Help needed with Network settings

Hello,

I have deployed my Code Server using a Docker Compose. The same host is also running Nextcloud via Snap Deployment. Both are running behind a Nginx Reverse Proxy.

Collabora Code → office.mydomain.online
Nextcloud → nextcloud.mydomain.online

I have used Nextcloud Office app to configure the domain name and it is working fine. Nextcloud users can access and use Collabora via internet using the public domain.

But the problem is, anyone and everyone can access the code server. I mean, just to test, I deployed a sperate instance of Nextcloud on a completely different domain (suppose - nextcloud.mydomain.com) & hosting server and when I try to connect to this deployment (running as office.mydomain.online), I see it is allowed.

What do I have to do to prevent this.

I only wish to allow a single instance of nextcloud and its users & it’s public domain name (suppose nextcloud.mydomain.online) to be able to use this code server.

Thanks.

Hii @NaXal

To restrict access to your Collabora CODE server (office.mydomain.online) so that only your specific Nextcloud instance (nextcloud.mydomain.online) can connect and use it, you’ll need to configure the WOPI host settings in Collabora. This will limit which domains are allowed to use the server.

Step 1: Configure coolwsd.xml

1. Open the coolwsd.xml file in the Collabora CODE container or host. This file controls the server’s configuration, including access control.

2. Look for the <storage> section, and within it, locate or add the <wopi> block.

3. Modify or add the <host> entry to allow only your Nextcloud instance:

<wopi>
  <host allow="true">
    <domain>nextcloud.mydomain.online</domain>
    <!-- You can also specify IP addresses if necessary -->
  </host>
</wopi>

This will allow only the specified domain (nextcloud.mydomain.online) to access the Collabora CODE server.

Step 2: Block Unauthorized Access with Nginx

You can also enforce this restriction at the Nginx reverse proxy level:

1. Open your Nginx configuration for office.mydomain.online.
2. Add a rule to allow only requests coming from the authorized domain:

server {
    server_name office.mydomain.online;

    location / {
        # Allow only requests from nextcloud.mydomain.online
        if ($http_origin !~* (https://nextcloud.mydomain.online)) {
            return 403;
        }

        proxy_pass http://localhost:9980; # or your Collabora CODE service
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This configuration checks the Origin header of incoming requests and only allows those coming from nextcloud.mydomain.online.

Step 3: Restart the Services

After making these changes:

1. Restart the Collabora CODE container or service to apply the coolwsd.xml changes.
2. Reload or restart Nginx to apply the reverse proxy restrictions.

Step 4: Optional - Firewall Rules

You can add firewall rules (if you’re using a firewall like UFW or iptables) to allow traffic only from specific IP addresses, such as your Nextcloud server’s public IP.

This setup should ensure that only your specified Nextcloud instance (nextcloud.mydomain.online) can connect to the Collabora CODE server, preventing access from any other domains or instances.

Also, there are many forum topics available you just need to search the keyword, and you can read different approaches that people used in past

Ex: Regarding document security in Production - #2 by Tex

Thanks,
Darshan

Hello,

Thank you for your time and this detailed, indepth reply.

I am trying to do as instructed here, but I am unable to achieve the desired result.

Here is what my default coolwsd.xml look like and subsequent edit that I have done to the coolwsd.xml file as per your instruction,

        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>
           <host allow="true">
                <domain>nc.mydomain.online</domain>
            </host>
            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <!--<group>
                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
                    
            </group>-->
            <!-- More "group"s possible here -->
            </alias_groups>

            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
        </wopi>

stopped the container and restarted it again.

But still the server is usable from other nextcloud domains.

I have tried to put that host entry inside the “alias group” section, like this,

        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>

            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <!--<group>
                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
                    
            </group>-->
            <!-- More "group"s possible here -->

           <host allow="true">
                <domain>nc.mydomain.online</domain>
            </host>

            </alias_groups>

            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
        </wopi>

Still no effect.

Am I making any mistake in editing the file?

Thanks.

The <wopi> configuration should allow or deny specific domains using the <host> tag. You only need one <host> entry under the <wopi> section to allow access from a specific Nextcloud instance. The entry inside the <alias_groups> section should not be necessary for your case unless you’re working with multiple Nextcloud instances or aliases.

Here’s a recommended approach for a single allowed domain:

<wopi desc="Allow/deny wopi storage." allow="true">
    <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    <locking desc="Locking settings">
        <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
    </locking>

    <!-- Allow only one specific Nextcloud domain -->
    <host allow="true">
        <domain>nc.mydomain.online</domain> <!-- Your Nextcloud domain -->
    </host>

    <!-- Alias groups are not needed unless you're using multiple domains -->
    <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined." mode="first">
        <!-- Keep empty for single domain usage -->
    </alias_groups>

    <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
</wopi>

Verify Domain Configuration

Make sure that the domain you’re using (nc.mydomain.online) is correctly defined in your Nextcloud configuration and matches the domain in the Collabora configuration exactly. It should be the exact domain without any additional subdomains or ports unless specified.

If you’re unsure of the domain in use, you can check it from your Nextcloud instance:

• In Nextcloud, go to Settings > Administration > Office and ensure the correct domain is used when connecting to Collabora Online.

Reload container

Sometimes changes in coolwsd.xml may not take effect if the container isn’t properly stopped and restarted. To ensure this:

1. Stop the Collabora container completely:

docker-compose down

2. Start the container again:

docker-compose up -d

Also, i recommend :

It’s possible that your browser is caching responses from the Collabora CODE server. Try clearing your browser’s cache or testing with an incognito window after making the configuration changes.

Thanks,
Darshan

Hello,

Thank you for your reply.

I am ensuring no cache related issue by using hardened ingonito mode and then further manually clearing the cache also.

I have taken the container down. Edited the coolwsd.xml file as given by you and then started the container again. Here too, Collabora Code instance is serving / allowing any nextcloud instance to get connected with it. No just the allowed one.

As per the edit, only nc.mydomain.online should be allowed to use this collabora instance.

However, a completely separate instance of nextcloud, running in a completely different server with a completely different domain (nc.mydomain.com) is still able to access and use this instance of collabora.

Thanks.

Hello @NaXal, I’ve compiled all the possibilities from various sources and documents. I truly hope this time it works, and you achieve the outcome you’re aiming for. My only request is that you go through each point with utmost attention.

