNS propagation of the domain name, relative to the certificate to be created. LetsEncrypt uses DNS services to perform basic owner checks.
Create the file /root/ by indicating this content :

if [ "$1" ="" ];then
       echo "Indicate the domain name to be managed"
export DOMAIN=$1
certbot certonly --standalone --preferred-challenges http --tls-sni-01-port 30033 -n --rsa-key-size 4096 -d $DOMAIN
bash -cc's cat /etc/letsencrypt/live/$DOMAIN/fullchain.pem /etc/letsencrypt/live/$DOMAIN/privkey.pem > /etc/haproxy/certs/$DOMAIN.pem'

Then execute:

chmod 750 /root/
(*) The use of port 30033** is a choice of the administrator who executes the command. By default LetsEncrypt uses ports 80 and 443 but already used by the HAPROXY service.
The default key length is 2048 bits, it is now recommended to use a 4096 bit key.

Shell - Certificate renewal

Certificate renewal is performed by the cron task /etc/cron.d/certbot
When used with HAPROXY, this task does not concatenate certificates to obtain a valid".pem" file for HAPROXY. Therefore,
Add at the end of the line of the file **/etc/cron.d/certbot ** :" && /root/"

0 */12 * * * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e'sleep int(rand(43200))' && certbot -q renew** && /root/

The concatenation will be automatic after the execution of certbot. Create the file /root/ by indicating this content :

DIRS=``they `$PATHCERT`````
if [ "$DIRS" ="" ];then
        echo "No certificate found on this server"
        exit 1
#Route of the installed certs and creation of Haproxy PEMs
       if [ -d "$PATHCERT/$DOMAIN" ];then
                echo "Concat $PATHCERT/$DOMAIN/fullchain.pem $PATHCERT/$DOMAIN/privkey.pem to $PATHCERTHAPROXY/$DOMAIN.pem"
                cat $PATHCERT/$DOMAIN/fullchain.pem $PATHCERT/$DOMAIN/privkey.pem > $PATHCERTHAPROXY/$DOMAIN.pem
# Reload HAPROXY configuration
systemctl reload haproxy

Then run:

chmod 750 /root/

VPS server sharing

To reduce costs, we can share the HAPROXY service between several actors. Each will have a VPN access key, and an administrator will be responsible for managing the certificates and configuration of the HAPROXY service.

Haproxy service security

You should pay attention to the logs of this service, especially if you share the use. The logs, and this related to the implementation of the services implemented, may contain urls containing sensitive metadata such as access tokens etc…. This is not related to the raw security of the HAPROXY service but to the edge effects that can occur if these logs are misused. Pay attention to protecting access to these traces of their storage life,….

Openvpn service security

This can present security problems, in the case where VPN clients, once connected, can communicate with each other.
By default, Openvpn does not enable this service, but you will need to ensure with tools, such as “tcpdump”, that traffic is blocked between these different actors.
Because if Openvpn does not enable this service in its configuration (option “client-to-client”), it may turn out that the kernel does its routing work as for any other interface. You can disable the Forward of the IP stack and/or add an iptables rule preventing Forward between actors:

FORWARD -i[interface name] -o[interface name] -j DROP

You will find an excellent explanation here:
The management of VPN access certificates (openvpn) is made very easy with the tool associated with Openvpn, which I developed and which you can find here:


Of course, you can adapt this “Nextcloud” case to other services, such as instant messaging, Rocketchat, etc…

Document licence : Creative Commons (CC BY-NC-ND 4.0)


(**) Translated with