How to create an isolated environment for Nextcloud: complete instructions

Yes, a dedicated bare-metal server is still the best option for this purpose: you get full control over the infrastructure and independence from the service provider, without having to host your own hardware.

If no sensitive data is stored, or only very little, isolation makes little sense. It is also unnecessary if the storage needs to be shared.

Preparation: creating two servers

We will need the following resources:

  • Server with OpenVPN. Disclaimer: in the example we will use OpenVPN to set up corporate access to the local network. The service does not imply gaining access to prohibited resources outside the Russian Federation;

  • Server with Nextcloud.

You can either buy a blank server and install the software on it yourself, or choose a ready-made option from a provider.

For example, let's use the SpaceWeb infrastructure. For OpenVPN and Nextcloud there are already ready-made solutions that you can choose when ordering services.

This is what the server order page looks like in SpaceWeb

We combine servers into one local network

To create an isolated environment, we need to connect both servers to one local network. You can include servers in the local network in SpaceWeb immediately when creating a new VPS service or combine them manually after ordering. For our example, we will combine the servers immediately and will not configure them manually.

At the end of the VPS order panel in SpaceWeb there is a toggle switch for connecting to the local network

Setting up OpenVPN

Since we are using a server with OpenVPN pre-installed, no additional configuration is needed. If you decide to use a bare server or a server from another provider, some configuration may be required there. Usually this causes no problems, and plenty of detailed guides are publicly available.

Setting up Nextcloud

Step 1. Issue a self-signed certificate for Nextcloud.

Connect to the server via SSH and execute the command:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/nextcloud-selfsigned.key -out /etc/ssl/certs/nextcloud-selfsigned.crt

Any values can be entered at the prompts, but the Common Name must be the local IP address of the server.
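A variant of the command above, added here as an example and not taken from the original article: browsers and most clients ignore the Common Name and require the address in subjectAltName, so the script puts the local IP in both, then checks the SAN before nginx is pointed at the certificate. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); the IP and paths are the article's.

```shell
#!/bin/sh
# Added example, not part of the original article: issue the self-signed
# certificate with the local IP in subjectAltName as well as in the CN,
# then verify the SAN. Assumes OpenSSL >= 1.1.1.
set -eu

LOCAL_IP="${LOCAL_IP:-10.0.0.99}"   # local address of the Nextcloud server

# issue_cert KEY CRT: 10-year self-signed RSA-2048 certificate, no passphrase.
# On the server the article's paths are /etc/ssl/private/nextcloud-selfsigned.key
# and /etc/ssl/certs/nextcloud-selfsigned.crt.
issue_cert() {
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
    -subj "/CN=$LOCAL_IP" \
    -addext "subjectAltName = IP:$LOCAL_IP" \
    -keyout "$1" -out "$2" 2>/dev/null
}

# san_has_ip CRT IP: succeeds only if IP is listed in the certificate's SAN.
# A CN-only certificate fails this check and is rejected by modern browsers.
san_has_ip() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qw "IP Address:$2"
}
```

On the Nextcloud server run `issue_cert` with the two article paths and then `san_has_ip /etc/ssl/certs/nextcloud-selfsigned.crt 10.0.0.99` before restarting nginx.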

Step 2. Remove the default domain mention.

If you installed and configured the software yourself, the server's public IP address is most likely already specified in the configuration. In that case, replace it with the local network address.

When using the SpaceWeb solution for Nextcloud, a technical domain is substituted automatically. We will no longer need it, so we remove it, leaving access via the local IP only. First, remove the symlink /etc/nginx/sites-enabled/default:

unlink /etc/nginx/sites-enabled/default

Then, in the nginx virtual host file at /etc/nginx/sites-available/nextcloud, make the following changes:

  • in all server_name directives we replace the test domain with the local IP address of the server;

  • in the ssl_certificate and ssl_certificate_key directives we specify the paths to the previously generated certificate and key, and in the HTTP-to-HTTPS redirect condition we replace the domain with the local IP address as well:

ssl_certificate /etc/ssl/certs/nextcloud-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nextcloud-selfsigned.key;

if ($host = 10.0.0.99) {
    return 301 https://$host$request_uri;
}

Step 3. Register the local IP address of your server.

This is done in Nextcloud's own configuration file at /var/www/nextcloud/config/config.php: in the trusted_domains array, replace the technical domain with the local IP address of the server.

Step 4. Disconnect the Nextcloud server from the external network.

We do this in the network interface settings. On Ubuntu this is the netplan file /etc/netplan/50-cloud-init.yaml.

We comment out all lines of the default (public) interface ens3, leaving only the local interface ens4:

network:
    ethernets:
        # ens3:
        #     addresses:
        #     - 77.222.60.8/24
        #     - 2a02:408:7722:54:77:222:60:8/64
        #     gateway4: 77.222.60.1
        #     gateway6: 2a02:408:7722:54::1
        #     nameservers:
        #         addresses:
        #         - 8.8.8.8
        #         - 8.8.4.4
        #         - 2001:4860:4860::8888
        #         - 2001:4860:4860::8844
        #         search: []
        #     optional: true
        ens4:
            addresses:
            - 10.0.0.99/27

Step 5. Save the file and run the command:

netplan generate

Step 6. Reboot the server.

Ready! The server is now reachable only via its local IP address. To access it, users must first connect to the OpenVPN server.

Using a domain instead of an IP address to connect to Nextcloud

If you need access to Nextcloud via a specific domain (for example, nextcloud.example.ru), then instead of a local IP address during setup you will need to specify this domain everywhere.

For domain resolution to work within the network, you need to add the following entry to the /etc/hosts file on both servers:

10.0.0.99 nextcloud.example.ru

Here, in place of 10.0.0.99 specify the local IP address of the Nextcloud server, and in place of nextcloud.example.ru your domain.

This domain does not have to exist, since resolution will occur locally.