It seems like the changes in your coolwsd.xml file are not taking effect as expected. Given the issue persists, here are a few more things to check and try:

1. Check for Other Configuration Files

Sometimes Docker images or Docker Compose setups might be using a different configuration file than expected. Verify that the coolwsd.xml file you’re editing is the correct one being used by the running Collabora container.

To confirm this, you can:

1. Enter the running Collabora container:

   docker exec -it <container-id> /bin/bash
   

2. Navigate to where the configuration file is located (typically /etc/coolwsd/) and confirm that your changes are present.

cat /etc/coolwsd/coolwsd.xml

If your changes are not present, the container might be mapping a different config file or restoring the default config during startup. In that case, you’ll need to ensure the Docker Compose file is mapping the correct configuration.

2. Verbose Logs for WOPI Domain Restrictions

Enable more verbose logging to see if the WOPI host restrictions are being read and applied during runtime.

In your coolwsd.xml, change the logging level to debug:

<logging>
    <file enable="true">/var/log/coolwsd.log</file>
    <level desc="0-5, where 0 is nothing and 5 is most verbose." type="int" default="2">5</level>
    <color type="bool" desc="true enables colorful logs" default="true">false</color>
</logging>

Then, after restarting the container, monitor the logs for clues:

docker logs <container-id>

Look for lines related to WOPI host verification to see if the correct domain restrictions are being applied.

3. Verify Alias Group Mode

Double-check if Collabora is reading your alias group configuration properly. If you’re only allowing one Nextcloud instance and don’t need multiple alias groups, make sure you’ve kept mode="first" in <alias_groups>. You can also try explicitly switching to mode="groups" and specifying the allowed host under a group:

<alias_groups mode="groups">
    <group>
        <host allow="true">https://nc.mydomain.online</host>
    </group>
</alias_groups>

4. Disable Unwanted Access at the Proxy Level

If the coolwsd.xml settings are still not working as expected, you can restrict unwanted access at the reverse proxy (Nginx) level, as a more enforceable workaround.

In your Nginx configuration for office.mydomain.online, explicitly deny all domains except nc.mydomain.online by checking the Origin header:

server {
    server_name office.mydomain.online;

    location / {
        # Deny any requests from non-authorized domains
        if ($http_origin !~* "^https://nc.mydomain.online") {
            return 403;
        }

        proxy_pass http://localhost:9980;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This will ensure that only requests coming from nc.mydomain.online are allowed through to the Collabora server. Any other domain, such as nc.mydomain.com, will be blocked.

5. Firewall or IP Blocking

Another option is to use firewall rules on the host running Collabora CODE to restrict access based on the source IP address. This can be configured using iptables or the firewall of your choice.

For example, to allow only connections from nc.mydomain.online:

sudo iptables -A INPUT -s <Nextcloud server IP> -p tcp --dport 9980 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9980 -j DROP

This will allow traffic from the specified IP only, blocking all other sources from accessing the Collabora service.

6. Check Collabora CODE Version

It’s worth checking whether your current Collabora CODE version fully supports the coolwsd.xml domain restrictions. You can try updating to the latest stable version to ensure that all security features, including WOPI restrictions, are properly enforced.

Conclusion

1. Double-check that you’re editing the correct coolwsd.xml file.
2. Increase log verbosity to see what’s happening with domain restrictions.
3. If necessary, explicitly switch to mode="groups" for more precise control.
4. Consider enforcing domain restrictions at the Nginx or firewall level if the config changes still don’t work.
5. Make sure you are running the latest version of Collabora CODE.

All the best,
Darshan

Hello,

Pardon me if my continuas questioning seems stupid. As I guess it must sound stupid since Google Search / Reddit or this discussion board, I have searched a lot but didn’t find anyone facing the issue that I am banging my head on.

Please dont think that I am arguing or acting arrogant. Do note, I truly appreciate you taking your time off to write these detailed replies. These are really helpful.

But please allow me to write my problems.

I understand from your hints and detailed replies with those given configs that access to collabora can be restricted via a firewall or at reverse proxy level. I truly appreciate you taking the time off to write me the config code for my use case. I am saving those must needed informations.

But blocking at Reverse Proxy or Firewall level makes editing coolwsd.xml pointless. At least for this host access restrictions.

I see the coolwsd.xml file and it’s host config entries having no effect at all for this host access restriction.

I have experimented further,

I have ditched docker. Just to remove this variable out of equation.

I have killed all the Server VMs and starting completely fresh. Including the Windows VM from which I would be using the browser to access.

I have followed these two guides (Guide 1 / Guide 2) to install Collabora package directly on an Ubuntu Server VPS hosted at RackNerd (US) server.

The Host entry to allow only nc.mydomain.online is added to the coolwsd.xml file. And I have doubled checked, it is saved properly.

Rebooted the server. and still the same issue. It has no effect in preventing other nextcloud instances from completely a different domain / server and network accessing & using this collabora server.

That leaves me with only Reverse Proxy or Firewall level blocking options. That has it’s own challenges

Thanks.

@NaXal Your questions are not stupid at all! It’s great that you’re asking questions and seeking answers—there’s nothing wrong with that. Everyone has challenges they’re trying to solve, and that’s how we learn. I’m genuinely happy to help and discuss this topic with you. So please don’t apologize—I’m enjoying the process, and it’s awesome to see your curiosity and effort!

Let me investigate this in more deep and will let you know with better solution.

Thanks,
Darshan

I have a similar problem with Collabora Online Development Edition 25.04.9.2 a9b866688f. I run Nextcloud “directly” on my server and CODE in a container with the --network host option.

No matter whether denying access via the <config><storage><wopi><host> XML-path directly or inside a <config><storage><wopi><alias_groups><group><host> path.

In the logs I can easily identify the hostname accessing CODE. The only thing that does work, is disabling <wopi> alltogether:

<!-- Only setting "allow" to "false" here has an effect -->
<wopi allow="false">

  <!-- These settings have no effect -->
  <host allow="false">https://nextcloud.example.com:433</host> 
  <host allow="false">https://nextcloud.example.com</host> 
  <host allow="false">https://localhost:433</host> 
  <host allow="false">https://localhost</host> 
  <host allow="false">nextcloud.example.com:433</host> 
  <host allow="false">nextcloud.example.com</host> 
  <host allow="false">localhost:433</host> 
  <host allow="false">localhost</host>

  <!-- These settings have no effect either -->
  <alias_groups mode="groups">
    <group>
      <host allow="false">https://nextcloud.example.com:433</host> 
      <host allow="false">https://nextcloud.example.com</host> 
      <host allow="false">https://localhost:433</host> 
      <host allow="false">https://localhost</host> 
      <host allow="false">nextcloud.example.com:433</host> 
      <host allow="false">nextcloud.example.com</host> 
      <host allow="false">localhost:433</host> 
      <host allow="false">localhost</host>
    </group>
  </alias_groups>
...
</wopi>

Inverting the logic, i.e. leaving <wopi allow=”false”> and setting <host allow=“true”> everywhere does not work either.

