How to Secure the Collabora/Languagetool Docker Image

I have been playing around with the collabora/languagetool docker image and have a few questions around how to secure it.

I am using an instance in Oracle cloud as my playground; VM.Standard.A1.Flex (arm64) with Ubuntu 22.04.

Below are my docker commands:

sudo docker run -t -d \
--name code \
-p 127.0.0.1:9980:9980 \
-e "server_name=code.example.com" \
-e "aliasgroup1=https://mynextcloud.example.com:443" \
-e "aliasgroup2=https://friendsnextcloud.example.com:443" \
-e "dictionaries=en_US" \
-e "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:languagetool.enabled=true --o:languagetool.base_url=https://code.example.com/v2" \
-e "username=username" \
-e "password=password" \
--restart always \
collabora/code

sudo docker run -d \
--name languagetool \
-p 127.0.0.1:8081:8010 \
-v /ngrams:/ngrams:ro \
--restart=unless-stopped \
collabora/languagetool

And here is the body of my Apache conf for the reverse proxy to add SSL:

AllowEncodedSlashes NoDecode
 ProxyPreserveHost On

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser http://127.0.0.1:9980/browser retry=0
 ProxyPassReverse    /browser http://127.0.0.1:9980/browser


 # WOPI discovery URL
 ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities


 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon


 # Admin Console websocket
 ProxyPass           /cool/adminws ws://127.0.0.1:9980/cool/adminws


 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool http://127.0.0.1:9980/cool
 ProxyPassReverse    /cool http://127.0.0.1:9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool http://127.0.0.1:9980/cool
 ProxyPassReverse    /lool http://127.0.0.1:9980/cool

 # LanguageTool API
 ProxyPass           /v2 http://127.0.0.1:8081/v2
 ProxyPassReverse    /v2 http://127.0.0.1:8081/v2

This works, however there is nothing protecting the LanguageTool API. That is, anyone that comes across the URL could start using it, which does not seem very secure. Is there a way of locking this down so that only the CODE instance wish are able to uses this?

Thank you for your help

I have been looking into this some more and as far as I can tell LanguageTool does not have the ability to add such protection, docker or otherwise. Or at least not for a self-hosted non-premium install. It seems like the best option would be to do something like basic auth in a reverse proxy. However, the client, in this case the CODE instance, would need to support this. I suspect CODE does not support this option.

Thank you