Nextcloud office, You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server

Nextcloud 28.0.4
runs in a VM in Proxmox.
SSL is configured on Nextcloud’s VM using a *.$domain cert.
Nextcloud VM’s hostname is nextcloud-host.$mydomain
There is an additional VM with Nginx Proxy Manager (it does SSL termination and routing to different hosts for all my VMs) which just proxies requests to nextcloud-host via HTTP (no sense in HTTPS between 2 VMs).
$mydomain is hosted on Cloudflare, which forwards outside requests to Nginx Proxy Manager.
There is no Docker.
Both VMs use the 192.168.88.0/24 range. Clients are also here.
Collabora with built-in CODE works but says: “You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server.”
If I try to configure it with 192.168.88.0/24, I can’t edit documents via the mobile app, either from the internal network or via a cellular connection. It just gets stuck opening.
How to fix this?
What are the risks of NOT fixing it? Will non-authenticated users from the internet be able to access documents? Will authenticated Nextcloud users who don’t have access to this document be able to access it?

Please consult the Collabora integration guide for the mechanics and references of the WOPI protocol.

I would say nothing bad happens, as the WOPI server requires a “token” to access files stored in Nextcloud.

Creating a WOPI access list means limiting WOPI access to specific machines. In the case of a reverse proxy it would be this IP… but Cloudflare in front of the installation makes the WOPI allow-list useless: Cloudflare IPs are almost half of the internet…

You could set up local split-brain DNS and make your WOPI server and Nextcloud talk internally. Depending on the setup it might be hard (it requires an internal reverse proxy with TLS termination, but you have it in place :handshake:). Look at this post, the solution is similar: you just need to send both URLs to your local NPM…

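An added example, not part of the thread or of Nextcloud's code: before setting the allow-list, check which source addresses WOPI requests actually arrive from, and whether a proposed list covers them. The log lines are constructed, and the WOPI path prefix and the combined log format are assumptions; the address the web server logs can differ from the one Nextcloud evaluates when forwarded headers are trusted.

```python
import ipaddress
import re

# Assumption: WOPI callbacks hit a path containing this prefix (richdocuments app).
WOPI_PATH = "/apps/richdocuments/wopi/"

# Combined-log-format prefix: client address, then the quoted request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Constructed sample lines; addresses are from private and documentation ranges.
SAMPLE_LOG = """\
192.168.88.10 - - [01/Apr/2024:10:00:01 +0000] "GET /index.php/apps/richdocuments/wopi/files/42_abc?access_token=REDACTED HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2024:10:00:05 +0000] "GET /index.php/apps/richdocuments/wopi/files/42_abc/contents?access_token=REDACTED HTTP/1.1" 200 20480
192.168.88.55 - - [01/Apr/2024:10:00:09 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9000
not a log line
"""

def wopi_sources(log_text):
    """Return the set of client addresses that made WOPI requests."""
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or WOPI_PATH not in m.group("path"):
            continue
        try:
            sources.add(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # first field was a hostname or garbage
    return sources

def audit_allowlist(allowlist, log_text):
    """Map each observed WOPI source address to True if the allow-list covers it."""
    nets = [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in allowlist.split(",") if entry.strip()]
    return {str(ip): any(ip in net for net in nets)
            for ip in sorted(wopi_sources(log_text), key=str)}

if __name__ == "__main__":
    for ip, ok in audit_allowlist("192.168.88.0/24", SAMPLE_LOG).items():
        print(f"{ip:15} {'allowed' if ok else 'WOULD BE BLOCKED'}")
```

Any address reported as blocked is a WOPI caller the proposed list would cut off, which is the symptom of documents hanging on open.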

So there is access control anyway. Thanks.