@jejo86

WOPI is host based and works as a trust model between the storage (Nextcloud) and Collabora Online Development Edition.

Good explanation of how WOPI works here:
https://www.collaboraonline.com/blog/wopi-is-open-your-office-stack-should-be-too/

Collabora does not block individual requests by <host allow="false"> the way a firewall would. Instead, WOPI works on an allow list model:

• The storage sends a signed WOPI request
• Collabora checks the hostname of that WOPI URL
• If <wopi allow="false"> is set, only explicitly allowed <host allow="true"> entries are accepted
• Deny entries alone do not work as expected

So the correct setup is:

<wopi allow="false">
  <host allow="true">https://nextcloud.example.com</host>
</wopi>

WOPI is not an access control firewall, it is a trust relationship between services.

I have tested that setup. It is what I meant by

Inverting the logic, i.e. leaving <wopi allow=”false”> and setting <host allow=“true”> everywhere does not work either.

I can see a Unsupported URI [``https://nextcloud.example.com/[…]`` or no storage configured error.

See a more detailed log [I am not allowed to upload files, so here it is]:

2026-03-02T16:33:48.880173646-05:00 wsd-00001-00030 2026-03-02 21:33:48.879928 +0000 [ websrv_poll ] ERR #-1: Unsupported URI [``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0``] or no storage configured| wsd/RequestVettingStation.cpp:89
2026-03-02T16:33:48.880173646-05:00 wsd-00001-00030 2026-03-02 21:33:48.879976 +0000 [ websrv_poll ] ERR #34: Bad request: POSTHTTP/1.1 /browser/a9b866688f/cool.html?WOPISrc=https%3A%2F%``2Fnextcloud.example.com``%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&lang=de&closebutton=1&revisionhistory=1, length: 4244, chunked: false, closeConnection false, Host: ``office.example.com`` / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Content-Type: application/x-www-form-urlencoded / Origin: null / Upgrade-Insecure-Requests: 1 / Sec-Fetch-Dest: iframe / Sec-Fetch-Mode: navigate / Sec-Fetch-Site: same-site / Sec-Fetch-User: ?1 / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: ``office.example.com`` / X-Forwarded-Server: ``office.example.com`` / Content-Length: 4244 / Connection: Keep-Alive, socket-data: : No Storage configured or invalid URI ``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0``]| wsd/ClientRequestDispatcher.cpp:1271
2026-03-02T16:33:48.963702752-05:00 wsd-00001-00030 2026-03-02 21:33:48.963622 +0000 [ websrv_poll ] ERR #34: Unsupported URI [``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0&no_auth_header=``] or no storage configured| wsd/RequestVettingStation.cpp:255
2026-03-02T16:33:48.963702752-05:00 wsd-00001-00030 2026-03-02 21:33:48.963686 +0000 [ websrv_poll ] ERR #34: Error while handling Client WS Request: No Storage configured or invalid URI ``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0&no_auth_header=``]| wsd/ClientRequestDispatcher.cpp:2621
2026-03-02T16:33:49.040345849-05:00 wsd-00001-00030 2026-03-02 21:33:49.040083 +0000 [ websrv_poll ] ERR #34: Unsupported URI [``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0&permission=edit``] or no storage configured| wsd/RequestVettingStation.cpp:255
2026-03-02T16:33:49.040345849-05:00 wsd-00001-00030 2026-03-02 21:33:49.040229 +0000 [ websrv_poll ] ERR #34: Error while handling Client WS Request: No Storage configured or invalid URI ``https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=ggAHqTjnAcCGlf36ZkH6NL2KsihX7SSC&access_token_ttl=0&permission=edit``]| wsd/ClientRequestDispatcher.cpp:2621

By reading logs what i see

The key line is:

Unsupported URI [...] or no storage configured

In Collabora Online Development Edition this error does not mean the host is denied.
It means the WOPI host did not match any configured and accepted storage entry.

From your log, Collabora clearly sees:

https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/...

So the only valid configuration is:

<wopi allow="false">
  <host allow="true">https://nextcloud.example.com</host>
</wopi>

If that still gives “Unsupported URI”, then one of these is happening:

1. You are editing the wrong config file (very common with containers)
2. The container was not fully restarted
3. Your config is not actually loaded
4. There is another <storage> section overriding things
5. You are using alias_groups mode=“groups” without proper grouping

Very important check

Inside the running container:

coolconfig get storage.wopi

or inspect the active /etc/coolwsd/coolwsd.xml inside the container, not on the host.

Because this specific error:

No Storage configured or invalid URI

only appears when Collabora has zero valid WOPI hosts configured.

So your <host allow="true"> is not being recognized at runtime.

Also note:

You are running with --network host, but the Host header shows:

Host: office.example.com

That is fine. Collabora validates the WOPISrc URL, not the browser host.

Setting back <wopi allow="true"> and running systemctl restart coolwsdrestores functionality as expected. This rules out points 1 to 3:

1. You are editing the wrong config file (very common with containers)
2. The container was not fully restarted
3. Your config is not actually loaded

I can confirm there is only a single <storage> section and am using alias_groups correctly (s. XML snippet above).

4. There is another <storage> section overriding things
5. You are using alias_groups mode=“groups” without proper grouping

The command you suggested to run is not valid:

$ coolconfig get storage.wopi
No such command, "get"
usage: coolconfig COMMAND [OPTIONS]
coolconfig - Configuration tool for Collabora Online.

Some options make sense only with a specific command.

