
Paperless Internet Sharing Compendium

The Paperless Internet Sharing Compendium shows you what options you have: Reverse proxy yes/no, VPN, SSL, 2FA or Cloudflare.


Now it’s time to get down to business! I would generally advise against sharing Paperless directly on the internet – the data it contains is too sensitive for that. You can also send documents conveniently by email. The recipient is usually more satisfied with an attachment than with a link. In addition, links may be blocked or automatically removed by the recipient for security reasons.

The most secure way to access the site while on the move is to use a VPN. This allows you – or authorized users – to access your paperless system securely. A sample configuration with Cloudflare VPN is also linked at the end in case VPN is the right solution for you.

Paperless-ngx is a powerful open source document management system that is particularly popular for digital archiving. Since version 2.14, it supports two-factor authentication (2FA) via TOTP, which significantly improves security when accessing sensitive documents. Anyone who wants to use Paperless-ngx from outside the home network is faced with the question of how this can be implemented securely. There are two main approaches: sharing with a reverse proxy and direct sharing without a reverse proxy. Both methods have their advantages and disadvantages, differ in their complexity and harbor specific security risks. This article examines both approaches, compares them and lets you decide for yourself.

Video: Paperless Internet Sharing Compendium

Language: 🇩🇪
☝️ Use YouTube subtitles for all languages.

Sharing with a reverse proxy

The most common way to make Paperless-ngx accessible via the Internet is to use a reverse proxy, such as Nginx or the integrated proxy of a Synology NAS. First you need a public domain or a DDNS address, for example paperless.yourname.synology.me, which can be easily set up on a Synology NAS via the DSM interface. Alternatively, you can configure your own domain via a DNS provider by pointing an A record to the public IP address of the server. The reverse proxy then forwards requests from https://paperless.deinname.de to the internal Paperless-ngx port (e.g. 8010). On a Synology NAS, this is done via the control panel in the application portal, where a reverse proxy for HTTPS is created on port 443 with a Let’s Encrypt certificate. On other servers, Nginx is set up with a configuration that activates HTTPS and defines the forwarding to Paperless-ngx. In the docker-compose.yml of Paperless-ngx, environment variables such as PAPERLESS_URL (e.g. https://paperless.deinname.de) and PAPERLESS_TRUSTED_PROXIES must be adjusted so that Paperless-ngx works correctly behind the proxy. Port 443 is then opened in the router and forwarded to the internal server IP.

2FA is activated in the web interface of Paperless-ngx: under “My Profile”, a QR code is scanned with a TOTP app such as Google Authenticator, and the generated recovery codes should be stored securely. After activation, each login requires a TOTP code in addition to the password.

This method offers several advantages. SSL integration is straightforward thanks to tools such as Let’s Encrypt or Synology DSM, and a reverse proxy enables additional security functions such as rate limiting, IP filtering or header manipulation, which make attacks such as brute force or DDoS more difficult. In addition, several services can run via subdomains on port 443, which increases scalability. However, the method does harbor security risks: Port 443 is exposed on the Internet, which makes attacks possible if no firewall or IP restrictions are set up. Incorrect proxy configurations can also lead to problems such as CSRF errors. Another disadvantage is that the Paperless-ngx mobile app does not directly support TOTP, so an API token must be generated for app access.
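The following docker-compose.yml is an added example for the reverse proxy variant described above; it is not taken from the article or from the Paperless-ngx project. It assumes the standard Paperless-ngx "webserver" service listening on its internal port 8000 (the 8010 in the text is a host port mapping, which this setup does not need), Let’s Encrypt files written by certbot into ./certs, and Docker Compose v2.23.1 or newer for the inline nginx site file. Paperless-ngx gets the proxy-related variables (PAPERLESS_URL, PAPERLESS_TRUSTED_PROXIES, PAPERLESS_USE_X_FORWARD_HOST, PAPERLESS_PROXY_SSL_HEADER) and is never published on a host port, while nginx terminates TLS on 443 and rate-limits the login and API token endpoints:

```yaml
# Added example, not from the article: a docker-compose.yml for the
# reverse-proxy variant with nginx in front of Paperless-ngx.
# Assumptions (not from the article): the Paperless container is the standard
# "webserver" service on its internal port 8000, certbot wrote the Let's Encrypt
# files to ./certs, and Docker Compose v2.23.1+ is used (inline "content:" configs).
services:
  broker:
    image: redis:7
    restart: unless-stopped

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on: [broker]
    # Deliberately no "ports:" entry: Paperless is reachable only from the
    # proxy on the compose network, never directly from the LAN or router.
    volumes:
      - ./data:/usr/src/paperless/data
      - ./media:/usr/src/paperless/media
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_URL: https://paperless.deinname.de
      # Only this address (the fixed IP of the proxy service below) may set
      # the X-Forwarded-* headers that Paperless trusts.
      PAPERLESS_TRUSTED_PROXIES: 172.28.0.10
      PAPERLESS_USE_X_FORWARD_HOST: "true"
      # Tell Django the request was HTTPS when nginx says so; without this,
      # logins and CSRF checks fail behind a TLS-terminating proxy.
      PAPERLESS_PROXY_SSL_HEADER: '["HTTP_X_FORWARDED_PROTO", "https"]'
    networks:
      internal:

  proxy:
    image: nginx:stable
    restart: unless-stopped
    depends_on: [webserver]
    ports:
      - "443:443"           # the only port forwarded on the router
    volumes:
      - ./certs:/certs:ro   # fullchain.pem and privkey.pem from certbot
    configs:
      - source: paperless_site
        target: /etc/nginx/conf.d/default.conf
    networks:
      internal:
        ipv4_address: 172.28.0.10

networks:
  internal:
    ipam:
      config:
        - subnet: 172.28.0.0/24

configs:
  paperless_site:
    # nginx site file; "$$" is how a literal "$" is written in a compose file.
    content: |
      # 5 login attempts per minute and client IP, plus a burst of 5
      limit_req_zone $$binary_remote_addr zone=login:10m rate=5r/m;

      server {
          listen 443 ssl;
          server_name paperless.deinname.de;
          ssl_certificate     /certs/fullchain.pem;
          ssl_certificate_key /certs/privkey.pem;
          add_header Strict-Transport-Security "max-age=31536000" always;
          client_max_body_size 100M;   # large scanned PDFs

          # Inherited by every location below: websocket upgrade plus the
          # X-Forwarded-* headers that Paperless-ngx evaluates.
          proxy_http_version 1.1;
          proxy_set_header Upgrade $$http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $$host;
          proxy_set_header X-Real-IP $$remote_addr;
          proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $$scheme;
          proxy_redirect off;

          # Throttle the two endpoints a password-guessing attempt must hit:
          # the web login form and the API token endpoint the mobile app uses.
          location ~ ^/(accounts/login|api/token)/ {
              limit_req zone=login burst=5 nodelay;
              proxy_pass http://webserver:8000;
          }

          location / {
              proxy_pass http://webserver:8000;
          }
      }
```

The fixed IP for the proxy service exists only so that PAPERLESS_TRUSTED_PROXIES can name exactly one source of X-Forwarded-For; if you set that variable to a broad range, any container on the network could spoof client addresses in the Paperless logs. Certificate renewal is handled outside the compose file (certbot plus a `docker compose exec proxy nginx -s reload`), which is the manual step the text refers to.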

Sharing without a reverse proxy

The alternative is to share Paperless-ngx directly without a reverse proxy, with the container itself handling HTTPS. A domain or DDNS address is also required here. An SSL certificate, for example from Let’s Encrypt, is created with tools such as certbot, and the files fullchain.pem and privkey.pem are copied into the Paperless-ngx data directory. The container is configured in docker-compose.yml so that it listens directly on port 443, and environment variables such as PAPERLESS_SSL=true and PAPERLESS_URL=https://paperless.deinname.de are set. Port 443 must be forwarded to the internal server IP in the router. As with the reverse proxy method, 2FA is activated via the web interface.

This method is architecturally simpler, as no additional proxy server is required, which is particularly attractive for smaller setups. Nevertheless, it is associated with challenges. The manual integration of SSL certificates is more error-prone and requires regular updates for certificate renewals. Without a reverse proxy, protection mechanisms such as rate limiting or IP filtering are missing, which increases the attack surface. In addition, scalability is limited as only one service can be operated per port. As with the reverse proxy method, the mobile app does not support TOTP, which makes API token access necessary.

Comparison and security concerns

The two approaches differ in several aspects. With a reverse proxy, the architecture is more complex as an additional service needs to be configured, but it offers more security and flexibility. The proxy handles SSL termination and enables advanced security features, while Paperless-ngx runs internally over HTTP. Without a reverse proxy, the configuration is simpler, but the direct SSL integration in the container is technically more demanding and offers fewer protection mechanisms. Both methods expose port 443 on the Internet, which enables attacks such as brute force or DDoS if no firewall or IP restrictions are set up. Incorrect configuration, for example of PAPERLESS_URL or the certificates, can lead to CSRF errors or insecure connections. The 2FA restriction of the mobile app affects both approaches equally.

In general, direct sharing without a reverse proxy poses a higher security risk, as there are no protective layers such as rate limiting or a web application firewall. Both methods require careful protection, such as strong passwords, regular updates and backups. For maximum security, a VPN (e.g. WireGuard) is the best alternative, as it avoids direct Internet access and makes Paperless-ngx only accessible via a private network.

The Cloudflare alternative

One way to use a reverse proxy without having to operate it locally is Cloudflare.
There you define your forwarding rules in exactly the same way and use Cloudflare’s SSL certificate, so you do not have to install a certificate of your own.

Cloudflare also offers you the option of making your home network accessible worldwide via VPN – just as if you were at home.

In this video I will show you how to set up Cloudflare VPN:

Configuration under Cloudflare

You will need a Cloudflare account (the free plan is sufficient), a domain managed in Cloudflare (e.g. paperless.yourname.com) and a running Paperless-ngx instance (version ≥2.14) in Docker. The Cloudflare Tunnel client (cloudflared) must be installed to establish the connection to Cloudflare’s network.

Log in to the Cloudflare dashboard, navigate to “Zero Trust > Networks > Tunnels” and create a tunnel (e.g. “paperless-tunnel”). Copy the tunnel token. Install cloudflared as a Docker service in your paperless-ngx environment, configure it to forward requests to the internal paperless-ngx port (e.g. 8010) and make sure that environment variables such as PAPERLESS_URL and PAPERLESS_CSRF_TRUSTED_ORIGINS are set to your domain (e.g. https://paperless.deinname.de). Start the containers to activate the connection.
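As an added example for the tunnel setup just described (not code from the article or from Cloudflare), the following docker-compose.yml runs cloudflared next to Paperless-ngx. It assumes the tunnel was created in the Zero Trust dashboard, its token is stored as TUNNEL_TOKEN in a .env file beside the compose file, and the tunnel’s public hostname paperless.deinname.de is mapped in the dashboard to http://webserver:8000, the container’s internal port. Because the tunnel is an outbound connection, the Paperless container publishes no port and the router needs no port forwarding at all:

```yaml
# Added example, not from the article: docker-compose.yml for the Cloudflare
# Tunnel variant. Assumptions (not from the article): tunnel created in the
# Zero Trust dashboard, token in .env as TUNNEL_TOKEN, and the public hostname
# mapped in the dashboard to http://webserver:8000 (Paperless' internal port).
services:
  broker:
    image: redis:7
    restart: unless-stopped

  webserver:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    restart: unless-stopped
    depends_on: [broker]
    # No "ports:" and no router port forwarding at all: the only way in is
    # the outbound tunnel that cloudflared opens to Cloudflare's network.
    volumes:
      - ./data:/usr/src/paperless/data
      - ./media:/usr/src/paperless/media
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_URL: https://paperless.deinname.de
      PAPERLESS_CSRF_TRUSTED_ORIGINS: https://paperless.deinname.de
      # TLS ends at Cloudflare; cloudflared speaks plain HTTP to the container
      # and forwards X-Forwarded-Proto, which tells Django the request was HTTPS.
      PAPERLESS_PROXY_SSL_HEADER: '["HTTP_X_FORWARDED_PROTO", "https"]'

  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    depends_on: [webserver]
    # "run" without a tunnel name uses the token-based, dashboard-managed tunnel.
    command: tunnel --no-autoupdate run
    environment:
      # Fails fast at "docker compose up" if the token was not put into .env.
      TUNNEL_TOKEN: ${TUNNEL_TOKEN:?TUNNEL_TOKEN missing in .env}
```

Treat the tunnel token like a password: anyone holding it can attach a cloudflared instance to your hostname, so keep it out of the compose file itself and out of version control. The Access policy configured in the dashboard decides who reaches Paperless at all; the Paperless login and TOTP remain as the second gate behind it.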

My article on setting up the Cloudflare Tunnel, in detail:

In the Cloudflare dashboard under “Access > Applications” you add a “Self-Hosted” application, set your domain and define access policies, e.g. MFA via Google or Okta, or restrict access to certain users. Cloudflare automatically provides an SSL certificate, so no manual certificate management is required. Activate 2FA in Paperless-ngx via the web interface: Under “My Profile”, scan the QR code with an authenticator app (e.g. Google Authenticator) and save the recovery codes securely. Every login now requires a user name, password and TOTP code.

Reverse Proxy vs. Cloudflare: Comparable, but different philosophies

Cloudflare Zero Trust is similar in some ways to a reverse proxy, as both forward requests to Paperless-ngx and use HTTPS. However, Cloudflare Zero Trust goes far beyond the capabilities of a traditional reverse proxy by incorporating Zero Trust principles such as strict identity verification, MFA, and no port forwarding on the router. A reverse proxy is local, flexible, and provides full control, but requires more manual security measures. Cloudflare Zero Trust is cloud-based, easier to scale and offers built-in security features, but requires trust in Cloudflare. For Paperless-ngx, Cloudflare Zero Trust is more secure as it minimizes the attack surface and provides advanced protections. However, a reverse proxy may be preferable for users who prioritize local control and independence from third-party providers. For maximum security, a VPN remains the best option as it completely shields Paperless-ngx from the public internet, as previously recommended.

Conclusion

Sharing Paperless-ngx with a reverse proxy or Cloudflare is the recommended method as it is more secure, user-friendly and scalable – especially on systems such as Synology NAS. The method without a reverse proxy is suitable for minimalist setups, but is riskier and technically more demanding. Anyone managing sensitive documents should consider a VPN to minimize the attack surface. Regardless of the method, correct configuration, regular updates and the use of 2FA are crucial to make Paperless-ngx securely accessible over the internet.


#PaperlessNGX #Docker #DocumentManagement #SelfHosted #OpenSource #Paperless #Homelab #DMS #Guide #PaperlessOrganizing #DocumentManagement #Guide #InternetSharing #PaperlesInternetSharing
