Security Setting for Nextcloud Office

Hi there,

i have a question. Under the Settings: Nextcloud office (with the integratet Collabora Server) i get the following error Message:
“You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server.”

If have tried to add several IP Adresses in this list. But with no ip Adress the Documents are Loading. Only if i make it blank all Documents Loading. I tried my local Network:, localhost, All dont work.

Can you tell me which i IP i should Enter here? Is it necessary to restrict the Access when the Port 9983 is not accessable over the Internet

Kind Regards


Hi, I have the same problem :frowning: If I use my public IP it works also - but with internal IPs not.
I hope someone can help us.

I don’t understand the Dokumentation.

Does it mean, default=empty, any ip on the internet is allowed to access any file in my nextcloud installation just by sending wopi requests to nextcloud?

what kind of CODE server are u usin ?

the build in CODE Server
in my case her does NOT need any entries in the WOPI seciton, you can ignore the
“error / informatin” message

seems like the same problem i got earlier →

keep me postet brNP

ok i switche to build in version
as Build in collabora server only runs on TLSv1.2 i use the first option, use my own server:
this domain leads to my nextcloud installation and there Collabora Online is running in the docker container.
nextcloud and office have the same public dynamic IP at home

snippet for apache2 revproxy to docker container
  <VirtualHost *:443>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # SSL configuration, you may want to take the easy route instead and use Let's Encrypt!
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/office/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/office/key.pem

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of LibreOffice Online
    ProxyPass           /browser retry=0
    ProxyPassReverse    /browser

    # WOPI discovery URL
    ProxyPass           /hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" wss://$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /cool/adminws wss://

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /cool
    ProxyPassReverse    /cool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities
command to start Collabora Online in docker
docker run -t -d -p -e "aliasgroup1=,https://office\\.mydomain\\.de:443" --restart always --name mycollabora collabora/code

That’s a good question.
I have Collabora office (docker; CODE) and NC running on the same server, but when I put in the public server IP, or, or localhost, office stops working (“document loading failed”).

1 Like

For me it worked when I added the ip range of the Docker network:

ip a
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:0f:41:a6:54 brd ff:ff:ff:ff:ff:ff
    inet brd scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:fff:fe41:a654/64 scope link 
       valid_lft forever preferred_lft forever

Thanks a lot for the hint! Also in my case this works.

1 Like

This sadly didn’t work for me. Any other ideas?

It seems my public IP is used for the connection, though I have no idea why.

Helpful cross-links:

For me it worked adding the Docker network range to the allowed list. However, as @ies asked, I do not fully understand the impact of not setting the allowed list. What is the exact problem? Was anyone able to access files without authorization while it was not set? May files be compromised? What exactly is the warning about?

This is a very important topic. Please someone help to clarify the facts:

  • why is the public IP address used for WOPI requests of the Built In Code server instead of localhost?
  • what happens if you keep the WOPI allow list empty? Has anyone access to the files without authentication?

It’s even worse for instances hosted on the internet - documents won’t open unless the WOPI list is empty, since the client browser needs to have access.
So, what is the point of the list if it needs to be empty anyway?

And, as has been asked, what are the security implications?

1 Like