Help needed with Network settings

Hello,

I have deployed my Code Server using a Docker Compose. The same host is also running Nextcloud via Snap Deployment. Both are running behind a Nginx Reverse Proxy.

Collabora Code → office.mydomain.online
Nextcloud → nextcloud.mydomain.online

I have used Nextcloud Office app to configure the domain name and it is working fine. Nextcloud users can access and use Collabora via internet using the public domain.

But the problem is, anyone and everyone can access the code server. I mean, just to test, I deployed a sperate instance of Nextcloud on a completely different domain (suppose - nextcloud.mydomain.com) & hosting server and when I try to connect to this deployment (running as office.mydomain.online), I see it is allowed.

What do I have to do to prevent this.

I only wish to allow a single instance of nextcloud and its users & it’s public domain name (suppose nextcloud.mydomain.online) to be able to use this code server.

Thanks.

Hii @NaXal

To restrict access to your Collabora CODE server (office.mydomain.online) so that only your specific Nextcloud instance (nextcloud.mydomain.online) can connect and use it, you’ll need to configure the WOPI host settings in Collabora. This will limit which domains are allowed to use the server.

Step 1: Configure coolwsd.xml

1. Open the coolwsd.xml file in the Collabora CODE container or host. This file controls the server’s configuration, including access control.

2. Look for the <storage> section, and within it, locate or add the <wopi> block.

3. Modify or add the <host> entry to allow only your Nextcloud instance:

<wopi>
  <host allow="true">
    <domain>nextcloud.mydomain.online</domain>
    <!-- You can also specify IP addresses if necessary -->
  </host>
</wopi>

This will allow only the specified domain (nextcloud.mydomain.online) to access the Collabora CODE server.

Step 2: Block Unauthorized Access with Nginx

You can also enforce this restriction at the Nginx reverse proxy level:

1. Open your Nginx configuration for office.mydomain.online.
2. Add a rule to allow only requests coming from the authorized domain:

server {
    server_name office.mydomain.online;

    location / {
        # Allow only requests from nextcloud.mydomain.online
        if ($http_origin !~* (https://nextcloud.mydomain.online)) {
            return 403;
        }

        proxy_pass http://localhost:9980; # or your Collabora CODE service
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This configuration checks the Origin header of incoming requests and only allows those coming from nextcloud.mydomain.online.

Step 3: Restart the Services

After making these changes:

1. Restart the Collabora CODE container or service to apply the coolwsd.xml changes.
2. Reload or restart Nginx to apply the reverse proxy restrictions.

Step 4: Optional - Firewall Rules

You can add firewall rules (if you’re using a firewall like UFW or iptables) to allow traffic only from specific IP addresses, such as your Nextcloud server’s public IP.

This setup should ensure that only your specified Nextcloud instance (nextcloud.mydomain.online) can connect to the Collabora CODE server, preventing access from any other domains or instances.

Also, there are many forum topics available you just need to search the keyword, and you can read different approaches that people used in past

Ex: Regarding document security in Production - #2 by Tex

Thanks,
Darshan

Hello,

Thank you for your time and this detailed, indepth reply.

I am trying to do as instructed here, but I am unable to achieve the desired result.

Here is what my default coolwsd.xml look like and subsequent edit that I have done to the coolwsd.xml file as per your instruction,

        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>
           <host allow="true">
                <domain>nc.mydomain.online</domain>
            </host>
            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <!--<group>
                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
                    
            </group>-->
            <!-- More "group"s possible here -->
            </alias_groups>

            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
        </wopi>

stopped the container and restarted it again.

But still the server is usable from other nextcloud domains.

I have tried to put that host entry inside the “alias group” section, like this,

        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>

            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <!--<group>
                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
                    
            </group>-->
            <!-- More "group"s possible here -->

           <host allow="true">
                <domain>nc.mydomain.online</domain>
            </host>

            </alias_groups>

            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
        </wopi>

Still no effect.

Am I making any mistake in editing the file?

