Thank you for your reply.
As usual, while writing my problems down in the original post, things became a bit clearer (“talking to the rubber duck…”).
Thing is, I had tried out several different nginx.conf settings. Searching the web for this problem results in 2 or 3 slightly different such configs, which is a bit suspicious in itself, each setting resulting in “almost-working-but-yet-not-quite” with different things broken for each setting (only constantly broken thing over all of them was my self-esteem…).
So I ditched nginx, and tried out traefik instead, which seems to make do with even less verbose config. This thread has an excellent write-up of this. The thread describes NC and collabora running on dockers side-by-side, but using just the traefik and collabora bits works perfectly for the case when the nextcloud server runs somewhere else.
So apparently, my original problem was a wrong configuration of routes in the nginx config file. But since the traefik-based setup works, I’m not going to try to find out what I messed up…
For reference, this is the docker-compose setup that ended up working for me:

```yaml
version: "3.9"
services:
  traefik:
    image: traefik:v2.8.5
    container_name: traefik
    hostname: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    volumes:
      # The Docker provider reads container labels through this socket
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log:/var/log
      - /data/traefik:/data/traefik
    command:
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --api.dashboard=true
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      # Redirect everything arriving on HTTP to HTTPS
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      # Separate entrypoint for the dashboard/API
      - --entryPoints.traefik.address=:8080
      # ACME certificates, HTTP challenge answered on the web entrypoint
      - --certificatesresolvers.myresolver.acme.email=my.email@somehost.org
      - --certificatesresolvers.myresolver.acme.storage=/data/traefik/acme.json
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.dashboard.entryPoints=traefik'
      - 'traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/debug`)'
      - 'traefik.http.routers.dashboard.service=api@internal'
      - 'traefik.http.routers.dashboard.middlewares=auth'
      # Placeholder; Traefik expects an htpasswd-style hashed password ($ doubled as $$ in compose)
      - 'traefik.http.middlewares.auth.basicauth.users=<someusername>:<somepassword>'
  collabora:
    image: collabora/code
    container_name: collabora
    ports:
      - 9980:9980
    cap_add:
      - MKNOD
    environment:
      - aliasgroup1=https://nextcloudsubdomain.mydomain.com
      - username=<someusername>
      - password=<somepassword>
      # TLS is terminated at Traefik; Collabora itself serves plain HTTP
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.collabora.tls=true'
      - 'traefik.http.routers.collabora.tls.certresolver=myresolver'
      - 'traefik.http.routers.collabora.entrypoints=websecure'
      - 'traefik.http.routers.collabora.rule=Host(`collaborasubdomain.mydomain.com`)'
      - 'traefik.http.routers.collabora.middlewares=collabora-header'
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
      # HSTS and related headers added by the collabora-header middleware
      - 'traefik.http.middlewares.collabora-header.headers.referrerPolicy=no-referrer'
      - 'traefik.http.middlewares.collabora-header.headers.stsSeconds=15552000'
      - 'traefik.http.middlewares.collabora-header.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsPreload=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsIncludeSubdomains=true'
      - 'traefik.http.middlewares.collabora-header.headers.browserXssFilter=true'
      - 'traefik.http.middlewares.collabora-header.headers.customRequestHeaders.X-Forwarded-Proto=https'
```
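
A review check for a compose file like the one in this post, as an added example that is not part of the original post: it flags a backend port that is published on the host although Traefik already proxies to it (so it is reachable without TLS or the header middleware), debug logging, and a mounted Docker socket. The dict is constructed from values in the post and stands in for the parsed `services:` section; the function names and finding strings are assumptions of this example.

```python
import re

# Constructed input: the security-relevant keys of the compose file from the post,
# in the shape a YAML parser would return for `services:`.
SERVICES = {
    "traefik": {
        "ports": ["80:80", "443:443", "8080:8080"],
        "volumes": ["/var/run/docker.sock:/var/run/docker.sock:ro"],
        "command": ["--log.level=DEBUG", "--entryPoints.traefik.address=:8080"],
        "labels": ["traefik.enable=true"],
    },
    "collabora": {
        "ports": ["9980:9980"],
        "labels": ["traefik.enable=true",
                   "traefik.http.services.collabora.loadbalancer.server.port=9980"],
    },
}

BACKEND_PORT = re.compile(
    r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port=(\d+)$")


def container_ports(port_specs):
    """Container-side ports from single-port short syntax, e.g. '127.0.0.1:80:80/tcp'."""
    return {int(str(spec).split("/")[0].split(":")[-1]) for spec in port_specs}


def audit(services):
    """Return sorted (service, finding) pairs for settings worth a second look."""
    findings = []
    for name, svc in services.items():
        published = container_ports(svc.get("ports", []))
        for label in svc.get("labels", []):
            m = BACKEND_PORT.match(label)
            # The port Traefik proxies to is also reachable directly on the host.
            if m and int(m.group(1)) in published:
                findings.append((name, f"backend port {m.group(1)} published on host"))
        if any(arg.lower() == "--log.level=debug" for arg in svc.get("command", [])):
            findings.append((name, "debug logging enabled"))
        # A read-only bind mount does not limit what can be requested over the socket.
        if any(str(v).split(":")[0] == "/var/run/docker.sock"
               for v in svc.get("volumes", [])):
            findings.append((name, "docker socket mounted"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SERVICES):
        print(f"{service}: {finding}")
```

Dropping the `ports:` entry from the `collabora` service clears the first finding, because Traefik reaches the container over the Docker network and does not need the port published.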