ArdNsc Posted August 11, 2020 (edited)

Hi, I recently joined the unRAID community and built my first server. Works fine so far. Now here is my question (I hope I am posting this in the right sub-forum. If not, just let me know):

Currently I am running Nextcloud on a Raspberry Pi (installed manually on Raspbian, not dockerized, all data on an SSD attached to the Pi) in my home network. Nextcloud is accessible from the Internet. I am using a DDNS service and SSL (Let's Encrypt). The Pi also accesses an SMB share provided by my unRAID device (located in the same network) to put daily backups of the user data/database there.

Now from a practicability (fewer devices, easier backups) and performance point of view I would like to transfer this Nextcloud service to my new unRAID build and retire my Pi. I would run Nextcloud via Docker with a separate internal network IP assigned to this container and forward a port in my router to that specific IP. Would you consider this "best practice"?

What I don't know is if this would be a wise decision regarding security. I know this question is rather vague, but how would you estimate the security of these two solutions in comparison? (By security concerns I mean the possibility of attackers gaining control of my private data/other services running on unRAID and/or other devices in my local network that are not hosted via Nextcloud.)

I guess I could also run Nextcloud in a Docker container on another physical device (e.g. another Raspberry Pi), but I have no idea if this would make any difference regarding security compared to running everything (private data and Nextcloud) on the same physical device.

If you need any more information to discuss/answer this properly, just let me know. Thanks!

Edited January 16, 2023 by ArdNsc
xanvincent Posted August 18, 2020

The best security is provided by the most abstraction. I'd spin up a full VM to do any external forwarding instead of Docker containers. unRAID is always advertised to be not internet-facing, so keep that in mind.
Energen Posted August 19, 2020 (marked as Solution)

8 hours ago, xanvincent said: "The best security is provided by the most abstraction. I'd spin up a full VM to do any external forwarding instead of Docker containers. unRAID is always advertised to be not internet-facing so keep that in mind."

That's kind of bad advice. I mean, the entire point of Docker is to not have multiple VMs, and you don't want to expose the Unraid GUI to the internet, but any internet-related Dockers are always exposed, because they have to be. How are you going to run a Nextcloud docker with no external access? That's only one example.

To the most direct question that was asked: from the most extreme standpoint, if any device on your network were able to be compromised, whether it was Nextcloud on a Pi, in a Docker, whatever, the POTENTIAL for complete intrusion is possible. Doesn't matter how many ways you try to separate them. The only way to possibly mitigate complete intrusion is to have each device on its own separate network, as much as you could. But that's extreme paranoia.
ArdNsc Posted March 23, 2021 (Author)

I have not yet started the moving project (moving Internet-exposed Nextcloud from Raspi to Server) I explained in my opening post. I wanted to do it in the next couple of days, but now I read some horror stories of users losing all their data because they exposed their Unraid machines to the internet.

Am I getting this right, that exposing a single docker container (Nextcloud) with its own fixed IP address by forwarding port 443 (that's what I was planning to do) is not the kind of thing everyone is warning users about (they are exposing the Unraid UI)? Would you say that what I am planning to do is "okay"? Sorry for asking again, I just want to make sure I am not messing things up.
ChatNoir Posted March 23, 2021

No, the issues we are seeing are people exposing ports 80, 22, etc. to the Internet or even the whole server to the router DMZ. Properly secured Dockers should not be an issue. Many people are exposing dockers without any problem.
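The distinction the thread draws is between publishing one container port (443 for Nextcloud) and leaving host ports such as 80 or 22 reachable. The following audit script is an added example, not from any poster or from Unraid; it parses the port column as printed by `docker ps --format '{{.Names}}\t{{.Ports}}'` (the sample lines below are constructed) and lists every host-published port other than the one you intend to forward, so it can be run on the Docker host before touching the router.

```shell
#!/bin/sh
# Added example (not from the thread). Audits which container ports are
# published on the Docker host, i.e. which ones a router port-forward could reach.

# Constructed sample in `docker ps --format '{{.Names}}\t{{.Ports}}'` layout.
# On a real host replace this with:  docker ps --format '{{.Names}}\t{{.Ports}}'
SAMPLE_PS=$(printf 'nextcloud\t0.0.0.0:443->443/tcp, :::443->443/tcp\nmariadb\t3306/tcp\njellyfin\t0.0.0.0:8096->8096/tcp\nsshd-test\t0.0.0.0:22->22/tcp')

# unexpected_published ALLOWED_PORT  < ps-output
# Prints "<container> <hostport>" for each port bound on the host that is not
# ALLOWED_PORT. Entries without "->" are only reachable on the Docker network
# (like the mariadb line) and are ignored. IPv4/IPv6 duplicates are reported once.
unexpected_published() {
  awk -F'\t' -v allowed="$1" '
  {
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      if (maps[i] !~ /->/) continue          # no host binding
      split(maps[i], parts, "->")
      hp = parts[1]
      sub(/.*:/, "", hp)                     # strip "0.0.0.0:" or ":::" prefix
      if (hp != allowed && !seen[$1 SUBSEP hp]++) print $1, hp
    }
  }'
}

# audit_ports ALLOWED_PORT  < ps-output
# Returns 0 when only ALLOWED_PORT is published, 1 when anything else is.
audit_ports() {
  findings=$(unexpected_published "$1")
  if [ -n "$findings" ]; then
    echo "Host-published ports other than $1 (do not forward these):"
    echo "$findings"
    return 1
  fi
  echo "Only port $1 is published on the host."
  return 0
}

# Demo run against the constructed sample; expect jellyfin 8096 and sshd-test 22.
printf '%s\n' "$SAMPLE_PS" | audit_ports 443 || :
```

The second report of port 22 is the case ChatNoir describes: an SSH port published on the host is exactly what must not be forwarded, regardless of how the Nextcloud container itself is configured.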