I have multiple nextcloud servers, f.e. cloud1.mysrv.com, cloud2.mysrv.com and build-in CODE server on cloud1.mysrv.com. And now i recognized that i can connect from cloud2.mysrv.com to https://cloud1.mysrv.com/apps/richdocumentscode/proxy.php?req= without any restrictions. I don’t want let the whole Internet to use my code server, so what can i do to avoid this?
I have no idea about built-in CODE server but standard Collabora installation has built-in settings to define which WOPI host is allowed to use the specific Collabora instance (source). I would have expected this hardening is applied to integrated CODE server by default…
<storage desc="Backend storage">
<filesystem allow="false" />
<wopi desc="Allow/deny wopi storage." allow="true">
<host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
<max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
<locking desc="Locking settings">
<refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
</locking>
</wopi>