On NS7, there is always a firewall, no matter if you install it or not. If you install Firewall, you get a GUI and some pre-cooked stuff.
And yes, Green only, a 16 GB RAM VM with 8 Cores on Proxmox. And OPNsense in front, as a dedicated box, not as a VM.
The biggest issue is the distance, that server is half the world away from me (+ 10000 km). And in that context, time shift, communicating with people…
Limit NextCloud login to domainname and local IP, but not Internet IP.
The domain only exists internally.
The VPN enforces the use of the internal DNS, and additionally routes ALL traffic to NethServer.
In this use case, the SSL cert is a non-issue, as we can / will provide self-generated certs and have these embedded in the allowed clients (Master Image).
A logical switch like other Modules have might have been easier (and maybe more secure), but the above will work and is a valid workaround.
Looking at the code of the NethServer 7 module for Nextcloud, it doesn’t have this feature;
in the Apache e-smith configuration, access is hard coded to "all granted".
IIRC, to limit access to trusted networks you need a space-separated list of (trusted) IPs in this place, like:
Require ip 192.168.xxx.yyy 192.168.aaa.bbb
Maybe test this while the other half of the world is asleep;
if it works we can try to bake a custom template…
As a self-considered non-coder, here’s my translation (attempt).
use esmith::NetworksDB;
Uses the e-smith Template system.
my $ndb = esmith::NetworksDB->open_ro();
Variable defined $ndb as the e-smith DB (var/lib/nethserver/db)
my @localAccess = $ndb->local_access_spec();
Defines an “Array” of networks or hosts considered local (or “Trusted” in the GUI)
$localAccess .= join ' ',
Fill in the variable with: An Element of the array, followed by a space. (“.=” defines the array element,
and the space in apostrophes is the space), and continue looping until the array is finished.
map { s:/255.255.255.255::; $_ }
This generates the line and subnet for each entry.
This is a non-coder reading and trying to explain what this code snippet does, step by step, to a coder!
Hope it is comprehensible, makes sense and is the actual programming steps per line!
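To make the template logic above checkable before touching the live box, here is an added example (not code from the thread or from NethServer) that reproduces, in Python, what the Perl fragment does: strip the /255.255.255.255 suffix from single hosts, join the trusted entries with spaces into a Require ip line, and then test candidate client addresses against that same list. The list of entries is constructed; the assumption that local_access_spec() returns addresses in addr/netmask form is taken from the s:/255.255.255.255:: substitution in the snippet.

```python
import ipaddress

# Constructed stand-in for what local_access_spec() returns (assumption:
# networks as addr/dotted-netmask, single hosts with a /255.255.255.255 suffix).
SAMPLE_LOCAL_ACCESS = [
    "127.0.0.1",
    "192.168.1.0/255.255.255.0",
    "10.8.0.0/255.255.255.0",          # e.g. the VPN client range
    "192.168.2.15/255.255.255.255",    # a single trusted host
]

HOST_MASK_SUFFIX = "/255.255.255.255"


def require_ip_directive(specs):
    """Build the Apache 'Require ip' line the custom template would emit.

    Mirrors the Perl fragment: drop the /255.255.255.255 suffix on hosts and
    join everything with single spaces. An empty trusted list must not produce
    a bare 'Require ip' (an httpd syntax error), so deny everything instead.
    """
    parts = []
    for spec in specs:
        if spec.endswith(HOST_MASK_SUFFIX):
            spec = spec[: -len(HOST_MASK_SUFFIX)]
        parts.append(spec)
    if not parts:
        return "Require all denied"
    return "Require ip " + " ".join(parts)


def is_allowed(client_ip, specs):
    """Would a client with this address match the trusted list?

    ipaddress.ip_network accepts both addr/netmask and addr/prefix forms,
    so the entries can be checked exactly as they appear in the directive.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in specs)


if __name__ == "__main__":
    print(require_ip_directive(SAMPLE_LOCAL_ACCESS))
    # Internal and VPN clients should pass, a public address should not.
    for ip in ("192.168.1.42", "10.8.0.7", "203.0.113.9"):
        verdict = "allowed" if is_allowed(ip, SAMPLE_LOCAL_ACCESS) else "denied"
        print(f"{ip}: {verdict}")
```

Running the check against the generated list before deploying the template shows whether an Internet-side address would still get through, which is the whole point of the workaround.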
Those are good ideas. As well as at the Apache level, as Mark suggested as an option.
There’s also a nextcloud app (limit_login_to_ip) that is supposed to do something similar (external access to nextcloud UI is possible but login is limited by IP range). Not exactly the same… and unaware if it also restricts desktop/mobile app access if conditions are met. The first two options you both mention are probably more reliable/secure long term.