Help! Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists

I feel like I have read every post regarding this and even tried using ChatGPT, but I have yet to figure this one out.
I am using Open Media Vault on my server and am using Docker containers. I have duckdns, collabora, nextcloud, mysql, and swag containers. I have it all set up so I can use Nextcloud Office to view and edit documents. I get the following warning, though:

You have not configured the allow-list for WOPI requests.
Without this setting users may download restricted files via WOPI requests to the Nextcloud server.

I have tried everything I can think of for IPs in the allow list, but nothing has worked so far.

I have tried:

  • just using the IP for the collabora container
  • doing docker network inspect bridge (the network that the collabora container is using) and getting the subnet
  • docker inspect collabora (the container name) to get the subnet
  • inspect [docker container ID] | grep IPAddress
  • DNS lookup

So far none of the IPs I have tried have worked. If it isn’t apparent from my post, I am new to this type of stuff. Any help to me, a newbie, would be much appreciated.

Take a look at this similar topic: WOPI endpoint security question. Usually the request to Nextcloud comes from the reverse proxy, and this is the IP you have to allow. You find more references in the Collabora integration guide.

I had the same issue, resolved by adding a big subnet of IPs, because the network changes from time to time.
First, look up the IP range of your Nextcloud containers, probably something like 172.20.0.2/16 (/16 goes from 172.20.0.0 to 172.20.255.255).
Then log in as Nextcloud admin and go to Administration Settings.
Under Administration, click on Office. Not the one under Personal.
Scroll down to ‘Allow list for WOPI requests’ and add the range you found.
My list looks like this:
10.0.10.209,127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1
I had to add my Docker host specifically, not sure why. I am using Traefik as proxy.

I hope this helps.

Edit: the above allow list is indeed very big, and there are a few risks. See below.
Edit: removed a typo; I had accidentally included a non-private address.
Edit: Yes, 10.0.10.209 is the IP of the Docker host.

Your config is pretty huge and complicated. Usually there is no harm in adding RFC 1918 addresses: 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8, as these addresses are not routable on the internet, so the attack vector remains internal. …but you still have some duplicates I would remove for the sake of clarity:

  • You definitely don’t need 127.0.0.1/8, as this translates to localhost, which is never the case for communication between different Docker containers.
  • Likely you don’t need 172.100.0.0/16.
  • You should explain what 10.0.10.209 is: your Docker host IP? Depending on the setup you might need it… but in your case this one is covered by 10.0.0.0/8 as well.

If you want a concise WOPI allowlist and want to make both systems talk to each other through internal Docker networks, look at this post:

The approach shows you a generic config; it might differ if you have no reverse proxy in place.
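
The two replies above describe a procedure (look up the container range, paste it into ‘Allow list for WOPI requests’) and then argue about which entries in the posted list are redundant. The following is an added example, not code from this thread, from Nextcloud or from the richdocuments app: it models the allow-list matching with Python's ipaddress module so a candidate list can be checked offline before it is pasted into Settings. Assumptions are labelled in the code: entries are matched as CIDR networks (so 127.0.0.1/8 is read as 127.0.0.0/8), an empty list is treated as allow-all because the first post shows it produces only a warning, and effective_remote_ip is a simplified model of config.php's trusted_proxies handling, included because the thread's recurring question is which address the check actually sees. The sample list is the one posted above; the names are this example's own.

```python
"""Model of the Nextcloud Office 'Allow list for WOPI requests' check.

Added example for this thread, not code from Nextcloud or the richdocuments
app: it reimplements the allow-list matching with Python's ipaddress module
so you can test a candidate list offline before pasting it into Settings.
"""
import ipaddress


def parse_allowlist(allowlist):
    """Split the comma-separated setting into (original_text, network) pairs.

    Entries may be single addresses or CIDR ranges, IPv4 or IPv6. A bare
    address becomes a /32 or /128. strict=False accepts entries with host
    bits set, such as 127.0.0.1/8 from the thread, and treats them as the
    enclosing network (127.0.0.0/8). Assumption: the real check also matches
    by network rather than by literal string.
    """
    items = []
    for entry in allowlist.split(","):
        text = entry.strip()
        if not text:
            continue  # tolerate trailing or doubled commas
        items.append((text, ipaddress.ip_network(text, strict=False)))
    return items


def ip_in_list(allowlist, ip_text):
    """True if ip_text falls inside any entry of the comma-separated list."""
    ip = ipaddress.ip_address(ip_text)
    return any(net.version == ip.version and ip in net
               for _, net in parse_allowlist(allowlist))


def wopi_allowlist_permits(allowlist, remote_ip):
    """Would a WOPI request seen as coming from remote_ip pass the check?

    Assumption: an empty list is 'not configured', which the first post
    shows only raises a warning, so it is modelled here as allow-all.
    A non-empty list blocks every address it does not contain.
    """
    if not parse_allowlist(allowlist):
        return True
    return ip_in_list(allowlist, remote_ip)


def redundant_entries(allowlist):
    """Entries already covered by another entry in the same list.

    Tidies a list like the one posted above: a host address that sits inside
    10.0.0.0/8 is covered, so listing it separately adds nothing. Exact
    duplicates are reported once (the later occurrence).
    """
    items = parse_allowlist(allowlist)
    redundant = []
    for i, (text_a, a) in enumerate(items):
        for j, (_, b) in enumerate(items):
            if i == j or a.version != b.version:
                continue
            duplicate = a == b and j < i
            if duplicate or (a != b and a.subnet_of(b)):
                redundant.append(text_a)
                break
    return redundant


def effective_remote_ip(peer_ip, forwarded_for, trusted_proxies):
    """Which address does the allow list actually see?

    Simplified model (an assumption for this example, not Nextcloud's code)
    of config.php's trusted_proxies handling: when the TCP peer (e.g. the
    reverse-proxy container) is a trusted proxy and sent X-Forwarded-For,
    the first valid address in that header is used; otherwise the peer
    address itself is checked. This is why the proxy's IP, or the address
    the proxy reports for Collabora, is the one that has to be allowed.
    """
    if forwarded_for and trusted_proxies and ip_in_list(trusted_proxies, peer_ip):
        for candidate in forwarded_for.split(","):
            candidate = candidate.strip()
            try:
                ipaddress.ip_address(candidate)
                return candidate
            except ValueError:
                continue  # skip junk such as 'unknown'
    return peer_ip


# Constructed sample: the list posted earlier in this thread.
POSTED_LIST = "10.0.10.209,127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1"

if __name__ == "__main__":
    print("redundant entries:", redundant_entries(POSTED_LIST))
    for ip in ("172.20.0.2", "100.64.0.5", "fd00::1"):
        print(ip, "permitted" if wopi_allowlist_permits(POSTED_LIST, ip) else "blocked")
    # The proxy container (172.20.0.3) forwards a request and reports Collabora's address.
    print("address checked:", effective_remote_ip("172.20.0.3", "172.20.0.5", "172.20.0.3"))
```

Running it prints that 10.0.10.209 is the only redundant entry in the posted list, that a Docker bridge address such as 172.20.0.2 is permitted while a Tailscale address such as 100.64.0.5 is blocked (the later post that had to add Tailscale IPs illustrates exactly this), and that with a trusted proxy the address checked is the one the proxy reports, not the proxy itself. The string you validate this way is the same comma-separated value the Office settings page stores, so once it passes here it can be pasted in unchanged.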

Thank you both for your help! With your comments (and the help of ChatGPT) I was able to narrow it down to a single IP. Apparently, I needed to give it the IP of my wifi router in order to work. I’m just glad it is working!

I’m using an nginx reverse proxy along with Tailscale to forward ports for my Nextcloud server. I added the public IP of my server and the various subnets of the Docker containers, and it didn’t work.

I had to specify the Tailscale IPs in order to get this to work.

I’ve also found it to work after I’ve specified my router’s public IP address. The problem is that it is dynamic and can change anyway. Is there any safe way to add this to my settings?

Also, is there any need to contact Collabora from the internet? Can’t it be reached directly from the Nextcloud container instead of reaching it from the internet?

The user’s browser is given the Collabora URL, so no, it needs to be reachable via the internet.