I’m trying to set up collabora and nextcloud in docker compose. My setup is the following:
I’m running this on a machine with tailscale, https is on vpn.mydomain.com, but and although mydomain.com is owned by me, the .vpn. DNS addresses are provided by tailscale and point to tailscale IP-s (the SSL cert used on the machine is a wildcard created elsewhere and copied here). I have an nginx reverse proxy in front of everything, running on the same machine, with settings copied from the official SDK (SSL termination - sdk.collaboraonline[.com]/docs/installation/Proxy_settings.html#reverse-proxy-settings-in-nginx-config-ssl-termination) verbatim, except obviously SSL paths and server_name.
My docker-compose for collabora looks like this:
collabora:
image: collabora/code:latest
cap_add:
- MKNOD
env_file:
- collabora.env
environment:
- server_name=office.vpn.mydomain.com
- username=nextcloud
- TZ=Europe/Budapest
- WOPI_URL=https://nc.vpn.mydomain.com/index.php/apps/richdocuments/wopi/
- extra_params=--o:ssl.enable=false --o:ssl.termination=true
- aliasgroup1=https://nc\\.vpn\\.mydomain\\.com:443
ports:
- 9980:9980
restart: always
For setup I followed this guide: Collabora integration guide - 📑 How to - Nextcloud community.
Connectivity is not an issue, the curl calls work from inside the docker containers, the nextcloud admin interface is green and in the nextcloud admin interface the “allow list for WOPI requests” is empty, which as far as I know means there is no restriction on it.
If I open a document in nextcloud I get the error
“Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists.”
I have the following error messages in collabora logs:
collabora-1 | wsd-00001-00041 2025-07-21 10:24:10.198727 +0200 [ websrv_poll ] WRN Client - server version mismatch, disabling browser cache. Expected: 5aa2ead294; Actual URI path with version hash: /browser/dist/fetch-settings-file| wsd/FileServer.cpp:914
collabora-1 | wsd-00001-00041 2025-07-21 10:24:10.199393 +0200 [ websrv_poll ] WRN #34: Socket still open post onDisconnect(), forced shutdown.| net/Socket.hpp:1272
collabora-1 | wsd-00001-00041 2025-07-21 10:24:10.199481 +0200 [ websrv_poll ] ERR #28: #28 Exception while processing incoming request: []: Integrator wopi call failed: Moved Permanently. Response: <html>
collabora-1 | <head><title>301 Moved Permanently</title></head>
collabora-1 | <body>
collabora-1 | <center><h1>301 Moved Permanently</h1></center>
collabora-1 | <hr><center>nginx/1.24.0 (Ubuntu)</center>
collabora-1 | </body>
collabora-1 | </html>
collabora-1 | | wsd/ClientRequestDispatcher.cpp:1251
collabora-1 | wsd-00001-00041 2025-07-21 10:25:02.523939 +0200 [ websrv_poll ] ERR #-1: No authorized hosts found matching the target host [nc.vpn.mydomain.com] in config| wsd/RequestVettingStation.cpp:96
collabora-1 | wsd-00001-00041 2025-07-21 10:25:02.551125 +0200 [ websrv_poll ] ERR #28: No authorized hosts found matching the target host [nc.vpn.mydomain.com] in config| wsd/RequestVettingStation.cpp:262
Note, that it seems the correct nc.vpn.mydomain.com is sent, but it is not recognized by collabora. Documentation and forum messages suggest that I might be giving the aliasgroup1 wrong in some way, but if anything else is the first entry in it, then the timeout for the error when opening a file is much longer and the error message in nextcloud is different:
Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. For more info on proxy configuration please checkout
What am I doing wrong here and how do I fix this?
