AIO: Document loading failed

Hi,
I am having this issue with my Nextcloud AIO server. When I try to open any document using Collabora I get this message:


Copy/Paste of the error:

Document loading failed

Failed to establish socket connection or socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. For more info on proxy configuration please checkout https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html

In the https://cloud.mydomain.com/settings/admin/richdocuments it tells me Collabora Online server is reachable:

I noticed the issue about a week ago, but I am not sure exactly when it started as I do not use the web editor very often.

I have found similar reports of this issue, and usually it is solved by using this guide: How to debug problems with Collabora and/or Talk · nextcloud/all-in-one · Discussion #1358 · GitHub. In my case the /etc/hosts or Allow list for WOPI requests changes do not solve the issue.

After running these commands:

# Go into the container
sudo docker exec -it nextcloud-aio-nextcloud bash
# Now inside the container
curl -vvv https://$NC_DOMAIN:443/hosting/discovery
exit

I get this output:

$ curl -vvv https://$NC_DOMAIN:443/hosting/discovery
* Host cloud.mydomain.com:443 was resolved.
* IPv6: (none)
* IPv4: my.public.nextcloud.ip
*   Trying my.public.nextcloud.ip:443...
* Connected to cloud.mydomain.com (my.public.nextcloud.ip) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=cloud.mydomain.com
*  start date: Jun  4 11:56:09 2024 GMT
*  expire date: Sep  2 11:56:08 2024 GMT
*  subjectAltName: host "cloud.mydomain.com" matched cert's "cloud.mydomain.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cloud.mydomain.com:443/hosting/discovery
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cloud.mydomain.com]
* [HTTP/2] [1] [:path: /hosting/discovery]
* [HTTP/2] [1] [user-agent: curl/8.8.0]
* [HTTP/2] [1] [accept: */*]
> GET /hosting/discovery HTTP/2
> Host: cloud.mydomain.com
> User-Agent: curl/8.8.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Request completely sent off
< HTTP/2 200 
< content-length: 30719
< content-type: text/xml
< date: Fri, 02 Aug 2024 09:15:00
< last-modified: Fri, 02 Aug 2024 09:15:00
< x-content-type-options: nosniff
< vary: Accept-Encoding
< server: Apache/2.4.52 (Ubuntu)
< 
<wopi-discovery>
    <net-zone name="external-http">

        <!-- Writer documents -->
        <app favIconUrl="https://cloud.mydomain.com/browser/ca2ed20/images/x-office-document.svg" name="writer">
            <action default="true" ext="sxw" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="odt" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fodt" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Text template documents -->
            <action default="true" ext="stw" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="ott" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- MS Word -->
            <action default="true" ext="doc" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="dot" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- OOXML wordprocessing -->
            <action default="true" ext="docx" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="docm" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="dotx" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="dotm" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="wpd" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="pdb" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="hwp" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="wps" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="wri" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="lrf" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="mw" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="rtf" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="txt" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fb2" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="cwk" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="pages" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="abw" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="602" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <app name="writer-global">
            <!-- Text master documents -->
            <action default="true" ext="sxg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="odm" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Writer master document templates -->
            <action default="true" ext="otm" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <app name="writer-web">
            <action default="true" ext="oth" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Calc documents -->
        <app favIconUrl="https://cloud.mydomain.com/browser/ca2ed20/images/x-office-spreadsheet.svg" name="calc">
            <action default="true" ext="sxc" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="ods" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fods" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Spreadsheet template documents -->
            <action default="true" ext="stc" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="ots" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- MS Excel -->
            <action default="true" ext="xls" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="xla" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- OOXML spreadsheet -->
            <action default="true" ext="xltx" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="xltm" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="xlsx" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="xlsb" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="xlsm" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="dif" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="slk" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="csv" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="dbf" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="wk1" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="gnumeric" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="numbers" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Impress documents -->
        <app favIconUrl="https://cloud.mydomain.com/browser/ca2ed20/images/x-office-presentation.svg" name="impress">
            <action default="true" ext="sxi" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="odp" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fodp" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Presentation template documents -->
            <action default="true" ext="sti" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="otp" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- MS PowerPoint -->
            <action default="true" ext="ppt" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="pot" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- OOXML presentation -->
            <action default="true" ext="pptx" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="pptm" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="potx" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="potm" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="ppsx" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="cgm" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="key" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Draw documents -->
        <app name="draw">
            <action default="true" ext="sxd" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="odg" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fodg" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Drawing template documents -->
            <action default="true" ext="std" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="otg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <!-- Others -->
            <action ext="svg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="dxf" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="emf" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="wmf" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="cdr" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="vsd" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="vsdx" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="vss" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="pub" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="p65" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="wpg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action default="true" ext="fh" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="bmp" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="png" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="gif" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="tiff" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="jpg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="jpeg" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
            <action ext="pdf" name="view_comment" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Math documents -->
        <!-- In fact Math documents are not supported at all.
             See: https://bugs.documentfoundation.org/show_bug.cgi?id=97006
        <app name="math">
            <action name="view" default="true" ext="sxm"/>
            <action name="edit" default="true" ext="odf"/>
        </app>
        -->

        <!-- Legacy MIME-type actions (compatibility) -->

        <app name="image/svg+xml">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Writer documents -->
        <app name="application/vnd.sun.xml.writer">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Calc documents -->
        <app name="application/vnd.sun.xml.calc">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Impress documents -->
        <app name="application/vnd.sun.xml.impress">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Draw documents -->
        <app name="application/vnd.sun.xml.draw">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Chart documents -->
        <app name="application/vnd.oasis.opendocument.chart">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Text master documents -->
        <app name="application/vnd.sun.xml.writer.global">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-master">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Math documents -->
        <!-- In fact Math documents are not supported at all.
             See: https://bugs.documentfoundation.org/show_bug.cgi?id=97006
        <app name="application/vnd.sun.xml.math">
            <action name="view" default="true" ext=""/>
        </app>
        <app name="application/vnd.oasis.opendocument.formula">
            <action name="edit" default="true" ext=""/>
        </app>
        -->
        <!-- Text template documents -->
        <app name="application/vnd.sun.xml.writer.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Writer master document templates -->
        <app name="application/vnd.oasis.opendocument.text-master-template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Spreadsheet template documents -->
        <app name="application/vnd.sun.xml.calc.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet-template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Presentation template documents -->
        <app name="application/vnd.sun.xml.impress.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation-template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Drawing template documents -->
        <app name="application/vnd.sun.xml.draw.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics-template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- MS Word -->
        <app name="application/msword">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/msword">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- MS Excel -->
        <app name="application/vnd.ms-excel">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- MS PowerPoint -->
        <app name="application/vnd.ms-powerpoint">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- OOXML wordprocessing -->
        <app name="application/vnd.openxmlformats-officedocument.wordprocessingml.document">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-word.document.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.wordprocessingml.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-word.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- OOXML spreadsheet -->
        <app name="application/vnd.openxmlformats-officedocument.spreadsheetml.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.sheet.binary.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.sheet.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- OOXML presentation -->
        <app name="application/vnd.openxmlformats-officedocument.presentationml.presentation">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint.presentation.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.presentationml.template">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- Others -->
        <app name="application/vnd.wordperfect">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-aportisdoc">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-hwp">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-works">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-mswrite">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-dif-document">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="text/spreadsheet">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="text/csv">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-dbase">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.lotus-1-2-3">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/cgm">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/vnd.dxf">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/x-emf">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/x-wmf">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/coreldraw">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.visio2013">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.visio">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.ms-visio.drawing">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-mspublisher">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-sony-bbeb">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-gnumeric">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/macwriteii">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-iwork-numbers-sffnumbers">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-web">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-pagemaker">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="text/rtf">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="text/plain">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-fictionbook+xml">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/clarisworks">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/x-wpg">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-iwork-pages-sffpages">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.presentationml.slideshow">
            <action default="true" ext="" name="edit" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-iwork-keynote-sffkey">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-abiword">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/x-freehand">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/vnd.sun.xml.chart">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/x-t602">
            <action default="true" ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/bmp">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/png">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/gif">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/tiff">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/jpg">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="image/jpeg">
            <action ext="" name="view" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>
        <app name="application/pdf">
            <action ext="" name="view_comment" urlsrc="https://cloud.mydomain.com/browser/ca2ed20/cool.html?"/>
        </app>

        <!-- End of legacy MIME-type actions -->

        <app name="Capabilities">
            <action ext="" name="getinfo" urlsrc="https://cloud.mydomain.com/hosting/capabilities"/>
        </app>
    </net-zone>
* Connection #0 to host cloud.mydomain.com left intact

I also want to add that I get this output when reviewing the logs for nextcloud-aio-collabora container (I just pasted the last rows in the log as these are the ones appearing when I try to open a document and get the “Document loading failed” error):

$ sudo docker logs --follow  nextcloud-aio-collabora
...
frk-00013-00013 2024-08-02 10:44:33.035670 +0200 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:557
wsd-00007-05638 2024-08-02 10:46:41.375145 +0200 [ docbroker_005 ] ERR  Doc [https%3A%2F%2Fcloud.mydomain.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F46_och7vp40ue62] is taking too long to load. Will kill process [5497]. per_document.limit_load_secs set to 100 secs.| wsd/DocumentBroker.cpp:397
wsd-00007-05638 2024-08-02 10:46:41.397307 +0200 [ docbroker_005 ] ERR  #42: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1149
wsd-00007-05638 2024-08-02 10:46:41.397523 +0200 [ docbroker_005 ] WRN  #42: Unassociated Kit (5497) disconnected unexpectedly| wsd/COOLWSD.cpp:3701
wsd-00007-05638 2024-08-02 10:46:41.397557 +0200 [ docbroker_005 ] WRN  #42: Unknown Kit process closed with pid -1| wsd/COOLWSD.cpp:3708

Further info about my setup

I am running two Ubuntu 22.04 servers, one for the AIO docker containers and one for Apache2 reverse proxy (no docker setup). I have set up Nextcloud AIO and the reverse proxy using the GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. and all-in-one/reverse-proxy.md at main · nextcloud/all-in-one · GitHub guides.

Post installation I have set up daily backup and automatic updates, fail2ban and Talk (3478 port forwarding).

Currently running “Nextcloud AIO v9.3.0”.

This is the docker run command used:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env NEXTCLOUD_DATADIR="/mnt/storage/nextcloud" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
nextcloud/all-in-one:latest

This is the Apache2 reverse proxy config:

$ cat /etc/apache2/sites-available/nextcloud.conf 
<VirtualHost *:80>
    ServerName cloud.mydomain.com

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    RewriteCond %{SERVER_NAME} =cloud.mydomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.mydomain.com

    # Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
    RewriteEngine On
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    
    ProxyPass / http://my.internal.nextcloud.ip:11000/ nocanon
    ProxyPassReverse / http://my.internal.nextcloud.ip:11000/
    
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
    RewriteRule .? "ws://my.internal.nextcloud.ip:11000/%1" [P,L]

    # Enable h2, h2c and http1.1
    Protocols h2 h2c http/1.1
    
    # Solves slow upload speeds caused by http2
    H2WindowSize 5242880

    # TLS
    SSLEngine               on
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    SSLCertificateFile /etc/letsencrypt/live/cloud.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.mydomain.com/privkey.pem

    # Disable HTTP TRACE method.
    TraceEnable off
    <Files ".ht*">
        Require all denied
    </Files>

    # Support big file uploads
    LimitRequestBody 0
    Timeout 86400
    ProxyTimeout 86400
</VirtualHost>

I would be very thankful if anyone can see the problem here and has a solution. Please let me know if I need to provide more info!

2 Likes

I seem to have come upon the same issue. Collabora stopped working after a recent update of AIO, but a Debian upgrade from Buster to Bullseye has taken place as well.

Same for me.

I seem to have found the issue and a workaround (seems to be a vulnerability, though).

Apache error log contained:

AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

My apache reverse proxy has a line for the websocket. I added the flag UnsafeAllow3F.

<VirtualHost *:443>
    ServerName my.server.name

    # Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
    RewriteEngine On
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
 
    ProxyPass / http://localhost:11000/ nocanon
    ProxyPassReverse / http://localhost:11000/
    
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
    RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F]
    
    # Enable h2, h2c and http1.1
    Protocols h2 h2c http/1.1
    
    # Solves slow upload speeds caused by http2
    H2WindowSize 5242880

    # SSL
    SSLEngine on
  
    SSLCertificateFile my.file
    SSLCertificateKeyFile my.key.file

    # Disable HTTP TRACE method.
    TraceEnable off
    <Files ".ht*">
        Require all denied
    </Files>

    # Support big file uploads
    LimitRequestBody 0
</VirtualHost>

Documents can be edited again. But this flag is disapproved as it seems to open up a vulnerability. I need to figure out a proper solution.

My reverse proxy config works differently from that on Proxy settings — SDK https://sdk.collaboraonline.com/ documentation.

The ws line there is very short:

# Main websocket

 ProxyPassMatch      "/cool/(.*)/ws$"      ws://127.0.0.1:9980/cool/$1/ws nocanon

It does not include a .?. Maybe that would work.

Source: https://stackoverflow.com/questions/78729429/403-forbidden-when-url-contains-get-with-encoded-question-mark-unsafeallow3f

1 Like
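Added example, not part of the original posts: a small Python audit that shows why the websocket rule in this thread trips AH10508 and flags where the UnsafeAllow3F workaround is applied to a catch-all pattern. The `%3f` test is a simplified model of Apache's check, not its implementation, and the request line, host name, token and sample config are constructed for illustration.

```python
import re

# RewriteCond pattern copied from the vhost posted in this thread.
THE_REQUEST_RE = re.compile(r"^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$")
# RewriteRule <pattern> <substitution> [flags]
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+("[^"]*"|\S+)(?:\s+\[([^\]]*)\])?\s*$', re.I)
# Patterns that match every request, so a flag on them applies site-wide.
CATCH_ALL = {".?", ".*", "^", "(.*)", "^(.*)$", "^/(.*)$"}


def expands_to_encoded_qmark(request_line, substitution):
    """Simplified model (assumption): fill %1 from THE_REQUEST, look for an encoded '?'."""
    m = THE_REQUEST_RE.match(request_line)
    if m is None:
        return False
    return "%3f" in substitution.replace("%1", m.group(1)).lower()


def audit_rewrite_rules(conf_text):
    """Return (line_no, pattern, is_catch_all) for each rule carrying UnsafeAllow3F."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m is None or m.group(3) is None:
            continue
        flags = {f.strip().lower() for f in m.group(3).split(",")}
        if "unsafeallow3f" in flags:
            findings.append((no, m.group(1), m.group(1) in CATCH_ALL))
    return findings


# Constructed sample input: host, file id and token value are made up.
SAMPLE_REQUEST = ("GET /cool/https%3A%2F%2Fcloud.example.test%2Findex.php%2Fapps"
                  "%2Frichdocuments%2Fwopi%2Ffiles%2F1_abc%3Faccess_token%3DTOKEN/ws HTTP/1.1")
SAMPLE_CONF = '''\
RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule .? "ws://localhost:11000/%1" [P,L,UnsafeAllow3F]
RewriteRule ^/static/(.*)$ /assets/$1 [L]
'''

if __name__ == "__main__":
    print(expands_to_encoded_qmark(SAMPLE_REQUEST, "ws://localhost:11000/%1"))
    for no, pattern, broad in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {no}: UnsafeAllow3F on pattern {pattern!r}, catch-all={broad}")
```

A finding with `catch-all=True` means the relaxed check covers every request that reaches the rule, which is worth tracking until the proxy can be upgraded and the flag removed.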

Thank you for your response and commitment! I apologize for the late reply, but I have been away for a few weeks and unable to follow up on this issue. I can confirm that the addition of the UnsafeAllow3F flag “solves the problem”. But as you mention and based on the discussion in your stackoverflow reference, it is not recommended.

The problem seems to be rather that the latest Apache2 version is not available to install via the Ubuntu repository.

I solved the problem by installing the latest version via ppa:ondrej/apache2, but a better solution is probably to switch to another type of reverse proxy or wait until Ubuntu maintainers release the 2.4.6x version.