How to Secure the Collabora/Languagetool Docker Image

I have been playing around with the collabora/languagetool docker image and have a few questions around how to secure it.

I am using an instance in Oracle cloud as my playground; VM.Standard.A1.Flex (arm64) with Ubuntu 22.04.

Below are my docker commands:

sudo docker run -t -d \
--name code \
-p \
-e "" \
-e "aliasgroup1=" \
-e "aliasgroup2=" \
-e "dictionaries=en_US" \
-e "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:languagetool.enabled=true --o:languagetool.base_url=" \
-e "username=username" \
-e "password=password" \
--restart always \

sudo docker run -d \
--name languagetool \
-p \
-v /ngrams:/ngrams:ro \
--restart=unless-stopped \

And here is the body of my Apache conf for the reverse proxy to add SSL:

AllowEncodedSlashes NoDecode
 ProxyPreserveHost On

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser retry=0
 ProxyPassReverse    /browser

 # WOPI discovery URL
 ProxyPass           /hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery

 # Capabilities
 ProxyPass           /hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      ws://$1/ws nocanon

 # Admin Console websocket
 ProxyPass           /cool/adminws ws://

 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool
 ProxyPassReverse    /cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool
 ProxyPassReverse    /lool

 # LanguageTool API
 ProxyPass           /v2
 ProxyPassReverse    /v2

This works; however, there is nothing protecting the LanguageTool API. That is, anyone that comes across the URL could start using it, which does not seem very secure. Is there a way of locking this down so that only the CODE instance is able to use this?

Thank you for your help
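An added example, not part of the original thread or of either project: a small audit that lists which proxied prefixes in an Apache conf like the one above are not covered by a restricting `Require` directive, so an open `/v2` is easy to spot. The backend addresses, the client IP, the sample configs and the function name are constructed assumptions.

```python
import re

# Constructed samples modelled on the proxy layout in the thread; backend
# addresses and the client IP are placeholders, not values from the page.
SAMPLE_OPEN = """
ProxyPass        /browser http://127.0.0.1:9980/browser retry=0
ProxyPassReverse /browser http://127.0.0.1:9980/browser
ProxyPass        /cool/adminws ws://127.0.0.1:9980/cool/adminws
# LanguageTool API
ProxyPass        /v2 http://127.0.0.1:8010/v2
ProxyPassReverse /v2 http://127.0.0.1:8010/v2
"""

SAMPLE_RESTRICTED = SAMPLE_OPEN + """
<Location "/v2">
    Require ip 203.0.113.10
</Location>
"""

# Only plain ProxyPass is inspected; ProxyPassMatch takes a regex and is skipped.
PROXY = re.compile(r'^\s*ProxyPass\s+"?(/[^\s"]*)"?', re.I)
LOC_OPEN = re.compile(r'^\s*<Location\s+"?(/[^\s">]*)"?\s*>', re.I)
LOC_CLOSE = re.compile(r'^\s*</Location>', re.I)
REQUIRE = re.compile(r'^\s*Require\s+(.+)$', re.I)

def unrestricted_proxy_paths(conf):
    """Return proxied URL prefixes not covered by a restricting Require."""
    proxied, guarded, current = [], [], None
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if m := PROXY.match(line):
            if m.group(1) not in proxied:
                proxied.append(m.group(1))
        elif m := LOC_OPEN.match(line):
            current = m.group(1)
        elif LOC_CLOSE.match(line):
            current = None
        elif current and (m := REQUIRE.match(line)):
            # "Require all granted" lets everyone in, so it is not a guard.
            if m.group(1).strip().lower() != "all granted":
                guarded.append(current)
    # A <Location> guard covers its own path and everything beneath it.
    return [p for p in proxied
            if not any(p == g or p.startswith(g.rstrip("/") + "/") for g in guarded)]
```

The check only reports whether a `Require` other than `all granted` applies to a proxied prefix; whether that restriction is the right one for a given path still needs review.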

I have been looking into this some more and as far as I can tell LanguageTool does not have the ability to add such protection, docker or otherwise. Or at least not for a self-hosted non-premium install. It seems like the best option would be to do something like basic auth in a reverse proxy. However, the client, in this case the CODE instance, would need to support this. I suspect CODE does not support this option.

Thank you

Good question. As you can read on the Docker page for this image, it’s based on this Dockerfile:

That’s probably a better place to check.

Thank you for the suggestion. I have looked upstream and the issue is with the LanguageTool application itself, in a docker container or otherwise. The username and API key are for a premium feature, and there is currently no built-in way to protect a non-premium self-hosted instance.

The recommendation was to protect the LanguageTool instance with something like basic authentication in a reverse proxy. This is a good suggestion; however, I don’t believe Collabora Online Development Edition (CODE) supports this as I see no option to do so in the coolwsd.xml:

<!--
    This is API settings. To turn it on, please set "enabled" property to true.
    "base_url" may be if the cloud version is used.
    However, your data in the document e.g. the text part of it will be sent to the cloud API. Please read the privacy policy:
-->
<languagetool desc="LanguageTool Remote API settings for grammar checking">
    <enabled desc="Enable LanguageTool Remote Grammar Checker" type="bool" default="false"></enabled>
    <base_url desc="Http endpoint for the LanguageTool API server, without /check or /languages postfix at the end." type="string" default=""></base_url>
    <user_name desc="LanguageTool account username for premium usage." type="string" default=""></user_name>
    <api_key desc="Api key provided by LanguageTool account for premium usage." type="string" default=""></api_key>
    <ssl_verification desc="Enable or disable SSL verification" type="string" default="true"></ssl_verification>
</languagetool>

Therefore, I don’t see any resolution at this time other than hoping LanguageTool adds the protection of a username and API key for non-premium users or Collabora adds support for something like basic authentication.

I would like to help try and resolve this better or purchase a premium LanguageTool and Collabora, however I don’t have the time or means right now.

Thank You