Collabora - ssl / reverse proxy setup when on different domain and server than NC

Thank you for your reply.
As usual, while writing my problems down in the original post, things became a bit clearer (“talking to the rubber duck…”).

Thing is, I had tried out several different nginx.conf settings. Searching the web for this problem results in 2 or 3 slightly different such configs, which is a bit suspicious in itself, each setting resulting in “almost-working-but-yet-not-quite” with different things broken for each setting (only constantly broken thing over all of them was my self-esteem…).

So I ditched nginx, and tried out traefik instead, which seems to make do with even less verbose config. This thread has an excellent write-up of this. The thread describes NC and collabora running on dockers side-by-side, but using just the traefik and collabora bits works perfectly for the case when the nextcloud server runs somewhere else.

So apparently, my original problem was a wrong configuration of routes in the nginx config file. But since the traefik-based setup works, I’m not going to try to find out what I messed up…

For reference, this is the docker-compose setup that ended up working for me:

```yaml
version: "3.9"

services:

  traefik:
    image: traefik:v2.8.5
    container_name: traefik
    hostname: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log:/var/log
      - /data/traefik:/data/traefik
    command:
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --api.dashboard=true
      - --providers.docker=true
      # only containers labelled traefik.enable=true are routed
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      # redirect everything arriving on :80 to HTTPS
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.traefik.address=:8080
      - --certificatesresolvers.myresolver.acme.email=my.email@somehost.org
      - --certificatesresolvers.myresolver.acme.storage=/data/traefik/acme.json
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.dashboard.entryPoints=traefik'
      - 'traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/debug`)'
      - 'traefik.http.routers.dashboard.service=api@internal'
      - 'traefik.http.routers.dashboard.middlewares=auth'
      # basicauth expects user:hashed-password entries (htpasswd format)
      - 'traefik.http.middlewares.auth.basicauth.users=<someusername>:<somepassword>'

  collabora:
    image: collabora/code
    container_name: collabora
    ports:
      - 9980:9980
    cap_add:
      - MKNOD
    environment:
      # the Nextcloud host that is allowed to use this Collabora instance
      - aliasgroup1=https://nextcloudsubdomain.mydomain.com
      - username=<someusername>
      - password=<somepassword>
      # TLS is terminated at traefik; Collabora itself serves plain HTTP behind it
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.collabora.tls=true'
      - 'traefik.http.routers.collabora.tls.certresolver=myresolver'
      - 'traefik.http.routers.collabora.entrypoints=websecure'
      - 'traefik.http.routers.collabora.rule=Host(`collaborasubdomain.mydomain.com`)'
      - 'traefik.http.routers.collabora.middlewares=collabora-header'
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
      - 'traefik.http.middlewares.collabora-header.headers.referrerPolicy=no-referrer'
      - 'traefik.http.middlewares.collabora-header.headers.stsSeconds=15552000'
      - 'traefik.http.middlewares.collabora-header.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsPreload=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsIncludeSubdomains=true'
      - 'traefik.http.middlewares.collabora-header.headers.browserXssFilter=true'
      - 'traefik.http.middlewares.collabora-header.headers.customRequestHeaders.X-Forwarded-Proto=https'
```
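
A review check for a compose file laid out like the one above, as an added example that is not part of the original post: it reports services whose Traefik backend port (`loadbalancer.server.port`) is also published under `ports:`, where it is reachable on the host without the proxy's TLS and header middleware. The function names and the small hand-written parser are assumptions of this example; the parser handles only this list-style layout, not general YAML.

```python
import re
# Constructed sample: a trimmed copy of the service layout in the post above.
SAMPLE = """\
services:
  traefik:
    ports:
      - 443:443
  collabora:
    ports:
      - 9980:9980
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
"""

def parse_services(text):
    """Hypothetical helper: parses only this 2/4/6-space list layout, not general YAML."""
    services, svc, key = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not body or body.startswith("#"):
            continue
        if indent == 2 and body.endswith(":"):
            svc, key = services.setdefault(body[:-1], {}), None
        elif indent == 4 and svc is not None:
            key = body.split(":", 1)[0]
            svc.setdefault(key, [])
        elif indent == 6 and body.startswith("- ") and key is not None:
            svc[key].append(body[2:].strip().strip("'\""))
    return services

def find_proxy_bypass(services):
    """Return (service, host_port) pairs where a Traefik backend port is also published."""
    findings = []
    for name, cfg in services.items():
        backend = {m.group(1) for label in cfg.get("labels", [])
                   if (m := re.search(r"loadbalancer\.server\.port=(\d+)$", label))}
        for mapping in cfg.get("ports", []):
            parts = mapping.split("/")[0].split(":")  # drop "/tcp", split [ip:]host:container
            if len(parts) < 2 or parts[-1] not in backend:
                continue  # no fixed host port, or not the proxied backend port
            if len(parts) == 3 and parts[0] in ("127.0.0.1", "localhost"):
                continue  # bound to loopback only
            findings.append((name, parts[-2]))
    return findings

if __name__ == "__main__":
    print(find_proxy_bypass(parse_services(SAMPLE)))
```

A finding here means the backend answers on that host port directly; because the Collabora container runs with `ssl.enable=false`, that direct path is plain HTTP.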