Options:

-h, --help                 Show this usage information.
--config-file=path         Specify configuration file path manually.
--old-config-file=path     Specify configuration file path to migrate 
                           manually.
--pwd-salt-length=number   Length of the salt to use to hash password 
                           [set-admin-password].
--pwd-iterations=number    Number of iterations to do in PKDBF2 password 
                           hashing [set-admin-password].
--pwd-hash-length=number   Length of password hash to generate 
                           [set-admin-password].
--user=name                Admin user name [set-admin-password].
--password=password        Admin user password [set-admin-password].
--anonymization-salt=salt  Anonymize strings with the given 64-bit salt 
                           instead of the one in the config file.
--write                    Write migrated configuration.

Commands: 
    migrateconfig [--old-config-file=<path>] [--config-file=<path>] [--write]
        The migrateconfig command migrates config file of Collabora Online 6.4 or older to the new format.
    anonymize [string-1]...[string-n]
    set-admin-password
    set <key> <value>
    generate-proof-key
    update-system-template

I manually removed all of my <host> entries, ran the command

$ coolconfig set storage.wopi.host https://nextcloud.example.com
No property, "storage.wopi.host", found in config file.
Adding it as new with value: "https://nextcloud.example.com"
Saving configuration to : /etc/coolwsd/coolwsd.xml ...
Saved

instead, restarted the container and checked the content of the coolwsd.xml file. I noticed the file to be nicely formatted and an entry <host>https://nextcloud.example.com</host> was added in the respective section. (Why is there no allow="True" attribute added by coolconfig?)

Still, no success as long as <wopi allow="false"> is set.

You are running with --network host, but the Host header shows:

Host: office.example.com

Correct. I have several subdomains and CODE is using office.example.com.

It might be worth mentioning that I am currently running all of these tests in a virtual machine. There is no “real” DNS entry for my domains. I simply have added the names to my /etc/hosts/ file.

See this command run inside the container:

# cat /etc/hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4 www.example.com nextcloud.example.com office.example.com
::1     localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.77.140  host.containers.internal host.docker.internal

Using these subdomains works perfectly fine for my Apache (httpd) server. Not sure though how CODE is working internally and whether that could somehow be a problem?!

The log shows the WOPI URL is:

https://nextcloud.example.com/index.php/apps/richdocuments/wopi/...

but the editor is loaded from:

office.example.com

When <wopi allow="false"> is enabled, Collabora Online Development Edition requires the storage host to match exactly. Since you are using two domains (Nextcloud + CODE), you need an alias group.

Restart coolwsd after changing it.

About /etc/hosts

Using /etc/hosts inside the container is fine and should not break WOPI. Collabora only checks the hostname string in the WOPI URL, not DNS resolution. Since your logs already show nextcloud.example.com, name resolution is working.

@darshan I am curious, did you try your solution before posting it? I mean… you already told me to run a command that does not exist and its now around the third iteration without success.

I have a freshly setup CODE container and Nextcloud. @Naxal had pretty much the same problem two years ago. It’s like two lines of configuration, why is it so difficult???

Are you just telling me how it “should work” or can you actually confirm that you are running CODE and making use of the alias_groups?

Are you one of the developers?

Are you an hallucinating AI?

Anyways, let’s give it another try.

Did you mean this configuration?:

<wopi allow="false">
  <alias_groups mode="groups">
    <group>
      <host allow="true">https://nextcloud.example.com</host> 
      <host allow="true">https://office.example.com</host> 
    </group>
  </alias_groups>
...
</wopi>

Still does not work.

Attached is a log with debug verbosity, if it is of any help. The end of the start up and the attempt to open a document in Nextcloud is marked with <TRY_TO_OPEN_DOCUMENT_IN_NEXTCLOUD>.

Still not allowed to attach a document. Come on… I had to cut a few lines due to the post limit.

I noticed a suspicious Adding trusted WOPI host: [office.example.com]. Why is nextcloud.example.com not added??

I have to split the log in two posts. Annoying!

