WOPI access denied when running NextCloud AIO and Collabora (CODE)

gvancuts · September 17, 2025, 2:01pm

Support intro

Sorry to hear you’re facing problems.

The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.

If you’re using Nextcloud in a business/critical setting, paid and SLA-based support services can be accessed via portal.nextcloud.com where Nextcloud engineers can help ensure your business keeps running smoothly.

Getting help

In order to help you as efficiently (and quickly!) as possible, please fill in as much of the below requested information as you can.

Before clicking submit: Please check if your query is already addressed via the following resources:

most of office issues are handled in Collabora integration guide
Official documentation (searchable and regularly updated)
How to topics and FAQs
Forum search

(Utilizing these existing resources is typically faster. It also helps reduce the load on our generous volunteers while elevating the signal to noise ratio of the forums otherwise arising from the same queries being posted repeatedly).

Hello there,

I’m running NextCloud AIO on my Synology NAS. I’ve also enabled the Collabora CODE container for NextCloud Office. I have a problem whereby my service provider regularly changes my IP address, and as soon as that happens, all WOPI access requests are denied.

I know I could set that setting to null (or 0.0.0.0/0) but I’d rather have something more secure than that. I have tried to set it to the URL of my NextCloud instance (e.g. cloud.mydomain.com) but it does not appear that such URL is translated into an IP address to check if a connection is allowed. I’ve tried to change the wopi_allowlist both from the WebUI and using the occ command but it (quite as expected) does not make a difference.

As soon as I update the IP address in that field to my new IP address, things work again… until the next change.

Is it possible to specify the list of connections allowed using FQDN instead of an IP (or IP range)?

If not, what are my options (besides opening up to the entire world by leaving it blank)?

One thought I had was to change the X-Real-IP setting of my reverse proxy so that such WOPI requests would always have the proxy’s IP address as the source… I have not tried that and I’m wondering if I should expect other problematic side-effect if I do it?

Thanks!|
Geoffroy

wwe · September 17, 2025, 8:10pm

WOPI allow list restricts requests on the network layer - it’s low level like a firewall - only IP addresses are accepted there, no content awareness…

and just to be clear - it is not “insecure” to leave it open - every access is secured by dynamic token which changes all the time - chances are extremely low somebody could brute-force this token in a short timeframe it is valid.. on the other side if an attacker is in position to steal the token from the client or application - allowlist would not protect against such attack.

what you can do is implement 101: Split-Brain DNS (split-horizon) so WOPI requests remain internal and you could lmit wopi_allowlist to internal network range the idea was deeply discussed in Local access for Collabora with different possible solutions.

asavageiv · September 18, 2025, 5:24am

Configure WOPI requests to remain within the Docker network by asavageiv · Pull Request #6676 · nextcloud/all-in-one · GitHub was accepted that keeps the WOPI requests local and works with the allow list without split-dns. If your reverse proxy is remote you should see significantly improved performance. If you’re running split-dns with Nextcloud AIO because of this, you might want to try the 11.8.0 beta!

gvancuts · September 18, 2025, 8:37pm

Thanks for the insights! And nice to hear that using null does not make the whole installation insecure.

gvancuts · September 18, 2025, 8:44pm

Ah, very nice!!

In my digging, I came across this parameter that is already used for the Collabora container (aliasgroup1=https://%NC_DOMAIN%:443). When I read its description, it made me believe that it should do the trick, and I’m not yet sure how that setting relates to the wopi_allowlist…

I’ve seen that the new release with your patch is out, I will upgrade my set-up at once!

wwe · September 18, 2025, 8:58pm

this is one side

and this is the other (Nextcloud)

gvancuts · September 18, 2025, 9:11pm

Thanks for the clarification!

gvancuts · September 19, 2025, 7:21am

As a quick follow-up to this thread, the new version works like a charm

My public IP address changed overnight but the WOPI requests are still working, although my wopi_allowlist was still populated (automatically) with the previous list of IP addresses (IPv4 and IPv6). Now, does this latest change make the wopi_allowlist obsolete, or if not obsolete, shouldn’t be populated only with the local IP address? It’s a minor risk from what I understand but now I’ll have an IP address in my wopi_allowlist that is not anymore mine and possibly attributed to some other connection from the same service provider.

Thanks again for the great work you’re doing (and your responsiveness)!