• Clearwater@lemmy.world
    8 hours ago

    Mine is publicly exposed using the standard nextcloud:stable-apache Docker container, with nginx (past) / traefik (present) handling TLS termination, but not otherwise adding additional security measures.

    It’s been this way for several years and I’m yet to have issues, but it’s certainly not bulletproof since a critical vuln in Nextcloud could pwn it. That just hasn’t happened.

  • kiol@discuss.online
    12 hours ago

    Yes. Not only that, but it can be exposed at gargantuan scale for the last decade. Use of a VPN is totally optional.

  • BakedCatboy@lemmy.ml
    2 days ago

    Idk about giving a comprehensive answer, but getting full marks on the Nextcloud security scanner is a good start: https://scan.nextcloud.com/

    I check mine periodically and make sure I’m on the latest version, use 2FA (passkey) and hope that does the trick.

    Also there’s a plugin for brute force protection.

  • nbailey@lemmy.ca
    1 day ago

    A very effective first step is to put it on a vhost with a domain you control, and drop traffic to the default vhost. 99.999% of scanners are just going through IPs looking for stuff, so don’t give them anything. Better yet, block any IP that scans you more than a dozen or so times.

    Obviously some stuff will find you through cert issuance logs, but most of the bastards don’t bother with that level of sophistication.
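
The blocking rule from the comment above (ban an address after "a dozen or so" requests that land on the default vhost), as an added example that is not part of the original post. The log format, the vhost name `cloud.example.org` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed (hypothetical) access-log format, one request per line:
#   <client_ip> <requested_host> "<request line>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$'
)

SERVED_HOSTS = {"cloud.example.org"}  # placeholder for the real vhost name
BAN_THRESHOLD = 12                    # "a dozen or so" from the comment

def default_vhost_hits(lines, served=SERVED_HOSTS):
    """Count requests per client IP whose Host is not a served vhost."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        host = m["host"].lower().split(":")[0]  # drop any :port suffix
        if host not in served:
            hits[m["ip"]] += 1
    return hits

def ips_to_block(lines, threshold=BAN_THRESHOLD):
    """Return the IPs with more than `threshold` default-vhost requests."""
    hits = default_vhost_hits(lines)
    return sorted(ip for ip, n in hits.items() if n > threshold)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    # 13 requests addressed to the bare IP: over the threshold
    [f'203.0.113.7 192.0.2.10 "GET /probe-{i} HTTP/1.1" 444' for i in range(13)]
    # a real user hitting the proper vhost: never counted
    + [f'198.51.100.20 cloud.example.org "GET /f/{i} HTTP/1.1" 200' for i in range(40)]
    # a few stray requests with no Host header: counted, but under the threshold
    + ['192.0.2.44 - "GET / HTTP/1.0" 444'] * 3
)

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG):
        print("block", ip)
```
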

  • cecilkorik@piefed.ca
    2 days ago

    Yes. Mine is exposed publicly (with fail2ban) on a VPS with a public IP and a public DNS name and it’s fine. Use a minimal configuration that meets your needs, use secure passwords like you would for any public service and keep it up to date, and stay aware of any potential news that might make you aware of any severe and widespread vulnerabilities in the future (there haven’t been any in Nextcloud so far). It is not nearly as terrifying as people make it out to be to share public services on the public internet. Most decent software is secure-by-default. Yes, vulnerabilities and attacks can happen, but they are the exception, not the rule.

  • Rioting Pacifist@lemmy.world
    2 days ago

    Define securely.

    I’ve run my Nextcloud online for a few years with no incidents. It’s behind Apache, I keep it up to date, and I have a bit of extra hardening (but none of it really hardens Nextcloud itself; it would just make running exploits on my server more visible).

    It doesn’t really add security in the traditional sense, but for a personal server, logging outbound traffic and having it email me when something non-standard initiates a connection also gives me an added sense of security.
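
One way to build the outbound-connection alert described in the comment above, as an added example that is not the commenter's own setup. It assumes a firewall LOG rule writes new outbound connections to the kernel log with the hypothetical prefix `OUTBOUND: `; the allowlist and the sample lines are constructed for illustration, and the mail is only built, not sent.

```python
import re
from email.message import EmailMessage

# Assumed allowlist of (protocol, destination port) the server normally uses.
EXPECTED = {("UDP", 53), ("TCP", 53), ("UDP", 123), ("TCP", 80), ("TCP", 443)}
PREFIX = "OUTBOUND: "  # hypothetical log prefix configured on the LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # netfilter LOG lines are KEY=value pairs

def unexpected_connections(lines, expected=EXPECTED):
    """Return (dst, proto, port) for logged connections outside the allowlist."""
    found = []
    for line in lines:
        if PREFIX not in line:
            continue
        fields = dict(FIELD_RE.findall(line.split(PREFIX, 1)[1]))
        try:
            # Protocols without ports (e.g. ICMP) are keyed as port 0.
            key = (fields["PROTO"], int(fields.get("DPT", 0)))
        except (KeyError, ValueError):
            continue  # not a parsable packet log line
        if key not in expected:
            found.append((fields.get("DST", "?"), *key))
    return found

def build_alert(lines, sender, recipient):
    """Build the notification mail, or return None when nothing is unusual."""
    events = unexpected_connections(lines)
    if not events:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"{len(events)} unexpected outbound connection(s)"
    msg.set_content("\n".join(f"{p} -> {d}:{port}" for d, p, port in events))
    return msg

# Constructed sample log lines (documentation-range addresses).
_HEAD = "May 25 17:40:01 srv kernel: OUTBOUND: IN= OUT=eth0 SRC=192.0.2.10 "
SAMPLE_LOG = [
    _HEAD + "DST=198.51.100.53 LEN=60 PROTO=UDP SPT=40000 DPT=53",
    _HEAD + "DST=198.51.100.80 LEN=60 PROTO=TCP SPT=40002 DPT=443",
    _HEAD + "DST=203.0.113.50 LEN=60 PROTO=TCP SPT=40004 DPT=8081",
]

if __name__ == "__main__":
    print(build_alert(SAMPLE_LOG, "server@example.org", "admin@example.org"))
```
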

  • Decronym@lemmy.decronym.xyz
    2 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    | Fewer Letters | More Letters |
    |---|---|
    | DNS | Domain Name Service/System |
    | HTTP | Hypertext Transfer Protocol, the Web |
    | IP | Internet Protocol |
    | SSL | Secure Sockets Layer, for transparent encryption |
    | TLS | Transport Layer Security, supersedes SSL |
    | VPN | Virtual Private Network |
    | VPS | Virtual Private Server (opposed to shared hosting) |
    | nginx | Popular HTTP server |

    6 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

    [Thread #315 for this comm, first seen 25th May 2026, 17:40]

    • kiol@discuss.online
      12 hours ago

      As the creator of that thread, and a Nextcloud volunteer, I can confirm that Nextcloud can absolutely be run without a VPN. That is exactly what it is designed to do, scaling to millions of users.

      It is vastly more deployed, modular, enterprise grade, and battle tested. Running it is nothing like running Jellyfin.

    • tko@tkohhh.social
      2 days ago

      This is not an apples to apples comparison because Nextcloud has security built in… it was designed to be published securely on the internet.

      That’s not to say Nextcloud is perfect and without security concerns, but it’s miles ahead of Jellyfin, which is not designed to be published to the web.

    • MaggiWuerze@feddit.org
      2 days ago

      The state of Nextcloud is not in any way comparable to the mess Jellyfin calls a backend.

    • 8j1obzlb@piefed.social
      2 days ago

      FWIW it seems Jellyfin has some application-specific authentication/security bugs that complicate things a bit. Of course the same concepts should generally apply, but some considerations will be different depending on what application you’re exposing.

  • sorter_plainview@lemmy.today
    2 days ago

    I don’t think anyone answered the question. It is about whether it can be exposed without a VPN, not whether it is safe to expose.

    In my limited knowledge, I think it is possible, but I’m not really sure what you mean by “VPN”. You will at least need a tunnel. If your concern is paying for a VPN just for the use case, you don’t need a full-fledged VPN. A WireGuard tunnel will do.

    You may get a better answer if you can elaborate your question with more details. Good luck.