So I have made great progress: I have onlyoffice running in an LXC container, fully https accessible and everything works brilliantly from nextcloud. I use haproxy at the front of my LAN as I have a nextcloud, WordPress and now an onlyoffice documents server - all on different LAN Ip’s. haproxy directs traffic well. So far, so good.
What I think I need to do though is restrict access to the onlydocument server so that only requests from my nextcloud instance (cloud.mydomain.com) are accepted by onlyoffice, otherwise anyone can connect to it and edit documents to their hearts content - which would waste my resource but also expose a potential security issue. As it is, anyone can access my document servr via a web portal at onlyoffice.mydomain.com - and I just know that’s not good.
Does anyone know how I can restrict access to my documents server to be exclusively from my cloud.mydomain.com instance?