From d4fec56859a7bbdcfc3f7c9d2294490f48cf5de5 Mon Sep 17 00:00:00 2001 From: Anja Barz Date: Mon, 29 Jun 2026 11:20:56 +0200 Subject: [PATCH 1/2] remove the wopi part from the external proxy docs --- .../docker-compose/docker-external-proxy.md | 32 +++++-------------- .../docker-compose/docker-external-proxy.md | 32 +++++-------------- .../docker-compose/docker-external-proxy.md | 32 +++++-------------- 3 files changed, 24 insertions(+), 72 deletions(-) diff --git a/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md b/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md index 9bf05a23f..4cf924652 100644 --- a/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md @@ -20,7 +20,6 @@ If you don't have an existing reverse proxy or prefer to let Traefik manage cert - Proper DNS records for your domain: - `cloud.YOUR.DOMAIN` - `collabora.YOUR.DOMAIN` - - `wopiserver.YOUR.DOMAIN` - Installed software: - [Docker & Docker Compose](https://docs.docker.com/engine/install/) - `nginx` @@ -62,7 +61,7 @@ Paste the following config and adjust the URLs: ```nginx server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; root /var/www/certbot; @@ -89,7 +88,6 @@ sudo certbot certonly --webroot \ -w /var/www/certbot \ -d cloud.YOUR.DOMAIN \ -d collabora.YOUR.DOMAIN \ - -d wopiserver.YOUR.DOMAIN \ --email your@email.com \ --agree-tos \ --no-eff-email 
@@ -123,12 +121,16 @@ OC_DOMAIN=cloud.YOUR.DOMAIN INITIAL_ADMIN_PASSWORD=YOUR.SECRET.PASSWORD COLLABORA_DOMAIN=collabora.YOUR.DOMAIN - -WOPISERVER_DOMAIN=wopiserver.YOUR.DOMAIN ``` The initial Admin password is mandatory for security reasons. +:::note +The WOPI endpoint is served by OpenCloud on the OpenCloud domain. It is available through the OpenCloud proxy under `/wopi` and `/collaboration`. + +A separate `wopiserver` domain, reverse proxy block, or exposed WOPI port is not required. +::: + Start the docker compose setup ```bash @@ -163,7 +165,7 @@ Paste the following configuration and adjust the URLs: # Redirect HTTP to HTTPS server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; location /.well-known/acme-challenge/ { root /var/www/certbot; @@ -232,24 +234,6 @@ server { } } - -# WOPI Server -server { - listen 443 ssl http2; - server_name wopiserver.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - location / { - proxy_pass http://127.0.0.1:9300; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} ``` :::info Version Differences diff --git a/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md b/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md index fd1a463dc..dec07b065 100644 --- a/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md 
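Review bot: The `:::note` added after the `.env` block only covers new installs; admins who followed the earlier revision of this page still have `wopiserver.YOUR.DOMAIN` in their certificate, and the note gives them no migration step. Certbot renews a certificate for every name it was issued with, so once the `wopiserver` DNS record and the port-80 `server_name` entry are gone, renewal will likely fail for the whole certificate, including `cloud` and `collabora`. I would add a sentence such as `If you followed an earlier version of this guide, re-issue the certificate without wopiserver.YOUR.DOMAIN before removing its DNS record and server block, and make sure port 9300 is no longer published.` The same note is added in the version-4.0 and version-7.2 copies; whether the 4.0 release already serves `/wopi` and `/collaboration` on the OpenCloud domain is not visible in this patch and is worth confirming.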
@@ -16,7 +16,6 @@ This guide walks you through setting up OpenCloud behind an external Nginx rever - Proper DNS records for your domain: - `cloud.YOUR.DOMAIN` - `collabora.YOUR.DOMAIN` - - `wopiserver.YOUR.DOMAIN` - Installed software: - [Docker & Docker Compose](https://docs.docker.com/engine/install/) - `nginx` @@ -72,7 +71,7 @@ Paste the following config and adjust the URLs: ```nginx server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; root /var/www/certbot; @@ -99,7 +98,6 @@ sudo certbot certonly --webroot \ -w /var/www/certbot \ -d cloud.YOUR.DOMAIN \ -d collabora.YOUR.DOMAIN \ - -d wopiserver.YOUR.DOMAIN \ --email your@email.com \ --agree-tos \ --no-eff-email @@ -133,12 +131,16 @@ OC_DOMAIN=cloud.YOUR.DOMAIN INITIAL_ADMIN_PASSWORD=YOUR.SECRET.PASSWORD COLLABORA_DOMAIN=collabora.YOUR.DOMAIN - -WOPISERVER_DOMAIN=wopiserver.YOUR.DOMAIN ``` The initial Admin password is mandatory for security reasons. +:::note +The WOPI endpoint is served by OpenCloud on the OpenCloud domain. It is available through the OpenCloud proxy under `/wopi` and `/collaboration`. + +A separate `wopiserver` domain, reverse proxy block, or exposed WOPI port is not required. +::: + For production releases, please refer to the considerations outlined in the Docker Compose base instructions: [production setup consideration](./production-setup-consideration.md) @@ -169,7 +171,7 @@ Paste the following configuration and adjust the URLs: # Redirect HTTP to HTTPS server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; location /.well-known/acme-challenge/ { root /var/www/certbot; 
@@ -238,24 +240,6 @@ server { } } - -# WOPI Server -server { - listen 443 ssl http2; - server_name wopiserver.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - location / { - proxy_pass http://127.0.0.1:9300; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} ``` :::info Version Differences diff --git a/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md b/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md index 9bf05a23f..4cf924652 100644 --- a/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md @@ -20,7 +20,6 @@ If you don't have an existing reverse proxy or prefer to let Traefik manage cert - Proper DNS records for your domain: - `cloud.YOUR.DOMAIN` - `collabora.YOUR.DOMAIN` - - `wopiserver.YOUR.DOMAIN` - Installed software: - [Docker & Docker Compose](https://docs.docker.com/engine/install/) - `nginx` @@ -62,7 +61,7 @@ Paste the following config and adjust the URLs: ```nginx server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; root /var/www/certbot; @@ -89,7 +88,6 @@ sudo certbot certonly --webroot \ -w /var/www/certbot \ -d cloud.YOUR.DOMAIN \ -d collabora.YOUR.DOMAIN \ - -d wopiserver.YOUR.DOMAIN \ --email your@email.com \ --agree-tos \ --no-eff-email 
@@ -123,12 +121,16 @@ OC_DOMAIN=cloud.YOUR.DOMAIN INITIAL_ADMIN_PASSWORD=YOUR.SECRET.PASSWORD COLLABORA_DOMAIN=collabora.YOUR.DOMAIN - -WOPISERVER_DOMAIN=wopiserver.YOUR.DOMAIN ``` The initial Admin password is mandatory for security reasons. +:::note +The WOPI endpoint is served by OpenCloud on the OpenCloud domain. It is available through the OpenCloud proxy under `/wopi` and `/collaboration`. + +A separate `wopiserver` domain, reverse proxy block, or exposed WOPI port is not required. +::: + Start the docker compose setup ```bash @@ -163,7 +165,7 @@ Paste the following configuration and adjust the URLs: # Redirect HTTP to HTTPS server { listen 80; - server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN; + server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN; location /.well-known/acme-challenge/ { root /var/www/certbot; @@ -232,24 +234,6 @@ server { } } - -# WOPI Server -server { - listen 443 ssl http2; - server_name wopiserver.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - - location / { - proxy_pass http://127.0.0.1:9300; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} ``` :::info Version Differences From 8d537c3ca0ecb36a80159bb31404815632846a8b Mon Sep 17 00:00:00 2001 From: Anja Barz Date: Mon, 29 Jun 2026 14:17:29 +0200 Subject: [PATCH 2/2] adjust Collabora headers, symlink targets, and verification step --- .../docker-compose/docker-external-proxy.md | 75 +++++++++++++------ .../docker-compose/docker-external-proxy.md | 75 +++++++++++++------ .../docker-compose/docker-external-proxy.md | 75 +++++++++++++------ 3 files changed, 156 insertions(+), 69 deletions(-) 
diff --git a/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md b/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md index 4cf924652..cd8f5d000 100644 --- a/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/docs/admin/getting-started/container/docker-compose/docker-external-proxy.md @@ -75,7 +75,7 @@ server { Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/certbot-challenge sudo nginx -t && sudo systemctl reload nginx ``` 
@@ -212,27 +212,44 @@ server { # Collabora server { - listen 443 ssl http2; - server_name collabora.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Increase max upload size to collabora editor - client_max_body_size 10M; - - location / { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - } + listen 443 ssl http2; + server_name collabora.YOUR.DOMAIN; + + ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + client_max_body_size 10M; + + location / { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } + location ~ ^/cool/(.*)/ws$ { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } } ``` 
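Review bot: The ten-hour `proxy_read_timeout 36000s;` and `proxy_send_timeout 36000s;` are added to `location /` as well as to the WebSocket location `~ ^/cool/(.*)/ws$`, so an ordinary request whose upstream stalls keeps its connection open for up to ten hours instead of nginx's default timeout. Only the long-lived WebSocket needs that; I would drop both lines from `location /` and keep them in the `/cool/.../ws` block. The rewrite also removes the comment `# Increase max upload size to collabora editor` above `client_max_body_size 10M;`, which is worth keeping so readers know why the limit is set. The same block is repeated in the version-4.0 and version-7.2 hunks.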
@@ -244,15 +261,27 @@ Starting from nginx 1.25.0, the `http2` directive syntax changed from: `listen 4 We enabled HTTP/2 and increased keep-alive limits to prevent large syncs from failing and ensure stable client connections, since nginx closes connections after ~1,000 requests by default. ::: -Thanks to [mitexleo](https://github.com/mitexleo) for the Ngnix example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments +Thanks to [mitexleo](https://github.com/mitexleo) for the Nginx example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments. Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/opencloud sudo nginx -t && sudo systemctl reload nginx ``` +Verify that Nginx is listening on port `443`: + +```bash +sudo ss -tulpn | grep ':443' +``` + +Verify that Collabora is reachable through the external proxy: + +```bash +curl -k https://collabora.YOUR.DOMAIN/hosting/discovery | head +``` + ## Test Certificate Renewal ```bash diff --git a/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md b/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md index dec07b065..a183be7fb 100644 --- a/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/versioned_docs/version-4.0/admin/getting-started/container/docker-compose/docker-external-proxy.md @@ -85,7 +85,7 @@ server { Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/certbot-challenge sudo nginx -t && sudo systemctl reload nginx ``` 
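Review bot: The new verification step `curl -k https://collabora.YOUR.DOMAIN/hosting/discovery | head` disables certificate verification, so it succeeds even when the certificate served for `collabora.YOUR.DOMAIN` is expired, self-signed or missing that name. The Collabora server block reuses the certificate under `/etc/letsencrypt/live/cloud.YOUR.DOMAIN/`, so this is the step that should catch a forgotten `-d collabora.YOUR.DOMAIN` at issuance. I would use `curl -sS https://collabora.YOUR.DOMAIN/hosting/discovery | head` and mention `-k` only as a debugging aid. The same command is added in the version-4.0 and version-7.2 hunks. This note refers to the hunk at `@@ -244,15 +261,27 @@`, which shares this line with the symlink hunk that follows it.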
@@ -218,27 +218,44 @@ server { # Collabora server { - listen 443 ssl http2; - server_name collabora.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Increase max upload size to collabora editor - client_max_body_size 10M; - - location / { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - } + listen 443 ssl http2; + server_name collabora.YOUR.DOMAIN; + + ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + client_max_body_size 10M; + + location / { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } + location ~ ^/cool/(.*)/ws$ { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } } ``` 
@@ -250,15 +267,27 @@ Starting from nginx 1.25.0, the `http2` directive syntax changed from: `listen 4 We enabled HTTP/2 and increased keep-alive limits to prevent large syncs from failing and ensure stable client connections, since nginx closes connections after ~1,000 requests by default. ::: -Thanks to [mitexleo](https://github.com/mitexleo) for the Ngnix example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments +Thanks to [mitexleo](https://github.com/mitexleo) for the Nginx example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments. Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/opencloud sudo nginx -t && sudo systemctl reload nginx ``` +Verify that Nginx is listening on port `443`: + +```bash +sudo ss -tulpn | grep ':443' +``` + +Verify that Collabora is reachable through the external proxy: + +```bash +curl -k https://collabora.YOUR.DOMAIN/hosting/discovery | head +``` + ## Test Certificate Renewal ```bash diff --git a/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md b/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md index 4cf924652..cd8f5d000 100644 --- a/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md +++ b/versioned_docs/version-7.2/admin/getting-started/container/docker-compose/docker-external-proxy.md @@ -75,7 +75,7 @@ server { Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/certbot-challenge sudo nginx -t && sudo systemctl reload nginx ``` 
@@ -212,27 +212,44 @@ server { # Collabora server { - listen 443 ssl http2; - server_name collabora.YOUR.DOMAIN; - - ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; - # Increase max upload size to collabora editor - client_max_body_size 10M; - - location / { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Host $host; - } - - location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:9980; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - } + listen 443 ssl http2; + server_name collabora.YOUR.DOMAIN; + + ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + client_max_body_size 10M; + + location / { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } + location ~ ^/cool/(.*)/ws$ { + proxy_pass http://127.0.0.1:9980; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_read_timeout 36000s; + proxy_send_timeout 36000s; + } } ``` 
@@ -244,15 +261,27 @@ Starting from nginx 1.25.0, the `http2` directive syntax changed from: `listen 4 We enabled HTTP/2 and increased keep-alive limits to prevent large syncs from failing and ensure stable client connections, since nginx closes connections after ~1,000 requests by default. ::: -Thanks to [mitexleo](https://github.com/mitexleo) for the Ngnix example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments +Thanks to [mitexleo](https://github.com/mitexleo) for the Nginx example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments. Enable and reload Nginx: ```bash -sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/ +sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/opencloud sudo nginx -t && sudo systemctl reload nginx ``` +Verify that Nginx is listening on port `443`: + +```bash +sudo ss -tulpn | grep ':443' +``` + +Verify that Collabora is reachable through the external proxy: + +```bash +curl -k https://collabora.YOUR.DOMAIN/hosting/discovery | head +``` + ## Test Certificate Renewal ```bash