2026-03-06T13:38:26.709354933-05:00 stderr F Certificate request self-signature ok
2026-03-06T13:38:26.709354933-05:00 stderr P subject=C=DE, ST=BW, L=Stuttgart, O=Dummy Authority
2026-03-06T13:38:26.709419504-05:00 stderr F , CN=localhost
2026-03-06T13:38:27.021195233-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.021106 +0000 [ coolwsd ] INF  Initializing wsd. Local time: Fri 2026-03-06 18:38:26 +0000. Log level is [6]| common/Log.cpp:656
2026-03-06T13:38:27.021195233-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.021126 +0000 [ coolwsd ] INF  Setting log-level to [information] and delaying setting to [debug] until after WSD initialization.| wsd/COOLWSD.cpp:1556
2026-03-06T13:38:27.021195233-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.021134 +0000 [ coolwsd ] INF  Initializing coolwsd 25.04.9.2 server [office.example.com]. Experimental features are enabled.| wsd/COOLWSD.cpp:1569
2026-03-06T13:38:27.023219875-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.023189 +0000 [ coolwsd ] INF  Loaded config file [/etc/coolwsd/coolwsd.xml] (non-default values):
2026-03-06T13:38:27.023219875-05:00 stderr F 	admin_console.password: <redacted>
2026-03-06T13:38:27.023219875-05:00 stderr F 	admin_console.username: <redacted>
2026-03-06T13:38:27.023219875-05:00 stderr F 	cache_files.expiry_min: 1000
2026-03-06T13:38:27.023219875-05:00 stderr F 	cache_files.path: /opt/cool/cache
2026-03-06T13:38:27.023219875-05:00 stderr F 	indirection_endpoint.geolocation_setup.allowed_websocket_origins: 
2026-03-06T13:38:27.023219875-05:00 stderr F 	logging.anonymize.anonymize_user_data: false
2026-03-06T13:38:27.023219875-05:00 stderr F 	logging.color: false
2026-03-06T13:38:27.023219875-05:00 stderr F 	logging.level: debug
2026-03-06T13:38:27.023219875-05:00 stderr F 	logging.level_startup: information
2026-03-06T13:38:27.023219875-05:00 stderr F 	logging_ui_cmd.merge_display_end_time: true
2026-03-06T13:38:27.023219875-05:00 stderr F 	ssl.ca_file_path: /tmp/ssl/certs/ca/root.crt.pem
2026-03-06T13:38:27.023219875-05:00 stderr F 	ssl.cert_file_path: /tmp/ssl/certs/servers/localhost/cert.pem
2026-03-06T13:38:27.023219875-05:00 stderr F 	ssl.enable: false
2026-03-06T13:38:27.023219875-05:00 stderr F 	ssl.key_file_path: /tmp/ssl/certs/servers/localhost/privkey.pem
2026-03-06T13:38:27.023219875-05:00 stderr F 	ssl.termination: true
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.ssl.enable: 
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.wopi.alias_groups.group: https://office.example.comhttps://nextcloud.example.com
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.wopi.alias_groups.group.host: https://office.example.com
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.wopi.alias_groups.group.host[1]: https://nextcloud.example.com
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.wopi.alias_groups[@mode]: groups
2026-03-06T13:38:27.023219875-05:00 stderr F 	storage.wopi[@allow]: false
2026-03-06T13:38:27.023219875-05:00 stderr F | wsd/COOLWSD.cpp:1578
2026-03-06T13:38:27.024565394-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.023202 +0000 [ coolwsd ] INF  Anonymization of user-data is configurable.| wsd/COOLWSD.cpp:1647
2026-03-06T13:38:27.024565394-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.023291 +0000 [ coolwsd ] INF  Anonymization of user-data is disabled.| wsd/COOLWSD.cpp:1694
2026-03-06T13:38:27.024565394-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.023307 +0000 [ coolwsd ] INF  SSL support: SSL is disabled.| wsd/COOLWSD.cpp:1741
2026-03-06T13:38:27.024565394-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.023309 +0000 [ coolwsd ] INF  SSL support: termination is enabled.| wsd/COOLWSD.cpp:1742
2026-03-06T13:38:27.024565394-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.024527 +0000 [ coolwsd ] INF  Creating childroot: [/opt/cool/child-roots/1-016034b9/] with mount-namespaces| wsd/COOLWSD.cpp:1868
2026-03-06T13:38:27.040141036-05:00 stderr F wsd-00019-00001 2026-03-06 18:38:27.039470 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/].| common/JailUtil.cpp:357
2026-03-06T13:38:27.040141036-05:00 stderr F wsd-00019-00001 2026-03-06 18:38:27.039858 +0000 [ coolwsd ] INF  Cleaning up childroot directory [/opt/cool/child-roots/1-016034b9/].| common/JailUtil.cpp:357
2026-03-06T13:38:27.040141036-05:00 stderr F wsd-00019-00001 2026-03-06 18:38:27.039871 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/1-016034b9//tmp/incoming/fonts| common/JailUtil.cpp:440
2026-03-06T13:38:27.040141036-05:00 stderr F wsd-00019-00001 2026-03-06 18:38:27.040108 +0000 [ coolwsd ] INF  Creating jail path (if missing): /opt/cool/child-roots/1-016034b9//tmp/sharedpresets| common/JailUtil.cpp:440
2026-03-06T13:38:27.052257766-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052141 +0000 [ coolwsd ] INF  Using Bind Mounting: true| wsd/COOLWSD.cpp:1337
2026-03-06T13:38:27.052257766-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052160 +0000 [ coolwsd ] INF  Using Mount Namespaces: true| wsd/COOLWSD.cpp:1339
2026-03-06T13:38:27.052257766-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052199 +0000 [ coolwsd ] INF  Quarantine is disabled in config| wsd/COOLWSD.cpp:1901
2026-03-06T13:38:27.052257766-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052202 +0000 [ coolwsd ] INF  Cache path is set to [/opt/cool/cache] in config| wsd/COOLWSD.cpp:1907
2026-03-06T13:38:27.052257766-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052227 +0000 [ coolwsd ] INF  Initializing Cache at [/opt/cool/cache]| wsd/CacheUtil.cpp:41
2026-03-06T13:38:27.052368527-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052274 +0000 [ coolwsd ] INF  NumPreSpawnedChildren set to 4.| wsd/COOLWSD.cpp:1938
2026-03-06T13:38:27.052368527-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052282 +0000 [ coolwsd ] INF  Registering filesystem for space checks: [/opt/cool/child-roots/1-016034b9/.]| common/FileUtil.cpp:384
2026-03-06T13:38:27.052368527-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052347 +0000 [ coolwsd ] ERR  Setting concurrency above the number of physical threads yields extra latency and memory usage for no benefit. Clamping 4 to 2 threads.| wsd/COOLWSD.cpp:1953
2026-03-06T13:38:27.052368527-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052361 +0000 [ coolwsd ] INF  MAX_CONCURRENCY set to 2.| wsd/COOLWSD.cpp:1962
2026-03-06T13:38:27.052368527-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052363 +0000 [ coolwsd ] WRN  Fewer threads than recommended. Having at least four threads for provides significant parallelism that can be used for burst compression of newly visible document pages, giving lower latency.| wsd/COOLWSD.cpp:1968
2026-03-06T13:38:27.052417887-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052369 +0000 [ coolwsd ] INF  DISABLE_REDLINE set| wsd/COOLWSD.cpp:1981
2026-03-06T13:38:27.052417887-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052401 +0000 [ coolwsd ] INF  Maximum file descriptor supported by the system: 1048575| wsd/COOLWSD.cpp:2125
2026-03-06T13:38:27.052417887-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052403 +0000 [ coolwsd ] INF  Maximum number of open documents supported by the system: 262136| wsd/COOLWSD.cpp:2128
2026-03-06T13:38:27.052417887-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052404 +0000 [ coolwsd ] INF  Maximum concurrent open Documents limit: 1000000| wsd/COOLWSD.cpp:2131
2026-03-06T13:38:27.052446227-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052409 +0000 [ coolwsd ] INF  Maximum concurrent client Connections limit: 1000000| wsd/COOLWSD.cpp:2132
2026-03-06T13:38:27.052446227-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052421 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052446227-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052426 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052446227-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052429 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052458717-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052436 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052458717-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052439 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052458717-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052442 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052458717-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052445 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052464707-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052449 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052464707-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052452 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052464707-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052455 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052464707-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052459 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052496497-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052464 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052496497-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052467 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052496497-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052471 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [localhost]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052496497-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052483 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052502627-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052489 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052502627-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052492 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [127\.0\.0\.1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052502627-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052495 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:127\.0\.0\.1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052502627-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052498 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::1]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052520828-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052502 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052520828-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052505 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052520828-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052508 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052520828-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052511 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052535388-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052517 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052535388-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052520 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052535388-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052523 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.052535388-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.052526 +0000 [ coolwsd ] INF  Adding trusted LOK_ALLOW host: [::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}]| wsd/COOLWSD.cpp:198
2026-03-06T13:38:27.946011929-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.919209 +0000 [ coolwsd ] INF  Initializing OpenSSL 3.0.19 27 Jan 2026| net/Ssl.cpp:112
2026-03-06T13:38:27.946011929-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.919421 +0000 [ coolwsd ] INF  Using SSL_CERT_FILE of: /etc/ssl/certs/ca-certificates.crt| net/Ssl.cpp:157
2026-03-06T13:38:27.946011929-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.945885 +0000 [ coolwsd ] INF  Initialized Client SSL.| wsd/wopi/StorageConnectionManager.cpp:254
2026-03-06T13:38:27.946011929-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.945905 +0000 [ coolwsd ] INF  AdminModel ctor.| wsd/AdminModel.hpp:341
2026-03-06T13:38:27.946011929-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.945954 +0000 [ coolwsd ] INF  Admin ctor| wsd/Admin.cpp:535
2026-03-06T13:38:27.947111636-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.947005 +0000 [ coolwsd ] INF  Total available memory: 3002973 KB (2.9 GB), System memory: 3753716 KB (3.6 GB), cgroup limit: 0 KB, cgroup soft-limit: 0 KB, configured memproportion: 80%, actual percentage of system total: 80%, current usage: 66792 KB (2.2% of limit)| wsd/Admin.cpp:583
2026-03-06T13:38:27.947111636-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.947021 +0000 [ coolwsd ] INF  Hardware threads: 2| wsd/Admin.cpp:598
2026-03-06T13:38:27.947111636-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.947073 +0000 [ coolwsd ] INF  Adding trusted WOPI host: [office.example.com].| wsd/HostUtil.cpp:62
2026-03-06T13:38:27.953946391-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.948733 +0000 [ coolwsd ] INF  Coolwsd version details: 25.04.9.2 - a9b866688f - id 7ecbf64f - on Debian GNU/Linux 13 (trixie)| wsd/COOLWSD.cpp:3639
2026-03-06T13:38:27.953946391-05:00 stderr F wsd-00001-00001 2026-03-06 18:38:27.948818 +0000 [ coolwsd ] INF  Remote configuration is not specified in coolwsd.xml| wsd/RemoteConfig.cpp:43

