Running accessible Nextcloud via Docker on Unraid?


ArdNsc


Hi, I recently joined the unRAID community and built my first server. It works fine so far. Now here is my question (I hope I am posting this in the right sub-forum. If not, just let me know):

 

Currently I am running Nextcloud on a Raspberry Pi (installed manually on Raspbian, not dockerized, all data on an SSD attached to the Pi) in my home network. Nextcloud is accessible from the Internet, since my router is forwarding port 443 to the device. I am using a DDNS service and SSL (Let's Encrypt). The Pi also accesses an SMB share provided by my unRAID device (located in the same network) to put daily backups of the user data/database there.

 

Now, from a practicability (fewer devices, easier backups) and performance point of view, I would like to transfer this Nextcloud service to my new unRAID build and retire my Pi. I would run Nextcloud via Docker with a separate internal network IP assigned to this container and forward port 443 in my router to that specific IP.

 

Would you consider this "best practice"?

 

What I don't know is whether this would be a wise decision regarding security. I know this question is rather vague, but how would you guys estimate the security of these two solutions in comparison? (By security concerns I mean the possibility of attackers gaining control of my private data, other services running on unRAID, and/or other devices in my local network that are not hosted via Nextcloud.)

 

I guess I could also run Nextcloud in a Docker container on another physical device (e.g. another Raspberry Pi), but I have no idea if this would make any difference regarding security compared to running everything (private data and Nextcloud) on the same physical device.

 

If you need any more information to discuss/answer this properly, just let me know. Thanks!

8 hours ago, xanvincent said:

The best security is provided by the most abstraction. I'd spin up a full VM to do any external forwarding instead of Docker containers. 

 

unRAID is always advertised to be not internet-facing so keep that in mind. 

That's kind of bad advice. I mean, the entire point of Docker is to not have multiple VMs, and you don't want to expose the Unraid GUI to the internet, but any internet-related Dockers are always exposed, because they have to be. How are you going to run a Nextcloud docker with no external access? That's only one example.

 

To the most direct question that was asked: from the most extreme standpoint, if any device on your network were able to be compromised, whether it was Nextcloud on a Pi, in a Docker, whatever, the POTENTIAL for complete intrusion is possible. Doesn't matter how many ways you try to separate them. The only way to possibly mitigate complete intrusion is to have each device on its own separate network, as much as you could.

 

But that's extreme paranoia. 

  • 7 months later...

I have not yet started the moving project (moving Internet-exposed Nextcloud from Raspi to server) I explained in my opening post. I wanted to do it in the next couple of days, but now I read some horror stories of users losing all their data because they exposed their Unraid machines to the internet.

Am I getting this right that exposing a single docker container (Nextcloud) with its own fixed IP address by forwarding port 443 (that's what I was planning to do) is not the kind of thing everyone is warning users about (they are exposing the Unraid UI)? Would you say that what I am planning to do is "okay"?

Sorry for asking again, I just want to make sure I am not messing things up.


No, the issues we are seeing are people exposing ports 80, 22, etc. to the Internet, or even putting the whole server in the router DMZ.

 

Properly secured Dockers should not be an issue. Many people are exposing dockers without any problem.
