I assume you still have some issues in terms of which component communicates with the others, and how. My setup looks like this:
- each URL is https
- TLS termination is done at the reverse proxy; communication behind the reverse proxy is plain http
- connections between the Nextcloud and Collabora containers flow through the reverse proxy (because a direct connection has no TLS)
Maybe there are other ways to set this up, but you should keep in mind how the access works:
- once the client accesses a file and wants to edit it using Collabora
- Nextcloud generates a URL and an access token for this file and passes them to the client (simplified: https://collaboraurl?openfile=https://nextcloudurl/file=xyz&token=secret)
- Collabora in turn accesses the file at https://nextcloudurl/file=xyz remotely and provides editing features

This is why each component must be reachable using a valid public URL (with https). In detail: the client must reach both NC and Collabora, Collabora must reach NC, and NC must reach Collabora. In my eyes the easiest way is to have only one entry point (the reverse proxy) where you can do the TLS handling and avoid the complexity of TLS behind the RP, which adds the challenge that internal communications between Nextcloud and Collabora must flow through the RP as well.
Take a look at the docker config here:
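
Added example, not part of the post above and not the docker config it refers to: a Python check of the editor URL that Nextcloud hands to the client, flagging a callback that is plain http or points at a container-internal name. It assumes the post's simplified URL form (the `openfile` and `token` parameter names come from that simplification, not from Collabora's real interface), and the hostnames are constructed.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs in the post's simplified form (hostnames are made up).
GOOD = "https://office.example.com/?openfile=https://cloud.example.com/file=xyz&token=secret"
BAD = "https://office.example.com/?openfile=http://nextcloud/file=xyz&token=secret"


def url_problems(label, url):
    """Return reasons why `url` is not a public https URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    problems = []
    if parts.scheme != "https":
        problems.append(f"{label}: scheme is '{parts.scheme}', expected https")
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback:
            problems.append(f"{label}: {host} is an internal address")
    except ValueError:
        # Not an IP literal: a single-label name (e.g. a container name)
        # only resolves inside the Docker network, not for the client.
        if "." not in host:
            problems.append(f"{label}: '{host}' is not a public DNS name")
    return problems


def check_editor_url(editor_url):
    """Check the URL Nextcloud hands to the client for editing a file."""
    problems = url_problems("Collabora", editor_url)
    query = parse_qs(urlsplit(editor_url).query)
    callback = query.get("openfile", [""])[0]
    if callback:
        # Collabora fetches the file from this URL, so it must be public https too.
        problems += url_problems("Nextcloud callback", callback)
    else:
        problems.append("no openfile callback URL")
    if not query.get("token"):
        problems.append("no access token")
    return problems


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample, "->", check_editor_url(sample) or "ok")
```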