HACKER Q&A
📣 aborsy

How to securely expose an internal webserver to the internet


I would like to expose a web server such as Nextcloud to the internet. I want an authentication layer in front of it, as in Cloudflare Access with ACLs. It will be on a custom domain and end-to-end encrypted with TLS. I prefer that the proxy in front is managed and secured by a company, since I am not an expert in security.

* Cloudflare Access: This is great, but Cloudflare terminates the TLS which is not acceptable (otherwise I will run the application in the cloud)

* Ngrok: The free tier is limited (doesn’t support custom domains and is too limited in bandwidth), and the pricing of the paid tier doesn’t fit

* A reverse proxy on a VPS with something like Authentik or Teleport in front of it. This would work, but I prefer that I don't configure and maintain Authentik. It seems risky.

I am looking for recommendations.


  👤 bob1029 Accepted Answer ✓
You are on a cursed mission.

If you want someone else to do your auth for you (i.e., sign in with Google account before you get proxied to the origin), you will need to allow them to terminate the TLS for you. Otherwise, they won't know the state of the auth mechanism.


👤 frankjr
If it's just for you, you could simply SSH forward the nextcloud's port to your machine. No need to deal with domains and TLS at all.
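As an added example (not from the thread), this is what that single-user approach looks like as a small Python wrapper around the `ssh` client: it forwards a loopback-only local port to the Nextcloud port on the remote host and waits until the tunnel actually accepts connections. It assumes key-based SSH access to the host and that Nextcloud listens on `127.0.0.1:443` there; the host name is whatever you pass on the command line.

```python
import socket
import subprocess
import sys
import time


def build_ssh_argv(ssh_host: str, local_port: int = 8443,
                   remote_host: str = "127.0.0.1", remote_port: int = 443) -> list:
    """argv for a forwarding-only ssh session.
    -N: no remote shell; ExitOnForwardFailure: fail loudly instead of silently running without
    the forward; bind to 127.0.0.1 so other machines on the LAN cannot ride the tunnel."""
    if not (0 < local_port < 65536 and 0 < remote_port < 65536):
        raise ValueError("port out of range")
    return [
        "ssh", "-N",
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",
        "-L", f"127.0.0.1:{local_port}:{remote_host}:{remote_port}",
        ssh_host,
    ]


def wait_for_port(port: int, host: str = "127.0.0.1", timeout: float = 10.0) -> bool:
    """Poll until something accepts TCP connections on host:port, or give up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def open_tunnel(ssh_host: str, local_port: int = 8443) -> subprocess.Popen:
    proc = subprocess.Popen(build_ssh_argv(ssh_host, local_port))
    if not wait_for_port(local_port):
        proc.terminate()
        raise RuntimeError("tunnel did not come up; check ssh output above")
    return proc


if __name__ == "__main__":
    tunnel = open_tunnel(sys.argv[1])          # e.g. user@home.example.org (placeholder)
    print("Nextcloud reachable at https://127.0.0.1:8443 (Ctrl-C to close)")
    try:
        tunnel.wait()
    except KeyboardInterrupt:
        tunnel.terminate()
```

The browser still validates the origin's certificate on `127.0.0.1:8443`, so keep the certificate's name matching (or add a hosts entry) rather than clicking through warnings.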

👤 ghoshbishakh
Pinggy (https://pinggy.io) supports TLS tunnels (end to end encrypted). However, by design that means Pinggy cannot put any authentication layer in front of it. The connection will be end-to-end encrypted from the browser to your server.

Disclosure - I am working with Pinggy.