Collabora and HAProxy - Access Denied or Timeout

I’m trying to setup Callabora on my webservers that are sat behind pfSense and HAProxy. I can access nextcloud perfectly, but when I attempt to open a document using callabora either get “Access Denied” if I’m not terming the SSL certificates on HAProxy, or I get a timeout if I terminate the certificate on the load balancer.

I installed Callabora following the install guide at

docker run -t -d -p -e 'domain=nextcloud\\.*domain*\\.co\\.uk' --restart always --cap-add MKNOD collabora/code

I’m using Apache2 on the webservers and my conf file in sites-enabled is:

<VirtualHost *:80>
        ServerName office.*domain*
        Redirect permanent / https://office.*domain*
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =office.*domain*
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

<VirtualHost *:443>
   ServerName office.*domain*

   # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/office.*domain*
   SSLCertificateKeyFile /etc/letsencrypt/live/office.*domain*
   SSLCertificateChainFile /etc/letsencrypt/live/office.*domain*
   SSLProtocol             all -SSLv2 -SSLv3
   SSLHonorCipherOrder     on

   # Encoded slashes need to be allowed
   AllowEncodedSlashes NoDecode

   # Container uses a unique non-signed certificate
   SSLProxyEngine On
   SSLProxyVerify None
   SSLProxyCheckPeerCN Off
   SSLProxyCheckPeerName Off

   # keep the host
   ProxyPreserveHost On

   # static html, js, images, etc. served from loolwsd
   # loleaflet is the client part of LibreOffice Online
   ProxyPass           /loleaflet retry=0
   ProxyPassReverse    /loleaflet

   # WOPI discovery URL
   ProxyPass           /hosting/discovery retry=0
   ProxyPassReverse    /hosting/discovery

   # Main websocket
   ProxyPassMatch "/lool/(.*)/ws$" wss://$1/ws nocanon

   # Admin Console websocket
   ProxyPass   /lool/adminws wss://

   # Download as, Fullscreen presentation and Image upload operations
   ProxyPass           /lool
   ProxyPassReverse    /lool

I have a feeling the issue is either with my HAProxy settings, or Callabora isn’t currently compatible with it. Any help or pointers would be hugely appreciated.

After re-checking the load balancer settings, I am now able to see the collabora container and get a “Well, this is embarrassing, we cannot connect to your document. Please try again.” error.

So you have CODE in another machine as a standalone?
(Stand alone means it was it’s own apache with reverse proxy.)
And try to link it to a nextcloud server behind HAProxy?

I don’t think it has something to do on the proxy, since all the traffic happens on port 443 (Apache routes 9980 to 443 with the reverse proxy) so you can use it on any https connection.

Both domains are hosted on the same webserver at the moment. If they need splitting out I can spin up another VM.

Currently there are 2 sites in my Apache sites-enabled folder and

HAProxy is sat on my pfSense firewall and that is just forwarding all the connections to the single webserver at the moment.

I can successfully get to the admin pages at

If I wait long enough after the This is embarrassing message, I get an error that javascript needs to be enabled. It is enabled. Once here, I have full editing capabilities and the file even saves successfully. Unfortunately, even if I edit and save the file, if I open it again I am greeted with the same error and javascript message (The javascript message replaces all content in the document).

This application requires JavaScript for correct operation. Please enable JavaScript and reload the page. 

Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.
Nextcloud – a safe home for all your data

That’s fine!

Could it be that you have a hardcore secure configuration on your browser?

This is the first time, i hear somebody has issues with code/collabora and javascript

I thought you might be right about my browser configuration, but I’ve tried on a number of browsers, some not locked down at all and it seems the Javascript error is a red herring. Once I see this error, I have full control of the application, it just doesn’t have the data inside the document any more!

The only real thing I can see is in the developer console, after the embarrassing error. Please see the link below for examples.

Do you have encryption enabled?

Encryption is not supported at the time on CODE/Collabora.

Apart from that, i was thinking.

You have
||------------ localhost /|| ---------------NAT ------------|| Internet ||
||CODE(SSL) ==> Apache2.4 (SSL)|| ==> HAProxy (Valid SSL?) ==> Internet

Could it be that your browser is not loading some “insecure elements” so you don’t get the full javascript suite?
Examples could be some like this:

Face palm
I’ve just checked and you are correct. I could have sworn I didn’t enable it during the rebuild.
That’ll teach me not to check the basics before spending weeks banging my head against the wall.

Time for a rebuild of nextcloud!

Thank you so much for your time and help!

Edit I didn’t see the second part of the message, sorry. I have checked and I have fully trusted certificates on HAProxy and in Apache.

1 Like

Glad to know! :slight_smile:

Small update.

You were bang on with the encryption. I removed the encryption and Collabora started working, albeit with some issues.My guess is probably in my config somewhere along the line, or residual issues from the encryption.

The first time I open a document after the web server spins up it will open perfectly. After that I get the This is embarrassing error message. This will persist indefinitely, however I can close remove the message and get the document to show by clicking one of the buttons in the ribbon at the top. Not ideal, but certainly not terrible!

Fingers crossed it’s just a bug in the release.


Well yeah, that could be the case.

Try with a private session (to avoid cached content) on your browser and create a new file.
Hopefully that will let you know if new files would be affected (… they shouln’t).