And here is the body of my Apache conf for the reverse proxy to add SSL:
# static html, js, images, etc. served from coolwsd
# browser is the client part of Collabora Online
ProxyPass /browser http://127.0.0.1:9980/browser retry=0
ProxyPassReverse /browser http://127.0.0.1:9980/browser
# WOPI discovery URL
ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery
ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
# Main websocket
ProxyPassMatch "/cool/(.*)/ws$" ws://127.0.0.1:9980/cool/$1/ws nocanon
# Admin Console websocket
ProxyPass /cool/adminws ws://127.0.0.1:9980/cool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /cool http://127.0.0.1:9980/cool
ProxyPassReverse /cool http://127.0.0.1:9980/cool
# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass /lool http://127.0.0.1:9980/cool
ProxyPassReverse /lool http://127.0.0.1:9980/cool
# LanguageTool API
ProxyPass /v2 http://127.0.0.1:8081/v2
ProxyPassReverse /v2 http://127.0.0.1:8081/v2
This works; however, there is nothing protecting the LanguageTool API. That is, anyone that comes across the URL could start using it, which does not seem very secure. Is there a way of locking this down so that only the CODE instances I wish are able to use this?
I have been looking into this some more and as far as I can tell LanguageTool does not have the ability to add such protection, docker or otherwise. Or at least not for a self-hosted non-premium install. It seems like the best option would be to do something like basic auth in a reverse proxy. However, the client, in this case the CODE instance, would need to support this. I suspect CODE does not support this option.
Thank you for the suggestion. I have looked upstream and the issue is with the LanguageTool application itself, in a docker container or otherwise. The username and API key are for a premium feature, and there is currently no built-in way to protect a non-premium self-hosted instance.
The recommendation was to protect the LanguageTool instance with something like basic authentication in a reverse proxy. Which is a good suggestion, however I don’t believe Collabora Online Development Edition (CODE) supports this as I see no option to do so in the coolwsd.xml:
<!-- This is LanguageTool.org API settings. To turn it on, please set "enabled" property to true.
     "base_url" may be https://api.languagetoolplus.com/v2 if the cloud version is used. -->
<languagetool desc="LanguageTool Remote API settings for grammar checking">
    <enabled desc="Enable LanguageTool Remote Grammar Checker" type="bool" default="false"></enabled>
    <base_url desc="Http endpoint for the LanguageTool API server, without /check or /languages postfix at the end." type="string" default=""></base_url>
    <user_name desc="LanguageTool account username for premium usage." type="string" default=""></user_name>
    <api_key desc="Api key provided by LanguageTool account for premium usage." type="string" default=""></api_key>
    <ssl_verification desc="Enable or disable SSL verification" type="string" default="true"></ssl_verification>
</languagetool>
Therefore, I don’t see any resolution at this time other than hoping LanguageTool adds the protection of a username and API key for non-premium users or Collabora adds support for something like basic authentication.
I would like to help try and resolve this better or purchase a premium LanguageTool and Collabora; however, I don’t have the time or means right now.
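An added example, not part of the original posts: one way to restrict the `/v2` proxy without any client-side support is to authorize by source address in Apache 2.4 instead of by credentials. It assumes the grammar-check requests are sent by the CODE server itself rather than by users' browsers; the address `192.0.2.10` is a documentation placeholder, not a value from this thread.

```apache
# Added example (not from the original post). Requires Apache 2.4 with
# mod_proxy, mod_proxy_http and mod_authz_host.

# Before: any client that can reach this virtual host can use the API.
#   ProxyPass        /v2 http://127.0.0.1:8081/v2
#   ProxyPassReverse /v2 http://127.0.0.1:8081/v2

# After: same proxy rules, plus an address-based authorization check.
ProxyPass        /v2 http://127.0.0.1:8081/v2
ProxyPassReverse /v2 http://127.0.0.1:8081/v2

<Location "/v2">
    # Loopback covers a coolwsd that runs on the same machine as Apache.
    Require ip 127.0.0.1 ::1

    # Assumption: CODE runs on a different host. Replace the placeholder
    # with that host's address and uncomment. Several Require lines at
    # this level are ORed, so either match grants access.
    # Require ip 192.0.2.10
</Location>

# All other clients receive 403 Forbidden for /v2; the /browser, /hosting
# and /cool locations are not affected by this block.
```

If Apache sits behind another proxy or load balancer, `Require ip` sees that device's address, so the check has to be made where the real client address is visible.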