How secure is Collabora Online DE?

Hello All,

So I have Collabora running on https://office.mydomain.com. I’m a little concerned with the security of this setup. It’s an application available to the internet with no login. To get my setup working (non-docker install; apt-get), I had to modify the configuration to allow the WOPI domain of cloud.mydomain.com. So theoretically Collabora is only accessible from a local network or cloud.mydomain.com.

This still gives me bad vibes: the discovery service is available, which means you can call URLs and pass it ‘stuff’. I assume the server won’t ‘let’ anything happen unless it’s from the correct domain/host/IP, etc… However, I don’t know enough of the Collabora API to validate this…

So base question: How secure is this? An open non-secured webapp available to the internet? Thx!

Well, I asked myself the same question today and unfortunately no one replied to you here.
My setup is a little bit different from what I have usually seen. I run Collabora Online on the same domain as my Nextcloud instance (same Apache virtualhost). The CODE itself runs inside a Docker container, and the Nextcloud on the host itself. I use self-signed certificates.

How did you get it working with self-signed certificates?

You can just add your own CA cert (used to self-sign) to Linux’s trusted CA certificate folder.

Am on OS X

It should not matter. Just find where OS X saves its trusted certificate list.

Very secure - check out e.g. “The Security Onion” slide here, for example: https://indico.cern.ch/event/663264/contributions/2819350/attachments/1592312/2520431/cs3-2018-collabora-online.pdf. Of course, adding extra layers such as VPNs around that can’t hurt too, but shouldn’t be necessary.