Here is the rest, also trimmed to fit the limit…:

<TRY_TO_OPEN_DOCUMENT_IN_NEXTCLOUD>

2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214478 +0000 [ websrv_poll ] DBG  Preprocessing file: /browser/dist/cool.html| wsd/FileServer.cpp:1721
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214551 +0000 [ websrv_poll ] INF  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:1622
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214863 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214887 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214895 +0000 [ websrv_poll ] DBG  RequestKey: [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078_dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf], wopiSrc: [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078], accessToken: [dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf], noAuthHeader: []| wsd/ClientRequestDispatcher.cpp:678
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214924 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214932 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214942 +0000 [ websrv_poll ] INF  #-1: URL [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&] will be proactively vetted. Sanitized uriPublic: [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0], docKey: [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078], session: [001], fileId: [6_ocbjhcv8p078] (writable)| wsd/RequestVettingStation.cpp:75
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214954 +0000 [ websrv_poll ] DBG  No Storage configured or invalid URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0]| wsd/Storage.cpp:217
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.214957 +0000 [ websrv_poll ] ERR  #-1: Unsupported URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0] or no storage configured| wsd/RequestVettingStation.cpp:89
2026-03-06T13:39:35.215328330-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.215068 +0000 [ websrv_poll ] ERR  #30: Bad request: POSTHTTP/1.1 /browser/a9b866688f/cool.html?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&lang=de&closebutton=1&revisionhistory=1, length: 4244, chunked: false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Content-Type: application/x-www-form-urlencoded / Origin: null / Upgrade-Insecure-Requests: 1 / Sec-Fetch-Dest: iframe / Sec-Fetch-Mode: navigate / Sec-Fetch-Site: same-site / Sec-Fetch-User: ?1 / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Content-Length: 4244 / Connection: Keep-Alive, socket-data: []: No Storage configured or invalid URI https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0]| wsd/ClientRequestDispatcher.cpp:1271
2026-03-06T13:39:35.307993892-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.215169 +0000 [ websrv_poll ] DBG  Removing [/opt/cool/child-roots/1-016034b9//tmp/incoming/cool-w1uVMNLNlwhU5IiO/] recursively.| common/FileUtil-unix.cpp:112
2026-03-06T13:39:35.307993892-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.215302 +0000 [ websrv_poll ] DBG  #30: Closed socket Socket[#30, IPv6 @ ::ffff:127.0.0.1:8868]| net/Socket.hpp:496
2026-03-06T13:39:35.307993892-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.307935 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26no_auth_header%3D/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws] HTTP/1.1, sz[header 1018, content -1], offset 1018, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-WebSocket-Version: 13 / Origin: https://office.example.com / Sec-WebSocket-Extensions: permessage-deflate / Sec-WebSocket-Key: 02UW7HLrdYMXqWqN53mDMQ== / Sec-Fetch-Dest: empty / Sec-Fetch-Mode: websocket / Sec-Fetch-Site: same-origin / Pragma: no-cache / Cache-Control: no-cache / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Upgrade: WebSocket / Connection: Upgrade| net/Socket.cpp:1806
2026-03-06T13:39:35.307993892-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.307953 +0000 [ websrv_poll ] DBG  #30: Handling request: /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26no_auth_header%3D/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.307993892-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.307957 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26no_auth_header%3D/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-WebSocket-Version: 13 / Origin: https://office.example.com / Sec-WebSocket-Extensions: permessage-deflate / Sec-WebSocket-Key: 02UW7HLrdYMXqWqN53mDMQ== / Sec-Fetch-Dest: empty / Sec-Fetch-Mode: websocket / Sec-Fetch-Site: same-origin / Pragma: no-cache / Cache-Control: no-cache / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Upgrade: WebSocket / Connection: Upgrade| wsd/ClientRequestDispatcher.cpp:1004
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308004 +0000 [ websrv_poll ] INF  #30: WebSocket version: 13, key: [02UW7HLrdYMXqWqN53mDMQ==], protocol: [chat]| net/WebSocketHandler.hpp:1025
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308058 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308104 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308154 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308170 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308185 +0000 [ websrv_poll ] INF  #30: URL [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=] for WS Request. Sanitized uriPublic: [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=], docKey: [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078], session: [002], fileId: [6_ocbjhcv8p078] (writable)| wsd/RequestVettingStation.cpp:242
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308193 +0000 [ websrv_poll ] DBG  No Storage configured or invalid URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=]| wsd/Storage.cpp:217
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308197 +0000 [ websrv_poll ] ERR  #30: Unsupported URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=] or no storage configured| wsd/RequestVettingStation.cpp:255
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308224 +0000 [ websrv_poll ] ERR  #30: Error while handling Client WS Request: No Storage configured or invalid URI https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&no_auth_header=]| wsd/ClientRequestDispatcher.cpp:2621
2026-03-06T13:39:35.308311986-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308257 +0000 [ websrv_poll ] DBG  #30: Handled request: /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26no_auth_header%3D/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, inBuf[sz 1018 -> 0, rm 1018], connection open true| wsd/ClientRequestDispatcher.cpp:1321
2026-03-06T13:39:35.384546205-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.308292 +0000 [ websrv_poll ] DBG  #30: Closed socket Socket[#30, IPv6 @ ::ffff:127.0.0.1:9892]| net/Socket.hpp:496
2026-03-06T13:39:35.384546205-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384494 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws] HTTP/1.1, sz[header 1018, content -1], offset 1018, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-WebSocket-Version: 13 / Origin: https://office.example.com / Sec-WebSocket-Extensions: permessage-deflate / Sec-WebSocket-Key: 2ViO5IlC+Sf/JTnBpqLeiA== / Sec-Fetch-Dest: empty / Sec-Fetch-Mode: websocket / Sec-Fetch-Site: same-origin / Pragma: no-cache / Cache-Control: no-cache / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Upgrade: WebSocket / Connection: Upgrade| net/Socket.cpp:1806
2026-03-06T13:39:35.384546205-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384518 +0000 [ websrv_poll ] DBG  #30: Handling request: /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.384546205-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384522 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-WebSocket-Version: 13 / Origin: https://office.example.com / Sec-WebSocket-Extensions: permessage-deflate / Sec-WebSocket-Key: 2ViO5IlC+Sf/JTnBpqLeiA== / Sec-Fetch-Dest: empty / Sec-Fetch-Mode: websocket / Sec-Fetch-Site: same-origin / Pragma: no-cache / Cache-Control: no-cache / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Upgrade: WebSocket / Connection: Upgrade| wsd/ClientRequestDispatcher.cpp:1004
2026-03-06T13:39:35.384692217-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384561 +0000 [ websrv_poll ] INF  #30: WebSocket version: 13, key: [2ViO5IlC+Sf/JTnBpqLeiA==], protocol: [chat]| net/WebSocketHandler.hpp:1025
