Thanks @eneubauer for your response.
I have experimented a little more and have a 99% working system:
- docker owncloud/server (setup as in manual)
- collabora code with ubuntu package
- apache as reverse proxy (config at bottom)
- certbot for Let’s Encrypt
What does not work?
New user email link → the initial set password field on this site uses http and therefore breaks…
I found this thread but it only points to the Traefik docker tutorial.
And currently I have no motivation left to learn and experiment with something new again.
Fixed: add `OWNCLOUD_OVERWRITE_PROTOCOL=HTTPS` to the `environment:` section of your `owncloud-docker-server/docker-compose.yml` file.
My Apache VirtualHost configs:
cloud.conf
```apache
<VirtualHost *:80>
    ServerName cloud.example.de
    Options -Indexes
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =cloud.example.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```
cloud-le-ssl.conf
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cloud.example.de:443
    Options -Indexes
    ## letsencrypt
    SSLCertificateFile /etc/letsencrypt/live/cloud.example.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode
    # Container uses a unique non-signed certificate
    # SSLProxyEngine On
    # SSLProxyVerify None
    # SSLProxyCheckPeerCN Off
    # SSLProxyCheckPeerName Off
    # keep the host
    ProxyPreserveHost On
    # redirect to owncloud
    ProxyPass / http://127.0.0.1:8080/ retry=0
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
</IfModule>
```
lool.conf
```apache
<VirtualHost *:80>
    ServerName lool.example.de
    Options -Indexes
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =lool.example.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```
lool-le-ssl.conf
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName lool.example.de:443
    Options -Indexes
    # letsencrypt
    SSLCertificateFile /etc/letsencrypt/live/lool.example.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lool.example.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode
    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    # keep the host
    ProxyPreserveHost On
    # basic run check
    # ProxyPass / http://127.0.0.1:9980/ retry=0
    # ProxyPassReverse / http://127.0.0.1:9980/
    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of Collabora Online
    ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet
    # WOPI discovery URL
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery
    # Capabilities
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
    # Admin Console websocket
    ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws
    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool http://127.0.0.1:9980/lool
    ProxyPassReverse /lool http://127.0.0.1:9980/lool
</VirtualHost>
</IfModule>
```
[edit: added virtual host configs]
[edit: fixed http password set error]
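
An added example, not part of the original post: a small Python check over the proxy directives of a vhost like the ones above. It reports backends reached in plaintext outside the loopback interface, and `SSLProxy*` directives that switch off backend certificate checks together with whether any https/wss backend actually uses them. The function names and the sample text are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: proxy directives trimmed from the lool-le-ssl.conf above.
SAMPLE = """\
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# ProxyPass / http://127.0.0.1:9980/ retry=0
ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
ProxyPass /lool http://127.0.0.1:9980/lool
"""

# Values that switch off a check on the backend's certificate.
RELAXED = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
           "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_proxy(conf):
    """Return (relaxed directives, TLS backends, plaintext non-loopback backends)."""
    relaxed, tls, plain_remote = [], [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        parts = shlex.split(line)
        name = parts[0].lower()
        if len(parts) >= 2 and RELAXED.get(name) == parts[1].lower():
            relaxed.append(f"{parts[0]} {parts[1]}")
        elif name in ("proxypass", "proxypassmatch") and len(parts) >= 3:
            url = urlsplit(parts[2])
            if url.scheme in ("https", "wss"):
                tls.append(parts[2])
            elif url.scheme in ("http", "ws") and url.hostname not in LOOPBACK:
                plain_remote.append(parts[2])
    return relaxed, tls, plain_remote

def findings(conf):
    """Turn the audit result into human-readable findings."""
    relaxed, tls, plain_remote = audit_proxy(conf)
    out = [f"plaintext hop leaves this host: {u}" for u in plain_remote]
    if relaxed and tls:
        out.append(f"backend certificate checks disabled for {', '.join(tls)}")
    elif relaxed:
        out.append("SSLProxy* checks relaxed but no https/wss backend uses them")
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```

On the lool vhost as posted it reports only that the relaxed `SSLProxy*` settings are unused, since every backend there is `http://` or `ws://` on 127.0.0.1.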