Fixing Nextcloud “Untrusted Domain” Errors Behind a Cloudflare Tunnel

Now that our Umbrel apps and custom Docker stacks are running perfectly and surviving reboots, it’s time to access them from outside the house.

The traditional way to do this is by port forwarding your router. Do not do this. Opening ports exposes your home network to malicious scanners and bots. Instead, the safest way to route traffic to a home server is by using a Cloudflare Tunnel. It creates a secure outbound connection from your server to Cloudflare, meaning you never have to punch a hole in your router’s firewall.

While setting up the Cloudflare Tunnel via the Umbrel App Store is relatively straightforward, linking it to Nextcloud introduces a massive roadblock: the dreaded “Access through untrusted domain” error. Here is exactly why that happens and how to fix it via SSH.

The Problem: Nextcloud’s Strict Security

Nextcloud is incredibly secure by design. When you first install it on Umbrel, it looks at its own environment and says, “I am allowed to be accessed via the local IP address (e.g., 192.168.29.123) and the default umbrel.local address.”

When you set up a Cloudflare Tunnel and point a custom domain (like nextcloud.yourdomain.com) to your server, Nextcloud receives the traffic, sees a host name that is not in its trusted_domains list, and immediately throws up a security blockade. The check is Nextcloud’s defence against Host header poisoning, where a request carrying a forged host name tricks the application into generating links for the wrong site.

The Solution: Editing config.php

To fix this, we need to manually edit Nextcloud’s hidden configuration file and add your custom Cloudflare domain to its “Trusted Domains” list.

Because Nextcloud is running inside a Docker container managed by Umbrel, finding this file can be tricky. Here is the exact path and the steps to modify it safely.

Step 1: SSH into your Server

Open your terminal or PowerShell and log into your Umbrel server (replace the address with your server’s IP):

ssh umbrel@192.168.29.123

Step 2: Open the Configuration File

Navigate to Nextcloud’s app data directory and open the config.php file using the nano text editor:

sudo nano /home/umbrel/umbrel/app-data/nextcloud/data/nextcloud/config/config.php

Step 3: Add the Trusted Domain

Scroll down the file until you see the section labeled 'trusted_domains' =>. It will look something like this:

  'trusted_domains' => 
  array (
    0 => '192.168.29.123:8080',
    1 => 'umbrel.local',
  ),

You need to add your new Cloudflare domain as the next number in the array. Carefully add a new line, ensuring you keep the exact same punctuation (the quotes and the comma).

  'trusted_domains' => 
  array (
    0 => '192.168.29.123:8080',
    1 => 'umbrel.local',
    2 => 'nextcloud.yourdomain.com',
  ),

(Make sure to replace nextcloud.yourdomain.com with the actual subdomain you set up in your Cloudflare Zero Trust dashboard!)

Save the file by pressing Ctrl + X, then Y, then Enter.

Step 4: Restart Nextcloud

For the changes to take effect, you need to restart the Nextcloud container. The easiest way to do this without restarting the whole server is via Umbrel’s restart script:

sudo ~/umbrel/scripts/app restart nextcloud
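
Steps 2 and 3 can also be scripted, which avoids the punctuation mistakes a hand edit invites and keeps a backup of config.php. This is an added example, not part of the original post or of Nextcloud or Umbrel; the helper name add_trusted_domain is hypothetical, and it assumes the multi-line array layout shown in Step 3. Run it, then restart Nextcloud as in Step 4.

```shell
#!/bin/sh
# Added example (not from the original post). add_trusted_domain is a hypothetical helper.
# Assumes the multi-line 'trusted_domains' array layout shown in Step 3.
add_trusted_domain() {
  config=$1 domain=$2
  # Allow only hostname characters (plus ':' for a port), so no quote, space
  # or PHP syntax can ever be written into config.php.
  case $domain in
    ''|*[!A-Za-z0-9.:-]*) echo "rejected: not a plain host name" >&2; return 2 ;;
  esac
  [ -f "$config" ] || return 3
  tmp=$(mktemp) || return 4
  awk -v d="$domain" -v q="'" '
    BEGIN { max = -1 }
    # Enter the block only if the array does not open and close on one line.
    index($0, q "trusted_domains" q) { in_td = ($0 !~ /\)/) }
    in_td && /^[ \t]*[0-9]+[ \t]*=>/ {     # existing "N => host," entry
      if ($1 + 0 > max) max = $1 + 0
      if (index($0, q d q)) found = 1
    }
    in_td && /^[ \t]*\),?[ \t]*$/ {         # line that closes the array
      if (!found) printf "    %d => %s%s%s,\n", max + 1, q, d, q
      in_td = 0; done = 1
    }
    { print }
    END { exit(done ? 0 : 1) }
  ' "$config" > "$tmp" || { rm -f "$tmp"; return 5; }  # block not found
  if cmp -s "$tmp" "$config"; then
    rm -f "$tmp"; echo "already trusted: $domain"; return 0
  fi
  cp -p "$config" "$config.bak" || { rm -f "$tmp"; return 6; }
  cat "$tmp" > "$config"   # overwrite in place so owner and mode are kept
  rm -f "$tmp"
  echo "added: $domain (backup: $config.bak)"
}

# Usage: sudo sh add_trusted.sh <path to config.php> <host name>
if [ $# -eq 2 ]; then add_trusted_domain "$1" "$2"; fi
```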

Bonus Security: Cloudflare Access

Once Nextcloud reboots, your custom domain will work flawlessly! However, remember that your login page is now technically on the public internet.

To add an extra layer of Zero Trust security, I highly recommend going into your Cloudflare dashboard and adding an Access Application Policy to that specific subdomain. You can set it up so that anyone visiting the URL must first receive a One-Time PIN (OTP) via your personal email before they can even see the Nextcloud login screen.

(In the next post, we will look at what happens when Tailscale and Pi-hole try to share the same network, and how to fix a complete DNS server crash!)
