Deploy Collabora Online with your Nextcloud instance to enable real-time document editing, spreadsheets, and presentations directly in your private cloud. This guide covers the complete setup process using Docker, nginx reverse proxy configuration, and security hardening for production deployments.

Why Collabora Office with Nextcloud

Collabora Online provides a self-hosted alternative to Google Docs or Microsoft 365. When integrated with Nextcloud, you gain full control over your documents without sending data to third-party services. The integration supports real-time collaboration, version history, and the full LibreOffice feature set.

For developers, this setup demonstrates reverse proxy configuration, Docker networking, and secure internal service communication. For organizations, it delivers enterprise document editing while maintaining data sovereignty.

Prerequisites

Before starting, verify these requirements:

• Nextcloud instance running (version 24 or newer recommended)
• A domain name with DNS configured
• Docker and Docker Compose installed on your server
• nginx as your reverse proxy (other web servers work but this guide uses nginx)
• SSL certificates (Let’s Encrypt recommended)

Architecture Overview

Understanding the communication flow between components helps during troubleshooting. When a user opens a document in Nextcloud, the following happens:

1. Nextcloud generates a WOPI (Web Application Open Platform Interface) token for the document
2. The browser receives a redirect to the Collabora iframe with the WOPI token
3. Collabora fetches the document from Nextcloud using the WOPI token and your internal network
4. The user edits in the browser; changes are saved back via WOPI calls to Nextcloud
5. All document content stays within your infrastructure — only the rendered interface reaches the browser

This architecture means Collabora and Nextcloud must be able to reach each other over the network, either on the same Docker network or via your public hostnames. Placing them on a shared Docker network is more efficient and avoids hairpin NAT issues on some hosting environments.

Step 1: Deploy Collabora Online via Docker

Create a Docker Compose file for Collabora. The official Collabora image includes everything needed for the office suite.

mkdir -p /opt/collabora && cd /opt/collabora

Create the docker-compose.yml file:

version: '3.8'

services:
  collabora:
    image: collabora/code:24.04.5.2.1
    container_name: collabora-online
    restart: unless-stopped
    ports:
      - "9980:9980"
    environment:
      - domain=cloud\\.yourdomain\\.com
      - username=admin
      - password=your-secure-password
      - DONT_GEN_SSL_CERT=1
      - extra_params=--o:security.enableTLS=false
    cap_add:
      - MKNOD
    volumes:
      - ./loolwsd.xml:/etc/loolwsd/loolwsd.xml
    networks:
      - office-network

networks:
  office-network:
    name: nextcloud-network
    external: true

Replace cloud\\.yourdomain\\.com with your Nextcloud domain, escaping dots for the regex pattern. Generate a strong password for the admin user.

Create the shared network if it doesn’t exist:

docker network create nextcloud-network 2>/dev/null || true

Start the container:

docker-compose up -d

Verify the container is running:

docker ps | grep collabora

Step 2: Configure nginx Reverse Proxy

Set up nginx to forward HTTPS requests to the Collabora container. This separates the office backend from your main Nextcloud URL while maintaining SSL termination.

Create the nginx configuration:

server {
    listen 443 ssl http2;
    server_name office.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/office.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # WebSocket support for real-time collaboration
        proxy_http_version 1.1;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # LOOL WSD specific headers
    location /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
    }
}

Enable the site and test the configuration:

ln -s /etc/nginx/sites-available/collabora /etc/nginx/sites-enabled/
nginx -t
systemctl reload nginx

Step 3: Install and Configure the Nextcloud App

Install the Collabora Online app through the Nextcloud web interface or via occ:

cd /var/www/nextcloud
occ app:install richdocuments

After installation, configure the server URL in Nextcloud settings:

1. Navigate to Settings → Administration → Office
2. Enter your Collabora URL: https://office.yourdomain.com
3. Enable “Use your own server”
4. Save the configuration

Alternatively, set this via the command line:

occ config:app:set richdocuments wopi_url --value="https://office.yourdomain.com"
occ config:app:set richdocuments disable_certificate_verification --value="yes"

Step 4: Security Hardening

For production deployments, apply these security measures:

Restrict Access by IP

Edit the Collabora container environment in docker-compose.yml:

environment:
  - domain=cloud\\.yourdomain\\.com
  - allowed_origin=cloud.yourdomain.com

Enable SSL in Production

Remove the DONT_GEN_SSL_CERT setting and ensure your reverse proxy handles SSL properly:

environment:
  - domain=cloud\\.yourdomain\\.com
  - username=admin
  - password=your-secure-password

Configure WOPI Isolation

Edit /etc/loolwsd/loolwsd.xml inside the container or mount a custom configuration:

<net>
    <alias_group>
        <host desc="Allow nextcloud.yourdomain.com">nextcloud.yourdomain.com</host>
        <host desc="Allow office.yourdomain.com">office.yourdomain.com</host>
    </alias_group>
</net>
<security>
    <capabilities>
        <!-- Restrict file capabilities -->
    </capabilities>
</security>

Restart the container after changes:

docker-compose down && docker-compose up -d

Firewall Rules

Collabora’s port 9980 should never be exposed directly to the internet. nginx handles all external access. Enforce this with a firewall rule:

# Block direct access to Collabora port from outside
ufw deny in 9980
ufw allow in on lo to any port 9980

If you run nginx on the same host as Docker, use 127.0.0.1:9980 as the proxy target rather than 0.0.0.0:9980 in Docker’s port binding. This prevents the Docker daemon from opening the port on the public interface, which can bypass UFW rules on some configurations.

Step 5: Verify the Integration

Test your setup by:

1. Logging into Nextcloud
2. Creating a new document (Text, Spreadsheet, or Presentation)
3. Opening the document and verifying it loads the Collabora editor
4. Making edits and saving to confirm file operations work

Check container logs if issues occur:

docker logs collabora-online

Monitor nginx access logs for connection issues:

tail -f /var/log/nginx/office.access.log

Multi-User and Team Configuration

For teams using Nextcloud collaboratively, configure Collabora to support concurrent document editing. By default, multiple users opening the same document each get independent sessions. Enable collaborative editing in the Nextcloud richdocuments app settings:

occ config:app:set richdocuments federation_enable --value="1"

Set a unique federation server ID so Nextcloud can coordinate sessions across Collabora instances if you later scale to multiple Collabora containers:

occ config:app:set richdocuments wopi_url --value="https://office.yourdomain.com"
occ config:app:set richdocuments token_ttl --value="86400"

The token_ttl value controls how long WOPI tokens remain valid in seconds. The default is 12 hours; increase it for long editing sessions where users keep documents open all day without reloading.

For guest access — allowing external collaborators to edit documents via shared links without Nextcloud accounts — ensure the allow_local_remote_links setting in loolwsd.xml is enabled and that your Collabora instance’s domain regex pattern would match any hostnames used in the WOPI callback URLs.

Backup and Update Strategy

Backing Up Collabora Configuration

The primary backup concern for Collabora is the loolwsd.xml configuration file. The application itself is stateless — all documents live in Nextcloud. Back up your Docker Compose file and mounted configuration:

tar -czf collabora-config-$(date +%Y%m%d).tar.gz \
  /opt/collabora/docker-compose.yml \
  /opt/collabora/loolwsd.xml

Store this archive alongside your Nextcloud backup. When restoring after a server failure, you only need to restore Nextcloud’s data directory and database; Collabora requires only its configuration file.

Updating Collabora

Update the image tag in docker-compose.yml to the latest Collabora release, then pull and restart:

cd /opt/collabora
docker-compose pull
docker-compose up -d

Check the Collabora release notes before updating — major version bumps occasionally require changes to the WOPI configuration or nginx proxy headers. Testing on a staging Nextcloud instance before updating production avoids document loading failures during business hours.

Troubleshooting Common Issues

Document Fails to Load

Check that the domain in your Collabora configuration matches your Nextcloud URL exactly. Dots must be escaped in the domain environment variable.

WebSocket Connection Errors

Verify nginx has WebSocket proxy headers configured correctly. The Upgrade and Connection headers are required for real-time collaboration.

Slow Document Loading

Increase container memory limits:

deploy:
  resources:
    limits:
      memory: 4G

SSL Certificate Errors

Ensure your reverse proxy SSL certificates are valid. For testing, you can disable certificate verification in Nextcloud:

occ config:app:set richdocuments disable_certificate_verification --value="yes"

Performance Optimization

For deployments with multiple users, consider these optimizations:

• Increase container memory allocation to 4GB or more
• Use a separate PostgreSQL database for Collabora (enterprise feature)
• Implement caching with Redis for session management
• Configure nginx caching for static assets

location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
  proxy_pass http://127.0.0.1:9980;
  proxy_cache_valid 200 1h;
  add_header Cache-Control "public, immutable";
}

Collabora allocates a separate process per open document. On a shared server, set the max_connections parameter in loolwsd.xml to prevent the service from consuming all available memory when many users open documents simultaneously. A starting point for small teams is 20 concurrent documents; monitor container memory usage and adjust accordingly.

Related Articles

• Nextcloud End to End Encryption Setup Guide
• Nextcloud External Storage Setup Guide 2026
• Nextcloud Setup Guide Raspberry Pi 2026
• Nextcloud Talk Video Calls Setup Guide
• How To Use State Attorney General Office To Enforce Privacy

Built by theluckystrike — More at zovo.one