SOLVED: "Document loading failed" / 404 with Collabora Online and Nextcloud on Kubernetes (CSP & WOPI issues)

Hi everyone,

We recently struggled with a Collabora Online integration in a Kubernetes environment (using Traefik as Ingress) where we could see the “Collabora Online server is reachable” green checkmark in the admin settings, but opening any document resulted in “Document loading failed” or a 404 error in the browser.

After debugging the Firefox/Chrome console, we found the culprit: Content Security Policy (CSP) mismatches and protocol confusion between internal pod communication and external browser access.

The Symptoms:

  1. Admin panel shows Collabora is “Reachable”.

  2. Browser console shows: Content-Security-Policy: The page’s settings blocked the loading of a resource (form-action) because it violates...

  3. The browser tries to load an http:// URL for the office frame while the site is running on https://.

The Root Cause:

Nextcloud was generating internal WOPI links using http or internal Kubernetes DNS names (e.g., .svc.cluster.local), which the browser correctly blocks for security (Mixed Content / CSP).

The Solution:

You need to force Nextcloud to treat all Office traffic as HTTPS and explicitly whitelist the office domain in the CSP. If you are using the occ tool, apply these settings:

1. Force HTTPS and correct trusted domains:

```bash
# Ensure Nextcloud knows it's behind an SSL proxy
php occ config:system:set overwriteprotocol --value='https'
php occ config:system:set overwrite.cli.url --value='https://your-nextcloud-domain.com'

# Add your office subdomain to trusted domains
php occ config:system:set trusted_domains 2 --value='office.your-domain.com'
```

2. Fix the WOPI & CSP settings:

The key here is to allow the browser to talk to the office domain via HTTPS while allowing Nextcloud to skip internal resolving if the pods can’t reach the external Ingress IP (Hairpinning).

```bash
# Set the WOPI URL to the public HTTPS address
php occ config:app:set richdocuments wopi_url --value='https://office.your-domain.com'

# Disable internal resolving if you have NAT/Hairpinning issues in your cluster
php occ config:app:set richdocuments wopi_url_disable_internal_resolving --value='yes'

# Open the WOPI allowlist for internal pod communication
php occ config:app:set richdocuments wopi_allowlist --value='0.0.0.0/0,::/0'

# CRITICAL: Add both the domain and the full HTTPS URL to the CSP whitelist
php occ config:system:set content_security_policy_allowed_domains 0 --value='office.your-domain.com'
php occ config:system:set content_security_policy_allowed_domains 1 --value='https://office.your-domain.com'
```

3. Collabora Server Configuration (CODE):

Make sure your Collabora deployment has these environment variables set to handle SSL termination correctly:

  • extra_params: --o:ssl.enable=false --o:ssl.termination=true

  • aliasgroup1: https://your-nextcloud-domain.com:443

After applying these, clear your browser cache and try again. The document should now load perfectly in the secure frame.

Hope this helps someone else save a few hours of debugging!


1 Like
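As an added example (not part of the original post and not Nextcloud or Collabora code), this Python check audits the settings from the post above, assuming the `system`/`apps` JSON shape that `php occ config:list` prints; the key names are taken from the post and the sample is constructed from its placeholder values. Besides the root causes the post names, it flags `wopi_allowlist` entries with a /0 prefix, because those accept WOPI requests from any source address.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample in the JSON shape of `php occ config:list`, filled with
# the post's placeholder values (not output captured from a real server).
SAMPLE = json.loads("""
{"system": {"overwriteprotocol": "https",
            "content_security_policy_allowed_domains":
                ["office.your-domain.com", "https://office.your-domain.com"]},
 "apps": {"richdocuments": {"wopi_url": "https://office.your-domain.com",
                            "wopi_allowlist": "0.0.0.0/0,::/0"}}}
""")


def audit(cfg):
    """Return (setting, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    system = cfg.get("system", {})
    office = cfg.get("apps", {}).get("richdocuments", {})

    if system.get("overwriteprotocol") != "https":
        findings.append(("overwriteprotocol", "not https, generated links may use http://"))

    url = urlparse(office.get("wopi_url", ""))
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append(("wopi_url", "not https, the browser blocks it as mixed content"))
    if host.endswith(".svc.cluster.local"):
        findings.append(("wopi_url", "cluster-internal name, the browser cannot resolve it"))

    # CSP entries appear both as bare hosts and as full URLs in the post.
    allowed = system.get("content_security_policy_allowed_domains", [])
    if host not in {urlparse(e).hostname or e for e in allowed}:
        findings.append(("content_security_policy_allowed_domains", f"{host} not listed"))

    for entry in office.get("wopi_allowlist", "").split(","):
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # empty or not an IP/CIDR entry: outside this check
        if net.prefixlen == 0:
            findings.append(("wopi_allowlist", f"{entry.strip()} matches every source address"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE):
        print(f"{setting}: {finding}")
```

Replacing the /0 entries with the network the Collabora pods actually use (for instance a hypothetical pod CIDR such as 10.42.0.0/16) clears the `wopi_allowlist` findings.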

Hi @Bertrand,

Fantastic! I really love how you shared this helpful discussion here. I’m sure it will benefit many contributors.

Thanks a lot, and please keep sharing these kinds of useful configurations and insights.

Thanks,
Darshan