Collabora and HAProxy - Access Denied or Timeout

I’m trying to set up Collabora on my webservers that are sat behind pfSense and HAProxy. I can access Nextcloud perfectly, but when I attempt to open a document using Collabora I either get “Access Denied” if I’m not terminating the SSL certificates on HAProxy, or I get a timeout if I terminate the certificate on the load balancer.

I installed Collabora following the install guide at https://nextcloud.com/collaboraonline/

e.g.
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.*domain*\\.co\\.uk' --restart always --cap-add MKNOD collabora/code

I’m using Apache2 on the webservers and my conf file in sites-enabled is:

<VirtualHost *:80>
        ServerName office.*domain*.co.uk
        Redirect permanent / https://office.*domain*.co.uk/
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =office.*domain*.co.uk
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:443>
   ServerName office.*domain*.co.uk:443

   # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/office.*domain*.co.uk/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/office.*domain*.co.uk/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/office.*domain*.co.uk/chain.pem
   SSLProtocol             all -SSLv2 -SSLv3
   SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-$
   SSLHonorCipherOrder     on

   # Encoded slashes need to be allowed
   AllowEncodedSlashes NoDecode

   # Container uses a unique non-signed certificate
   SSLProxyEngine On
   SSLProxyVerify None
   SSLProxyCheckPeerCN Off
   SSLProxyCheckPeerName Off

   # keep the host
   ProxyPreserveHost On

   # static html, js, images, etc. served from loolwsd
   # loleaflet is the client part of LibreOffice Online
   ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
   ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

   # WOPI discovery URL
   ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
   ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

   # Main websocket
   ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

   # Admin Console websocket
   ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

   # Download as, Fullscreen presentation and Image upload operations
   ProxyPass           /lool https://127.0.0.1:9980/lool
   ProxyPassReverse    /lool https://127.0.0.1:9980/lool
 </VirtualHost>

I have a feeling the issue is either with my HAProxy settings, or Collabora isn’t currently compatible with it. Any help or pointers would be hugely appreciated.

edit
After re-checking the load balancer settings, I am now able to see the collabora container and get a “Well, this is embarrassing, we cannot connect to your document. Please try again.” error.

So you have CODE in another machine as a standalone?
(Stand alone means it was its own apache with reverse proxy.)
And try to link it to a nextcloud server behind HAProxy?

I don’t think it has something to do with the proxy, since all the traffic happens on port 443 (Apache routes 9980 to 443 with the reverse proxy) so you can use it on any https connection.

Both domains are hosted on the same webserver at the moment. If they need splitting out I can spin up another VM.

Currently there are 2 sites in my Apache sites-enabled folder nextcloud.domain.co.uk.conf and office.domain.co.uk.conf

HAProxy is sat on my pfSense firewall and that is just forwarding all the connections to the single webserver at the moment.

I can successfully get to the admin pages at https://office.domain.co.uk/loleaflet/dist/admin/admin.html

If I wait long enough after the This is embarrassing message, I get an error that javascript needs to be enabled. It is enabled. Once here, I have full editing capabilities and the file even saves successfully. Unfortunately, even if I edit and save the file, if I open it again I am greeted with the same error and javascript message (The javascript message replaces all content in the document).

This application requires JavaScript for correct operation. Please enable JavaScript and reload the page. 
Nextcloud 

Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.
Nextcloud – a safe home for all your data

That’s fine!

Could it be that you have a hardcore secure configuration on your browser?

This is the first time I hear somebody has issues with code/collabora and javascript

I thought you might be right about my browser configuration, but I’ve tried on a number of browsers, some not locked down at all and it seems the Javascript error is a red herring. Once I see this error, I have full control of the application, it just doesn’t have the data inside the document any more!

The only real thing I can see is in the developer console, after the embarrassing error. Please see the link below for examples.

Wait!!!
Do you have encryption enabled?

Encryption is not supported at the time on CODE/Collabora.

Apart from that, I was thinking.

You have
||------------ localhost /127.0.0.1-------|| ---------------NAT ------------|| Internet ||
||CODE(SSL) ==> Apache2.4 (SSL)|| ==> HAProxy (Valid SSL?) ==> Internet

Could it be that your browser is not loading some “insecure elements” so you don’t get the full javascript suite?
Examples could be some like this:

Face palm
I’ve just checked and you are correct. I could have sworn I didn’t enable it during the rebuild.
That’ll teach me not to check the basics before spending weeks banging my head against the wall.

Time for a rebuild of nextcloud!

Thank you so much for your time and help!

Edit I didn’t see the second part of the message, sorry. I have checked and I have fully trusted certificates on HAProxy and in Apache.

Glad to know! :slight_smile:

Small update.

You were bang on with the encryption. I removed the encryption and Collabora started working, albeit with some issues. My guess is probably in my config somewhere along the line, or residual issues from the encryption.

The first time I open a document after the web server spins up it will open perfectly. After that I get the This is embarrassing error message. This will persist indefinitely, however I can close the message and get the document to show by clicking one of the buttons in the ribbon at the top. Not ideal, but certainly not terrible!

Fingers crossed it’s just a bug in the release.

Thanks

Well yeah, that could be the case.

Try with a private session (to avoid cached content) on your browser and create a new file.
Hopefully that will let you know if new files would be affected (… they shouldn’t).

Cheers!
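
A check for the "insecure elements" question raised in the thread, as an added example that is not part of the original posts: it parses a WOPI discovery document (the `/hosting/discovery` path proxied in the Apache config above) and flags `urlsrc` values that a browser on an HTTPS page could not load. It assumes the standard WOPI discovery layout with `urlsrc` attributes on `action` elements; the sample XML, the `office.example.co.uk` hostname and the function name `audit_discovery` are constructed for illustration.

```python
# Added example: audit a WOPI discovery document for editor URLs that a
# browser behind a TLS-terminating proxy would block or fail to reach.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input (hostnames and the "abc123" hash are placeholders).
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action ext="odt" name="edit"
              urlsrc="http://office.example.co.uk/loleaflet/abc123/loleaflet.html?"/>
    </app>
    <app name="calc">
      <action ext="ods" name="edit"
              urlsrc="https://127.0.0.1:9980/loleaflet/abc123/loleaflet.html?"/>
    </app>
    <app name="impress">
      <action ext="odp" name="edit"
              urlsrc="https://office.example.co.uk/loleaflet/abc123/loleaflet.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def audit_discovery(xml_text, public_host):
    """Return (ext, urlsrc, problem) for every action a browser cannot load."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        url = action.get("urlsrc", "")
        parts = urlsplit(url)
        problems = []
        if parts.scheme != "https":
            problems.append("not https (mixed content on an HTTPS page)")
        if parts.hostname != public_host:
            problems.append("host is not the public name")
        if parts.port not in (None, 443):
            problems.append("backend port exposed to the client")
        for problem in problems:
            findings.append((action.get("ext"), url, problem))
    return findings


if __name__ == "__main__":
    for ext, url, problem in audit_discovery(SAMPLE_DISCOVERY, "office.example.co.uk"):
        print(f"{ext}: {url} -> {problem}")
```

To run it against a live server, save the body of `/hosting/discovery` to a file and pass its contents together with the public hostname that clients use.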