Problems using Collabora with Nextcloud AIO, possibly because of self-signed certificate?

Hi,

maybe there is a short ‘no’ answer, so as a TL;DR (more details about my setup below):

Is it possible to use Nextcloud AIO Collabora when Nextcloud is running behind a reverse proxy with a self-signed certificate? Is it e.g. possible to configure Collabora to either trust self-signed certificates, or to add one to its trusted list?

More details about my setup:

  • I’m running Nextcloud AIO via docker on my raspberry pi

  • On the Raspberry I have a “native” (via package manager) installation of Nginx which is my reverse proxy for Nextcloud; it does SSL termination with a self-signed certificate.

  • (This is because my Nextcloud isn’t public on the internet, so I can’t use letsencrypt or something similar. I’m using a certificate anyway so my clients don’t get any warnings when trying to open Nextcloud, all my clients have my personal root CA in their trust store)

  • I have a Pihole which is configured as DNS server and will serve the raspberry IP when asked for nextcloud.home.arpa

With that, Nextcloud itself seems to be working fine; however, I can’t open documents via Collabora. When I try to open a document I see the following error message in the web interface:

"Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. For more info on proxy configuration please checkout https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html"

I can’t remember where it was, but somewhere in the Nextcloud help articles I read that I should test if Collabora can reach Nextcloud, so I tested this with:

  • sudo docker exec -it nextcloud-aio-collabora /bin/sh

  • curl -v https://nextcloud.home.arpa/login

And the result is:

$ curl -v https://nextcloud.home.arpa/login
* Host nextcloud.home.arpa:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.178.11
*   Trying 192.168.178.11:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

Since I don’t want to make my Nextcloud public on the internet and configure letsencrypt to get a valid certificate, I’m wondering if there is a way to configure Collabora to either trust any certificate (shouldn’t be a problem since it’s only in my local network), or to add my own root CA to its trust store? (Hoping that this is the real issue here.)

Thank you for reading and any suggestions! :slight_smile:

Some more info in case it is needed:

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.6
  • Operating system and version (e.g., Ubuntu 24.04):
    • Raspberry OS Trixie
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • Nginx 1.26.3
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.):
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Dockerfile

services:
  nextcloud-aio-mastercontainer:
    image: ghcr.io/nextcloud-releases/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    network_mode: bridge 
    ports:
      - 8080:8080
    environment:
      AIO_DISABLE_BACKUP_SECTION: false
      COLLABORA_ADDITIONAL_PARAMS: --o:ssl.enable=false
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 127.0.0.1
      COLLABORA_SECCOMP_DISABLED: true
      NEXTCLOUD_DATADIR: /opt/nextcloud-data
      NEXTCLOUD_UPLOAD_LIMIT: 100G
      SKIP_DOMAIN_VALIDATION: true
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

Nginx config:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;

    if ($scheme = "http") {
        return 301 https://$host$request_uri;
    }
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }

    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on; # requires nginx 1.25.1+

    proxy_buffering off;
    proxy_request_buffering off;

    client_max_body_size 0;
    client_body_buffer_size 512k;
    proxy_read_timeout 86400s;

    server_name nextcloud.home.arpa;
    location / {
        proxy_pass http://127.0.0.1:11000$request_uri;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header Early-Data $ssl_early_data;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/ssl/certs/nextcloud.home.arpa.crt;
    ssl_certificate_key /etc/ssl/private/nextcloud.home.arpa.key;

    ssl_dhparam /etc/dhparam;

    ssl_early_data on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve x25519:x448:secp521r1:secp384r1:secp256r1;

    ssl_prefer_server_ciphers on;
    ssl_conf_command Options PrioritizeChaCha;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
}
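The curl test above only shows that the trust store inside the container does not know the proxy's issuer. The following added check (not from the original post, nor Nextcloud/Collabora code) makes that diagnosis explicit: it connects to the proxy, verifies the chain against either the platform trust store or a caller-supplied root CA file, and separates "issuer not trusted" from "certificate is for another name" and from plain reachability problems. Run it from any LAN host that resolves nextcloud.home.arpa; the CA path is a placeholder.

```python
"""Classify why TLS verification of a reverse proxy succeeds or fails.

Added example: checks HOST:PORT against the system trust store (cafile=None,
what curl used in the container) or against a personal root CA file.
"""
import socket
import ssl

# OpenSSL X509 verify-result codes (ssl.SSLCertVerificationError.verify_code)
UNTRUSTED_CA_CODES = {18, 19, 20, 21}   # self-signed / issuer not found locally
HOSTNAME_MISMATCH_CODE = 62


def classify_verify_code(code):
    """Map an OpenSSL verify-result code to a short diagnosis string."""
    if code in UNTRUSTED_CA_CODES:
        return "untrusted_ca"
    if code == HOSTNAME_MISMATCH_CODE:
        return "hostname_mismatch"
    return "verify_failed"


def check_tls(host, port=443, cafile=None, timeout=5.0):
    """Return (status, detail); status is one of ok, untrusted_ca,
    hostname_mismatch, verify_failed, tls_error, resolve_error, connect_error."""
    ctx = ssl.create_default_context(cafile=cafile)   # full verification stays on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return "ok", f"{tls.version()} to CN={subject.get('commonName', '?')}"
    except ssl.SSLCertVerificationError as e:      # chain or name did not verify
        return classify_verify_code(e.verify_code), e.verify_message
    except ssl.SSLError as e:                       # handshake failed for another reason
        return "tls_error", str(e)
    except socket.gaierror as e:                    # DNS (e.g. Pi-hole) did not resolve
        return "resolve_error", str(e)
    except OSError as e:                            # refused, timed out, unreachable
        return "connect_error", str(e)


if __name__ == "__main__":
    # Host name from the post; the CA file path is a placeholder to replace.
    print(check_tls("nextcloud.home.arpa"))
    print(check_tls("nextcloud.home.arpa", cafile="/path/to/my-root-ca.pem"))
```

If the first call reports untrusted_ca and the second reports ok, the missing trust anchor is the only problem; hostname_mismatch means the certificate was issued for a different name than the one the clients use.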

Hey @bender10 welcome to the nextcloud community :waving_hand:

yip… “no” is correct


Ah damnit, rtfm. :face_with_peeking_eye:

Thanks a lot for your fast response and that local-instance guide! I’ll check that and adjust my setup.