[easy-HOWTO] Collabora, Ubuntu 16.04 with Docker and selfsigned | wildcard certificates

As I’ve seen tons and tons of questions about collabora and people often getting confused, I’ve decided to write down a very easy setup for nextcloud/owncloud to run with collabora on the same server in a few simple steps.

  1. Add keyserver to your OS:
    apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

  2. Add repository & update repo:
    apt-add-repository 'deb https://apt.dockerproject.org/repo ubuntu-xenial main' && apt-get update

  3. Install docker & download collabora-container from repo:
    apt-get install -y docker-engine && service docker start && docker pull collabora/code

  4. Start docker with collabora:
    docker run -t -d -p -e 'domain=your\\.domain\\.ch' --restart always --cap-add MKNOD collabora/code

  5. Check if docker (with collabora) is running on the correct port:
    netstat -lntp

  6. Check all running docker-containers:
    docker ps

  7. Note the conainer-ID:
    ad934g496063... (just an example)

  8. Add your selfsigned or wildcard-certificate to the ca-bundle of ownCloud/Nextcloud:
    docker exec [containerID] cat /etc/loolwsd/ca-chain.cert.pem >> /var/www/html/nextcloud/resources/config/ca-bundle.crt

  9. Activate apache2-modules and restart the apache server:
    a2enmod proxy proxy_wstunnel proxy_http ssl && service apache2 restart

  10. add proxy-settings to your running apache-configuration (sites-enabled/owncloud.conf or nextcloud.conf) [maybe improvements needed?], add these lines right after at top of your SSL-settings (eq: <Virtualhost *.443):

AllowEncodedSlashes NoDecode
# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# keep the host
ProxyPreserveHost On
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet retry=0
ProxyPassReverse    /loleaflet
# WOPI discovery URL
ProxyPass           /hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery
# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://$1/ws nocanon
# Admin Console websocket
ProxyPass   /lool/adminws wss://
# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool
ProxyPassReverse    /lool

11 . Activate collabora-app and put the collabora-link to:

Hope this howto will help our mostly self-hosting administrators to work with :slight_smile:

(06.04.2017) Update - Adjusted the following settings to mach most recent collabora-image:
> Apache host-config: AllowEncodedSlashes NoDecode
> Apache host-config: ProxyPassMatch “/lool/(.*)/ws$” wss://$1/ws nocanon
> Collabora-APP URL: https://your.domain.ch

1 Like

That’s exactly what i tried, but unfortunately it does not work. I can’t open any office documents.

If you want to use the admin console, you should provide a username an password in the docker start command

Please see Collabora won't display any documents

Strange, it works pretty well on my side though…

I’ll check my how-to once again, probably ive missed to mention something which made it work flawlessly.

As I’ve read through the mentioned collabora-topic, is this anyhow related to that bug? https://github.com/owncloud/richdocuments/issues/140

@victorbw, i found it out by myself. My Apache config was a little bit too restrictive:

    `Header always set X-Frame-Options DENY`

After removing it, everything was fine :smile:

Anyway many thanks!

1 Like

thank you for participating your issue with me/us as well :slight_smile:

hope everybody enjoys that simple walkthrough then :blush:

1 Like


Thank you for this guide!

I followed it but when I want to open an office document, there is this message :
“localhost refused to connect”

How can I fix this?

Thank you for your help!

can you tell us a bit more about your environment?