Thanks.

The <wopi> configuration should allow or deny specific domains using the <host> tag. You only need one <host> entry under the <wopi> section to allow access from a specific Nextcloud instance. The entry inside the <alias_groups> section should not be necessary for your case unless you’re working with multiple Nextcloud instances or aliases.

Here’s a recommended approach for a single allowed domain:

<wopi desc="Allow/deny wopi storage." allow="true">
    <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    <locking desc="Locking settings">
        <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
    </locking>

    <!-- Allow only one specific Nextcloud domain -->
    <host allow="true">
        <domain>nc.mydomain.online</domain> <!-- Your Nextcloud domain -->
    </host>

    <!-- Alias groups are not needed unless you're using multiple domains -->
    <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined." mode="first">
        <!-- Keep empty for single domain usage -->
    </alias_groups>

    <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
</wopi>

Verify Domain Configuration

Make sure that the domain you’re using (nc.mydomain.online) is correctly defined in your Nextcloud configuration and matches the domain in the Collabora configuration exactly. It should be the exact domain without any additional subdomains or ports unless specified.

If you’re unsure of the domain in use, you can check it from your Nextcloud instance:

• In Nextcloud, go to Settings > Administration > Office and ensure the correct domain is used when connecting to Collabora Online.

Reload container

Sometimes changes in coolwsd.xml may not take effect if the container isn’t properly stopped and restarted. To ensure this:

1. Stop the Collabora container completely:

docker-compose down

2. Start the container again:

docker-compose up -d

Also, i recommend :

It’s possible that your browser is caching responses from the Collabora CODE server. Try clearing your browser’s cache or testing with an incognito window after making the configuration changes.

Thanks,
Darshan

Hello,

Thank you for your reply.

I am ensuring no cache related issue by using hardened ingonito mode and then further manually clearing the cache also.

I have taken the container down. Edited the coolwsd.xml file as given by you and then started the container again. Here too, Collabora Code instance is serving / allowing any nextcloud instance to get connected with it. No just the allowed one.

As per the edit, only nc.mydomain.online should be allowed to use this collabora instance.

However, a completely separate instance of nextcloud, running in a completely different server with a completely different domain (nc.mydomain.com) is still able to access and use this instance of collabora.

Thanks.

Hello @NaXal, I’ve compiled all the possibilities from various sources and documents. I truly hope this time it works, and you achieve the outcome you’re aiming for. My only request is that you go through each point with utmost attention.

It seems like the changes in your coolwsd.xml file are not taking effect as expected. Given the issue persists, here are a few more things to check and try:

1. Check for Other Configuration Files

Sometimes Docker images or Docker Compose setups might be using a different configuration file than expected. Verify that the coolwsd.xml file you’re editing is the correct one being used by the running Collabora container.

To confirm this, you can:

1. Enter the running Collabora container:

   docker exec -it <container-id> /bin/bash
   

2. Navigate to where the configuration file is located (typically /etc/coolwsd/) and confirm that your changes are present.

cat /etc/coolwsd/coolwsd.xml

If your changes are not present, the container might be mapping a different config file or restoring the default config during startup. In that case, you’ll need to ensure the Docker Compose file is mapping the correct configuration.

2. Verbose Logs for WOPI Domain Restrictions

Enable more verbose logging to see if the WOPI host restrictions are being read and applied during runtime.

In your coolwsd.xml, change the logging level to debug:

<logging>
    <file enable="true">/var/log/coolwsd.log</file>
    <level desc="0-5, where 0 is nothing and 5 is most verbose." type="int" default="2">5</level>
    <color type="bool" desc="true enables colorful logs" default="true">false</color>
</logging>

Then, after restarting the container, monitor the logs for clues:

docker logs <container-id>

Look for lines related to WOPI host verification to see if the correct domain restrictions are being applied.

