you’re right!
I changed a few labels in the 3 files, so I’m not sure which change fixed the issue, but here are my working docker-compose files:
Traefik:
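services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    command:
      # Dashboard/API are served only through the authenticated `api@internal`
      # router below. `--api.insecure=true` would also serve them without any
      # auth on :8080, which was published on the host.
      - "--api.dashboard=true"
      - "--providers.docker=true"
      # Containers must opt in with `traefik.enable=true`.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.asDefault=true"
      # The former `wss` entrypoint on :9980 was never published and no router
      # used it; Collabora is reached through `websecure`.
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=contact@domain.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--accesslog=true"
      - "--accesslog.format=json"
      # Only 4xx responses are logged; remove this filter if you also want
      # successful logins and 5xx errors in the access log.
      - "--accessLog.filters.statusCodes=400-499"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Static config is passed on the command line above; check which source
      # Traefik actually uses if this file defines the same settings.
      - "./traefik.yml:/traefik.yml:ro"
      # acme.json holds the certificate private keys; keep it chmod 600.
      - "./letsencrypt:/letsencrypt"
      # `:ro` only applies to the bind mount. The Docker API behind the socket
      # stays fully usable, so a compromised Traefik can control the host;
      # a socket proxy that only allows read-only endpoints would limit that.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - nextcode
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: redirect to HTTPS only. Running basicauth here
      # (as before) prompted for credentials over cleartext before the
      # redirect, and `tls.certresolver` cannot apply on a non-TLS entrypoint.
      - "traefik.http.routers.traefik.rule=Host(`proxy.domain.tld`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.permanent=true"
      # HTTPS router: Let's Encrypt certificate and basic auth in front of the
      # dashboard. The resolver was previously only on the HTTP router, which
      # likely left this router on Traefik's default self-signed certificate.
      - "traefik.http.routers.traefik-secure.rule=Host(`proxy.domain.tld`)"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-basic-auth"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # Generate with `htpasswd -nB admin` (bcrypt rather than apr1/MD5) and
      # double every `$` for compose. Any hash that has been pasted publicly
      # should be treated as leaked and rotated.
      - "traefik.http.middlewares.traefik-basic-auth.basicauth.users=admin:<htpasswd-bcrypt-hash>"
networks:
  nextcode:
    external: true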
nextcloud:
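services:
  db:
    [...]
  redis:
    [...]
  app:
    image: nextcloud
    restart: always
    depends_on:
      - redis
      - db
    volumes:
      - nextcloud:/var/www/html
    environment:
      - TZ=Europe/Paris
      # The image also reads MYSQL_PASSWORD_FILE, so the password can come
      # from a Docker secret instead of the compose file / `docker inspect`.
      - MYSQL_PASSWORD=<db-password>
      - MYSQL_DATABASE=<db-name>
      - MYSQL_USER=<db-user>
      - MYSQL_HOST=db
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.domain.tld
      # Only used by nginx-proxy; Traefik ignores it.
      - VIRTUAL_HOST=nextcloud.domain.tld
      - OVERWRITEPROTOCOL=https
      # Without this Nextcloud sees Traefik's address as the client, so
      # brute-force protection and logged remote IPs are wrong. Use the
      # `nextcode` subnet (see `docker network inspect nextcode`).
      - TRUSTED_PROXIES=<nextcode-subnet>
      - NC_default_phone_region=FR
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.domain.tld`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # A label key can only be set once: the previous file listed
      # `routers.nextcloud.middlewares` twice, so only the last value (HSTS)
      # survived and the caldav/carddav redirect was never applied.
      - "traefik.http.routers.nextcloud.middlewares=nextcloud_redirectregex,nextcloud_hsts"
      # caldav and co
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
      # hsts
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud_hsts.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloud_hsts.headers.customRequestHeaders.X-Forwarded-Proto=https"
    networks:
      - nextcode
volumes:
  # Bind mounts under a user's home: make sure the directories are not
  # world-readable, since they hold user files and the database.
  nextcloud:
    driver: local
    driver_opts:
      device: /home/<my-user>/nextcloud/data
      o: bind
      type: local
  db:
    driver: local
    driver_opts:
      device: /home/<my-user>/nextcloud/db
      o: bind
      type: local
networks:
  nextcode:
    external: true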
and collabora CODE:
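services:
  collabora:
    # `latest` floats between releases; pin a tag or digest so upgrades are
    # deliberate and reviewable.
    image: collabora/code:latest
    # Do not publish :9980 on the host. With ssl.enable=false the container
    # speaks plain HTTP, so `ports: 9980:9980` exposed the WOPI/websocket and
    # admin endpoints unencrypted next to Traefik. Traefik reaches the
    # container over the shared `nextcode` network.
    expose:
      - "9980"
    environment:
      - domain=nextcloud.domain.tld
      - aliasgroup1=https://nextcloud.domain.tld
      # Admin console credentials; consider a Docker secret or env file
      # instead of keeping them in the compose file.
      - username=<admin-user>
      - password=<admin-password>
      # TLS is terminated by Traefik. frame_ancestors controls which sites may
      # embed the editor; `*` allowed any page to frame it (clickjacking), so
      # restrict it to the Nextcloud host.
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.frame_ancestors=nextcloud.domain.tld
      # Only used by nginx-proxy; Traefik ignores it.
      - VIRTUAL_HOST=collabora.domain.tld
      - DONT_GEN_SSL_CERT=true
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.collabora.rule=Host(`collabora.domain.tld`)'
      - 'traefik.http.routers.collabora.entrypoints=websecure'
      - 'traefik.http.routers.collabora.tls=true'
      - 'traefik.http.routers.collabora.tls.certresolver=letsencrypt'
      - "traefik.http.routers.collabora.service=collabora"
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
      - 'traefik.http.routers.collabora.middlewares=collabora-headers'
      # Traefik passes WebSocket upgrades through by itself; the previous
      # `Upgrade: websocket` / `Connection: Upgrade` request headers forced
      # an upgrade on every request, which is wrong for ordinary HTTP calls.
      # reverse proxy
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.X-Forwarded-Host=collabora.domain.tld"
      - 'traefik.http.middlewares.collabora-headers.headers.referrerPolicy=no-referrer'
      - 'traefik.http.middlewares.collabora-headers.headers.stsSeconds=15552000'
      - 'traefik.http.middlewares.collabora-headers.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.collabora-headers.headers.stsPreload=true'
      - 'traefik.http.middlewares.collabora-headers.headers.stsIncludeSubdomains=true'
      # Legacy X-XSS-Protection header; harmless but ignored by current browsers.
      - 'traefik.http.middlewares.collabora-headers.headers.browserXssFilter=true'
    cap_add:
      - MKNOD
    networks:
      - nextcode
    restart: unless-stopped
networks:
  nextcode:
    external: true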
I haven’t finished all the security checks yet, so treat these as a working base only.