Security Setting for Nextcloud Office

Hi there,

i have a question. Under the Settings: Nextcloud office (with the integratet Collabora Server) i get the following error Message:
“You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server.”

If have tried to add several IP Adresses in this list. But with no ip Adress the Documents are Loading. Only if i make it blank all Documents Loading. I tried my local Network: 192.168.0.0/24, localhost, 127.0.0.1. All dont work.

Can you tell me which i IP i should Enter here? Is it necessary to restrict the Access when the Port 9983 is not accessable over the Internet

Kind Regards
Andi

2 Likes

Hi, I have the same problem :frowning: If I use my public IP it works also - but with internal IPs not.
I hope someone can help us.

I don’t understand the Dokumentation.
https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html

Does it mean, default=empty, any ip on the internet is allowed to access any file in my nextcloud installation just by sending wopi requests to nextcloud?

what kind of CODE server are u usin ?

the build in CODE Server
in my case her does NOT need any entries in the WOPI seciton, you can ignore the
“error / informatin” message

seems like the same problem i got earlier →

keep me postet brNP

ok i switche to build in version
as Build in collabora server only runs on TLSv1.2 i use the first option, use my own server: https://office.mydomain.de
this domain leads to my nextcloud installation and there Collabora Online is running in the docker container.
nextcloud and office have the same public dynamic IP at home

snippet for apache2 revproxy to docker container
  <VirtualHost *:443>
    ServerName office.mydomain.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # SSL configuration, you may want to take the easy route instead and use Let's Encrypt!
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/office/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/office/key.pem

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of LibreOffice Online
    ProxyPass           /browser https://127.0.0.1:9980/browser retry=0
    ProxyPassReverse    /browser https://127.0.0.1:9980/browser

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /cool/adminws wss://127.0.0.1:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /cool https://127.0.0.1:9980/cool
    ProxyPassReverse    /cool https://127.0.0.1:9980/cool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
  </VirtualHost>
command to start Collabora Online in docker
docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://office.mydomain.de:443,https://office\\.mydomain\\.de:443" --restart always --name mycollabora collabora/code

That’s a good question.
I have Collabora office (docker; CODE) and NC running on the same server, but when I put in the public server IP, or 127.0.0.1, or localhost, office stops working (“document loading failed”).

For me it worked when I added the ip range of the Docker network: 172.17.0.1/16

ip a
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:0f:41:a6:54 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:fff:fe41:a654/64 scope link 
       valid_lft forever preferred_lft forever
2 Likes

Thanks a lot for the hint! Also in my case this works.

1 Like

This sadly didn’t work for me. Any other ideas?

It seems my public IP is used for the connection, though I have no idea why.