3. Verify Alias Group Mode

Double-check if Collabora is reading your alias group configuration properly. If you’re only allowing one Nextcloud instance and don’t need multiple alias groups, make sure you’ve kept mode="first" in <alias_groups>. You can also try explicitly switching to mode="groups" and specifying the allowed host under a group:

<alias_groups mode="groups">
    <group>
        <host allow="true">https://nc.mydomain.online</host>
    </group>
</alias_groups>

4. Disable Unwanted Access at the Proxy Level

If the coolwsd.xml settings are still not working as expected, you can restrict unwanted access at the reverse proxy (Nginx) level, as a more enforceable workaround.

In your Nginx configuration for office.mydomain.online, explicitly deny all domains except nc.mydomain.online by checking the Origin header:

server {
    server_name office.mydomain.online;

    location / {
        # Deny any requests from non-authorized domains
        if ($http_origin !~* "^https://nc.mydomain.online") {
            return 403;
        }

        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This will ensure that only requests coming from nc.mydomain.online are allowed through to the Collabora server. Any other domain, such as nc.mydomain.com, will be blocked.

5. Firewall or IP Blocking

Another option is to use firewall rules on the host running Collabora CODE to restrict access based on the source IP address. This can be configured using iptables or the firewall of your choice.

For example, to allow only connections from nc.mydomain.online:

sudo iptables -A INPUT -s <Nextcloud server IP> -p tcp --dport 9980 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9980 -j DROP

This will allow traffic from the specified IP only, blocking all other sources from accessing the Collabora service.

6. Check Collabora CODE Version

It’s worth checking whether your current Collabora CODE version fully supports the coolwsd.xml domain restrictions. You can try updating to the latest stable version to ensure that all security features, including WOPI restrictions, are properly enforced.

Conclusion

1. Double-check that you’re editing the correct coolwsd.xml file.
2. Increase log verbosity to see what’s happening with domain restrictions.
3. If necessary, explicitly switch to mode="groups" for more precise control.
4. Consider enforcing domain restrictions at the Nginx or firewall level if the config changes still don’t work.
5. Make sure you are running the latest version of Collabora CODE.

All the best,
Darshan

Hello,

Pardon me if my continuas questioning seems stupid. As I guess it must sound stupid since Google Search / Reddit or this discussion board, I have searched a lot but didn’t find anyone facing the issue that I am banging my head on.

Please dont think that I am arguing or acting arrogant. Do note, I truly appreciate you taking your time off to write these detailed replies. These are really helpful.

But please allow me to write my problems.

I understand from your hints and detailed replies with those given configs that access to collabora can be restricted via a firewall or at reverse proxy level. I truly appreciate you taking the time off to write me the config code for my use case. I am saving those must needed informations.

But blocking at Reverse Proxy or Firewall level makes editing coolwsd.xml pointless. At least for this host access restrictions.

I see the coolwsd.xml file and it’s host config entries having no effect at all for this host access restriction.

I have experimented further,

I have ditched docker. Just to remove this variable out of equation.

I have killed all the Server VMs and starting completely fresh. Including the Windows VM from which I would be using the browser to access.

I have followed these two guides (Guide 1 / Guide 2) to install Collabora package directly on an Ubuntu Server VPS hosted at RackNerd (US) server.

The Host entry to allow only nc.mydomain.online is added to the coolwsd.xml file. And I have doubled checked, it is saved properly.

Rebooted the server. and still the same issue. It has no effect in preventing other nextcloud instances from completely a different domain / server and network accessing & using this collabora server.

That leaves me with only Reverse Proxy or Firewall level blocking options. That has it’s own challenges

Thanks.

@NaXal Your questions are not stupid at all! It’s great that you’re asking questions and seeking answers—there’s nothing wrong with that. Everyone has challenges they’re trying to solve, and that’s how we learn. I’m genuinely happy to help and discuss this topic with you. So please don’t apologize—I’m enjoying the process, and it’s awesome to see your curiosity and effort!

Let me investigate this in more deep and will let you know with better solution.

Thanks,
Darshan