I feel like I have read every post regarding this and even tried using chatGPT but I have yet to figure this one out.
I am using Open Media Vault on my server and am using Docker container. I have duckdns, collabora, nextcloud, mysql, and swag containers. I have it all set up so I can use nextcloud office to view and edit documents. I get the following warning though,
You have not configured the allow-list for WOPI requests.
Without this setting users may download restricted files via WOPI requests to the Nextcloud server.
I have tried everything I can think of for iP’s in the allow list, but nothing has worked so far.
I have tried:
just using the IP for the collabora container
doing docker network inspect bridge (the network that the collabora container is using) and getting the subnet
docker inspect collabora (the container name) to get the subnet
inspect [docker container ID] | grep IPAddress
DNS lookup
So far none of the IP’s I have tried have worked. If it isn’t apparent from my post, I am new to this type of stuff. Any help to me, a newbie, would be much appreciated.
I had same issue, resolved by adding a big subnet of IP, because the network changes from time to time.
First lookup the IP range of your nextcloud containers, probably something like 172.20.0.2/16 (/16 goes from 172.20.0.0 till 172.20.255.255)
Then login as Nextcloud admin, go to Administration Settings.
Under Administration, click on Office. Not the one under Personal.
Scroll down to ‘Allow list for WOPI requests’ and add the range you found.
My list looks like this:
10.0.10.209,127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1
I had to add my docker host specifically, not sure why. I am using Traefik as proxy.
I hope this helps.
Edit: above allow list is indeed very big, and there are some few risks. See below.
Edit: removed typo, accidentally included on non-private address.
Edit: Yes, 10.0.10.209 is the IP of docker host.
your config is pretty huge and complicated. usually there is no harm to add rfc1918 addresses: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 as this addresses are not routeable in internet so attack vector remains internal. …but you still have some duplicates I would remove for the sake of clarity:
you definitely don’t need 127.0.0.1/8 as this translates to localhost which is never the case for communication between different docker containers
likely you don’t need 172.100.0.0/16
you should explain what is 10.0.10.209 - your Docker host IP? depending on the setup you might need it… but in your case this one is covered by 10.0.0.0/8 as well
If you want to concise wopi allowlist and and make both system talking to each other through internal Docker networks look at this post:
The approach shows you generic config it might differ if you have no reverseproxy in place.
Thank you both for your help! With your comments (and the help of chatGPT) I was able to narrow it down to a single IP. Apparently, I needed to give it the IP of my wifi router in order to work. I’m just glad it is working!
I’m using an nginx reverse proxy along with tailscale to forward ports for my nextcloud server. I added the public ip of my server and the various subnets of the docker containers and it didn’t work.
I had to specify the tailscale ips in order to get this to work.