Self Hosting on home Internet connection

Other notes

BitWarden

Installation instructions using PowerShell for Docker on Windows.

You’ll need to do the following for the instructions above to work.

Change PowerShell execution policy:

set-executionpolicy Unrestricted

Enable TLS 1.2 in PowerShell:

[System.Net.ServicePointManager]::SecurityProtocol += 'tls12'

To get drive sharing to work

Add the network to the Private zone:

Set-NetConnectionProfile -InterfaceAlias "vEthernet (DockerNAT)" -NetworkCategory Private

Create a new local Windows user (best to use lusrmgr.msc)
Set a strong password (you will use it only once, so save it in your password manager)
Check "Password never expires"
Add the user to the Administrators group
Open Docker settings and allow drive sharing
Use the newly created user's credentials

Set-NetConnectionProfile -InterfaceAlias "vEthernet (DockerNAT)" -NetworkCategory Private

Go to Hyper-V Manager -> Virtual Switch Manager -> DockerNAT -> Connection Type: change from internal to private, apply, change back to internal, apply
Restart MobyLinuxVM
Restart Docker
Set Docker network profile to ‘Private’ as described above
Reset file sharing on DockerNAT connection as described above
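The drive-sharing setup above as one script, so it can be re-run after Docker or the DockerNAT adapter is reset. This is an added example, not part of the original notes: the account name is an assumption, and the interface alias is the one the notes use.

```powershell
# Added example (not from the original notes). Run from an elevated PowerShell.
# $AccountName is an assumed name for the dedicated drive-sharing account; the
# interface alias is the one from the notes above. Adjust both to your machine.
$AccountName    = 'docker-share'
$InterfaceAlias = 'vEthernet (DockerNAT)'

# 1. Put the DockerNAT virtual adapter in the Private zone so file and printer
#    sharing is permitted through the Windows firewall on that interface, then
#    read the profile back to confirm the change took.
Set-NetConnectionProfile -InterfaceAlias $InterfaceAlias -NetworkCategory Private
Get-NetConnectionProfile -InterfaceAlias $InterfaceAlias | Select-Object Name, NetworkCategory

# 2. Create the local account Docker will store for drive sharing. The password is
#    prompted for rather than written into the script, and the account is set to
#    never expire it: Docker keeps the credential, so a forced change would
#    silently break every bind mount.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName (save it in your password manager)"
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName -Password $Password -PasswordNeverExpires -UserMayNotChangePassword `
        -Description 'Docker for Windows drive sharing only' | Out-Null
}

# 3. Docker for Windows needs the share account in the local Administrators group,
#    as the notes describe. Checked first so the script is safe to re-run.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $AccountName -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $AccountName
}

# 4. The remaining step is manual: Docker settings > Shared Drives, using this account.
Write-Host "Enter $env:COMPUTERNAME\$AccountName and the password you just set in Docker's Shared Drives dialog."
```

Because the account exists only so Docker can authenticate to the shared drives, the description and the "cannot change password" flag make its purpose obvious to anyone auditing local accounts later.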

NextCloud

NextCloud was tricky to get working. Firstly, it wouldn’t work with the IIS reverse proxy because it compresses content in gzip format in its HTTP responses, so response URLs containing the private site address couldn’t be rewritten with the public site address before being sent to the user. So the Apache deflate module needed to be disabled from inside the container. Then, URL rewriting in the response worked, except the response URLs would use HTTP instead of HTTPS, and I’m not serving HTTP traffic at all, so the Android client would have login issues. To fix this, HSTS (HTTP Strict Transport Security) needed to be enabled. This forces browsers and clients to only use HTTPS connections. This was set at the server level (above the Sites level in IIS Manager) so all apps would benefit from it. Now, internal URLs would be rewritten and sent to the user, and the user’s device would upgrade the URLs to HTTPS. And while I was at it making changes in the container, I added the smbclient package so Windows shares on the local network could be accessed. Oh! And lastly, the public hostname needed to be added to the /var/www/html/config/config.php file as a trusted domain.

Disable the deflate Apache module, install smbclient (the container's working directory is /var/www/html, so the config/ paths below are relative to it):

docker exec -it <Container Name> /bin/bash
a2dismod deflate            # stop gzip-compressing responses so the proxy can rewrite URLs
service apache2 restart
apt update
apt install smbclient mc    # smbclient for Windows shares, mc for the mcedit editor
cp config/config.php config/config.old.php   # keep a backup before editing
mcedit config/config.php
exit
docker restart <Container Name>

Edit the config.php file so the trusted domains section looks something like this:

'trusted_domains' =>
array (
0 => '192.168.x.x:8080',
1 => 'cloud.wossman.net.gy',
),
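The container changes and the trusted-domains edit above, run non-interactively from the Windows host so they can be repeated whenever the container is recreated (a2dismod writes to the container's own filesystem, not to a volume, so the change does not survive a new container). This is an added example, not part of the original notes; the container name, the public hostname and the use of Nextcloud's occ tool in place of editing config.php by hand are my choices, and step 4 adds a Nextcloud setting the notes do not mention.

```powershell
# Added example (not from the original notes). Runs from PowerShell on the Docker host.
# $Container and $PublicHost are assumptions; $LanAddress is the placeholder from the notes.
$Container  = 'nextcloud'
$LanAddress = '192.168.x.x:8080'
$PublicHost = 'cloud.example.net'

# 1. Stop Apache from gzip-compressing responses; a compressed body cannot be
#    rewritten by the IIS reverse proxy. apache2ctl -M lists loaded modules, so the
#    last command returns False once deflate_module has been removed.
docker exec $Container a2dismod deflate
docker exec $Container service apache2 restart
docker exec $Container apache2ctl -M | Select-String -Pattern 'deflate' -Quiet

# 2. smbclient for Windows shares on the LAN, mc for editing inside the container.
docker exec $Container sh -c 'apt update && apt install -y smbclient mc'

# 3. Trusted domains through occ, Nextcloud's command-line tool. It writes config.php
#    itself, so the file keeps its www-data ownership and no manual edit is needed.
#    Index 0 is the LAN address, index 1 the public hostname, as in the notes.
docker exec -u www-data $Container php occ config:system:set trusted_domains 0 --value=$LanAddress
docker exec -u www-data $Container php occ config:system:set trusted_domains 1 --value=$PublicHost
docker exec -u www-data $Container php occ config:system:get trusted_domains

# 4. Not in the notes: behind a proxy that terminates TLS, Nextcloud can be told to
#    generate https:// links itself, so its own URLs are correct even for clients that
#    have not yet seen the HSTS header.
docker exec -u www-data $Container php occ config:system:set overwriteprotocol --value=https

# A container restart re-reads config.php and picks up the Apache module change.
docker restart $Container
```

The occ calls are idempotent, so the whole script can be run again after pulling a new image without first inspecting the current config.php.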

Add the HSTS header to IIS (with 180-day max age recommended by ssllabs.com server tester):

Name:
Strict-Transport-Security
Value:
max-age=15552000; includeSubDomains
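The HSTS header above set from PowerShell instead of IIS Manager, followed by a check of what a client actually receives. This is an added example, not part of the original notes: it assumes the IIS WebAdministration module is installed, and the hostname in the last line is a placeholder.

```powershell
# Added example (not from the original notes). Requires the IIS management tools,
# which provide the WebAdministration module.
Import-Module WebAdministration

# Part 1: add the header at the server level. 'MACHINE/WEBROOT/APPHOST' is the root
# of applicationHost.config, i.e. above the Sites node in IIS Manager, so every site
# inherits it. The value is the one from the notes: 180 days, subdomains included.
$hstsValue = 'max-age=15552000; includeSubDomains'
$filter    = 'system.webServer/httpProtocol/customHeaders'
$existing  = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' |
             Select-Object -ExpandProperty Collection |
             Where-Object { $_.name -eq 'Strict-Transport-Security' }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name '.' `
        -Value @{ name = 'Strict-Transport-Security'; value = $hstsValue }
}

# Part 2: parse a Strict-Transport-Security value and judge it against the 180-day
# minimum the notes use. Kept separate from the fetch so it works on a literal string.
function ConvertFrom-HstsHeader {
    param([Parameter(Mandatory)][string]$Header, [int]$MinMaxAge = 15552000)
    $maxAge = $null
    $subDomains = $false
    foreach ($directive in ($Header -split ';')) {
        $name, $value = ($directive.Trim() -split '=', 2)
        switch ($name.ToLowerInvariant()) {
            'max-age'           { $maxAge = [int]$value.Trim('"') }
            'includesubdomains' { $subDomains = $true }
        }
    }
    [pscustomobject]@{
        MaxAge            = $maxAge
        IncludeSubDomains = $subDomains
        Ok                = ($null -ne $maxAge) -and ($maxAge -ge $MinMaxAge)
    }
}

# Part 3: fetch the live header over HTTPS. Browsers only honour HSTS when it arrives
# on a TLS connection, so the URL must be https://; a header seen over plain http://
# would be ignored, which is also why the first ever visit is not protected unless
# the domain is preloaded.
function Test-HstsHeader {
    param([Parameter(Mandatory)][string]$Url)
    $response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    $raw = "$($response.Headers['Strict-Transport-Security'])"   # string in 5.1, string[] in 7
    if (-not $raw) {
        return [pscustomobject]@{ MaxAge = $null; IncludeSubDomains = $false; Ok = $false }
    }
    ConvertFrom-HstsHeader -Header $raw
}

ConvertFrom-HstsHeader -Header 'max-age=15552000; includeSubDomains'   # meets the 180-day minimum
ConvertFrom-HstsHeader -Header 'max-age=300'                           # far too short to be useful
Test-HstsHeader -Url 'https://cloud.example.net/'                      # placeholder hostname
```

A max-age of 15552000 seconds is 180 days; the check flags anything shorter, and a missing header altogether, as not Ok.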

One last thing to do would be to set up an SMTP account for the server to use for sending mail.

NOTE:
Use this link to check HSTS domains in Chrome.
Query sites for HSTS pre-loading in browsers (hard-coded in browser source code).