How to Secure the Collabora/Languagetool Docker Image

I have been playing around with the collabora/languagetool docker image and have a few questions around how to secure it.

I am using an instance in Oracle cloud as my playground; VM.Standard.A1.Flex (arm64) with Ubuntu 22.04.

Below are my docker commands:

sudo docker run -t -d \
--name code \
-p 127.0.0.1:9980:9980 \
-e "server_name=code.example.com" \
-e "aliasgroup1=https://mynextcloud.example.com:443" \
-e "aliasgroup2=https://friendsnextcloud.example.com:443" \
-e "dictionaries=en_US" \
-e "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:languagetool.enabled=true --o:languagetool.base_url=https://code.example.com/v2" \
-e "username=username" \
-e "password=password" \
--restart always \
collabora/code

sudo docker run -d \
--name languagetool \
-p 127.0.0.1:8081:8010 \
-v /ngrams:/ngrams:ro \
--restart=unless-stopped \
collabora/languagetool

And here is the body of my Apache conf for the reverse proxy to add SSL:

 AllowEncodedSlashes NoDecode
 ProxyPreserveHost On

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser http://127.0.0.1:9980/browser retry=0
 ProxyPassReverse    /browser http://127.0.0.1:9980/browser
 # WOPI discovery URL
 ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery
 # Capabilities
 ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon
 # Admin Console websocket
 ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws
 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool http://127.0.0.1:9980/cool
 ProxyPassReverse    /cool http://127.0.0.1:9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool http://127.0.0.1:9980/cool
 ProxyPassReverse    /lool http://127.0.0.1:9980/cool

 # LanguageTool API
 ProxyPass           /v2 http://127.0.0.1:8081/v2
 ProxyPassReverse    /v2 http://127.0.0.1:8081/v2

This works; however, there is nothing protecting the LanguageTool API. That is, anyone who comes across the URL could start using it, which does not seem very secure. Is there a way of locking this down so that only the CODE instance is able to use it?

Thank you for your help

I have been looking into this some more and as far as I can tell LanguageTool does not have the ability to add such protection, docker or otherwise. Or at least not for a self-hosted non-premium install. It seems like the best option would be to do something like basic auth in a reverse proxy. However, the client, in this case the CODE instance, would need to support this. I suspect CODE does not support this option.

Thank you

Good question. As you can read on the Docker page for this image, it’s based on this Dockerfile:

That’s probably a better place to check.

Thank you for the suggestion. I have looked upstream, and the issue is with the LanguageTool application itself, in a Docker container or otherwise. The username and API key are for a premium feature, and there is currently no built-in way to protect a non-premium self-hosted instance.

https://forum.languagetool.org/t/self-hosted-instance-of-languagetool-with-a-username-and-api-key/8451

The recommendation was to protect the LanguageTool instance with something like basic authentication in a reverse proxy. That is a good suggestion; however, I don’t believe Collabora Online Development Edition (CODE) supports this, as I see no option to do so in coolwsd.xml:

<!--
    This is LanguageTool.org API settings. To turn it on, please set "enabled" property to true.
    "base_url" may be https://api.languagetoolplus.com/v2 if the cloud version is used.
    However, your data in the document e.g. the text part of it will be sent to the cloud API. Please read the privacy policy: https://languagetool.org/legal/privacy
-->
<languagetool desc="LanguageTool Remote API settings for grammar checking">
    <enabled desc="Enable LanguageTool Remote Grammar Checker" type="bool" default="false"></enabled>
    <base_url desc="Http endpoint for the LanguageTool API server, without /check or /languages postfix at the end." type="string" default=""></base_url>
    <user_name desc="LanguageTool account username for premium usage." type="string" default=""></user_name>
    <api_key desc="Api key provided by LanguageTool account for premium usage." type="string" default=""></api_key>
    <ssl_verification desc="Enable or disable SSL verification" type="string" default="true"></ssl_verification>
</languagetool>

Therefore, I don’t see any resolution at this time other than hoping LanguageTool adds the protection of a username and API key for non-premium users or Collabora adds support for something like basic authentication.

I would like to help try to resolve this properly, or purchase premium LanguageTool and Collabora, but I don’t have the time or means right now.

Thank you
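One way to keep the LanguageTool API off the public URL entirely, as an added example that is not part of this thread: put both containers on a private Docker network, leave LanguageTool's port unpublished, and point coolwsd at the container directly, so the Apache `/v2` ProxyPass lines are no longer needed. The service and network names, and the use of a plain http base_url on the internal network, are assumptions; the other values are the ones from the original docker run commands.

```yaml
# Added example (not from the thread): both containers share a private
# Docker network, so CODE reaches LanguageTool by service name and the
# /v2 endpoint is never published on the host or proxied by Apache.
# Assumed: the service/network names and that coolwsd accepts a plain
# http base_url for a LanguageTool server on the internal network.
services:
  code:
    image: collabora/code
    container_name: code
    restart: always
    tty: true
    ports:
      - "127.0.0.1:9980:9980"   # still only reachable by Apache on this host
    environment:
      server_name: code.example.com
      aliasgroup1: https://mynextcloud.example.com:443
      aliasgroup2: https://friendsnextcloud.example.com:443
      dictionaries: en_US
      username: username
      password: password
      # base_url now targets the container, not the public hostname
      extra_params: >-
        --o:ssl.enable=false
        --o:ssl.termination=true
        --o:languagetool.enabled=true
        --o:languagetool.base_url=http://languagetool:8010/v2
    networks:
      - internal
    depends_on:
      - languagetool

  languagetool:
    image: collabora/languagetool
    container_name: languagetool
    restart: unless-stopped
    # no "ports:" entry: 8010 is reachable only from the internal network
    volumes:
      - /ngrams:/ngrams:ro
    networks:
      - internal

networks:
  internal:
    driver: bridge
```

With this layout the `ProxyPass /v2` and `ProxyPassReverse /v2` lines are removed from the Apache vhost, and a quick check that nothing is exposed is `curl -s https://code.example.com/v2/languages`, which should no longer return the LanguageTool language list.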