Built-in Collabora w/ HTTPs on k8s

power46 · October 8, 2025, 4:55pm

The Basics

Nextcloud Server version (e.g., 29.x.x):
- 32.0.0
Operating system and version (e.g., Ubuntu 24.04):
- Kubernetes
Web server and version (e.g, Apache 2.4.25):
- Container
Reverse proxy and version _(e.g. nginx 1.27.2)
- Cilium
PHP version (e.g, 8.3):
- Container
Is this the first time you’ve seen this error? (Yes / No):
- Yes
When did this problem seem to first start?
- Click on ods file
Installation method (e.g. AlO, NCP, Bare Metal/Archive, etc.)
- Helm
Are you using CloudfIare, mod_security, or similar? (Yes / No)
- No

Summary of the issue you are facing:

Hi,

I have installed nextcloud via helm using the values.yaml:

  nextcloud:
    host: <domain>
    username: <user>
    password: <password>
  ingress:
    enabled: true
    className: cilium
    annotations:
      kubernetes.io/tls-acme: "true"
    tls:
      - secretName: nextcloud-tls
        hosts:
          - <domain>
  persistence:
    enabled: true
    storageClass: nextcloud
    existingClaim: nextcloud

After installation I can access WebUI, upload files, …

Inside the container I run:

php occ app:enable richdocuments
php occ app:install richdocumentscode
php occ config:app:set richdocuments wopi_url --value https://<domain>/custom_apps/richdocumentscode/proxy.php?req=
php occ richdocuments:activate-config

Under Administration settings > Nextcloud Office there is a green banner:

Collabora Online server is reachable.
Collabora Online Development Edition 25.04.5.4 be0b3cc3ef
URL used by the browser: https://<domain>
Nextcloud URL used by Collabora: https://<domain> (Determined from the browser URL)

But If I upload an ods file an open it in the UI, it hangs on Loading file.ods.

If I open the browser console, I see:

Error

XHRPOST
https://<domain>/custom_apps/richdocumentscode/proxy.php?req=/cool/https://<domain>/index.php/apps/richdocuments/wopi/files/203_ociw9mnoit93?access_token=Z3DydGd0Nfo2h5d1igH94z1gJIVLMleW&access_token_ttl=0&no_auth_header=/ws?WOPISrc=https://<domain>/index.php/apps/richdocuments/wopi/files/203_ociw9mnoit93&compat=/ws/open/open/1
[HTTP/1.1 400 Bad Request 40063ms]

	
POST
	https://<domain>/custom_apps/richdocumentscode/proxy.php?req=/cool/https://<domain>/index.php/apps/richdocuments/wopi/files/203_ociw9mnoit93?access_token=Z3DydGd0Nfo2h5d1igH94z1gJIVLMleW&access_token_ttl=0&no_auth_header=/ws?WOPISrc=https://<domain>/index.php/apps/richdocuments/wopi/files/203_ociw9mnoit93&compat=/ws/open/open/1
Status
400
Bad Request
VersionHTTP/1.1
Transferred501 B (130 B size)
Referrer Policyno-referrer
DNS ResolutionSystem

    	
    content-length
    	130
    content-type
    	text/html; charset=UTF-8
    date
    	Wed, 08 Oct 2025 15:10:35 GMT
    referrer-policy
    	no-referrer
    server
    	envoy
    x-content-type-options
    	nosniff
    x-envoy-upstream-service-time
    	40056
    x-frame-options
    	SAMEORIGIN
    x-permitted-cross-domain-policies
    	none
    x-powered-by
    	PHP/8.3.26
    x-robots-tag
    	noindex, nofollow
    	
    Accept
    	*/*
    Accept-Encoding
    	gzip, deflate, br, zstd
    Accept-Language
    	en-US,en;q=0.5
    Connection
    	keep-alive
    Content-Length
    	0
    Content-Type
    	text/plain;charset=UTF-8
    Cookie
    	nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; ociw9mnoit93=e1082366e16e579b01aa4049c9cd2d08; oc_sessionPassphrase=jERRwddMrmrQpEjj9fwHvIYcdv9SqatMHcK9JtYlBJIutpPT8e9IdT35fLoCX3%2FPG1piv%2FCupgga69OPMes%2FedREIISNR12t4kJ5%2FXTvLTDNtlrChO5o09BboJw4lZfz; nc_username=foo; nc_token=XBilrw9CSWWgQ1kc495L4DrVZygFlpRu; nc_session_id=e1082366e16e579b01aa4049c9cd2d08
    Host
    	<domain>
    Origin
    	https://<domain>
    Sec-Fetch-Dest
    	empty
    Sec-Fetch-Mode
    	cors
    Sec-Fetch-Site
    	same-origin
    Sec-GPC
    	1
    User-Agent
    	Mozilla/5.0 (X11; Linux x86_64; rv:143.0) Gecko/20100101 Firefox/143.0

From insider the container:

$ ps aux | grep cool
www-data     223  0.4  0.0   4640  3592 ?        S    15:07   0:04 /var/www/html/custom_apps/richdocumentscode/collabora/Collabora_Online.AppImage --appimage-extract-and-run --o:net.proto=IPv4 --o:net.lok_allow.host[14]=<domain> --pidfile=/tmp/coolwsd.pid
www-data     228  0.0  0.0   4644  3452 ?        S    15:07   0:00 /bin/bash /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/AppRun --o:net.proto=IPv4 --o:net.lok_allow.host[14]=<domain> --pidfile=/tmp/coolwsd.pid
www-data     314  0.3  0.1 659244 65932 ?        Sl   15:07   0:03 coolwsd --config-file=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/etc/coolwsd/coolwsd.xml --disable-cool-user-checking --port=9983 --lo-template-path=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --o:sys_template_path=/tmp/coolwsd.rvUv7z28uN/systemplate/ --o:security.capabilities=false --o:security.seccomp=false --o:child_root_path=/tmp/coolwsd.rvUv7z28uN/jails --o:file_server_root_path=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/share/coolwsd --o:ssl.enable=false --o:net.proxy_prefix=true --o:memproportion=25 --o:logging.file[@enable]=true --o:logging.file.property[0][@name]=path --o:logging.file.property[0]=/tmp/coolwsd.rvUv7z28uN/coolwsd.log --o:welcome.enable=true --o:user_interface.mode=default --o:allowed_languages=de_DE el en_GB en_US es_ES fr_FR hu it nl pt_BR pt_PT ru --o:fetch_update_check=0 --o:allow_update_popup=false --o:net.proto=IPv4 --o:net.lok_allow.host[14]=<domain> --pidfile=/tmp/coolwsd.pid
www-data     329  0.3  0.7 769304 506200 ?       S    15:07   0:03 /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/bin/coolforkit-ns --systemplate=/tmp/coolwsd.rvUv7z28uN/systemplate/ --lotemplate=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --childroot=/tmp/coolwsd.rvUv7z28uN/jails/314-d936ca9d/ --clientport=9983 --masterport=coolwsd-KrGR9oVM --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --nocaps --noseccomp --ui=default --disable-cool-user-checking
www-data     369  0.0  0.5 769464 365816 ?       S    15:08   0:00 /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/bin/coolforkit-ns --systemplate=/tmp/coolwsd.rvUv7z28uN/systemplate/ --lotemplate=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --childroot=/tmp/coolwsd.rvUv7z28uN/jails/314-d936ca9d/ --clientport=9983 --masterport=coolwsd-KrGR9oVM --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --nocaps --noseccomp --ui=default --disable-cool-user-checking
www-data     371  0.0  0.5 769464 365816 ?       S    15:08   0:00 /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/bin/coolforkit-ns --systemplate=/tmp/coolwsd.rvUv7z28uN/systemplate/ --lotemplate=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --childroot=/tmp/coolwsd.rvUv7z28uN/jails/314-d936ca9d/ --clientport=9983 --masterport=coolwsd-KrGR9oVM --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --nocaps --noseccomp --ui=default --disable-cool-user-checking
www-data     372  0.0  0.5 769464 365816 ?       S    15:08   0:00 /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/bin/coolforkit-ns --systemplate=/tmp/coolwsd.rvUv7z28uN/systemplate/ --lotemplate=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --childroot=/tmp/coolwsd.rvUv7z28uN/jails/314-d936ca9d/ --clientport=9983 --masterport=coolwsd-KrGR9oVM --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --nocaps --noseccomp --ui=default --disable-cool-user-checking
www-data     380  0.0  0.5 769464 365816 ?       S    15:08   0:00 /tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/usr/bin/coolforkit-ns --systemplate=/tmp/coolwsd.rvUv7z28uN/systemplate/ --lotemplate=/tmp/appimage_extracted_7121c1a1c522bf874036f46de772de58/opt/collaboraoffice --childroot=/tmp/coolwsd.rvUv7z28uN/jails/314-d936ca9d/ --clientport=9983 --masterport=coolwsd-KrGR9oVM --rlimits=limit_virt_mem_mb:0;limit_stack_mem_kb:8000;limit_file_size_mb:0;limit_num_open_files:0 --version --nocaps --noseccomp --ui=default --disable-cool-user-checking
root         443  0.0  0.0   3516  1804 pts/0    S+   15:22   0:00 grep cool

$ tail -f /tmp/coolwsd.rvUv7z28uN/coolwsd.log
wsd-00314-00337 2025-10-08 15:20:24.987323 +0000 [ websrv_poll ] ERR  Failed to get settings json from [http://<domain>/index.php/apps/richdocuments/wopi/settings?type=systemconfig&access_token=j8DWsi9hhta2ygCh6soYPuWcVP5OmjNY&fileId=-1] with status[Moved Permanently]| wsd/DocumentBroker.cpp:1927
wsd-00314-00337 2025-10-08 15:20:24.987359 +0000 [ websrv_poll ] ERR  #-1: Failed to install config [shared-http_<domain>/index.php/apps/richdocuments/wopi/settings-68e67e5da14c668e67e23b8f44]| wsd/RequestVettingStation.cpp:195

So it tries to use http.

If I do not set https (from the beginning, just http) everything works.

If I set:

php occ config:app:set richdocuments wopi_url --value http://<domain>/custom_apps/richdocumentscode/proxy.php?req=
php occ config:app:set richdocuments public_wopi_url --value http://<domain>
php occ richdocuments:activate-config

It keeps setting https:

Collabora public URL (used in the browser to open Collabora):
  https://<domain>

I tried to enable the collabora chart:

...
  collabora:
    enabled: true

but the collabora pod keeps crashing on startup.

Any suggestions?

Thanks

power46 · October 12, 2025, 2:47pm

Solved by running php occ config:system:set overwriteprotocol --value="https"

wwe · October 13, 2025, 3:18pm

Hello @power46, welcome to the Nextcloud community!
great to hear you solved the issue already. In general I would recommend you run CODE a separate container - it is far easier to deploy and maintain.

system · October 21, 2025, 3:18pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.