File Access Control – A firewall for your private files in Nextcloud

When you think about a firewall, you think about a complicated tool big companies use to keep hackers out of their networks. And perhaps you think about the many movies where weird visuals are used to represent them being used and broken through. Nextcloud has the File Access Control app which acts as a bit of a firewall and while it helps protect businesses secrets, there are use cases for home users as well.

Introducing Two Factor Authentication

Two factor authentication has becoming quite popular in the last months/years. So you go ahead and enable all those fancy things on various websites you use. Note that they often provide you with a list of recovery keys! Where do you put those keys, to make sure you don’t ever lose them? There is this self-hosted cloud solution you use, with the slogan «a safe home for all your data«. And it sure can help with this!

By putting your keys on your Nextcloud you keep them to yourself. Yet, Nextcloud aims to make sharing easy. You don’t want to accidentally share your recovery keys, do you? Nor would you want your sync client on your phone to, all too easily, give access to these files. So is there an extra layer of protection possible, one that protects from accidental sharing or a stolen phone?

Protecting the keys

This is where the File Access Control app joins the party:

      1. As a first step you assign the tag `Protected file` to your recovery files in the web UI.
      2. You go to `admin settings` > `File access control` and start a new rule group:

          1. `File system tag` is tagged with `Protected file`
          2. `Request user agent` is not `Desktop client`

Your files can now no longer be downloaded and synced with the android client or a web browser.

This would disallow the client and only allow the web interface (and only Firefox!) from the local network.

This would disallow the client and only allow the web interface (and only Firefox!) from the local network.

Now to be sure the files are also not delivered to your laptop, you can add a second rule that only allows the Desktop client when the IP is the local IP of your Desktop PC which accesses the instance via the LAN rather then the internet:

      1. `File system tag` is tagged with `Protected file`
      2. `Request user agent` is `Desktop client`
      3. `Request remote address` does not match IPv4 `192.168.176.42/32`

As you see, the File Access Control app can help ensure your data stays within the confines of your house or follows other rules which ensure you don’t accidentally make them available where you wouldn’t want them. Note that it is NOT a super secure solution, you can’t use it to replace https or other encryption solutions! But it can avoid mistakes through accidental sharing and such.

Post by Joas, main author of the File Access Control app