Help needed with Network settings

Hi @NaXal

To restrict access to your Collabora CODE server (office.mydomain.online) so that only your specific Nextcloud instance (nextcloud.mydomain.online) can connect and use it, you’ll need to configure the WOPI host settings in Collabora. This will limit which domains are allowed to use the server.

Step 1: Configure coolwsd.xml

  1. Open the coolwsd.xml file in the Collabora CODE container or host. This file controls the server’s configuration, including access control.

  2. Look for the <storage> section, and within it, locate or add the <wopi> block.

  3. Modify or add the <host> entry to allow only your Nextcloud instance:

<wopi>
  <!-- The host value is a regex pattern of the hostname to allow -->
  <!-- You can also specify IP addresses if necessary -->
  <host allow="true">nextcloud\.mydomain\.online</host>
</wopi>

This will allow only the specified domain (nextcloud.mydomain.online) to access the Collabora CODE server.

Step 2: Block Unauthorized Access with Nginx

You can also enforce this restriction at the Nginx reverse proxy level:

  1. Open your Nginx configuration for office.mydomain.online.
  2. Add a rule to allow only requests coming from the authorized domain:

server {
    server_name office.mydomain.online;

    location / {
        # Allow only requests whose Origin is exactly https://nextcloud.mydomain.online
        # (pattern anchored with ^ and $, dots escaped so they match literally)
        if ($http_origin !~* "^https://nextcloud\.mydomain\.online$") {
            return 403;
        }

        proxy_pass http://localhost:9980; # or your Collabora CODE service
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This configuration checks the Origin header of incoming requests and only allows those coming from nextcloud.mydomain.online.

Step 3: Restart the Services

After making these changes:

  1. Restart the Collabora CODE container or service to apply the coolwsd.xml changes.
  2. Reload or restart Nginx to apply the reverse proxy restrictions.

Step 4: Optional - Firewall Rules

You can add firewall rules (if you’re using a firewall like UFW or iptables) to allow traffic only from specific IP addresses, such as your Nextcloud server’s public IP.

This setup should ensure that only your specified Nextcloud instance (nextcloud.mydomain.online) can connect to the Collabora CODE server, preventing access from any other domains or instances.

Also, there are many forum topics available; you just need to search for the keyword, and you can read the different approaches that people have used in the past :wink:

Ex: Regarding document security in Production - #2 by Tex

Thanks,
Darshan

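The `if` in Step 2 is a regular-expression match on the Origin header, so what passes depends on how the pattern is anchored and escaped. The following is an added example, not part of the original post: it approximates nginx's `~*` operator with Python's `re` and compares an unanchored, unescaped pattern with an anchored, escaped one. The sample Origin values and all function names are constructed for illustration.

```python
import re

ALLOWED_ORIGIN = "https://nextcloud.mydomain.online"  # origin named in the post

# Unanchored pattern with unescaped dots, for comparison.
UNANCHORED_PATTERN = r"(https://nextcloud.mydomain.online)"


def anchored_pattern(origin: str) -> str:
    """Exact-match pattern: metacharacters escaped, anchored at both ends."""
    return "^" + re.escape(origin) + "$"


def nginx_imatch(pattern: str, value: str) -> bool:
    """Approximate nginx `~*`: case-insensitive, matches anywhere in value."""
    return re.search(pattern, value, re.IGNORECASE) is not None


# Constructed Origin header values; "" stands for a request with no Origin
# header, which nginx exposes as an empty $http_origin.
SAMPLES = [
    "https://nextcloud.mydomain.online",
    "https://NEXTCLOUD.mydomain.online",
    "https://nextcloud.mydomain.online.example.net",
    "https://nextcloud-mydomain.online",
    "https://other.example.net",
    "",
]


def accepted(pattern: str) -> list[str]:
    """Samples the proxy would forward (the `if` returns 403 on no match)."""
    return [s for s in SAMPLES if nginx_imatch(pattern, s)]


def unintended(pattern: str) -> list[str]:
    """Accepted samples that are not the allowed origin (case-insensitive)."""
    return [s for s in accepted(pattern) if s.lower() != ALLOWED_ORIGIN]


if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED_PATTERN),
                      ("anchored", anchored_pattern(ALLOWED_ORIGIN))):
        print(f"{name:10} {pat}")
        for s in SAMPLES:
            verdict = "pass" if nginx_imatch(pat, s) else "403"
            flag = "  <-- unintended" if s in unintended(pat) else ""
            print(f"  {verdict:4} {s or '(no Origin header)'}{flag}")
```

Both patterns return 403 for a request that carries no Origin header. The header value is chosen by the client, so this check works alongside the coolwsd.xml host entry and the firewall rule rather than replacing them.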