2026-03-06T13:39:35.384692217-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384606 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.384692217-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384648 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.384692217-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384666 +0000 [ websrv_poll ] DBG  Sanitized URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit] to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit]| wsd/RequestDetails.cpp:305
2026-03-06T13:39:35.384692217-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384674 +0000 [ websrv_poll ] INF  DocKey from URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit] => [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078]| wsd/RequestDetails.cpp:331
2026-03-06T13:39:35.384709867-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384685 +0000 [ websrv_poll ] INF  #30: URL [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit] for WS Request. Sanitized uriPublic: [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit], docKey: [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078], session: [003], fileId: [6_ocbjhcv8p078] (writable)| wsd/RequestVettingStation.cpp:242
2026-03-06T13:39:35.384709867-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384696 +0000 [ websrv_poll ] DBG  No Storage configured or invalid URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit]| wsd/Storage.cpp:217
2026-03-06T13:39:35.384709867-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384700 +0000 [ websrv_poll ] ERR  #30: Unsupported URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit] or no storage configured| wsd/RequestVettingStation.cpp:255
2026-03-06T13:39:35.384982091-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384722 +0000 [ websrv_poll ] ERR  #30: Error while handling Client WS Request: No Storage configured or invalid URI https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/6_ocbjhcv8p078?access_token=dh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf&access_token_ttl=0&permission=edit]| wsd/ClientRequestDispatcher.cpp:2621
2026-03-06T13:39:35.384982091-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384747 +0000 [ websrv_poll ] DBG  #30: Handled request: /cool/https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078%3Faccess_token%3Ddh3ujbg3ZCWWmSxo11GYJMfHo1MhlFUf%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fnextcloud.example.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F6_ocbjhcv8p078&compat=/ws, inBuf[sz 1018 -> 0, rm 1018], connection open true| wsd/ClientRequestDispatcher.cpp:1321
2026-03-06T13:39:35.399618254-05:00 stderr F wsd-00001-00030 2026-03-06 18:39:35.307811 +0000 [ accept_poll ] DBG  #30: Created socket. Thread affinity set to 0x7f12ff1326c0, Socket[#30, IPv6 @ :0]| net/Socket.hpp:465
2026-03-06T13:39:35.399618254-05:00 stderr F wsd-00001-00030 2026-03-06 18:39:35.384393 +0000 [ accept_poll ] DBG  #30: Created socket. Thread affinity set to 0x7f12ff1326c0, Socket[#30, IPv6 @ :0]| net/Socket.hpp:465
2026-03-06T13:39:35.399618254-05:00 stderr F wsd-00001-00030 2026-03-06 18:39:35.399566 +0000 [ accept_poll ] DBG  #30: Created socket. Thread affinity set to 0x7f12ff1326c0, Socket[#30, IPv6 @ :0]| net/Socket.hpp:465
2026-03-06T13:39:35.399681965-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.384776 +0000 [ websrv_poll ] DBG  #30: Closed socket Socket[#30, IPv6 @ ::ffff:127.0.0.1:12452]| net/Socket.hpp:496
2026-03-06T13:39:35.399681965-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.399648 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/browser/a9b866688f/src/app/TaskWorker.js] HTTP/1.1, sz[header 516, content -1], offset 516, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| net/Socket.cpp:1806
2026-03-06T13:39:35.399681965-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.399669 +0000 [ websrv_poll ] DBG  #30: Handling request: /browser/a9b866688f/src/app/TaskWorker.js, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.399681965-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.399672 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /browser/a9b866688f/src/app/TaskWorker.js, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| wsd/ClientRequestDispatcher.cpp:1004
2026-03-06T13:39:35.401278563-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.399744 +0000 [ websrv_poll ] DBG  Preprocessing file: /browser/dist/src/app/TaskWorker.js| wsd/FileServer.cpp:1702
2026-03-06T13:39:35.401278563-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.399789 +0000 [ websrv_poll ] DBG  #30: Handled request: /browser/a9b866688f/src/app/TaskWorker.js, inBuf[sz 516 -> 0, rm 516], connection open true| wsd/ClientRequestDispatcher.cpp:1321
2026-03-06T13:39:35.401278563-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.401239 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/browser/a9b866688f/src/app/TaskWorker.js] HTTP/1.1, sz[header 516, content -1], offset 516, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| net/Socket.cpp:1806
2026-03-06T13:39:35.401278563-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.401260 +0000 [ websrv_poll ] DBG  #30: Handling request: /browser/a9b866688f/src/app/TaskWorker.js, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.401278563-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.401262 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /browser/a9b866688f/src/app/TaskWorker.js, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| wsd/ClientRequestDispatcher.cpp:1004
2026-03-06T13:39:35.402608739-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.401302 +0000 [ websrv_poll ] DBG  Preprocessing file: /browser/dist/src/app/TaskWorker.js| wsd/FileServer.cpp:1702
2026-03-06T13:39:35.402608739-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.401341 +0000 [ websrv_poll ] DBG  #30: Handled request: /browser/a9b866688f/src/app/TaskWorker.js, inBuf[sz 516 -> 0, rm 516], connection open true| wsd/ClientRequestDispatcher.cpp:1321
2026-03-06T13:39:35.402608739-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.402573 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/browser/a9b866688f/src/app/TaskWorker.js] HTTP/1.1, sz[header 516, content -1], offset 516, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| net/Socket.cpp:1806
2026-03-06T13:39:35.402608739-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.402590 +0000 [ websrv_poll ] DBG  #30: Handling request: /browser/a9b866688f/src/app/TaskWorker.js, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.402608739-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.402593 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /browser/a9b866688f/src/app/TaskWorker.js, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| wsd/ClientRequestDispatcher.cpp:1004
2026-03-06T13:39:35.404226418-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.402641 +0000 [ websrv_poll ] DBG  Preprocessing file: /browser/dist/src/app/TaskWorker.js| wsd/FileServer.cpp:1702
2026-03-06T13:39:35.404226418-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.402676 +0000 [ websrv_poll ] DBG  #30: Handled request: /browser/a9b866688f/src/app/TaskWorker.js, inBuf[sz 516 -> 0, rm 516], connection open true| wsd/ClientRequestDispatcher.cpp:1321
2026-03-06T13:39:35.404226418-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.404191 +0000 [ websrv_poll ] INF  #30: parseHeader: Client HTTP Request: GET, uri: [/browser/a9b866688f/src/app/TaskWorker.js] HTTP/1.1, sz[header 516, content -1], offset 516, chunked false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| net/Socket.cpp:1806
2026-03-06T13:39:35.404226418-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.404206 +0000 [ websrv_poll ] DBG  #30: Handling request: /browser/a9b866688f/src/app/TaskWorker.js, closeConnection false| wsd/ClientRequestDispatcher.cpp:982
2026-03-06T13:39:35.404226418-05:00 stderr F wsd-00001-00031 2026-03-06 18:39:35.404208 +0000 [ websrv_poll ] DBG  #30: Handling request: GETHTTP/1.1 /browser/a9b866688f/src/app/TaskWorker.js, content -1, chunked false, closeConnection false, Host: office.example.com / User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0 / Accept: */* / Accept-Language: de,en-US;q=0.9,en;q=0.8 / Accept-Encoding: gzip, deflate, br, zstd / Sec-Fetch-Dest: worker / Sec-Fetch-Mode: same-origin / Sec-Fetch-Site: same-origin / Priority: u=4 / X-Forwarded-For: 192.168.56.1 / X-Forwarded-Host: office.example.com / X-Forwarded-Server: office.example.com / Connection: Keep-Alive| wsd/ClientRequestDispatcher.cpp:1004

