Laptop-Services/syncthing/sync/Security_Plans.txt
2025-11-25 23:05:11 -05:00
Cloud Security Steps
[01] Configure Cloudflare Tunnel (cloudflared)
- Set up a named tunnel on your Raspberry Pi.
- Only expose required services (Nextcloud, optionally Pi-hole) through the tunnel.
- Run cloudflared as a systemd service to ensure it starts automatically.
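Added example for step [01] (not part of the original checklist): a shell script that writes a cloudflared config.yml whose ingress exposes only Nextcloud and ends in the catch-all 404 rule, then checks that property offline. The tunnel UUID, the hostname cloud.example.com and the /etc/cloudflared paths are placeholders; the cloudflared commands in install_tunnel_service are real but are only meant to be run on the Pi.

```shell
#!/bin/sh
# Added example for step [01]; not from the original checklist.
# Writes a cloudflared config.yml that exposes only Nextcloud and ends in a
# catch-all 404, then checks that property without needing cloudflared.
# Tunnel UUID, hostname and paths are placeholders.

TUNNEL_UUID="00000000-0000-0000-0000-000000000000"   # placeholder: output of `cloudflared tunnel create`
NC_HOST="cloud.example.com"                           # placeholder public hostname

# write_cloudflared_config FILE UUID HOSTNAME
# cloudflared matches ingress rules top to bottom. The last rule has no
# hostname and answers 404, so nothing else on the Pi is reachable through
# the tunnel. Add a second hostname rule only if Pi-hole's admin UI is needed.
write_cloudflared_config() {
  cat > "$1" <<EOF
tunnel: $2
credentials-file: /etc/cloudflared/$2.json
ingress:
  - hostname: $3
    service: http://localhost:80
  - service: http_status:404
EOF
}

# ingress_hostnames FILE -> number of hostname rules (services actually exposed)
ingress_hostnames() {
  grep -cE '^[[:space:]]*- hostname:' "$1"
}

# ingress_has_catchall FILE -> 0 if the last ingress rule is the hostname-less 404
ingress_has_catchall() {
  last=$(grep -E '^[[:space:]]*- ' "$1" | tail -n 1)
  case "$last" in
    *'- service: http_status:404') return 0 ;;
    *) return 1 ;;
  esac
}

# Run on the Pi once /etc/cloudflared/config.yml is in place (not executed here).
install_tunnel_service() {
  cloudflared tunnel ingress validate                        # syntax and rule-order check
  cloudflared tunnel route dns "$TUNNEL_UUID" "$NC_HOST"     # DNS CNAME -> <uuid>.cfargotunnel.com
  sudo cloudflared --config /etc/cloudflared/config.yml service install
  sudo systemctl enable --now cloudflared                    # starts at boot, restarts on failure
}
```

The two check functions encode the property that matters for this step: exactly the intended hostnames are listed, and the rule list ends with a catch-all so a request for any other Host header gets a 404 instead of reaching another local service.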
[02] Configure HTTPS / SSL
- Ensure "Full (strict)" SSL mode is used in Cloudflare.
- Install Cloudflare Origin Certificate on the Pi.
- Verify all traffic is served over HTTPS.
[03] Secure SSH on Raspberry Pi
- Disable SSH password login.
- Disable root login via SSH.
- Use SSH keys for authentication only.
- Restrict SSH access to trusted IPs if possible.
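Added example for step [03] (not from the original checklist): an audit function that reads an sshd_config and reports which of the four items above are not met, plus a writer for the matching hardening drop-in. The drop-in path, the user name and the trusted CIDR 192.0.2.0/24 are placeholders.

```shell
#!/bin/sh
# Added example for step [03]; not from the original checklist. Audits an
# sshd_config against the items above and writes the matching hardening
# drop-in. Drop-in path, user name and trusted CIDR are placeholders.

# sshd_value FILE KEY -> first uncommented value of KEY. sshd honours the
# first occurrence of a directive, so that is the one that counts.
sshd_value() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_audit FILE -> one line per finding, returns the number of failures.
# Defaults are those of current OpenSSH: PermitRootLogin prohibit-password,
# PasswordAuthentication yes, KbdInteractiveAuthentication yes, PubkeyAuthentication yes.
sshd_audit() {
  f=0
  v=$(sshd_value "$1" PermitRootLogin)
  [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-prohibit-password} (want no)"; f=$((f + 1)); }
  v=$(sshd_value "$1" PasswordAuthentication)
  [ "$v" = no ] || { echo "FAIL PasswordAuthentication=${v:-yes} (want no)"; f=$((f + 1)); }
  v=$(sshd_value "$1" KbdInteractiveAuthentication)
  [ "$v" = no ] || { echo "FAIL KbdInteractiveAuthentication=${v:-yes} (want no; otherwise PAM can still prompt for a password)"; f=$((f + 1)); }
  v=$(sshd_value "$1" PubkeyAuthentication)
  [ "${v:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication=$v (want yes)"; f=$((f + 1)); }
  [ -n "$(sshd_value "$1" AllowUsers)" ] || echo "WARN no AllowUsers: logins are not limited to a user or source network"
  if [ "$f" -eq 0 ]; then echo "OK $1"; fi
  return "$f"
}

# write_sshd_dropin FILE USER -> hardening drop-in for /etc/ssh/sshd_config.d/
# (read only if the main file contains "Include /etc/ssh/sshd_config.d/*.conf").
write_sshd_dropin() {
  cat > "$1" <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# optional: this user only, and only from the trusted LAN (placeholder CIDR)
AllowUsers $2@192.0.2.0/24
EOF
}
# Before restarting sshd on the Pi: `sudo sshd -t` validates the merged config;
# keep the current session open until a fresh key-based login succeeds.
```

Usage on the Pi: `sshd_audit /etc/ssh/sshd_config` before and after adding the drop-in; the AllowUsers line implements "restrict SSH access to trusted IPs" and can be dropped if the Pi must accept keys from anywhere.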
[04] Configure Raspberry Pi firewall
- Default deny all incoming connections.
- Allow only outbound traffic necessary for updates and cloudflared tunnel.
- Optionally restrict access to Pi-hole (DNS) or Nextcloud ports internally.
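Added example for step [04] (not from the original checklist): an nftables ruleset that implements "default deny incoming, only the outbound traffic cloudflared and updates need", generated for a given LAN CIDR, with an offline check of the chain policies. The LAN range 192.0.2.0/24 is a placeholder; port 7844 (TCP and UDP/QUIC) is the port cloudflared uses to reach the Cloudflare edge.

```shell
#!/bin/sh
# Added example for step [04]; not from the original checklist. Generates an
# nftables ruleset (input/forward/output all default drop) for the Pi and
# checks its policies offline. The LAN CIDR is a placeholder.

# write_nft_ruleset FILE LAN_CIDR
# Inbound: only SSH, DNS (Pi-hole) and Nextcloud's port 80 from the LAN.
# Internet traffic for Nextcloud arrives via cloudflared over loopback, so
# no inbound port is opened for it. Outbound: DNS, NTP, apt over 80/443 and
# cloudflared's edge connection on 7844.
write_nft_ruleset() {
  cat > "$1" <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    ip saddr $2 tcp dport 22 accept comment "SSH from LAN only"
    ip saddr $2 udp dport 53 accept comment "Pi-hole DNS"
    ip saddr $2 tcp dport 53 accept comment "Pi-hole DNS (TCP)"
    ip saddr $2 tcp dport 80 accept comment "Nextcloud from LAN; Internet comes via cloudflared on lo"
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    udp dport 53 accept comment "DNS to Pi-hole upstream"
    udp dport 123 accept comment "NTP"
    tcp dport { 80, 443 } accept comment "apt updates, Cloudflare API"
    tcp dport 7844 accept comment "cloudflared -> Cloudflare edge"
    udp dport 7844 accept comment "cloudflared QUIC"
  }
}
EOF
}

# chain_policy FILE CHAIN -> the policy keyword (accept/drop) of that chain
chain_policy() {
  awk -v c="chain $2 {" 'index($0, c) { f = 1 }
       f && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }' "$1"
}

# On the Pi: `sudo nft -c -f FILE` dry-runs the parse, `sudo nft -f FILE`
# applies it, and copying it to /etc/nftables.conf plus
# `sudo systemctl enable nftables` makes it persistent (not executed here).
nft_dry_run() {
  command -v nft >/dev/null 2>&1 && sudo nft -c -f "$1"
}
```

Anything not listed is dropped in both directions, which is what makes the tunnel design hold: even if a service on the Pi is misconfigured to listen on all interfaces, the input policy keeps it unreachable from outside the LAN.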
[05] Secure Nextcloud
- Set trusted domains in Nextcloud configuration.
- Enforce HTTPS only.
- Move Nextcloud data directory outside web root.
- Ensure correct file permissions on Nextcloud data.
- Configure database to accept connections only from localhost.
- Set strong database password.
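Added example for step [05] (not from the original checklist): two offline checks, one for the data directory (outside the web root, no permissions for "other") and one for the database bind address, followed by the occ commands that apply the Nextcloud-side settings on the Pi. The install path /var/www/nextcloud, the data path /srv/nextcloud-data and the hostname are placeholders; the datadirectory itself is set at install time or by moving the directory and editing config.php, which this script only verifies.

```shell
#!/bin/sh
# Added example for step [05]; not from the original checklist. Offline checks
# for the data directory and the database bind address, plus the occ commands
# for the Nextcloud settings. Paths and hostname are placeholders.

NC_HOST="cloud.example.com"          # placeholder
NC_WEBROOT="/var/www/nextcloud"      # placeholder install path
NC_DATA="/srv/nextcloud-data"        # placeholder, deliberately outside the web root

# datadir_check WEBROOT DATADIR -> 0 when DATADIR exists, is not under WEBROOT
# and grants nothing to "other" (Nextcloud expects 0750/0770, owner www-data).
datadir_check() {
  web=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL web root $1 missing"; return 1; }
  data=$(cd "$2" 2>/dev/null && pwd -P) || { echo "FAIL data dir $2 missing"; return 1; }
  case "$data/" in
    "$web"/*) echo "FAIL $data lies inside web root $web"; return 1 ;;
  esac
  mode=$(stat -c '%a' "$data")         # GNU stat, as on Raspberry Pi OS
  case "$mode" in
    *[1-7]) echo "FAIL mode $mode on $data is accessible to others"; return 1 ;;
  esac
  echo "OK $data mode $mode"
}

# db_local_only CNF -> 0 if MariaDB's bind-address is loopback. On Debian the
# setting lives in /etc/mysql/mariadb.conf.d/50-server.cnf; with no bind-address
# at all MariaDB listens on every interface.
db_local_only() {
  addr=$(awk -F'=' '$1 ~ /^[[:space:]]*bind-address[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
  case "$addr" in
    127.0.0.1|::1|localhost) return 0 ;;
    "") echo "FAIL bind-address not set"; return 1 ;;
    *) echo "FAIL bind-address=$addr"; return 1 ;;
  esac
}

# nc_apply: run on the Pi as root (not executed here). Trusted domain, HTTPS-only
# URL generation, and trusting the local cloudflared as a proxy so the real
# client address from X-Forwarded-For reaches the logs and brute-force protection.
nc_apply() {
  occ="sudo -u www-data php $NC_WEBROOT/occ"
  $occ config:system:set trusted_domains 1 --value="$NC_HOST"
  $occ config:system:set overwriteprotocol --value=https
  $occ config:system:set overwrite.cli.url --value="https://$NC_HOST"
  $occ config:system:set trusted_proxies 0 --value=127.0.0.1
  sudo chown -R www-data:www-data "$NC_DATA" && sudo chmod 750 "$NC_DATA"
}
```

Run `datadir_check /var/www/nextcloud /srv/nextcloud-data` and `db_local_only /etc/mysql/mariadb.conf.d/50-server.cnf` on the Pi; both print a FAIL line and return non-zero on the condition this step is meant to rule out.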
[06] Nextcloud Web Security Settings
- Enable 2FA for all admin and important users.
- Enable brute-force protection app.
- Enable strong password policy app.
- Disable or uninstall unused apps.
- Configure HSTS headers:
  - Enable HSTS headers (max-age 15552000)
  - Include Subdomains only if all HTTPS
  - Preload OFF
- Enable No-Sniff header
[07] Cloudflare Zero Trust / Access Policies
- Enable Zero Trust access.
- Require authentication (Google/GitHub/email) to access Nextcloud.
- Apply policies only to allowed users.
- Enable Web Application Firewall (WAF) in Cloudflare.
- Add rate-limiting rules for login pages.
[08] Verify tunnel and DNS
- Confirm Cloudflare Tunnel routes Nextcloud (and Pi-hole if needed) correctly.
- Ensure your home IP is not exposed.
- Test that Nextcloud is accessible via the domain only through Cloudflare.
[09] Backups / Credential Security
- Set up encrypted backups of Nextcloud data and database.
- Back up /etc/cloudflared/config.yml and Nextcloud config.
- Store SSH keys and Cloudflare certificates securely.
- Test restoration of at least one backup.
[10] Test Security Headers
- Verify HSTS and No-Sniff headers are active using curl or https://securityheaders.com.
- Ensure browsers enforce HTTPS and MIME sniffing prevention.
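Added example for step [10] (not from the original checklist): a checker that parses a saved header dump, as printed by `curl -sI https://HOST/`, and verifies the exact choices made in step [06]: HSTS max-age of at least 15552000, preload off, includeSubDomains noted, X-Content-Type-Options nosniff present. The hostname cloud.example.com is a placeholder, and the live_check function is the only part that touches the network.

```shell
#!/bin/sh
# Added example for step [10]; not from the original checklist. Checks a
# response-header dump against the HSTS and nosniff settings from step [06].
# Hostname is a placeholder; only live_check talks to the network.

NC_HOST="cloud.example.com"          # placeholder
MIN_HSTS=15552000                    # 180 days, the max-age chosen in step [06]

# header FILE NAME -> value of the first matching header, case-insensitive, CR stripped
header() {
  awk -v n="$2" 'BEGIN { n = tolower(n) }
       { i = index($0, ":")
         if (i && tolower(substr($0, 1, i - 1)) == n) {
           v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/\r$/, "", v); print v; exit } }' "$1"
}

# check_headers FILE -> one line per finding, returns the number of failures
check_headers() {
  f=0
  hsts=$(header "$1" Strict-Transport-Security)
  age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$age" ]; then
    echo "FAIL no Strict-Transport-Security header"; f=$((f + 1))
  elif [ "$age" -lt "$MIN_HSTS" ]; then
    echo "FAIL HSTS max-age=$age is below $MIN_HSTS"; f=$((f + 1))
  else
    echo "OK HSTS max-age=$age"
  fi
  case "$hsts" in *preload*) echo "FAIL HSTS preload is set; step [06] chose preload OFF"; f=$((f + 1)) ;; esac
  case "$hsts" in *includeSubDomains*) echo "NOTE includeSubDomains set: every subdomain must serve HTTPS" ;; esac
  nosniff=$(header "$1" X-Content-Type-Options | tr 'A-Z' 'a-z')
  if [ "$nosniff" = nosniff ]; then
    echo "OK X-Content-Type-Options: nosniff"
  else
    echo "FAIL X-Content-Type-Options missing or not 'nosniff'"; f=$((f + 1))
  fi
  return "$f"
}

# live_check HOST: fetch the real headers through Cloudflare and show the DNS
# record. A Cloudflare Tunnel hostname is a CNAME to <uuid>.cfargotunnel.com,
# so the home IP should never appear in the answer (step [08]). Not executed here.
live_check() {
  tmp=$(mktemp)
  curl -sI "https://$1/" > "$tmp"
  check_headers "$tmp"
  dig +short "$1" CNAME
  rm -f "$tmp"
}
```

Because the dump is parsed from a file, the same function works on headers captured from the Pi's LAN address and from the public hostname, which shows whether HSTS is set by Nextcloud itself or only added at the Cloudflare edge.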
glances token
CF-Access-Client-Secret: f7908c8d9e1206284dfbcb43a29106ff9c50ec9b9397a08d0420a6a6d3cec061