Caddy reverse proxy + Nextcloud + Collabora + Vaultwarden with local HTTPS

Heads up here! Collabora recently changed their configuration, so this guide needs some tweaking.

  1. The domain environment variable should be changed to server_name (although I'm not sure if this var is needed)
  2. In the Caddyfile, loleaflet should be renamed to browser, and lool should be renamed to cool

docker.compose.yml:

  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    ports:
      - "9980:9980"
    volumes:
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
    environment:
      # Credentials for /browser/dist/admin/admin.html
      - username=${USER}
      - password=${PASSWORD}
      - server_name=${NEXTCLOUD_FQDN}
      - dictionaries=en_US
      - extra_params=--o:ssl.enable=true --o:ssl.termination=false # Set SSL options
    cap_add:
      - MKNOD
    tty: true

Caddyfile:

nextcloud.{$DOMAIN} {
	encode zstd gzip

	@collabora {
		path /browser/* # Browser is the client part of LibreOffice Online
		path /hosting/discovery # WOPI discovery URL
		path /hosting/capabilities # Show capabilities as json
		path /cool/* # Main websocket, uploads/downloads, presentations
	}

	reverse_proxy @collabora collabora:9980 {
		header_up Host "nextcloud.{$DOMAIN}"
		transport http {
			tls_insecure_skip_verify
		}
	}

	root * /var/www/html
	file_server

	php_fastcgi nextcloud:9000 {
		env front_controller_active true # Remove index.php from URL
	}
	
	header {
		# enable HSTS
		Strict-Transport-Security "max-age=31536000;"
	}
	redir /.well-known/webfinger /public.php?service=webfinger 301
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}
	respond @forbidden 403
}
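Added example, not part of the original post: a check of the document served at /hosting/discovery through the proxy, confirming that the URLs Collabora advertises use https, the public host name, and the renamed /browser/ and /cool/ paths that the @collabora matcher forwards. The function name, the host nextcloud.example.test and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LEGACY = ("/loleaflet/", "/lool/")   # path prefixes before the rename
CURRENT = ("/browser/", "/cool/")    # prefixes the @collabora matcher forwards

# Constructed sample documents (not captured from a real server).
GOOD = """<wopi-discovery><net-zone name="external-http">
<app name="writer"><action default="true" ext="odt" name="edit"
 urlsrc="https://nextcloud.example.test/browser/0a1b2c3/cool.html?"/></app>
</net-zone></wopi-discovery>"""
STALE = """<wopi-discovery><net-zone name="external-http">
<app name="writer"><action default="true" ext="odt" name="edit"
 urlsrc="http://collabora:9980/loleaflet/0a1b2c3/loleaflet.html?"/></app>
<app name="calc"><action default="true" ext="ods" name="edit"
 urlsrc="https://nextcloud.example.test:9980/browser/0a1b2c3/cool.html?"/></app>
</net-zone></wopi-discovery>"""


def audit_discovery(xml_text, public_host):
    """Return (urlsrc, problem) pairs; an empty list means the URLs match the proxy."""
    actions = ET.fromstring(xml_text).findall(".//action")
    if not actions:
        return [("", "no <action> elements, not a discovery document")]
    problems = []
    for action in actions:
        src = action.get("urlsrc", "")
        url = urlsplit(src)
        if url.scheme != "https":
            problems.append((src, "not https"))
        # A container name or port 9980 here means clients are sent around the proxy.
        if url.hostname != public_host.lower() or url.port not in (None, 443):
            problems.append((src, "host or port is not the public name"))
        if url.path.startswith(LEGACY):
            problems.append((src, "legacy path, /browser/* and /cool/* will not match"))
        elif not url.path.startswith(CURRENT):
            problems.append((src, "path outside the @collabora matcher"))
    return problems


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("STALE", STALE)):
        print(name)
        for src, problem in audit_discovery(doc, "nextcloud.example.test"):
            print(f"  {problem}: {src}")
```
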