Hi @jejo86

First of all, I am not an AI. You can check my GitHub profile Darshan-upadhyay1110 (Darshan-Upadhyay) · GitHub. I am an active contributor to Collabora Online and participate in the community to help users where I can.

To be honest, it is quite discouraging to receive comments like this. The forum is a community space, and people who reply are volunteers trying to help others. Being treated as if I am an AI tool or someone who must provide instant solutions is a bit disheartening.

I try to help with as many questions as possible, but I cannot always test every configuration or environment that is posted on the forum. As you can see, the forum is quite active and many different setups are discussed. I do my best to guide people based on experience and available information.

Also, just to clarify, support on the forum is community support, not paid support.

Regarding your issue, I will still try to reproduce it on my side and see what might be going wrong. If I find something useful, I will update you here.

I am aware that my reply was harsh and I am sorry I hurt your feelings, but I had my reasons. I believe it is better not to reply at all than to suggest just anything. I am also taking care of this in my spare time and am not getting payed. Be sure that it is equally frustrating getting sent on a wild goose chase.

Here are some further failed attempts to solve the problem.

Using <alias> also does not work:

<wopi allow="false">
  <alias_groups mode="groups">
    <group>
      <host allow="true" desc="hostname to allow or deny.">https://nextcloud.example.com</host>
      <alias allow="true" desc="hostname to allow or deny.">https://office.example.com</alias>
    </group>
  </alias_groups>
...
</wopi>

Passing the domain to the container does not work:

docker run -d \
  -p 127.0.0.1:9980:9980 \
  -e "domain=nextcloud\.example\.com|office\.example\.com" \
  -e "username=admin" \
  -e "password=strongpassword" \
  collabora/code

Using the following Apache/httpd server rules also do not work as expected.

<VirtualHost>
...

  RewriteEngine On
  
  # Allow public access to browser endpoint
  RewriteCond %{REQUEST_URI} ^/browser
  RewriteRule ^ - [L]
  
  # Allow public access to discovery endpoint
  RewriteCond %{REQUEST_URI} ^/hosting/discovery
  RewriteRule ^ - [L]
  
  # Allow public access to capabilities (often required)
  RewriteCond %{REQUEST_URI} ^/hosting/capabilities
  RewriteRule ^ - [L]
  
  # Restrict everything else
  RewriteCond %{REMOTE_ADDR} !^127\.0\.0\.1$
  RewriteRule ^ - [F]
  </VirtualHost>

I now created an issue since files cannot be opened anymore as soon as <wopi allow="false"> is set.