Nextcloud&Collabora Configuration Struggle

ambarusa · 15 August 2023 18:12

Hello everyone,

I was spending so much time on hooking up Nextcloud with an external Collabora server, but I just simply can’t make it. Is there anyone who succeeded to do it?
Both Nextcloud and Collabora containers are working fine, everything responds nicely through the Reverse Proxy (Apache used), but when I want to open a .docx file, I get the following errors:

Collabora logs:

wsd-00001-00035 2023-08-15 18:04:39.973340 +0000 [ websrv_poll ] ERR  #24: #24 bad request: [GET /cool/https:%252F%252Fcloud.xxx.net%252Findex.php%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F149329_oc4i6djp333q%3Faccess_token=NqwoDsPneU8NiXe8ymsIlKvrc5Hzpb3C&access_token_ttl=1692158677000&permission=edit/ws?WOPISrc=https%3A%2F%2Fcloud.xxx.net%2Findex.php%2Fapps%2Frichdocument...]: Invalid or unknown request.| wsd/COOLWSD.cpp:40661.1

Nextcloud Chrome Console:

I am attaching all my docker and Apache configurations:

  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    ports:
      - 9980:9980
    environment:
#      - 'extra_params=--o:ssl.enable=false'
      - aliasgroup=https://$COLLABORA_DOMAIN
    cap_add:
      - MKNOD

  nextcloud:
    image: linuxserver/nextcloud:latest
    container_name: nextcloud
    restart: unless-stopped
    ports:
      - 8083:443    
    volumes:
      - $ROOT_DIR/nextcloud:/config
      - /media:/media
    depends_on:
      - mariadb
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Stockholm

<VirtualHost *:80>
    ServerName cloud.xxx.net
    
    Redirect permanent / https://cloud.xxx.net/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.xxx.net

    SSLEngine on
    SSLCertificateFile "/etc/acme/xxx.net/xxx.net.cer"
    SSLCertificateChainFile "/etc/acme/xxx.net/fullchain.cer"
    SSLCertificateKeyFile "/etc/acme/xxx.net/xxx.net.key"

    SSLProxyEngine On
    ProxyRequests Off
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

   Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
   Header unset X-Content-Type-Options
   Header unset X-XSS-Protection
   Header unset X-Download-Options
   Header unset Referrer-Policy
   Header unset Content-Security-Policy
    # Header always set X-XSS-Protection "1; mode=block"
    # Header always set X-Content-Type-Options "nosniff"
    # Header always set X-Frame-Options "SAMEORIGIN"
    # Header always set Referrer-Policy "no-referrer"
    # Header always set X-Download-Options "noopen"
    # Header always set X-Permitted-Cross-Domain-Policies "none"
    # Header always set X-Robots-Tag "noindex,nofollow"

    ProxyPreserveHost On
    ProxyPass / https://xxx.lan:8083/
    ProxyPassReverse / https://xxx.lan:8083/

    RewriteEngine On
    RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
    RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName collabora.xxx.net

    SSLEngine on
    SSLCertificateFile "/etc/acme/xxx.net/xxx.net.cer"
    SSLCertificateChainFile "/etc/acme/xxx.net/fullchain.cer"
    SSLCertificateKeyFile "/etc/acme/xxx.net/xxx.net.key"

    AllowEncodedSlashes NoDecode
    SSLProxyEngine On

    # cert is issued for collaboraonline.example.com and we proxy to localhost
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    ProxyPreserveHost On
    ProxyPass / https://amblab.lan:9980/
    ProxyPassReverse / https://amblab.lan:9980/

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of Collabora Online
      # loleaflet/browser is the client part of Collabora Online
    ProxyPass           /loleaflet https://amblab.lan:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://amblab.lan:9980/loleaflet
    ProxyPass           /browser https://amblab.lan:9980/browser retry=0
    ProxyPassReverse    /browser https://amblab.lan:9980/browser

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://amblab.lan:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://amblab.lan:9980/hosting/discovery

    # Capabilities
    ProxyPass           /hosting/capabilities https://amblab.lan:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://amblab.lan:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch      "/cool/(.*)/ws$"      wss://amblab.lan:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass           /cool/adminws wss://amblab.lan:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /cool https://amblab.lan:9980/cool
    ProxyPassReverse    /cool https://amblab.lan:9980/cool

    # Compatibility with integrations that use the /lool/convert-to endpoint
    #ProxyPass           /lool https://amblab.lan:9980/cool
    #ProxyPassReverse    /lool https://amblab.lan:9980/cool
</VirtualHost>

Nextcloud’s nginx default.conf is the default, except that the https header are temporarily disabled.
If someone needs more information, please let me know!!!

driz · 21 August 2023 12:56

We do not support any reverse proxy solution except our own. I do not think we have any team members even using apache in general.

ambarusa · 23 August 2023 15:20

I see. Currently with my setup I can only run Apache server, but I would like to see a working Nginx example as well. Can you help me with that?

I came across this example on the linuxserver’s github.I am a bit confused though how this should work with authentication, I have never seen auth enabled in any other configs.

Thank you

driz · 23 August 2023 15:52

ignore the authentication, it’s commented out. That is our known-working config, though it has dependencies on other configs swag has by default.

ambarusa · 23 August 2023 16:25

Ah right, I overlooked that! In that case this config seems too simple. Many proxy rules, for /cool, /browser, etc. appear in all the examples for Collabora to work with Nextcloud, that I recall.
Is this covering all of them for you example in that case? (I don’t know anything about proxy.conf, and resolver.conf files yet)

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app collabora;
        set $upstream_port 9980;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

Did you make this Nginx example for collabora/code docker image?

driz · 24 August 2023 12:05

it was made for collabora. If you are finding anything is missing because of newly added features, feel free to test and PR them in. We use this conf for our team nextcloud and collabora successfully.