Collabora/nextcloud on different server than reverse proxy

I Currently have a reverse proxy server set up that does nothing but proxy for servers behind it. I have Collabora and NextCloud on another server. I can not for the life of me get the reverse proxy to function correctly. I changed every instance of to the internal server address of the Nextcloud/Collabora server. Do I need the reverse proxy file in both servers?

I have maybe the same setting:

  • 1 reverse Proxy on one Server (Ubuntu 16.4 with Apache) proxing to
  • 1 nextcloud instance (on Ubunut 16.4) and
  • 1 colabora instance (on VmWare’s Photon)
    All together on a ESXi Host.

I don’t need a Proxy on the nextcloud instance. See the config-files. Maybe this helps:

File “nextcloud.mydomain.conf” (on reverse proxy)

File “office.mydomain.conf” (on reverse proxy)

Then, start docker with:
docker run -t -d -p photonVmIp:9980:9980 -e ‘domain=nextcloud\.mydomain\.ch’ --restart always --cap-add MKNOD collabora/code

Hmm that is what I had. I have opened the port 9980 on firewalld but does this port need opened on the main firewall as well? or does the collabora traffic come in on port 443 and then get routed into port 9980 via the rewrite rules?

I am getting an Access forbidden error in Nextcloud.

Does anyone know how to track down what is trying to be accessed? I am kind of stuck at this point.

I think that it is easier to use separated boxes.
Please share info, if you want answers.
What do you use? Debian, Ubuntu, CentOS
What version?
Are you using apache, nginx?

The easiest ways to get it working are using

  • *buntu 16.04 with aufs support.
  • Having 2 domains with valid SSL certs
  • running the latest docker image

The CODE container can be setup on another server, and still you don’t change the
That setting is handled by the you use on the admin configuration.
So, please do not change or any other configuration on the proxy or docker.

If you are running your own DNS please use the option: --dns= <- (your DNS server ip)

Hi! Thanks for the info.

CentOS 7 with apache
Internal DNS

I have server 1 server that is just the reverse proxy that all external web traffic comes through. I then have a second server that has Nextcloud and Collabora on it What would the conf web file look like then on the proxy for it to pass the information back to the Nextcloud/Collabora server? If it is easier to have all 3 pieces on different servers I can do that as well.

Edit: Running Both Nextcloud and Collabora on the same server and using the proxy config on the same server I can access Collabora flawlessly internally. Not sure what needs to go on the proxy server for external traffic.

@cobash, if you are getting access forbidden first you should check your ssl certificate.
Create a test page and test virtual host pointing to your collabora domain. Try accessing the, see if you get a valid certificate, if you do, then open port 9980 in your router and your local machine firewall and try to access
it may be possible that your proxy server or router is re-routing traffic to the wrong machine.

Ok I tried the test page and the ssl cert is valid and works. Also opened port 9980 to the Nextcloud/Collabora server and tried the link you sent and that prompted for login. I guess my question is should that port be opened to the proxy server or directly to the Nextcloud/Collabora server.

if you want to access it from the outside you must open port 9980 in your router, but each setup is different, best you could do is first get it to work with all ports open, then start closing the port in your collabora host, it it works block it in your proxy and so on. Basically get it working first, then you worry about securing your connection.

Just wanted to say thanks to everyone that was helping. I did get it to work so thanks! I will add to this tomorrow and write how I got it set up.

Please tell us a bit more about the nginx fix.

Hi, my problem originated from the proxy server running apache. I had it set up just like Raoul1 had suggested but selinux was blocking network access. I had to run the following command to get it to work. “setsebool -P httpd_can_network_connect on” To see if this is the same problem I was having try “setenforce 0” to temporaraly turn off selinux. After doing that see if it works or if your error message changes. “setenforce 1” will turn it back on.


I have an equal situation.
i have a reverse Proxy on server 1 (apache -Debian Raspian) wich is directly behind my router (port 80 and 443)
on my Server 2 runs nextcloud and docker with code (apache - ubuntu 16.04).

i use letsencrypt to run everything with ssl on my Server 1
my apache conf on Server 1 is like the standard conf from collabora

i only changed the localhost ip from to the ip of my Server 2
like this:

ProxyPass /loleaflet https://server2:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://server2:9980/loleaflet

to access the docker container i started it a little bit different then the manual to get this :
-> docker ps>9980/tcp
here is my run command :

docker run -t -d -p 9980:9980 -e ‘domain=subdomain1\.domain1\.de|subdomain2\.domain2\.de’ --restart always --name code --cap-add MKNOD collabora/code

it is important to use your nextcloud domain and not your office domain !

the last step is on the admin page on nextcloud.
setting up the the right office domain (incl. the port)

like this:

thats my workaround
i hope this is useful

sorry for my bad english :slight_smile: