How to properly configure OnlyOffice behind Nextcloud without exposing it to Internet

Hello everyone,

I am trying to implement a secure architecture where:

• Nextcloud is publicly accessible via HTTPS

• OnlyOffice Document Server is internal only (LAN/VPN) and also uses HTTPS

• OnlyOffice is not exposed directly to the Internet

• Apache (httpd on Rocky Linux) is used as a reverse proxy inside the Nextcloud VirtualHost to route
  /onlyoffice/ → internal OnlyOffice server

Current behavior

• Everything works perfectly in LAN or via VPN.

• When accessing Nextcloud from the Internet, documents do not open in OnlyOffice.

• The goal is to allow external users to edit documents while keeping OnlyOffice fully internal and secure.

Setup details

• OS: Rocky Linux

• Web server: Apache httpd

• Nextcloud: HTTPS public domain

• OnlyOffice: HTTPS internal domain

• Reverse proxy configured in the same Nextcloud VirtualHost with:

  • ProxyPass /onlyoffice/ https://onlyoffice.internal/

  • WebSocket proxy (mod_proxy_wstunnel)

  • SSL proxy enabled

What I would like to confirm

1. Is it technically possible to keep OnlyOffice completely internal and still allow external editing through Nextcloud only?

2. Are there specific Apache reverse-proxy rules or headers required for OnlyOffice WebSocket and callback communication?

3. Does OnlyOffice require direct browser access in all cases, or can full proxying through Nextcloud work reliably?

Any guidance, working configuration examples, or architectural recommendations would be greatly appreciated.

Thank you in advance for your help.

I’m afraid what you want won’t be possible, as the user’s browser must be able to reach the OnlyOffice Document Server directly. If OnlyOffice is completely internal and not exposed (directly or via a reverse proxy), external users simply can’t load the editor or establish the necessary WebSocket connections.

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.