Just got my setup working, using onlyoffice integrated in nextcloud. I notice however, that onlyoffice remains unsecured. Any other nextcloud/owncloud instance out there could use it.
What it the usual way to go to prevent this. I’d like that only users of my nextcloud setup can access onlyoffice.
I naively thought that nextcloud onlyoffice app integration would proxy my onlyoffice app, but nope, it gotta be publicly accessible. I did see another user trying to achieve the same, with partial success. Restricting Domain Access to OnlyOffice doc server from nextcloud only
You can try to configure your proxy, so it forwards the requests to the document server. Please find our example configs for nginx and apache under the links.
Another possibility is to make access to the document server public and enable JWT token to secure the connection. Please find more information about JWT in our API documentation. You can set your own secret token in /etc/onlyoffice/documentserver/default.json, after that you need to enter the same secret token to the appropriate field in the Advanced server settings in Nextcloud administrator section.
Thanks for the answer, I went with the JWT token