UPDATE:
So I have still not successfully blocked www access to my document server, but I have finally cracked the simple) code for securing working access to the editors, which is better than where I was.
On your onlyoffice document server, you have to edit this file:
/etc/onlyoffice/documentserver/default.json
And do a search for “secret” (and in this case, you DO NEED the quotes as otherwise you get several hits). This will take you to the “secret”: json section, where there are three passwords…all of which are called “secret”. These are the DEFAULT secret passwords needed to enable the editors to function. Change these three entries to a new, identical password. Then goto nextcloud–>settings–>basic-settings and click on the advanced options for the onlyoffice app. Just find the “secret” entry and change it to your password in the json config file (this time WITHOUT the quotes of course) , then click save. Now your document server is password protected.
If I ever figure out how to block access from anything but my nextcloud instance, I will update this thread. Right now, things are better than they were (anyone could have used my onlyoffice server, but now at least it’s password-protected).
Apologies for being so slow to figure this out. As old as I am, I am a newbie to running a server. 