Working Caddy v2 Nextcloud + Collabora config?

1. Caddy version (caddy version):


2. How I run Caddy:

systemd + Caddyfile

a. System environment:

Linux Mint 19.1 (ie, Ubuntu 18.04).

b. Command:

caddy start
caddy reload


systemctl start caddy
systemctl restart caddy

c. Service/unit/compose file:


# caddy.service
# For using Caddy with a config file.
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
# See for instructions.
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile


d. My complete Caddyfile or JSON config: {
    root * /var/www/nextcloud
    encode gzip zstd
    php_fastcgi unix//run/php/php7.3-fpm.sock {
                env PATH /bin
                env modHeadersAvailable true
                env front_controller_active true
    log {
        output file     /tmp/nextcloud.log
        format single_field common_log
   header {
        # enable HSTS
        Strict-Transport-Security max-age=31536000;
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path    /.htaccess
        path    /data/*
        path    /config/*
        path    /db_structure
        path    /.xml
        path    /README
        path    /3rdparty/*
        path    /lib/*
        path    /templates/*
        path    /occ
        path    /console.php

   respond @forbidden 403

} {
  encode gzip
  @collabora {
    path /loleaflet/* # Loleaflet is the client part of LibreOffice Online
    path /hosting/discovery # WOPI discovery URL
    path /hosting/capabilities # Show capabilities as json
    path /lool/* # Main websocket, uploads/downloads, presentations

3. The problem I’m having:

My home server has numerous services/applications being hosted, currently served by apache. Decided to try out Caddy as it seemed like it could potentially be better for easier reverse proxying stuff and one less thing to worry about with the HTTPS stuff. It turned out to be the case for some things, but I got stuck being unable to get Nextcloud to work properly with Collabora. I have it working with Apache so I know I must be missing something to configure it correctly in Caddy.

4. Error messages and/or full log output:

When trying to open a document in Nextcloud:
“Collabora Online is not setup yet.
Click here to configure your own server or connect to a demo server.”
Clicking on it goes to the Collabora Online page in settings with error “Could not establish connection to the Collabora Online server.”

“Use your own server - Collabora Online requires a seperate server acting as a WOPI-like Client to provide editing capabilities.” is selected and “” is shown, the same as when it’s working with Apache.

Sorry, I’m not sure how/where to get logs for this, aside from just systemctl status caddy, where I do see something saying “cannot validate certificate”. I feel like this either has to be something to do with Caddy not having permissions for this, or wrong syntax / something missing to reverse proxy that part properly.

The proxy parts of working Apache config for Collabora looks like this:

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet retry=0
ProxyPassReverse    /loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool
ProxyPassReverse    /lool

# Endpoint with information about availability of various features
ProxyPass           /hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities

5. What I already tried:

Tried various different setups like the Snap version of Nextcloud and built in Collabora plugin, the Docker version of Nextcloud and the Docker version of Collabora, but even with Apache those other setups give me a lot of trouble so I always circle back to the full non-docker version of Nextcloud. With a fully working setup on Apache (latest Nextcloud + the collabora/code docker on 9980), I:

systemctl stop apache2
systemctl start caddy

Nextcloud works. I can add other sites/services and they work. I’ve tried using,, localhost instead of, 192.x.x.x instead, etc for the Collabora reverse proxy config in the Caddyfile. Same result in each case.

It’s probably something really stupid and obvious that I’m overlooking, I’m hoping someone here has been through it and can point it out. If not, any help on how to dig into this better would be greatly appreciated! Love the concept for Caddy, will fully switch over if I can iron this out I think. Thanks in advance!

6. Links to relevant resources:

Hmm, there’s a few things incorrect here.

First, is there any static files you need to serve, that aren’t proxied? If so then you need to use the root directive to tell Caddy where to look for those files, when paired with reverse_proxy.

Next, you’re not actually using your @collabora matcher, you need to add it a the first argument to reverse_proxy, like this:

reverse_proxy @collabora

As-is, all requests are being proxied, ignoring your matcher (that might be fine if you actually don’t have any static files for Caddy to serve).

Finally, if you’re proxying over HTTPS (by specifying https://), you should make sure that Caddy trusts the certificate served by the upstream. Is it in your system’s trust store? If not, then you’ll need to configure the tls_trusted_ca_certs option of the http transport to tell Caddy which certificate to trust:

What do you see in your Caddy logs? Run journalctl -u caddy --no-pager | less to see your logs.

1 Like

Thank you so much for the quick response and help. I finally managed to get it working with: {
  encode gzip
  @collabora {
    path /loleaflet/* # Loleaflet is the client part of LibreOffice Online
    path /hosting/discovery # WOPI discovery URL
    path /hosting/capabilities # Show capabilities as json
    path /lool/* # Main websocket, uploads/downloads, presentations
  reverse_proxy @collabora {
    transport http {

This topic was automatically closed after 30 days. New replies are no longer allowed.