How can I secure connection to nextcloud?

Hey so I’m completely new to raspberry pis. I just bought one because I thought It would be fun to make a cloud sever for myself. nextcloud installed on my raspberry pi and noticed that the connection is not secure (using http instead of https). How do I fix this (step by step would be nice as I’m new)? is there any other measures I should take for security? I have already changed my app password and login password. Thanks for your time in advance! :smiley:


one small question. Do you need to access Nextcloud from Internet or just from local network only?

I would like to be able to connect to it outside of the network. I’m still in the process of figuring that out though.

  1. create a clean DietPi installation and complete initial setup
  2. first you would need to have a DynDNS service that allow you to connect from outside world to your home network by using a dynamic domain name. If you already have a DDNS service, you can go to point 5
  3. to get a DDNS domain, you would need to register at first
  4. if you finished registration process, we can go to install No-IP software on your DietPi device
  • run dietpi-config
    • go to option 8 : Network Options: Misc
    • select No-IP
    • confirm installation
    • once installation of No-IP software is done, select No-IP again
    • enter your login credentials for No-IP
  1. if DDNS is working, continue with next step
  2. ensure Port 80 and 443 are forwarded (from your internet router) correctly to your DietPi device
  3. once ready, run dietpi-software, search and install NextCloud
  4. once installation completed and your system was rebooted, try to connect to your Webserver on http (port 80)
  5. pls try to connect from your LAN as well as from Internet, you should receive the Webserver Default Page
  • once you’re able to connect to your Webserver from Internet on http (80), got to point 10. (https - port 443 will not work at this stage)
    • if you are not able to connect on http (80) from internet, you would need to check why and what’s wrong with your port forwarding
  1. let’s do the SSL certificate now, run dietpi-letsencrypt
  2. install CertBot
  3. once done you will be ask for your Let’sEncrypt information
  • fill in your domain name (No-IP DDNS)
    • fill in your email address
    • set Redirect to ON
    • Apply the setting
  1. once finished (and all services started) you should be able to reach your website on http (80) as well as https (443)
  2. if you are opening the website on http (80) you should be automatically redirected to https (443)
1 Like

Hello, how about I don’t have DDNS domain but I have public IP from my provider? Can You help me to enable SSL?
Regards Przemek

You would need to have a DNS to get SSL certificate created, you can simply register on NoIP. It should be a free service and is supported by DietPi.

Hi, I do as You told and I can login with https to nextcloud but Firefox tell that is not secure and lock icon is crossed. It is normal?


No that’s not normal. Usually the connection should be displayed as secured. How do you connect to your NextCloud website? Do you use the same DNS name that you used to create your Letsencrypt certificates?

Thanks I login with and it works with secure connection :slight_smile: but now have error because permissions. I add permissions for dietpi user to write to nextcloud folder when connected by ftp.
Joulinar can You tell me, if I have ssl now and login with https it will be more secure if I disable http login and delete port forwarding on my router for port 80?

well I guess you still would need http on your router (port-forwarding) to be able to recreate your certificate. Keep in mind that the certificate has a lifetime and would need to be re-created before it expire.

If you use dietpi-letsencrypt to create your certificate, you could set the option Redirect to ON. This should redirect each http request on your webserver to https automatically.

OK, thank You for help.

Port forwarding on a home router is generally a bad idea, as it opens your home network up to the public Internet and thus makes every connected device in your house vulnerable to an attack.

I have found that works very well for this use case. You can install it from the dietpi-software menu.

Hi, hyperreal. Is this service free? How does it works? Can You tell me something about it?
Regards Przemek


honestly I would not do that. You would establish a permanent connection between your system and a “unknown” US cloud provider. I’m not sure if this is a good idea.

Hi, thanks for tip. Now I’m looking about how to secure my Emby server. I install fail2ban but I don’t know is it working only for logging to my Dietpi SSH or everything (Emby and Nextcloud)?
Regards Przemek

do you plan to have Emby accessible from Internet?

Fail2ban basically scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs, too many password failures, seeking for exploits, etc. Means as long as there is a log file that shows failed logins, it should work.

Yes, I have Emby accesible from internet. I wants also to add SSL certificate but don’t know how to start. Is this tutorial from SSL for nextcloud will work The same?

well there a some guides on emby forum. First hits on google. So it’s not that difficult. You can reuse the letsencrypt certificate you already created. Not sure if it is still valid but only thing needed is to convert certificates to “PFX/PKCS#12”

Sorry but I don’t understand. I have used letsencrypt to grnerate certificate for nextcloud. Now I can use the same certificate for Emby? I will be login on The same no-ip ddns domain? but ending …

well I guess you have a misunderstanding what and how web browser certificates are working. The certificate is not used for Nextcloud only. Your webserver is using basically for all request that will be received for, doesn’t matter if it’s Nectcloud or something else. However Emby will have his own webserver as it’s not running on http port 80 or https 443. Therefore you would need to configure Emby to use the certificates. How to activate and convert the generally created letsecrypt certificate I linked you above. As you may noticed, Emby is using their own ports like 8096 for http. Once you have activated https it will be 8920. So don’t miss to forward the correct port on your router.