Cannot connect to Collabora server

Not really

Pretty much everything is running through Docker Compose. I can’t think of anything that isn’t. Here’s my docker-compose.yml:

---
version: "3.6"
services:
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/nextcloud:/config
      - /opt/docker/data/nextcloud:/data
    restart: unless-stopped
  mariadb:
    image: linuxserver/mariadb
    container_name: mariadb
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=super_secret_password
      - MYSQL_PASSWORD=nextcloud
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - TZ=Country/City
    volumes:
      - /opt/docker/config/mariadb:/config
    ports:
      - 3306:3306
    restart: unless-stopped
  ddclient:
    image: linuxserver/ddclient
    container_name: ddclient
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/ddclient:/config
    restart: unless-stopped
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
      - URL=mydomain.com
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
    volumes:
      - /opt/docker/config/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
  postfix:
    hostname: "mail"
    image: "boky/postfix"
    container_name: postfix
    restart: always
    healthcheck:
      test: [ "CMD", "sh", "-c", "netstat -an | fgrep 587 | fgrep -q LISTEN" ]
      interval: 10s
      timeout: 5s
      start_period: 10s
      retries: 2
    ports:
      - 1587:587
    volumes:
      - /opt/docker/config/postfix:/etc/opendkim/keys
    environment:
      - ALLOWED_SENDER_DOMAINS=mydomain.com
      - INBOUND_DEBUGGING=1
      - MASQUERADED_DOMAINS=mydomain.com
  clamav:
    image: mkodockx/docker-clamav:alpine
    container_name: clamav
    restart: unless-stopped
  jellyfin:
    image: linuxserver/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/jellyfin:/config
      - /opt/media/tvshows:/data/tvshows
      - /opt/media/movies:/data/movies
    ports:
      - 8096:8096
    restart: unless-stopped
  collabora:
    image: collabora/code
    container_name: collabora
    hostname: office.mydomain.com
    ports:  
      - 9980:9980
    cap_add:    
      - MKNOD    
    environment: 
      - domain=<cloud\\.mydomain\\.com>
      - VIRTUAL_HOST=<office.mydomain.com>
      - VIRTUAL_PORT=9980  
      - VIRTUAL_PROTO=https
      - LETSENCRYPT_HOST=<office.mydomain.com>
      - LETSENCRYPT_EMAIL=<me@email.com>
    restart: unless-stopped

The Let’s Encrypt container also contains the nginx reverse proxy.

Ok awesome

That’s a lot of Docker containers
So where is the Collabora Docker image? I don’t see that in the docker-compose file? Is that on a different VM?

sudo docker exec -it <container_name> /bin/sh with the container_name from your compose file.

just start with ping collabora

@PopeRigby

My setup is a little bit different than yours. I have my reverse proxy running natively on FreeBSD. Nextcloud is also installed on the same machine as the reverse proxy. Because I originally wanted to use Collabora, I needed a Linux machine in the mix, on which I could either do a direct installation or go the docker route. I chose the docker method, so I have an Ubuntu virtualized installation with a docker collabora. Nextcloud has its own domain, as does Collabora, similar to your setup.

It sounds like you’ve done things correctly up to this point, but just make sure the router on your network can resolve the domain names to the internal LAN addresses. I usually have to create DNS Host Overrides at the router level to help me with this. An alternative would be to modify the /etc/hosts file on each VM/Machine/etc where you would add the domain name and associate it with an internal LAN address.

You need to make sure that each VM/Machine/Container/etc can see the other VMs/Containers/etc. You can do this by doing the ping statement from each VM/Machine/Container to the other. You want to ping by domain name although you could check by IP address as well. It’s important to make sure you can ping by domain name since the domain name is attached to your SSL certificate. During the SSL handshake the domain names need to be resolved, so it’s important that computers in your LAN be able to resolve each other by domain name. Docker has its own internal DNS resolver but I think if it doesn’t find the domain name within its Docker LAN it uses the resources of the host machine.

You seem like you know what you’re doing with the Docker Images.
I’m not trying to dissuade you from what you’re trying to accomplish. I recently had the Docker Collabora setup and functioning within my Ubuntu VM/Docker setup. On a whim I wanted to compare Collabora to OnlyOffice and I installed OnlyOffice Docker last night on the same machine as Collabora. In terms of speed and overall features, OnlyOffice (OO) was a clear winner. I’m not trying to dissuade you from Collabora since setting up the OO Docker container was nearly the exact same steps as Collabora – so basically if you get one working you can get the other working as well. Honestly however I’d be hard pressed to recommend Collabora over OO based on features and just execution speed.

I was hesitant to use OO, because of this whole debacle: https://github.com/ONLYOFFICE/DocumentServer/issues/805

IDK, I never tried with the mobile app. But I did just try it now. You are correct in that the documents can not be edited but only viewed, at least on my iPhone. My only issue with Collabora was the connection seemed so slow it was barely usable. It could be my internet connection, but OO does some client side processing whereas with CB it’s all server side processing.

Either way the setup is nearly the same. The setup is virtually identical

I think I want to try and stick with Collabora. Do you know what the problem might be?

maybe this helps:

I’d be happy to help.

Ok a couple of things.

Follow the advice of Reiner_Nippes about the domain setting within the docker-configuration.yml file.

For example (this is a snippet) (Assuming your nextcloud domain is called cloud.mydomain.com)

environment:
  - domain=cloud\\.mydomain\\.com

Couple of other things. You’ve done a great job with the nginx.conf file. However can you do one thing for me (since it will be a lot easier to make changes and debug).

Within each section you have the following:

    set $upstream_app collabora;
    set $upstream_port 9980;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

I want you to first include this block right below the include /config/nginx/ssl.conf; line (I’ll begin this block with include /config/nginx/ssl.conf)

include /config/nginx/ssl.conf;
set $upstream http://collabora:9980;

We are going to be first testing with http and then we’ll upgrade later to https. (https just adds another layer of confusion at first).

Then within each of your location blocks replace:

    set $upstream_app collabora;
    set $upstream_port 9980;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

with:

    proxy_pass $upstream

The variable proxy_pass defined within the server block will filter down and be inherited by all the location blocks. Makes it easy to flip flop back and forth between http and https

Ok awesome

Now let’s just first try to work with collabora without any https. Also within your docker-configuration.yml file under the collabora section, I want you to add the following environment variables:

environment:
  - domain=cloud\\.mydomain\\.com
  - DONT_GEN_SSL_CERT="True"
  - server_name=office.mydomain.com
  - extra_params=--o:ssl.enable=false --o:ssl.termination=true

These commands are telling the collabora docker instance to not generate any SSL certs (since we are only testing with http at the moment). In terms of your other environment variables – VIRTUAL_HOST, VIRTUAL_PORT, VIRTUAL_PROTO, LETSENCRYPT_HOST, LETSENCRYPT_EMAIL – I’m not sure where you got these variables. Looking at the documentation for collabora docker I don’t see any of these variables being used within the container. Because the documentation doesn’t support use of these variables I’m assuming they are being ignored (big assumption).

I want you to post the result of the following command to verify the listening ports of docker containers. Run this command on the linux host where docker is installed:

lsof -i -P -n | grep LISTEN

I also want to verify that the nextcloud container is able to resolve collabora (it probably does but let’s just check). You’ll first need to enter the nextcloud container. So from the docker host:

docker exec -it nextcloud /bin/bash

This should give you a shell within the nextcloud container. Try to ping the collabora container

ping collabora

Now it’s possible the nextcloud container doesn’t have the ping function installed. Looking at the docker hub nextcloud page, it looks like nextcloud is built on top of alpine-linux. I’m not totally familiar with alpine linux at all. It looks like alpine either uses apt or apk as its package manager. So you might have to do (use apt or apk) not both.

apt (or apk) update
apt (or apk) install iputils 

Then try pinging the collabora container. Also while you are on the command line try installing wget

apt (or apk) install wget

Now let’s just try to get a page from the collabora container on the command line:

wget http://collabora:9980

You should just get a page response that says “OK”

In terms of nextcloud - within the CODE settings (if you want to try and have gotten this far and things seem to be working, change the settings to http://collabora:9980)

I’ll stop here just to verify http is working. Once I can confirm basic http is working, we can add back in the https and SSL stuff


From the looks of that, it seems like Reiner_Nippes wanted me to do domain=office.mydomain\\.com|cloud.mydomain\\.com. Am I just supposed to do cloud\\.mydomain\\.com?

So, should it look like this?

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name office.*;

    include /config/nginx/ssl.conf;
    set $upstream http://collabora:9980;

    # static files
    location ^~ /loleaflet {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        resolver 127.0.0.11 valid=30s;
        proxy_pass $upstream

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

Got it. Now my collabora block in my docker-compose.yml looks like this:

collabora:
    image: collabora/code
    container_name: collabora
    hostname: office.mydomain.com
    ports:  
      - 9980:9980
    cap_add:    
      - MKNOD    
    environment: 
      - domain=cloud\\.mydomain\\.com  
      - DONT_GEN_SSL_CERT="True"   
      - server_name=office.mydomain.com
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true

    restart: unless-stopped

That gives me:

sshd        503    root    3u  IPv4    15106      0t0  TCP *:22 (LISTEN)
sshd        503    root    4u  IPv6    15108      0t0  TCP *:22 (LISTEN)
docker-pr 21836    root    4u  IPv6 26789537      0t0  TCP *:9980 (LISTEN)
docker-pr 22738    root    4u  IPv6 24139201      0t0  TCP *:8096 (LISTEN)
docker-pr 22835    root    4u  IPv6 24139369      0t0  TCP *:443 (LISTEN)
docker-pr 22848    root    4u  IPv6 24137545      0t0  TCP *:80 (LISTEN)
docker-pr 22922    root    4u  IPv6 24137670      0t0  TCP *:3306 (LISTEN)
docker-pr 23146    root    4u  IPv6 24138752      0t0  TCP *:1587 (LISTEN)

Ok. I’m able to ping it from the collabora container:

PING collabora (172.18.0.4): 56 data bytes
64 bytes from 172.18.0.4: seq=0 ttl=64 time=0.169 ms
64 bytes from 172.18.0.4: seq=1 ttl=64 time=0.165 ms
64 bytes from 172.18.0.4: seq=2 ttl=64 time=0.155 ms
^C
--- collabora ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.155/0.163/0.169 ms

Ok, this is strange. After doing all that, I’m getting a “Problem loading page” when going to cloud.mydomain.com

This is my current docker-compose.yml:

version: "3.6"
services:
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/nextcloud:/config
      - /opt/docker/data/nextcloud:/data
    restart: unless-stopped
  mariadb:
    image: linuxserver/mariadb
    container_name: mariadb
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=super_secret_password
      - MYSQL_PASSWORD=nextcloud
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - TZ=Country/City
    volumes:
      - /opt/docker/config/mariadb:/config
    ports:
      - 3306:3306
    restart: unless-stopped
  ddclient:
    image: linuxserver/ddclient
    container_name: ddclient
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/ddclient:/config
    restart: unless-stopped
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
      - URL=mydomain.com
      - SUBDOMAINS=wildcard
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
    volumes:
      - /opt/docker/config/letsencrypt:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
  postfix:
    hostname: "mail"
    image: "boky/postfix"
    container_name: postfix
    restart: always
    healthcheck:
      test: [ "CMD", "sh", "-c", "netstat -an | fgrep 587 | fgrep -q LISTEN" ]
      interval: 10s
      timeout: 5s
      start_period: 10s
      retries: 2
    ports:
      - 1587:587
    volumes:
      - /opt/docker/config/postfix:/etc/opendkim/keys
    environment:
      - ALLOWED_SENDER_DOMAINS=mail.mydomain.com
      - INBOUND_DEBUGGING=1
      - MASQUERADED_DOMAINS=mydomain.com
  clamav:
    image: mkodockx/docker-clamav:alpine
    container_name: clamav
    restart: unless-stopped
  jellyfin:
    image: linuxserver/jellyfin
    container_name: jellyfin
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Country/City
    volumes:
      - /opt/docker/config/jellyfin:/config
      - /opt/media/tvshows:/data/tvshows
      - /opt/media/movies:/data/movies
    ports:
      - 8096:8096
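
The `lsof` listing posted above can be cross-checked against the `ports:` entries of the compose file. The following is an added example, not code from the thread; the port-to-service map is read off the compose file, and treating only ports 80 and 443 as intended entry points is an assumption of the example.

```python
import re

# Listing copied from the lsof output posted in this thread.
# "docker-pr" is lsof's truncated name for the docker-proxy process.
LSOF_OUTPUT = """\
sshd        503    root    3u  IPv4    15106      0t0  TCP *:22 (LISTEN)
sshd        503    root    4u  IPv6    15108      0t0  TCP *:22 (LISTEN)
docker-pr 21836    root    4u  IPv6 26789537      0t0  TCP *:9980 (LISTEN)
docker-pr 22738    root    4u  IPv6 24139201      0t0  TCP *:8096 (LISTEN)
docker-pr 22835    root    4u  IPv6 24139369      0t0  TCP *:443 (LISTEN)
docker-pr 22848    root    4u  IPv6 24137545      0t0  TCP *:80 (LISTEN)
docker-pr 22922    root    4u  IPv6 24137670      0t0  TCP *:3306 (LISTEN)
docker-pr 23146    root    4u  IPv6 24138752      0t0  TCP *:1587 (LISTEN)
"""

# Host-side ports from the `ports:` entries in the compose file, by service.
PUBLISHED = {
    3306: "mariadb", 443: "letsencrypt", 80: "letsencrypt",
    1587: "postfix", 8096: "jellyfin", 9980: "collabora",
}

# Assumption of this example: only the nginx reverse proxy (letsencrypt
# container) is meant to accept connections from other machines.
PROXY_PORTS = {80, 443}

LISTEN_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+.*\bTCP\s+(\S+):(\d+)\s+\(LISTEN\)\s*$"
)


def parse_listeners(text):
    """Return {(command, bind_address, port)} for every LISTEN line."""
    found = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), m.group(3), int(m.group(4))))
    return found


def audit(text):
    """Return (published ports with no listener, services bound to every
    interface that can be reached without going through the proxy)."""
    docker = {(addr, port) for cmd, addr, port in parse_listeners(text)
              if cmd.startswith("docker-pr")}
    listening = {port for _, port in docker}
    missing = sorted(set(PUBLISHED) - listening)
    direct = sorted((port, PUBLISHED[port]) for addr, port in docker
                    if addr == "*" and port in PUBLISHED
                    and port not in PROXY_PORTS)
    return missing, direct


if __name__ == "__main__":
    missing, direct = audit(LSOF_OUTPUT)
    print("published but not listening:", missing or "none")
    for port, service in direct:
        print(f"{service}: *:{port} is reachable without the proxy")
```

Once nginx reaches `collabora:9980` over the Docker network, a service flagged here only needs its `ports:` entry if something outside Docker must connect to it directly.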

Ok – it’s always two steps forward and one step backwards

All the changes we’ve made so far have been just with either collabora or your nginx config for your office.* site. Theoretically it would be possible to throw away the collabora section within the docker-compose file and you’d have everything still up and running without collabora.

If you could post some logs that would be great. For example since nginx is running within your letsencrypt container:

docker logs letsencrypt 

Are you able to post your nginx conf files for nextcloud and office? I think you might have already posted office nginx conf already.

Also make sure you restart all your containers and clear your browser cache. In testing things I usually have windows opened up in Chrome and Firefox. Since I don’t use FF all that much, I make this the test browser where I can easily delete all the cached content.

This looks relevant. This is from the letsencrypt logs:

nginx: [emerg] invalid number of arguments in "proxy_pass" directive in /config/nginx/proxy-confs/collabora.subdomain.conf:17

Here’s that:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

My Jellyfin URL isn’t working anymore either, for some reason.

Ok

When you make an nginx change, always check with

nginx -t

since it will tell you about syntax errors.

Ok your error (which I should have noticed) is that you don’t have a semicolon after your proxy_pass $upstream statements within your collabora.conf file. It should be

proxy_pass $upstream;

Nothing is working since nginx didn’t start properly.

Alright. Adding those semicolons is now just giving me a white screen when I click on my test.odt. Progress!

So great??? or not?

What if you open another odt or doc file? Can you edit a file and save it?

It just gives me the white screen for any office file I open.

Can you post maybe some logs from nextcloud or the collabora container?

From any computer on the same LAN, what do you get in the browser if you type:

http://<docker host IP>:9980

It just gives me a blank screen that says “OK”. There is a LibreOffice favicon though.

Ok is what you want. Great. It means the collabora server is visible on the network.

Any log files? I can’t imagine why you are getting a blank screen with every file.

You get a WOPI error because the domain is not allowed to edit. What is the line that you start your collabora docker with?
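
A way to sanity-check a `domain=` value before restarting the container, added here as an illustration and not taken from the thread or from Collabora's code. It assumes that a doubled backslash in the compose file reaches the matcher as a single backslash and that the pattern has to match the complete Nextcloud host name; the look-alike host `cloud-mydomain.com` is constructed for the example.

```python
import re

# Assumptions of this example (not confirmed by the thread):
#  - a doubled backslash in docker-compose.yml reaches the matcher as one
#    backslash, so the dot that follows it is a literal dot;
#  - the pattern has to match the complete host name.


def effective_pattern(compose_value):
    """Collapse each doubled backslash to a single one."""
    return compose_value.replace("\\\\", "\\")


def wopi_host_allowed(compose_value, host):
    """True if `host` is accepted by the allow pattern."""
    try:
        return re.fullmatch(effective_pattern(compose_value), host) is not None
    except re.error:
        return False


def lint(compose_value):
    """Return warnings about a domain= value."""
    pattern = effective_pattern(compose_value)
    findings = []
    if "<" in pattern or ">" in pattern:
        findings.append("angle brackets from a placeholder are still in the value")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped '.' matches any character, not only a dot")
    try:
        re.compile(pattern)
    except re.error as exc:
        findings.append(f"not a valid regular expression: {exc}")
    return findings


# The three spellings of the value that appear in this thread.
CANDIDATES = [
    r"<cloud\\.mydomain\\.com>",
    r"cloud\\.mydomain\\.com",
    r"office.mydomain\\.com|cloud.mydomain\\.com",
]
# Second host is a constructed look-alike that should never be allowed.
HOSTS = ["cloud.mydomain.com", "cloud-mydomain.com"]


def report():
    """Return (value, hosts it allows, lint warnings) for each candidate."""
    return [(v, [h for h in HOSTS if wopi_host_allowed(v, h)], lint(v))
            for v in CANDIDATES]


if __name__ == "__main__":
    for value, allowed, findings in report():
        print(f"domain={value}")
        print("  allowed hosts:", allowed or "none")
        for finding in findings:
            print("  warning:", finding)
```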