I have been playing around with the collabora/languagetool docker image and have a few questions around how to secure it.
I am using an instance in Oracle cloud as my playground; VM.Standard.A1.Flex (arm64) with Ubuntu 22.04.
Below are my docker commands:
```bash
sudo docker run -t -d \
  --name code \
  -p 127.0.0.1:9980:9980 \
  -e "server_name=code.example.com" \
  -e "aliasgroup1=https://mynextcloud.example.com:443" \
  -e "aliasgroup2=https://friendsnextcloud.example.com:443" \
  -e "dictionaries=en_US" \
  -e "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:languagetool.enabled=true --o:languagetool.base_url=https://code.example.com/v2" \
  -e "username=username" \
  -e "password=password" \
  --restart always \
  collabora/code

sudo docker run -d \
  --name languagetool \
  -p 127.0.0.1:8081:8010 \
  -v /ngrams:/ngrams:ro \
  --restart=unless-stopped \
  collabora/languagetool
```
And here is the body of my Apache conf for the reverse proxy to add SSL:
```apache
AllowEncodedSlashes NoDecode
ProxyPreserveHost On

# static html, js, images, etc. served from coolwsd
# browser is the client part of Collabora Online
ProxyPass /browser http://127.0.0.1:9980/browser retry=0
ProxyPassReverse /browser http://127.0.0.1:9980/browser

# WOPI discovery URL
ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery

# Capabilities
ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

# Main websocket
ProxyPassMatch "/cool/(.*)/ws$" ws://127.0.0.1:9980/cool/$1/ws nocanon

# Admin Console websocket
ProxyPass /cool/adminws ws://127.0.0.1:9980/cool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /cool http://127.0.0.1:9980/cool
ProxyPassReverse /cool http://127.0.0.1:9980/cool

# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass /lool http://127.0.0.1:9980/cool
ProxyPassReverse /lool http://127.0.0.1:9980/cool

# LanguageTool API
ProxyPass /v2 http://127.0.0.1:8081/v2
ProxyPassReverse /v2 http://127.0.0.1:8081/v2
```
This works; however, there is nothing protecting the LanguageTool API. That is, anyone who comes across the URL could start using it, which does not seem very secure. Is there a way of locking this down so that only the CODE instance is able to use this?
Thank you for your help
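
One way to restrict the proxied `/v2` path described in the post, shown as an added example that is not part of the original post or of Collabora's documentation. It assumes Apache 2.4 with `mod_authz_core`, `mod_authz_host` and `mod_setenvif` enabled; `203.0.113.10` is a constructed placeholder for the source address that Apache records for CODE's own requests, and the log file name is hypothetical.

```apache
# LanguageTool API, proxied exactly as in the post
ProxyPass /v2 http://127.0.0.1:8081/v2
ProxyPassReverse /v2 http://127.0.0.1:8081/v2

# Added: log /v2 traffic separately. Use this log first to find the source
# address CODE's requests arrive from, then to watch for denied (403) clients.
# The file name languagetool_access.log is hypothetical.
SetEnvIf Request_URI "^/v2(/|$)" lt_api
CustomLog ${APACHE_LOG_DIR}/languagetool_access.log combined env=lt_api

# Added: access control for the proxied path. Every condition inside
# <RequireAll> must pass, otherwise Apache answers 403 before proxying.
<Location "/v2">
    <RequireAll>
        # Loopback plus the address of the CODE instance.
        # 203.0.113.10 is a constructed placeholder: replace it with the
        # address seen in languagetool_access.log for CODE's requests.
        Require ip 127.0.0.1 ::1 203.0.113.10
        # Only the HTTP methods GET and POST are allowed through.
        Require method GET POST
    </RequireAll>
</Location>
```

After reloading Apache, a request to `https://code.example.com/v2/languages` from any other address should return 403, while spell and grammar checking inside a document opened through CODE should keep working.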