Should I use DMZ for a public NextCloud server hosted on a home network?

1

I would like to set up a small NextCloud installation on a Raspberry Pi 1 Model B+, or something like that, on my home network.
I would like it to be accessible from the outside with a DNS of some sort. The idea is to create my private Dropbox.

Now regarding security... should I place the NextCloud server in DMZ and forbid everything except port 80/443 for nginx or Apache to serve the required HTML, or is there a better, more secure way to achieve my goal?

This is the network diagram I have in mind (thank you Alex):

Internet---Router1---Router2====Home Network (Wi-Fi, LAN)
                  |DMZ
                  +---Raspberry Pi

What hardware do you recommend?
Obviously I already have the router provided by my home provider.

matteobin

Posted 2019-10-09T13:54:32.510

Reputation: 11

A DMZ (as opposed to an “Exposed Host", which is generally all that consumer routers support) requires you to split the (local) network using a firewall. Do you have the required hardware? – Daniel B – 2019-10-09T14:00:40.823

Hi! What do you have to create the DMZ? How is the network diagram? I think you will get better alternatives if you explain that. Cheers. – Jorge Valentini – 2019-10-09T14:01:51.830

Since you're hosting this in your home network a DMZ is the most secure way to accomplish your goal, yes. You need a capable firewall, like pfSense or a Cisco ASA. The rules should be just as you said: deny all except for TCP port 80/443 for web traffic (and/or any other required ports, but nothing more). – SamAndrew81 – 2019-10-09T14:33:41.633

Answers

0

You should not put the host into the DMZ, but instead create port-forwarding for the ports you do want exposed to the internet (like port 80).

If you put a host into the DMZ, you are essentially putting it on the public side of your firewall, leaving the host fully exposed to the internet on any listening service (not just the 1 you intend to use). This would be like removing all the doors and windows on a house, so that the dog can go through the doggy door.

FocusedWanderer

Posted 2019-10-09T13:54:32.510

Reputation: 11

This is not true. You can set port-forwarding and firewall rules in a DMZ network just like any other network. – SamAndrew81 – 2019-10-09T14:28:20.450

@SamAndrews81 It isn't always possible to set port-forwarding and firewall rules for DMZ devices with home equipment (which is what the original question appears to be in regards to). – Anaksunaman – 2019-10-09T20:09:05.980

I think this answer actually means “Exposed Host” when it says DMZ. If you see it like this, it’s absolutely correct: Exposing the host should be avoided. – Daniel B – 2019-10-10T08:39:58.933

I suppose context is key, yes. This just doesn't make a lot of sense to me since that would not actually be a true DMZ, as discussed on this wiki page: "A DMZ host...by definition, this is not a true DMZ" https://en.wikipedia.org/wiki/DMZ_(computing) – SamAndrew81 – 2019-10-15T04:02:14.037
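As an added example that is not from the question or any of the answers: an nftables ruleset for a Linux box standing in for Router1 in the diagram, implementing SamAndrew81's "deny all except TCP 80/443" on a separate DMZ interface, which is what makes this a true DMZ rather than a consumer router's exposed host. Interface names (wan0, dmz0, lan0) and the addresses are assumed placeholders, not values from the page.

```nftables
#!/usr/sbin/nft -f
# Constructed example: Router1 with three interfaces.
#   wan0 = ISP side, dmz0 = DMZ segment with the Pi, lan0 = link to Router2 / home network
# Addresses are placeholders; adapt them to your own network.
define PI = 192.168.100.10

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Manage the firewall itself only from the home side, never from WAN or DMZ
        iif lan0 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the two forwarded web ports, only to the Pi
        iif wan0 oif dmz0 ip daddr $PI tcp dport { 80, 443 } accept
        # Home network -> DMZ: the same two ports, nothing else
        iif lan0 oif dmz0 ip daddr $PI tcp dport { 80, 443 } accept
        # Home network -> Internet
        iif lan0 oif wan0 accept
        # DMZ -> Internet: what a Nextcloud host needs for DNS, updates/app store and NTP
        iif dmz0 oif wan0 ip saddr $PI meta l4proto { tcp, udp } th dport { 53, 80, 123, 443 } accept
        # DMZ -> home network: no rule, so it falls through to the drop policy.
        # A compromised Pi therefore cannot reach the LAN (the exposed-host mode offers no such separation).
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Port-forward only 80/443 from the Internet to the Pi; every other port stays closed
        iif wan0 tcp dport { 80, 443 } dnat to $PI
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif wan0 masquerade
    }
}
```

Load it with `nft -f` on the firewall and confirm with `nft list ruleset` that the only WAN-facing accept rules are the two tcp 80/443 entries.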