Solving Nextcloud Office (Collabora) "Unauthorized" and CSP Loading Errors

-

Setting up Nextcloud Office (Collabora Online) in Docker often leads to two frustrating errors: the "Unauthorized" message when opening documents and "Content Security Policy" (CSP) violations in the browser console. This guide explains how to fix these by correctly configuring your Docker environment and Nginx headers.

The Symptoms

  • A green checkmark in Nextcloud settings, but a "Document loading failed" or "Unauthorized" error when clicking a file.
  • Browser console logs showing: Violates the following Content Security Policy directive: "frame-src..."
  • Network errors for l10n.js or cool.html.

Step 1: Clean Docker Environment Variables

Using complex regex or escaped characters (like \\) in your docker-compose.yml can cause Nextcloud to generate malformed URLs. Use clean domain strings instead.

# Collabora (CODE) Service Section
collabora:
    image: collabora/code:latest
    container_name: nextcloud-collabora
    environment:
      - DONT_GENERATE_NODES=false
      - server_name=office.yourdomain.com
      - aliasgroup1=https://cloud.yourdomain.com:443
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.post_allow.host[0]=172.18.0.0/16
    privileged: true
    restart: always

Step 2: Fix CSP and Framing in Nginx

Your reverse proxy must tell the browser that your Nextcloud instance is allowed to "frame" the Collabora suite. Add these directives to your Advanced Nginx configuration (or the server block for office.yourdomain.com):

# Fix CSP and Frame Options
add_header Content-Security-Policy "frame-src 'self' https://cloud.yourdomain.com; frame-ancestors 'self' https://cloud.yourdomain.com;" always;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "ALLOW-FROM https://cloud.yourdomain.com" always;

# Required WebSocket Support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;

Step 3: Reset the WOPI Allowlist

If you have a dynamic public IP, Nextcloud may reject the connection from your own server. Set the WOPI allowlist to a wildcard to ensure the handshake always succeeds:

docker exec -u 33 nextcloud-container-name php occ config:app:set richdocuments wopi_allowlist --value="0.0.0.0/0,::/0"

Step 4: Force a Discovery Refresh

Nextcloud caches the connection settings. If you previously had a broken configuration, you must delete the old discovery data to force Nextcloud to pull the new, clean headers:

# Clear cache and reset URL
docker exec -u 33 nextcloud-container-name php occ config:app:delete richdocuments info_version
docker exec -u 33 nextcloud-container-name php occ config:app:delete richdocuments wopi_url
docker exec -u 33 nextcloud-container-name php occ config:app:set richdocuments wopi_url --value="https://office.yourdomain.com"

Step 5: Final Verification

Restart your Docker stack with docker compose up -d --force-recreate. Clear your browser's site data/cache and log back into Nextcloud. Your documents should now load perfectly!


Support My Work

If this blog post helped you, please consider a small donation. Your support helps keep this content free and accessible for everyone. Thank you!

Donate with PayPal

The easiest way to support me is by buying me a coffee through PayPal. It's quick, secure, and uses a trusted platform.

Buy Me a Coffee! or a new Macbook!

Donate with Crypto

You can also support me with cryptocurrency. Just copy the address of your preferred coin below.

Bitcoin
31kpUFfNo8SSq5jidTY9Eihyb9qJS4FPP2
Ethereum
0x32fB1E082EB566bBbca3137a5a17a92db9C880F7
XRP
rsRy14FvipgqudiGmptJBhr1RtpsgfzKMM
XRP Tag
3802858062

Comments

Post a Comment

Popular posts from this blog

Self-Hosted Personal Cloud: From Old Laptop to Fully Private Cloud

-
Image
Assalamualaikum and greetings from Semenyih ! This is your complete A-to-Z guide for turning an old laptop and a WD My Cloud NAS into a secure, self-hosted cloud server — fully under your control and accessible from anywhere in the world. This journey combines the best of both worlds: the raw technical depth from my original build notes and a beginner-friendly, step-by-step flow. Whether you're here to learn the basics or to dive straight into Docker configs, you'll find what you need. Why I Built This Western Digital discontinued remote access support for older WD My Cloud devices, essentially turning them into local-only storage. Rather than letting mine gather dust, I built a replacement cloud service using Debian Linux, Docker, Nextcloud , and Nginx Proxy Manager — bringing back remote access and adding more privacy, flexibility, a...
Read more

How to Download AnyFlip Books as PDFs with Anyflip Downloader

-
Image
Have you ever needed an offline copy of a digital flipbook from AnyFlip for research, archiving, or easy reading on any device? While the platform is great for online viewing, saving content locally can be a challenge. Introducing anyflip-downloader , a powerful and efficient open-source command-line tool from developer Lofter1 , available on GitHub . It's designed to download any AnyFlip book and convert it into a single, high-quality PDF file. This guide will walk you through everything you need to know, from installation to advanced usage, to get the most out of this handy utility. Important Disclaimer This tool is provided for educational and personal use only. You should only use it to download books that you have the right to, or where the publisher officially allows PDF downloads. Please respect copyright laws and the terms of service of AnyFlip. Key Features Simple to Use: Works with a single command. ...
Read more

Mastering WordPress Multisite in cPanel: A Complete Guide

-
Image
Mastering WordPress Multisite in cPanel: A Complete Guide WordPress Multisite is a powerful feature that allows you to run a "network" of multiple websites from a single WordPress installation. For users managing their hosting through cPanel, this setup offers an efficient way to manage themes, plugins, and core updates for dozens or even hundreds of sites simultaneously. Whether you are building a university network, a franchise system, or a personal blog collection, understanding how this architecture works is the first step toward better web management. How Multisite Works Under the Hood Unlike a standard installation, a Multisite network shares its core PHP files and a single database. When you add a new site to the network, WordPress doesn't create a new folder on your server; instead, it creates unique tables within the existing database (e.g., wp_2_posts) and organizes media files into si...
Read more