LibreOffice Online doesn't open - please wait circle forever -> is my workaround a solution or security flaw?

I’ve installed the latest LibreOffice Online version into a fresh Ubuntu 18.04 directly. I then configured two Apache proxies to route the traffic from the internet via the DMZ into the nextcloud/collabora server - which offers both services. As I have Let’s encrypt - I terminate SSL in the DMZ and route http.

Unfortunately it doesn’t work - “Please Wait” forever showing the circle turning nicely.

What next? I analysed the LOOLWSD-Log (I had to enable it) and discovered

wsd-24175-24177 2019-01-13 18:15:30.062096 [ prisoner_poll ] INF  Have 1 spare child after adding      [24182].| wsd/LOOLWSD.cpp:471
wsd-24175-24177 2019-01-13 18:15:30.062099 [ prisoner_poll ] TRC  Notifying NewChildrenCV| wsd/LOOLWSD.cpp:474
wsd-24175-24175 2019-01-13 18:15:30.062124 [ loolwsd ] TRC  Have 1 new children.| wsd/LOOLWSD.cpp:3172
wsd-24175-24175 2019-01-13 18:15:30.062139 [ loolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:3179
wsd-24175-24186 2019-01-13 18:15:46.286805 [ websrv_poll ] *RR  Requesting address is denied:| wsd/LOOLWSD.cpp:1997
wsd-24175-24186 2019-01-13 18:15:53.128984 [ websrv_poll ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:610
wsd-24175-24221 2019-01-13 18:15:53.780938 [ docbroker_001 ] ERR  No acceptable WOPI hosts found matching the target host [] in config.| wsd/Storage.cpp:250
wsd-kit-24222-24178 2019-01-13 18:15:53.889211 [ loolkit ] ERR  mknod(/opt/lool/child-roots/T7Shs0SPSFu3wAGW//dev/random) failed. (EPERM: Operation not permitted)| kit/Kit.cpp:2357
kit-24222-24178 2019-01-13 18:15:53.889279 [ loolkit ] ERR  mknod(/opt/lool/child-roots/T7Shs0SPSFu3wAGW//dev/urandom) failed. (EPERM: Operation not permitted)| kit/Kit.cpp:2364
kit-24182-24178 2019-01-13 18:15:54.782334 [ loolkit ] WRN  Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2202

With beeing the address of the user accessing (not the public IP of the server).

As it looks, the proxy somehow preserves the caller’s IP (which it normally doen’t) I set both up according to the instructions (Collaboraoffice Apache Reverse Proxy

I’ve found a workaround which I works but which I do not trust yet:

In /etc/loolwsd/loolwsd.xml I added in the storage Section

<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
      <host desc="Scheunentor" allow="true">.*</host>

Which opens the filter for all addresses and gets rid of the error message. Libre Office then works.

My question here: is it safe what I’m doing here? Would’t I open security wholes?

You probably should set it to the domain of your Nextcloud server instead of a wildcard. That is at least how you do it with the Docker container.

Thanks. I did so and it works.