Nextcloud & Collabora Configuration Struggle

Hello everyone,

I have spent so much time on hooking up Nextcloud with an external Collabora server, but I simply can’t make it work. Is there anyone who has succeeded in doing it?
Both Nextcloud and Collabora containers are working fine, everything responds nicely through the Reverse Proxy (Apache used), but when I want to open a .docx file, I get the following errors:

Collabora logs:

wsd-00001-00035 2023-08-15 18:04:39.973340 +0000 [ websrv_poll ] ERR  #24: #24 bad request: [GET /cool/https:%252F%252Fcloud.xxx.net%252Findex.php%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F149329_oc4i6djp333q%3Faccess_token=NqwoDsPneU8NiXe8ymsIlKvrc5Hzpb3C&access_token_ttl=1692158677000&permission=edit/ws?WOPISrc=https%3A%2F%2Fcloud.xxx.net%2Findex.php%2Fapps%2Frichdocument...]: Invalid or unknown request.| wsd/COOLWSD.cpp:40661.1

Nextcloud Chrome Console:

I am attaching all my docker and Apache configurations:

  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    ports:
      - 9980:9980
    environment:
#      - 'extra_params=--o:ssl.enable=false'
      - aliasgroup=https://$COLLABORA_DOMAIN
    cap_add:
      - MKNOD

  nextcloud:
    image: linuxserver/nextcloud:latest
    container_name: nextcloud
    restart: unless-stopped
    ports:
      - 8083:443    
    volumes:
      - $ROOT_DIR/nextcloud:/config
      - /media:/media
    depends_on:
      - mariadb
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Stockholm

<VirtualHost *:80>
    ServerName cloud.xxx.net
    
    Redirect permanent / https://cloud.xxx.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.xxx.net

    SSLEngine on
    SSLCertificateFile "/etc/acme/xxx.net/xxx.net.cer"
    SSLCertificateChainFile "/etc/acme/xxx.net/fullchain.cer"
    SSLCertificateKeyFile "/etc/acme/xxx.net/xxx.net.key"

    SSLProxyEngine On
    ProxyRequests Off
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    Header unset X-Content-Type-Options
    Header unset X-XSS-Protection
    Header unset X-Download-Options
    Header unset Referrer-Policy
    Header unset Content-Security-Policy
    # Header always set X-XSS-Protection "1; mode=block"
    # Header always set X-Content-Type-Options "nosniff"
    # Header always set X-Frame-Options "SAMEORIGIN"
    # Header always set Referrer-Policy "no-referrer"
    # Header always set X-Download-Options "noopen"
    # Header always set X-Permitted-Cross-Domain-Policies "none"
    # Header always set X-Robots-Tag "noindex,nofollow"

    ProxyPreserveHost On
    ProxyPass / https://xxx.lan:8083/
    ProxyPassReverse / https://xxx.lan:8083/

    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName collabora.xxx.net

    SSLEngine on
    SSLCertificateFile "/etc/acme/xxx.net/xxx.net.cer"
    SSLCertificateChainFile "/etc/acme/xxx.net/fullchain.cer"
    SSLCertificateKeyFile "/etc/acme/xxx.net/xxx.net.key"

    AllowEncodedSlashes NoDecode
    SSLProxyEngine On

    # cert is issued for collaboraonline.example.com and we proxy to localhost
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    ProxyPreserveHost On
    ProxyPass / https://amblab.lan:9980/
    ProxyPassReverse / https://amblab.lan:9980/

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of Collabora Online
    # loleaflet/browser is the client part of Collabora Online
    ProxyPass           /loleaflet https://amblab.lan:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://amblab.lan:9980/loleaflet
    ProxyPass           /browser https://amblab.lan:9980/browser retry=0
    ProxyPassReverse    /browser https://amblab.lan:9980/browser

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://amblab.lan:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://amblab.lan:9980/hosting/discovery

    # Capabilities
    ProxyPass           /hosting/capabilities https://amblab.lan:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://amblab.lan:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch      "/cool/(.*)/ws$"      wss://amblab.lan:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass           /cool/adminws wss://amblab.lan:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /cool https://amblab.lan:9980/cool
    ProxyPassReverse    /cool https://amblab.lan:9980/cool

    # Compatibility with integrations that use the /lool/convert-to endpoint
    #ProxyPass           /lool https://amblab.lan:9980/cool
    #ProxyPassReverse    /lool https://amblab.lan:9980/cool
</VirtualHost> 

Nextcloud’s nginx default.conf is the default, except that the HTTPS headers are temporarily disabled.
If someone needs more information, please let me know!!!
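
The request target in the coolwsd log line from the post above, checked for repeated percent-encoding. This is an added example, not part of the original posts; the sample line is a shortened, constructed copy with placeholder token and file id, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample: the request target from the coolwsd log line in the post,
# shortened and with placeholder token / file id values.
SAMPLE_LOG = (
    "wsd-00001-00035 2023-08-15 18:04:39.973340 +0000 [ websrv_poll ] ERR  #24: "
    "#24 bad request: [GET /cool/https:%252F%252Fcloud.xxx.net%252Findex.php"
    "%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F1_x%3Faccess_token=TOKEN"
    "&permission=edit/ws?WOPISrc=https%3A%2F%2Fcloud.xxx.net%2Findex.php"
    "%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1_x]: Invalid or unknown request."
)

TARGET_RE = re.compile(r"\[GET (/cool/\S+?)\]")  # request target inside [...]
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")        # one percent-escape
DOUBLE_RE = re.compile(r"%25[0-9A-Fa-f]{2}")      # escape whose '%' was escaped again


def encoding_depth(value, limit=5):
    """Count percent-decoding passes needed until no %XX escape remains."""
    depth = 0
    while ESCAPE_RE.search(value) and depth < limit:
        value = unquote(value)
        depth += 1
    return depth


def analyse_wsd_request(line):
    """Compare encoding of the /cool/<WOPISrc>/ws path segment with ?WOPISrc=."""
    match = TARGET_RE.search(line)
    if match is None:
        return None
    path, _, query = match.group(1).partition("?")
    segment = path[len("/cool/"):]
    if segment.endswith("/ws"):
        segment = segment[:-len("/ws")]
    params = dict(p.partition("=")[::2] for p in query.split("&"))
    path_depth = encoding_depth(segment)
    query_depth = encoding_depth(params.get("WOPISrc", ""))
    return {
        "path_depth": path_depth,
        "query_depth": query_depth,
        "double_encoded": sorted(set(DOUBLE_RE.findall(segment))),
        "mismatch": path_depth > query_depth,
    }


if __name__ == "__main__":
    print(analyse_wsd_request(SAMPLE_LOG))
```

For this line the slashes in the path segment come out as `%252F` (encoded twice) while the `WOPISrc` query parameter is encoded once, which is the pattern left behind when a hop between the browser and coolwsd re-encodes an already encoded URI.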

We do not support any reverse proxy solution except our own. I do not think we have any team members even using Apache in general.

I see. Currently with my setup I can only run Apache server, but I would like to see a working Nginx example as well. Can you help me with that?

I came across this example on linuxserver’s GitHub. I am a bit confused, though, about how this should work with authentication; I have never seen auth enabled in any other configs.

Thank you

Ignore the authentication, it’s commented out. That is our known-working config, though it has dependencies on other configs SWAG has by default.

Ah right, I overlooked that! In that case this config seems too simple. Many proxy rules, for /cool, /browser, etc. appear in all the examples for Collabora to work with Nextcloud, that I recall.
Is this covering all of them for your example in that case? (I don’t know anything about proxy.conf, and resolver.conf files yet)

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app collabora;
        set $upstream_port 9980;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

Did you make this Nginx example for collabora/code docker image?

It was made for Collabora. If you are finding anything is missing because of newly added features, feel free to test and PR them in. We use this conf for our team Nextcloud and Collabora successfully.

Hello @driz,

Coming back to this after moving my proxies to nginx. I based my environment on SWAG, using the templates that I referred to above, but also proxy.conf and ssl.conf taken out from the container.

Collabora and Nextcloud both work again separately, however the documents still don’t open.

Here are my latest configs (deleted all the commented sections to shorten them):

ssl.conf:

## Version 2023/08/13
ssl_certificate /etc/acme/abc.net/fullchain.cer;
ssl_certificate_key /etc/acme/abc.net/abc.net.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparams.pem;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;

ssl_trusted_certificate /etc/acme/abc.net/fullchain.cer;

add_header Referrer-Policy "same-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;

proxy.conf:

## Version 2023/02/09
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;

proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;

proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

nextcloud.conf:

## Version 2023/06/24
server {
    listen 443 ssl http2;
    server_name cloud.abc.net;

    include ssl.conf;

    client_max_body_size 0;

    location / {
        include proxy.conf;
        proxy_pass https://xyz.lan:8083;

        proxy_hide_header Referrer-Policy;
        proxy_hide_header X-Content-Type-Options;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header X-XSS-Protection;

        proxy_buffering off;
    }
}

collabora.conf:

## Version 2023/05/31
server {
    listen 443 ssl http2;
    server_name collabora.abc.net;

    include ssl.conf;
    
    client_max_body_size 0;

    location / {
        include proxy.conf;
        proxy_pass https://xyz.lan:9980;
    }
}