Collabora - unauthorised WOPI-Host


I upgraded my Nextcloud Server to v11 and make any step of the Collabora install manual:

… I install the the Collabora-App, then it say that isn’t the latest version (I tested to install Collabora at Nextcloud v10 without success), then I update the App. But then, the Icon in the left side disappeared. And when I click at an doc or xls it shows me this message:

I don’t know whats a ‘WOPI-Host’?

The other strange and dangerous thing is, when I open my office-Domain ‘’ it shows my normal homepage ‘’. But when I open the SSL URL ‘’ it shwos me the “/var/www/” folder, and I can download every file (but can’t open a sub folder).

What’s wrong?


Apache config
(I’m sure)


And what? My /etc/apache2/apache2.conf:

Mutex file:${APACHE_LOCK_DIR} default


Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5


HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied

<Directory /usr/share>
	AllowOverride None
	Require all granted

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted

AccessFileName .htaccess

<FilesMatch "^\.ht">
	Require all denied

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf


This one also needs an Apache config


yes … like it’s described at “2. Install the Apache reverse proxy” … and I wrote, that I make any step of this manual … any step, like the step “2. Install the Apache reverse proxy”. And now? What else should been configure?



Maybe Syntax:
docker run -t -d -p -e ‘domain=cloud\.nextcloud\.com’ --restart always --cap-add MKNOD collabora/code

this domain should be your nextcloud domain. In this case

pls try to restart the docker image, and reload the page.

Did you add the domain to collaboration admin-page (from nextcloud)?

In my case, i used a new virtualhost.conf file and activated (for

You can add an index.html file to reload ( to your nextcloud page
very simple:

Or you can config apache for error 403:


I saved the log of my instalation of Collabora and I type in the right domain.

I type in “” in the “Collabora Online Server” input form.

I added “DocumentRoot /var/www/nextcloud” to the “VirtualHost” of Collabora and now I just get redirected to nextcloud, if s.o. visits Good idea, thx.

I also restart docker, but nothing happend. The Icon “Office” in the Menu is still missing and I get the same error message.



The DocumentRoot in the Collaboration VirtualHost File - i think it’s not a good idea.

My VirtualHost File -> eg. (/etc/apache2/site-available)
-> a2ensite (to link in /etc/apache2/site-enabled)

I used Letsencrypt

Did you enabled:
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl

and restarted the apache2 server?

sudo service apache2 restart
sudo systemctl restart apache2.service


Please post your string to start Docker. If you don’t find it -> type “history” in your terminal and copie - thx



<VirtualHost *:443>

	# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/
	SSLCertificateKeyFile /etc/letsencrypt/live/
	SSLCertificateChainFile /etc/letsencrypt/live/
	SSLProtocol             all -SSLv2 -SSLv3
	SSLHonorCipherOrder     on

	# Encoded slashes need to be allowed
	AllowEncodedSlashes On

	# Container uses a unique non-signed certificate
	SSLProxyEngine On
	SSLProxyVerify None
	SSLProxyCheckPeerCN Off
	SSLProxyCheckPeerName Off

	# keep the host
	ProxyPreserveHost On

	# static html, js, images, etc. served from loolwsd
	# loleaflet is the client part of LibreOffice Online
	ProxyPass           /loleaflet retry=0
	ProxyPassReverse    /loleaflet

	# WOPI discovery URL
	ProxyPass           /hosting/discovery retry=0
	ProxyPassReverse    /hosting/discovery

	# Main websocket
	ProxyPassMatch "/lool/(.*)/ws$" wss://$1/ws

	# Admin Console websocket
	ProxyPass   /lool/adminws wss://

	# Download as, Fullscreen presentation and Image upload operations
	ProxyPass           /lool
	ProxyPassReverse    /lool

Docker starts with:

docker run -t -d -p -e 'domain=cloud\\.DOMAIN\\.com' --restart always --cap-add MKNOD collabora/code

And I enabled all a2enmod services and restarted apache2 often.

Cant open collabora online


Thank you, for your answer. looks like the same.

I tried the config with the DocumentRoot /…/nextcloud/ - and it works too. But you have to add the domain to the docker start Syntax.

Reasen: I had reproduced your error :slight_smile:

Have you more than one domain for your Nextcloud installation? like and

I hope that can help

Sometimes unauthorised WOPI-Host


I found some other topic:

Link: Collabora Docker capabilities problem

Maybe that can help



Please try it again.
The tutorial has some differnt syntaxes like befor


I installed a new Ubuntu 16.04. LTS server. I try it again … and now I get: “permission denied”


Same here - I get a 403 when trying to open a file with the error “You don’t have permission to access /loleaflet/2.0.4/loleaflet.html on this server.”

Were you able to find a solution?



    <Location />
            Require all granted

in the Apache2 virtual host config file helped me. I also changed docker to utilize devicemapper as storage driver first, which did not help, but I also did not change it back.


How would the solution look for nginx? Thx!

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

proxy_buffering off;

# static files
location ^~ /loleaflet {
	proxy_pass https://localhost:8110;
	proxy_set_header Host $http_host;

# WOPI discovery URL
location ^~ /hosting/discovery {
	proxy_pass https://localhost:8110;
	proxy_set_header Host $http_host;

# main websocket
location ~ ^/lool/(.*)/ws$ {
   proxy_pass https://localhost:8110;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;

# download, presentation and image upload
location ~ ^/lool {
   proxy_pass https://localhost:8110;
   proxy_set_header Host $http_host;

# Admin Console websocket
location ^~ /lool/adminws {
   proxy_pass https://localhost:8110;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;