The community help forum (help.nextcloud.com) is for home and non-enterprise users. Support is provided by other community members on a best effort / “as available” basis. All of those responding are volunteering their time to help you.
Hello there,
I’m running NextCloud AIO on my Synology NAS. I’ve also enabled the Collabora CODE container for NextCloud Office. I have a problem whereby my service provider regularly changes my IP address, and as soon as that happens, all WOPI access requests are denied.
I know I could set that setting to null (or 0.0.0.0/0) but I’d rather have something more secure than that. I have tried to set it to the URL of my NextCloud instance (e.g. cloud.mydomain.com) but it does not appear that such a URL is translated into an IP address to check whether a connection is allowed. I’ve tried to change the wopi_allowlist both from the WebUI and using the occ command, but it (quite as expected) does not make a difference.
As soon as I update the IP address in that field to my new IP address, things work again… until the next change.
Is it possible to specify the list of connections allowed using FQDN instead of an IP (or IP range)?
If not, what are my options (besides opening up to the entire world by leaving it blank)?
One thought I had was to change the X-Real-IP setting of my reverse proxy so that such WOPI requests would always have the proxy’s IP address as the source… I have not tried that, and I’m wondering whether I should expect other problematic side effects if I do it?
The WOPI allow list restricts requests at the network layer - it’s low level, like a firewall - only IP addresses are accepted there, no content awareness…
And just to be clear - it is not “insecure” to leave it open - every access is secured by a dynamic token which changes all the time - the chances are extremely low that somebody could brute-force this token in the short timeframe it is valid. On the other side, if an attacker is in a position to steal the token from the client or application, the allowlist would not protect against such an attack.
In my digging, I came across this parameter that is already used for the Collabora container (aliasgroup1=https://%NC_DOMAIN%:443). When I read its description, it made me believe that it should do the trick, and I’m not yet sure how that setting relates to the wopi_allowlist…
I’ve seen that the new release with your patch is out, I will upgrade my set-up at once!
As a quick follow-up to this thread, the new version works like a charm.
My public IP address changed overnight but the WOPI requests are still working, although my wopi_allowlist was still populated (automatically) with the previous list of IP addresses (IPv4 and IPv6). Now, does this latest change make the wopi_allowlist obsolete, or if not obsolete, shouldn’t it be populated only with the local IP address? It’s a minor risk from what I understand, but now I’ll have an IP address in my wopi_allowlist that is no longer mine and possibly attributed to some other connection from the same service provider.
Thanks again for the great work you’re doing (and your responsiveness)!
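One way to keep the allowlist IP-based (as the reply above explains it must be) while still following a changing address, and to avoid the stale-entry situation described in the follow-up, is to resolve the instance's FQDN on a schedule and replace the stored list whenever it differs. This is an added example, not code from this thread or from Nextcloud AIO; it assumes the app id richdocuments with the config key wopi_allowlist, a hypothetical host name cloud.example.com, and the AIO container name nextcloud-aio-nextcloud for reaching occ.

```shell
#!/bin/sh
# Added example (not from the thread or from Nextcloud AIO): keep the
# Nextcloud Office wopi_allowlist in sync with the current addresses of the
# instance's FQDN instead of leaving the list empty.
# Assumptions: app id "richdocuments", key "wopi_allowlist", and occ reached
# through the AIO container "nextcloud-aio-nextcloud".
NC_FQDN="${NC_FQDN:-cloud.example.com}"   # hypothetical host name
EXTRA_ALLOW="${EXTRA_ALLOW:-}"            # optional static entries, e.g. a local CIDR

# Resolve every A/AAAA record of a host name (getent needs no extra tools).
resolve_fqdn() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Build the comma-separated allowlist from a whitespace-separated address list
# plus optional static entries. Duplicates are dropped and the order is stable,
# so the result can be compared byte-for-byte with the stored value.
build_allowlist() {
    printf '%s\n' $1 $2 | grep -v '^$' | sort -u | paste -sd, -
}

# Read the value currently stored in Nextcloud (assumed AIO container name).
current_allowlist() {
    docker exec --user www-data nextcloud-aio-nextcloud \
        php occ config:app:get richdocuments wopi_allowlist 2>/dev/null
}

# Replace (never append to) the stored list, so an address that is no longer
# ours does not linger in the allowlist after the provider reassigns it.
sync_allowlist() {
    wanted=$(build_allowlist "$(resolve_fqdn "$NC_FQDN")" "$EXTRA_ALLOW")
    if [ -z "$wanted" ]; then
        echo "no addresses resolved for $NC_FQDN, leaving the list untouched" >&2
        return 1
    fi
    if [ "$wanted" != "$(current_allowlist)" ]; then
        docker exec --user www-data nextcloud-aio-nextcloud \
            php occ config:app:set richdocuments wopi_allowlist --value="$wanted"
        echo "wopi_allowlist updated to: $wanted"
    fi
}

# Run from cron (e.g. every 5 minutes) with RUN_WOPI_SYNC=1 set.
if [ "${RUN_WOPI_SYNC:-0}" = "1" ]; then
    sync_allowlist
fi
```

Because the list is rebuilt from scratch on every run, the previous public address drops out as soon as DNS reflects the new one; anything that must stay (such as the Docker network the CODE container uses) goes into EXTRA_ALLOW.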