Traefik, Authentik, Nextcloud and Collabora Office

Support intro

Sorry to hear you’re facing problems. :slightly_frowning_face:

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can. :heart:

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.5
  • Operating system and version (e.g., Ubuntu 24.04):
    • Ubuntu 22.04
  • Web server and version (e.g., Apache 2.4.25):
    • Apache 2.4
  • Reverse proxy and version (e.g., nginx 1.27.2):
    • Traefik 3.3.4
  • PHP version (e.g., 8.3):
    • 8.3
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • When did this problem seem to first start?
    • When introducing Authentik
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.):
    • Docker Compose
  • Are you using Cloudflare, mod_security, or similar? (Yes / No):
    • No

Summary of the issue you are facing:

Cannot open document in Collabora Office after protecting Nextcloud with Authentik

Steps to replicate it (hint: details matter!):

  1. Put Nextcloud behind Authentik

  2. Click document in web UI

  3. Witness error

Log entries

Nextcloud

Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.

N/A

Web Browser

If the problem is related to the Web interface, open your browser inspector Console and Network tabs while refreshing (reloading) and reproducing the problem. Provide any relevant output/errors here that appear.

N/A

Web server / Reverse Proxy

The output of your Apache/nginx/system log in /var/log/____:

N/A

Configuration

Nextcloud

I have had Nextcloud and Collabora set up behind Traefik using Docker Compose for years. It works fine. But recently I had the idea of adding more security, and have set up Authentik as an MFA layer. I have put it in front of all my internet-facing apps, and I saved Nextcloud for last, as it seems the most complex.

I am running:
Nextcloud 32.0.5
Traefik 3.3.4
Collabora 25.04.7.3

My Nextcloud/Collabora stack before adding Authentik was this:

networks:
  nextcloud-network:
    external: true
  traefik-network:
    external: true

volumes:
  redis-data:
  traefik-certificates:
  nextcloud-html:

services:
  postgres:
    container_name: postgres
    image: ${NEXTCLOUD_POSTGRES_IMAGE_TAG}
    user: "1999:1999"
    volumes:
      - /mnt/nextcloud/db:/var/lib/postgresql/data
    environment:
      TZ: ${NEXTCLOUD_TIMEZONE}
      POSTGRES_DB: ${NEXTCLOUD_DB_NAME}
      POSTGRES_USER: ${NEXTCLOUD_DB_USER}
      POSTGRES_PASSWORD: ${NEXTCLOUD_DB_PASSWORD}
    networks:
      - nextcloud-network
    healthcheck:
      test: [ "CMD", "pg_isready", "-q", "-d", "${NEXTCLOUD_DB_NAME}", "-U", "${NEXTCLOUD_DB_USER}" ]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    restart: unless-stopped

  redis:
    environment:
      TZ: ${NEXTCLOUD_TIMEZONE}
    image: ${NEXTCLOUD_REDIS_IMAGE_TAG}
    container_name: redis
    command: ["redis-server", "--requirepass", "$NEXTCLOUD_REDIS_PASSWORD"]
    volumes:
      - redis-data:/data
    networks:
      - nextcloud-network
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 60s
    restart: unless-stopped

  nextcloud:
    image: ${NEXTCLOUD_IMAGE_TAG}
    container_name: nextcloud
    volumes:
      - nextcloud-html:/var/www/html
      - /mnt/nextcloud/data:/var/www/html/data
      - /mnt/nextcloud/config:/var/www/html/config
    environment:
      TZ: ${NEXTCLOUD_TIMEZONE}
      POSTGRES_HOST: postgres
      DB_PORT: 5432
      POSTGRES_DB: ${NEXTCLOUD_DB_NAME}
      POSTGRES_USER: ${NEXTCLOUD_DB_USER}
      POSTGRES_PASSWORD: ${NEXTCLOUD_DB_PASSWORD}
      REDIS_HOST: redis
      REDIS_HOST_PORT: 6379
      REDIS_HOST_PASSWORD: ${NEXTCLOUD_REDIS_PASSWORD}
      NEXTCLOUD_ADMIN_USER: ${NEXTCLOUD_ADMIN_USERNAME}
      NEXTCLOUD_ADMIN_PASSWORD: ${NEXTCLOUD_ADMIN_PASSWORD}
      NEXTCLOUD_TRUSTED_DOMAINS: ${NEXTCLOUD_HOSTNAME}
      APACHE_SERVER_NAME: ${NEXTCLOUD_HOSTNAME}

      # Allowing upload of files > 1GB (10GB limit)
      APACHE_BODY_LIMIT: 10737418240 # 5GB = 5368709120
      PHP_MEMORY_LIMIT: 2G
      PHP_UPLOAD_LIMIT: 10737418240

      TRUSTED_PROXIES: ${TRAEFIK_STATIC_IP}, ${COLLABORA_STATIC_IP}
      OVERWRITECLIURL: ${NEXTCLOUD_URL}
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: ${NEXTCLOUD_HOSTNAME}

    networks:
      - nextcloud-network
      - traefik-network
    extra_hosts:
      - "${COLLABORA_HOSTNAME}:${TRAEFIK_STATIC_IP}" # Traefik IP. Static since 20250904.
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:80/"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 90s

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-network"

      # Main Nextcloud router
      - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_HOSTNAME}`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.http.services.nextcloud.loadbalancer.passhostheader=true"
      - "traefik.http.routers.nextcloud.middlewares=dav-redirectregex,nextcloudHeader,compresstraefik"

      # Middleware: WebDAV well-known redirect (absolute URL version)
      - "traefik.http.middlewares.dav-redirectregex.redirectregex.regex=^https://(.*?)/.well-known/ca(l|rd)dav"
      - "traefik.http.middlewares.dav-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"
      - "traefik.http.middlewares.dav-redirectregex.redirectregex.permanent=true"

      # Middleware: Compression
      - "traefik.http.middlewares.compresstraefik.compress=true"

      # Middleware: HSTS + Forwarded headers
      - "traefik.http.middlewares.nextcloudHeader.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloudHeader.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloudHeader.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloudHeader.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Ssl=on"
      - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Host=${NEXTCLOUD_HOSTNAME}"

    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy

  nextcloud-collabora:
    image: collabora/code:latest
    container_name: collabora
    privileged: true # enabling bind mounts, loading documents faster
    restart: unless-stopped
    ports:
      - 127.0.0.1:9980:9980
    expose:
      - "9980"
    #extra_hosts:
    #  - "cloud.berglind.eu:172.25.0.10"
    environment:
      # should work as "domain=cloud1.nextcloud.com|cloud2.nextcloud.com"
      - TZ=${NEXTCLOUD_TIMEZONE}
      - domain=${COLLABORA_DOMAIN}
      - aliasgroup1=${NEXTCLOUD_URL}
      - 'dictionaries=en_US,se_SE'

      - username=${COLLABORA_USERNAME}
      - password=${COLLABORA_PASSWORD}
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"

    networks:
      - nextcloud-network
      - traefik-network
    cap_add:
      - MKNOD
      - SYS_ADMIN
      - CHOWN
      - FOWNER
      - FSETID
      - SETGID
      - SETUID
      - DAC_OVERRIDE
    security_opt:
      - seccomp=unconfined
    tty: true

    labels:
      - "traefik.enable=true"

      # ===== Collabora main router =====
      - "traefik.http.routers.collabora.rule=Host(`office.berglind.eu`)"
      - "traefik.http.routers.collabora.entrypoints=websecure"
      - "traefik.http.routers.collabora.tls=true"
      - "traefik.http.routers.collabora.tls.certresolver=letsencrypt"

      # ===== Service =====
      - "traefik.http.services.collabora-service.loadbalancer.server.port=9980"

      # ===== Docker network =====
      - "traefik.docker.network=traefik-network"

And it worked fine. In adding Authentik, I replaced my Nextcloud labels with these:

# ==========================
# NEXTCLOUD WEB UI (AUTHENTIK)
# ==========================
  - "traefik.http.routers.nextcloud.priority=10"
  - "traefik.http.routers.nextcloud.rule=Host(`${NEXTCLOUD_HOSTNAME}`)"
  - "traefik.http.routers.nextcloud.entrypoints=websecure"
  - "traefik.http.routers.nextcloud.tls=true"
  - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
  - "traefik.http.routers.nextcloud.middlewares=nextcloud-auth,dav-redirectregex,nextcloudHeader,compresstraefik"
  - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
  - "traefik.http.services.nextcloud.loadbalancer.passhostheader=true"

# ==========================
# AUTHENTIK FORWARD AUTH
# ==========================
  - "traefik.http.middlewares.nextcloud-auth.forwardauth.address=http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
  - "traefik.http.middlewares.nextcloud-auth.forwardauth.trustForwardHeader=true"

# Middleware: WebDAV well-known redirect (absolute URL version)
  - "traefik.http.middlewares.dav-redirectregex.redirectregex.regex=^https://(.*?)/.well-known/ca(l|rd)dav"
  - "traefik.http.middlewares.dav-redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav/"
  - "traefik.http.middlewares.dav-redirectregex.redirectregex.permanent=true"

# Middleware: Compression
  - "traefik.http.middlewares.compresstraefik.compress=true"

# Middleware: HSTS + Forwarded headers
  - "traefik.http.middlewares.nextcloudHeader.headers.stsSeconds=15552000"
  - "traefik.http.middlewares.nextcloudHeader.headers.stsIncludeSubdomains=true"
  - "traefik.http.middlewares.nextcloudHeader.headers.stsPreload=true"
  - "traefik.http.middlewares.nextcloudHeader.headers.forceSTSHeader=true"
  - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Proto=https"
  - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Ssl=on"
  - "traefik.http.middlewares.nextcloudHeader.headers.customrequestheaders.X-Forwarded-Host=${NEXTCLOUD_HOSTNAME}"

And I set up Nextcloud as an app with a Proxy Provider in Authentik. This also works great, as long as I only use Nextcloud. But I cannot get Collabora to work. In the Nextcloud UI, it connects to Collabora on https://office.berglind.eu

In a browser:
https://office.berglind.eu - OK
https://office.berglind.eu/hosting/discovery - XML page
https://office.berglind.eu/browser/dist/admin/admin.html - Collabora admin page

I have been trying for days now, googled, searched forums, and lots of ChatGPT. But I am getting nowhere.

Now I have rolled back Collabora to what it was before trying with Authentik.
The message in the browser when clicking a doc in Nextcloud web is this:

Document loading failed

Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator.

Not sure if I should put Collabora behind Authentik or not, but it doesn't matter. Whatever is best practice and/or easiest to achieve. I just want it to work.
Does anyone have, or know of, a working setup for this?
Not sure I am in the right place, please let me know if I should turn elsewhere.

N/A

Apps

The output of occ app:list (if possible).

Tips for increasing the likelihood of a response

  • Use the preformatted text formatting option in the editor for all log entries and configuration output.
  • If screenshots are useful, feel free to include them.
    • If possible, also include key error output in text form so it can be searched for.
  • Try to edit log output only minimally (if at all) so that it can be ran through analyzers / formatters by those trying to help you.

This happens because your proxy auth forwards requests from CODE to Authentik, which breaks the WOPI integration. Please review the Collabora integration guide and pay attention to the “communication triangle”.

I would not recommend proxy auth for NC (or at least you need extra work to bypass CODE requests). Authentik and NC both support OpenID Connect, which is intended for external IdP integration.
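The "extra work to bypass CODE requests" mentioned above, as an added illustration and not the poster's or the project's own configuration: a second Traefik router on the Nextcloud container that matches only the WOPI callback path, wins on priority, and carries no forward-auth middleware, so Collabora's leg of the triangle reaches Nextcloud directly while browser traffic still goes through Authentik. The WOPI path prefixes and the router and middleware names are assumptions; `${COLLABORA_STATIC_IP}` is the value the poster already passes in TRUSTED_PROXIES and must be the source address Traefik actually sees on Collabora's requests (it is, when Collabora reaches Traefik over the Docker network rather than via public DNS).

```yaml
# Added to the nextcloud service's labels, next to the existing
# "nextcloud" router that carries the nextcloud-auth forwardauth middleware.

# Assumed paths: Collabora (CODE) calls back into Nextcloud here for
# CheckFileInfo / GetFile / PutFile; both pretty and index.php forms covered.
  - "traefik.http.routers.nextcloud-wopi.rule=Host(`${NEXTCLOUD_HOSTNAME}`) && (PathPrefix(`/index.php/apps/richdocuments/wopi/`) || PathPrefix(`/apps/richdocuments/wopi/`))"
# Higher than the main router's priority=10, so WOPI requests never hit the
# forwardauth middleware and never get redirected to the Authentik login page.
  - "traefik.http.routers.nextcloud-wopi.priority=20"
  - "traefik.http.routers.nextcloud-wopi.entrypoints=websecure"
  - "traefik.http.routers.nextcloud-wopi.tls=true"
  - "traefik.http.routers.nextcloud-wopi.tls.certresolver=letsencrypt"
# Reuse the existing service definition (port 80 on the nextcloud container).
  - "traefik.http.routers.nextcloud-wopi.service=nextcloud"
# No nextcloud-auth here: only the source allowlist and the forwarded headers.
  - "traefik.http.routers.nextcloud-wopi.middlewares=wopi-allowlist,nextcloudHeader"

# Assumed middleware name. Restricts the unauthenticated WOPI path to the
# Collabora container's address; everything else still gets the 403 from Traefik.
  - "traefik.http.middlewares.wopi-allowlist.ipallowlist.sourcerange=${COLLABORA_STATIC_IP}/32"
```

Nextcloud's WOPI endpoint still checks its own per-session access_token on every call, so this router does not expose documents without one; the allowlist only narrows who can reach that path at all.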

Thank you. I will look into this as soon as I can spare the time. It might take me a little while, but I will be back with results.