Add WOPI list . . . any clear answers?

I’m running Nextcloud Hub 6 27.1.11 with Nextcloud office (8.2.12) as a docker install.

I’m trying to set up the WOPI allow list. I’ve been trying to do this on-and-off for a while. It seems a desirable - although not necessary - step to get things running securely.

Steps so far.
Find docker details:

root@stanworth:/home/james# docker ps -a
CONTAINER ID   IMAGE            COMMAND                  CREATED         STATUS          PORTS                      NAMES
b7a2fccc4f26   collabora/code   "/start-collabora-on…"   9 minutes ago   Up 34 seconds   127.0.0.1:9980->9980/tcp   NEXTCLOUDOFFICE

Specifically checking the IP of the container:

root@stanworth:/home/james# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' NEXTCLOUDOFFICE
172.17.0.2

My network gateway is 192.168.2.1

Adding that works. Others also have done this.

However, is this what I should be doing here? There is much confusion about this.

So it would be great if a “super tech” could dive in with some specific answers :smiley:

Hi @James_O_Stanworth! This topic is in fact easy and complicated at the same time because there is a mix of two different concepts. The WOPI protocol itself is completely about DNS (consult the Collabora integration guide for details), but the WOPI allow list only works with IP addresses.

Basically speaking, this list should cover the IP addresses where the request comes from (like in a firewall). To know where it comes from, you must understand the whole way of the request from the CODE server to access Nextcloud. Usually, and as best practice, both systems use public DNS names for communication. This makes CODE resolve the public DNS name of Nextcloud to its public IP… in turn CODE connects to a public IP of NC, often traveling all the way from the internal CODE server to the router to the internet :globe_with_meridians: and coming back through the router's public IP, port forwarding, maybe a reverse proxy, hitting the NC server… this is the reason why often your public IP must be included in the allow list to make CODE work…

PS: there are techniques like split-brain DNS addressing the issue and routing the traffic internally, but this adds complexity and requires some understanding of networking basics.
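
Added example (not part of the original thread): one way to see which source addresses the WOPI requests actually arrive from is to count them in the web server's access log and compare them with the allow list. It assumes a combined-format access log and that WOPI requests hit a path containing `/apps/richdocuments/wopi/`; the function names and the sample log lines are constructed for illustration, and the comparison is exact-match only (no CIDR ranges).

```shell
#!/bin/sh
# wopi_sources: read a combined-format access log on stdin and print
# "count source-ip" for every client that requested a WOPI endpoint.
wopi_sources() {
    awk '
        # field 1 = client address, field 7 = request path (combined log format)
        $7 ~ /\/apps\/richdocuments\/wopi\// { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# missing_from_allowlist LIST: read the same log on stdin and print every
# observed WOPI source that is not in the comma-separated LIST.
# Assumption: exact address match only; ranges are not evaluated here.
missing_from_allowlist() {
    allow=$1
    wopi_sources | while read -r _count ip; do
        case ",$allow," in
            *",$ip,"*) ;;          # already covered by the allow list
            *) echo "$ip" ;;       # WOPI traffic from an address not listed
        esac
    done
}

# Constructed sample log lines, using the two addresses mentioned in the thread
# plus one unrelated LAN client that never touches a WOPI endpoint.
sample_log() {
cat <<'EOF'
192.168.2.1 - - [10/Jun/2024:10:00:01 +0000] "GET /index.php/apps/richdocuments/wopi/files/123_oc?access_token=REDACTED HTTP/1.1" 200 512 "-" "-"
192.168.2.1 - - [10/Jun/2024:10:00:02 +0000] "GET /index.php/apps/richdocuments/wopi/files/123_oc/contents?access_token=REDACTED HTTP/1.1" 200 20480 "-" "-"
172.17.0.2 - - [10/Jun/2024:10:05:00 +0000] "POST /index.php/apps/richdocuments/wopi/files/123_oc/contents?access_token=REDACTED HTTP/1.1" 200 64 "-" "-"
192.168.2.50 - - [10/Jun/2024:10:06:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 4096 "-" "-"
EOF
}

# Demo: which addresses send WOPI requests, and which are absent from a
# hypothetical allow list containing only the container address.
sample_log | wopi_sources
sample_log | missing_from_allowlist "172.17.0.2"
```

If a reverse proxy sits in front of Nextcloud, the web server log may show the proxy's address rather than the original client, so read the log at the hop that sees the real source.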