Collabora and Nextcloud 11

Could do with your Apache logs because Apache is being used as a reverse proxy and connecting on 9980 and not NC there will be some good info there on any config error.

You have what is probably the most compatible setup for NC & Collabora, I made a few bad installs, but actually I clicked with the settings and could get Collabora to work, but couldn’t get collabora to open a document.
Ark74 kindly fixed that for me because Aufs isn’t part of the default kernel setup in Debian which I am presuming is in Ubuntu.

That is not your problem though as you seem to be getting the error I was getting where you don’t see Openoffice and just get an ‘access denied’ error.
That with me was just getting things a little mixed with domain names, dns and the apache.conf virtual domains.

I followed the excellent tutorials by Xiao Guoan on linuxbabe; he has three, from LAMP install with php7.0, to Nextcloud, and finally Nextcloud and Collabora.
You have to update with the slight changes on https://nextcloud.com/collaboraonline/ as there have been a few little tweaks to the .conf scripts.

Apols but maybe start back at scratch with collabora and certs with NC with those tutorials and see how things go and post what it says in both the virtualhost error log and other_vhosts (if it is missing SNI as they will end up there)

You self hosting or cloud/vps?

Okay, I checked everything (with the settings from linuxbabe.com) now and here are the different ways and the results:
And yes, I’m self hosting nextcloud

NC-App:
https://my-example.net -> access denied
https://my-example.net:51111 -> Unauthorized WOPI host

Docker:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=my-example\\.net:51111' --restart always --cap-add MKNOD collabora/code

But the docker reverse proxy is working

tcp        0      0 127.0.0.1:9980          0.0.0.0:*               LISTEN      24023/docker-proxy

EDIT: The docker logs

$ docker logs a9d839d49179
Generating RSA private key, 2048 bit long modulus
.....+++
...........+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..+++
...........+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
wsd-00026-0027 0:00:22.625848 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00026-0028 0:00:23.353490 [ client_ws_0002 ] WRN  getNewChild: No available child. Sending spawn request to forkit and failing.| wsd/LOOLWSD.cpp:411
wsd-00026-0028 0:00:28.355706 [ client_ws_0002 ] WRN  getNewChild: No available child. Sending spawn request to forkit and failing.| wsd/LOOLWSD.cpp:411
wsd-00026-0028 0:00:31.648620 [ client_ws_0002 ] ERR  Error in client request handler: No acceptable WOPI hosts found matching the target host [my-example.net] in config.| wsd/LOOLWSD.cpp:1012
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.15", "BuildId": "345fa14e85e6e36ad0280f4e549c70f6b9af1a18" }

@Ark74 if I won’t fix it by myself, you’re the guy who likes a few beers, right? :wink:

:joy:
Hahaha! Sure who doesn’t.

I’ll suggest to hang around at the IRC channel (nextcloud at freenode) is a great way to get help in what is the closest to real time, there you’ll meet some really smart guys.
Or drop me a line, and we’ll check what’s your specific issue.
Cheers

@nobody1407 do you have support for aufs?

Please confirm with,
grep aufs /proc/filesystems

hmm… I don’t think so…

root@debian:/# grep aufs /proc/filesystems
root@debian:/# 

:confused:

there you have your issue :grin:

Fix it before trying any other configuration.

I found this for us Debian users, but it was @Ark74 who showed and told me what the problem is.

Didn’t bother with the backport kernel-image but the docker info and logging tips are pretty handy.
Looks like we could have a prob with Aufs as the Overlay storage driver comes into the mainline kernel.

So dunno, as didn’t realize there was problems with Aufs, but on the scale I use no bother.

root@portal:~# docker info
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 0
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 0
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: overlay bridge null host
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options:
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.871 GiB
Name: portal
ID: M74U:S6KG:KF5Y:WXLO:4R7G:USZK:ALOC:KN5J:FXUQ:OEHL:776D:JC43
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No kernel memory limit support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Insecure Registries:
 127.0.0.0/8
root@portal:~# grep aufs /proc/filesystems
nodev   aufs

So I guess with docker it’s going to be confusing until Aufs vs Overlay is settled.
If you add the docker repo to /etc/apt/sources.list and then install it brings in aufs and aufs-tools for you.

Thank you for your tips, but I already added the docker repo to /etc/apt/sources.list

Containers: 9
 Running: 1
 Paused: 0
 Stopped: 8
Images: 2
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 20
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options:
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.816 GiB
Name: debian
ID: J7QW:NZLF:EXQU:MZ6U:LWBH:RYXX:YR7G:OHB6:D4EJ:7G35:YIME:UADU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Insecure Registries:
 127.0.0.0/8

/etc/systemd/system/docker.service.d/execWithDeviceMapper.conf

[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// --storage-driver=aufs --icc=false --iptables=true

systemctl daemon-reload && systemctl restart docker

docker logs c31b5eaae46b
Generating RSA private key, 2048 bit long modulus
.................................................................................................................................................................................................................+++
.............................................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
............+++
..................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.8 - 1.9.8
loolforkit version details: 1.9.8 - 1.9.8
frk-00033-0033 0:00:00.001453 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00033-0033 0:00:00.001910 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00033-0033 0:00:00.002416 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00025-0034 0:00:05.034458 [ loolwsd ] WRN  Trying to find memory of invalid/dead PID 33
loolforkit version details: 1.9.8 - 1.9.8
frk-00038-0038 0:00:00.006030 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00038-0038 0:00:00.006380 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00038-0038 0:00:00.006757 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00042-0042 0:00:00.003218 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00042-0042 0:00:00.003536 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00042-0042 0:00:00.003840 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00047-0047 0:00:00.004811 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00047-0047 0:00:00.005327 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00047-0047 0:00:00.005730 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00052-0052 0:00:00.002768 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00052-0052 0:00:00.003023 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00052-0052 0:00:00.003323 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00025-0026 0:00:22.435853 [ client_req_hdl ] ERR  File [/usr/share/loolwsd//loleaflet/2.0.1/loleaflet.html] does not exist.
loolforkit version details: 1.9.8 - 1.9.8
frk-00057-0057 0:00:00.003230 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00057-0057 0:00:00.003570 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00057-0057 0:00:00.003885 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00062-0062 0:00:00.002006 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00062-0062 0:00:00.002149 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00062-0062 0:00:00.002336 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00067-0067 0:00:00.002110 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00067-0067 0:00:00.002617 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00067-0067 0:00:00.002882 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
loolforkit version details: 1.9.8 - 1.9.8
frk-00072-0072 0:00:00.003121 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00072-0072 0:00:00.003581 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00072-0072 0:00:00.003990 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.

Apols @nobody1407 , dunno to be honest.

https://my-example.net -> access denied, when I was getting ‘access denied’ was actually my config errors.

https://my-example.net:51111 -> Unauthorized WOPI host I never tried a direct connection to the Collabora container and it may not accept connections on non standard ports, but completely blind on that.

I really can not understand why you don’t set up two subdomains nextcloud & office on my-example.

If you are self hosting you don’t even need a registered domain to do this but just edit the server hosts file to have the current IP allocated against those server subdomains.
Also edit the access clients hosts file so it is the same?

letsencrypt will be a pain without a public domain IP and again wondering why not just add an A record and subdomain also, just so you are replicating the tutorials exactly and then work backwards from there?

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=my-example\\.net:51111' --restart always --cap-add MKNOD collabora/code looks correct as long as domain=my-example\.net:51111 is the nextcloud subdomain and port and not the office subdomain and port.

I had a couple of days off and I will run up a copy here at home and I will see if I can replicate your problems. But scratching my head as after the kind intervention from @Ark74 its working great for me.

I just posted the Docker stuff as been getting to grips with it myself and the Admin manual seems a tad shy of some tips that could make things a little easier to get info and logs from what is almost a blind install of a docker container.

Oh, I tried this ways, too. But it was the same result. The Collabora subdomain was collabora.my-example.net (A Record subdomain)

Yes, my-example.net:51111 is the nextcloud domain.

Maybe you need more information about my server…

  • Linux debian 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1 (2016-12-30) x86_64 GNU/Linux
  • PHP7.0
  • nginx version: nginx/1.10.2
  • running as virtual machine (phpvirtualbox)

EDIT: The result of grep aufs /proc/filesystems:

grep aufs /proc/filesystems
nodev	aufs

Is it a good point?

Yeah you have Aufs on your system and now we need to get Docker to use Aufs.

I was exactly the same with Debian 8.6 where after I managed to fix my configuration errors which gave me ‘Access Denied’ I was still left with a strange error where I could see the OpenOffice container but no document and an error apologizing for an embarrassing error.

@Ark74 fixed it for me and I haven’t done much since, I will run a virtual machine up with Debian but also the Aufs problem is also prevalent on Ubuntu.

Also now Aufs is enabled we might want to reinstall docker, as aufs-tools and settings should now work and it should configure itself without us having to.

I will have a go my end as to be honest I installed Nextcloud for a community center as a freebie and did quite a bit of work for them. Generally I need to be dragged kicking and screaming to work with computers, but I must admit I have got a bit of a Nextcloud bug so will do something today after a couple of days of being lazy.

Here is my Docker Info from a working Debian 8.6 Collabora install.

 docker info
Containers: 1
 Running: 1
 Paused: 0
 Stopped: 0
Images: 1
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-9:3-33292969-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: ext4
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 2.327 GB
 Data Space Total: 107.4 GB
 Data Space Available: 105 GB
 Metadata Space Used: 1.901 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.90 (2014-09-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge null host overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options:
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.861 GiB
Name: nextcloud
ID: 255C:JGTQ:WGXQ:AFR6:T2VX:WC7V:3GJC:LH5W:FKAZ:U7VB:NHLM:JNBF
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Insecure Registries:
 127.0.0.0/8

That’s so crazy :disappointed:

Ok, I reinstalled docker-engine and the recommended extra packages

sudo apt-get install curl \
linux-image-extra-$(uname -r) \
linux-image-extra-virtual

But the last packages are not found :confused: But the other things look good

grep aufs /proc/filesystems
nodev	aufs

docker info
Containers: 2
 Running: 1
 Paused: 0
 Stopped: 1
Images: 1
Server Version: 1.13.0
Storage Driver: devicemapper
 Pool Name: docker-8:1-5899233-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: ext4
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 2.265 GB
 Data Space Total: 107.4 GB
 Data Space Available: 48.41 GB
 Metadata Space Used: 1.851 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.90 (2014-09-01)
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 03e5862ec0d8d3b3f750e19fca3ee367e13c090e
runc version: 2f7393a47307a16f8cee44a37b262e8b81021e3e
init version: 949e6fa
Kernel Version: 3.16.0-4-amd64
Operating System: Debian GNU/Linux 8 (jessie)
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 7.816 GiB
Name: debian
ID: J7QW:NZLF:EXQU:MZ6U:LWBH:RYXX:YR7G:OHB6:D4EJ:7G35:YIME:UADU
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No kernel memory limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

I’ve still the same error:

docker logs 307aaa2aec6b
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
............................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..........................................................................................................................................................................................................+++
.........+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
wsd-00025-0026 0:00:18.336687 [ client_ws_0001 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
wsd-00025-0026 0:00:18.357992 [ client_ws_0002 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
wsd-00025-0027 0:00:26.094506 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00025-0026 0:00:26.583299 [ client_ws_0003 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
wsd-00025-0027 0:00:26.781016 [ client_ws_0004 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
wsd-00025-0026 0:00:34.957640 [ client_ws_0005 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
wsd-00025-0027 0:00:34.977283 [ client_ws_0006 ] ERR  ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1221
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.15", "BuildId": "345fa14e85e6e36ad0280f4e549c70f6b9af1a18" }
wsd-00025-0027 0:06:17.465034 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00025-0026 0:06:17.957101 [ client_ws_0008 ] ERR  Error in client request handler: No acceptable WOPI hosts found matching the target host [my-example] in config.| wsd/LOOLWSD.cpp:1012

@nobody1407 I think I have been leading you down the garden path, maybe guided slightly myself :slight_smile:

Being a Nextcloud noob and generally dodging IT nowadays, it’s taking me a while to get to grips.

Best setup I have found is on linux babe

Xiao Guoan has done a series of great tutorials all the way from server setup to Collabora.

After a lot of messing because I am self hosting the docker container because of my talktalk router and port forwarding was hitting the router because it is the public IP and not actually the next cloud server.

I am just running through the setup now and will have a go with Ubuntu as well even though I am favoring Debian at the moment.

I have forgotten, are you self hosting or on some VPS space somewhere?

I have set up dnsmasq and turned off dhcp & will run the internal DNS myself without having to edit a single host file this time. Editing host files is no problem really but I forgot about the important one of the docker container!

Its my weekend project to relay noob simple setups and maybe create a tutorial or 2 (debian / ubuntu)

Collabora is working fine and I am thinking all that bumf about Aufs might have been a bum steer but it’s a cinch to swap to devicemapper if it is a prob.
It’s all working fine and dandy for me, on installs of my own and if this dumbnumpty can do it I reckon it should be no probs for all.

Docker has been a bit of a learning curve for me as have been out of the loop for a while but actually, you know I think I like it now :slight_smile:

Gee man!
You are really having a hard time getting this together.

Think this separately.
You have your nextcloud instance up and running, right?
Then you only need to get the docker image right, and you’ll be good to go.

I see you have aufs support then

  • change the storage driver to use AUFS.
  • configure the proxy/code configuration and set the SSL certs for both of your domains
    (you seem to be running nginx so) set the configuration as seen here.
  • fix your ports from 433 and 9980 to wherever you use.
  • Run the docker container escaping all points and colons (. : )
    my\\.nc-server\\.com\\:1234
  • finally on your nextcloud instance set your docs domain on the administrative interface: https://docs.nc-server.com:5678

You can use a different domain for the docker proxy, as long as it has a valid SSL cert.

https://docs.thisisanotherdomain.com:5678

Cheer up you’re close.
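
Added example (not part of the thread and not Collabora's code): a small triage of the two failure signatures in the docker logs quoted above, the missing loolforkit capabilities and the rejected WOPI host. It assumes the allow-list pattern is matched against the whole host name without the port, as the logged `[my-example.net]` suggests, and that the doubled backslash in the `domain` value collapses to one; all function names are made up for this example.

```python
import re

# Lines copied from the two docker logs quoted in the thread (only the relevant ones).
SAMPLE_LOG = """\
loolforkit version details: 1.9.8 - 1.9.8
frk-00033-0033 0:00:00.001453 [ loolforkit ] FTL  Capability cap_sys_chroot is not set for the loolforkit program.
frk-00033-0033 0:00:00.001910 [ loolforkit ] FTL  Capability cap_mknod is not set for the loolforkit program.
frk-00033-0033 0:00:00.002416 [ loolforkit ] FTL  Capability cap_fowner is not set for the loolforkit program.
wsd-00026-0027 0:00:22.625848 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00026-0028 0:00:31.648620 [ client_ws_0002 ] ERR  Error in client request handler: No acceptable WOPI hosts found matching the target host [my-example.net] in config.| wsd/LOOLWSD.cpp:1012
"""

CAP_RE = re.compile(
    r"\bFTL\s+Capability (cap_\w+) is not set for the loolforkit program")
WOPI_RE = re.compile(
    r"No acceptable WOPI hosts found matching the target host \[([^\]]*)\]")
# A trailing ":port" or "\:port" at the end of the allow-list pattern.
PORT_SUFFIX_RE = re.compile(r"\\?:\d+$")


def effective_pattern(domain_env):
    # Assumption: each doubled backslash typed in the docker run command
    # reaches the allow-list as a single backslash, so the value
    # my-example\\.net becomes the regex my-example\.net.
    return domain_env.replace("\\\\", "\\")


def wopi_host_allowed(pattern, host):
    # Assumption: the pattern has to match the whole host name, and the
    # host name carries no port (the logged target host has none).
    try:
        return re.fullmatch(pattern, host) is not None
    except re.error:
        return False


def triage(log_text, domain_env):
    """Summarise missing capabilities and rejected WOPI hosts in a log."""
    pattern = effective_pattern(domain_env)
    without_port = PORT_SUFFIX_RE.sub("", pattern)
    missing_caps = set()
    rejected = {}
    for line in log_text.splitlines():
        cap = CAP_RE.search(line)
        if cap:
            missing_caps.add(cap.group(1))
            continue
        wopi = WOPI_RE.search(line)
        if wopi:
            host = wopi.group(1)
            rejected[host] = {
                # Does the configured pattern accept the host as logged?
                "matches_pattern": wopi_host_allowed(pattern, host),
                # Would it accept the host if the port part were dropped?
                "matches_without_port": wopi_host_allowed(without_port, host),
            }
    return {
        "pattern": pattern,
        "missing_capabilities": sorted(missing_caps),
        "rejected_hosts": rejected,
    }


if __name__ == "__main__":
    # The domain value exactly as typed inside the single quotes in the thread.
    report = triage(SAMPLE_LOG, r"my-example\\.net:51111")
    print("effective pattern:", report["pattern"])
    print("missing capabilities:", ", ".join(report["missing_capabilities"]))
    for host, result in report["rejected_hosts"].items():
        print(host, result)
    # Why the dots are escaped: an unescaped dot widens the allow-list.
    print("unescaped dot accepts my-exampleXnet:",
          wopi_host_allowed("my-example.net", "my-exampleXnet"))
```

Under these assumptions the logged host `my-example.net` fails against `my-example\.net:51111` and passes once the port part is dropped, which is the mismatch to check before changing anything else.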

Debian Jessie Apache MariaDB Php7.0 Nextcloud 11 Collabora start to finish with a few extras

Being a recent Nextcloud noob ran me into a few teething problems that with hindsight shouldn’t have been a problem at all.
So here is a current tutorial, the one I should have found, before wasting a few days, due to my lack of knowledge.

I am going to presume no Linux knowledge and just provide a copy&paste step by step guide on how to get things operational. Also this is a self hosting guide, but actually a VPS/Cloud is practically the same in fact slightly easier as no local DNS to worry about.

1… Lets get Debian Jessie http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.7.1-amd64-netinst.iso download the net install cd of Jessie as grabbing from the net is instantly up to date.
Because of the use of Docker on AMD/Intel platforms you will have to use the 64bit install.

2… Burn your Debian ISO to disk DVD/CD or USB stick, you can do this via windows or CdburnerXP which is my preference for disks. https://cdburnerxp.se/downloadsetup.exe
Or we can create a USB install with Unetbootin https://unetbootin.github.io/
Burning an ISO image to disk or USB is relatively simple and a quick google will quickly get you up to speed on that.

3… This guide is for a clean install and will wipe the target computer clean, equipment wise you can have very modest hardware and an old PC with a network card, hard drive and USB is really all you need, 2GB RAM and 40GB hard drive is more than enough for the system at least and a monitor you can use for the install, also a network connection.

4… All computer Bios are different but power on the machine and press del, F10 or hit what ever key you need to select the boot order. Depending on if you burned a disk or USB select that correct media to boot from.

Hopefully you managed the above and hit enter to start the install.
You will get a prompt to choose your language and country keymap and hit enter until you get to the hostname.
I am going to use the hostname Nextcloud on the domain Vote4u.org.uk for the purpose of this tutorial, you can use Nextcloud or whatever hostname you wish. You may have a registered domain or may even use your surname as in Naylor.lan if this is just a local install.

So for the hostname change from debian to Nextcloud (all lower case) hit enter, for the domain vote4u.org.uk and hit enter again.
Then its a matter of the password for the root account (Admin) pick a good password alphanumeric with a mixture of case and maybe the odd special character such as * or £.
14Me24Get! Is probably highly apt in my case and confirm it.
Then add the main user which will be the sudo admin stuart in my case, account name stuart and I am going to use the same password, pick quite strong ones as apart from the install, touch wood you will not need them often.

Partitioning method two choices here either Guided-use entire disk and setup LVM or Guided use entire disk and setup encrypted LVM. We are just going to use the guided install as its super easy, encryption means the system is relatively forensics proof, but most installs just go for just LVM.
I will at the end of the tutorial show you how to swap the encryption passphrase to a keyfile on a usb stick, so that if the machine is powered down it is not coming back to life unless that usb stick is plugged in the machine. It only needs the keyfile to boot and all can be made super secure by just pulling the plug.
But anyway normal install, select guided-entire disk LVM and hit enter.
With a one disk system select that disk and hit enter.
All files in one partition (hit enter)
Select (Yes) and hit enter.
It will choose the correct partition scheme for you, so just hit enter on finish partitioning and write changes to disk.
It asks once more as those disks are going to be wiped clean and a new OS is going to be installed, so select (Yes) and hit enter.
The installer will install a minimum default packages and then ask you to pick the nearest net repository of debian to install from. Hit enter twice as they are prob the best options.

Presuming you are not connected to a proxy server hit enter once more.
Its up to you if you participate in the usage survey and hit enter.

Now we are just going to install a server, with normal tools and SSH access,

So press the spacebar to deselect the desktop and print server, if needed they can be done later.
Spacebar to select SSH server and we should just have a * against SSH Server and standard system utilities. Tab to select continue and hit enter.

Yes to install grub to the master boot record, select your single drive /dev/sda and once more hit enter.
Debian Jessie on a last enter will now reboot and finally we get to setting things up.

We are going to logon as root with the root password.

First we are going to set up a sudo for the user account we created.

apt-get install sudo
nano /etc/sudoers

This config file often seems to cause shrill panic, just make sure you enter everything exactly as I say.
If you make a mistake or are not sure press ctrl+x and press n (no) to save and you will exit and you can start again.

Under the below line enter the user you entered on install and copy the exact case.
Use the down arrow to scroll down to the line directly below:- root ALL=(ALL:ALL) ALL
so it’s your username (mine is stuart) (press tab) ALL=(ALL:ALL) (press space) ALL (press enter once) so it looks exactly like the above line, apart from having your user name rather than root.
ctrl+x (press once at same time) (press y once) (hit enter) and the changes are saved.

usermod -a -G sudo stuart (substitute your user name for stuart)

Yes you can use su to switch to root but sudo is a common method and that basically sets sudo up and that user as sudo account with full root permissions, that can be locked down later.

ifconfig (press enter)

This will display your current network connections and if all went well, by ETH0 it will state the current IP address so we can connect via SSH and no longer need a monitor.

We now have to think about how we are going to connect and interact with clients as this is a server.
If you are setting up a VPS/Cloud install you can skip all this as you don’t have any clients apart from the docker container and with a VPS/Cloud it’s highly likely the ETH0 IP address is also the public domain address so the DNS entry in the registered domain settings is all you need.

If you are self hosting at home or even in a business it’s highly likely you will be on a private subnet such as 192.168.0/24.
With my ISP and router when I did an ifconfig the IP address was 192.168.1.7 and the default gateway was 192.168.1.1 because here we are on the 192.168.1/24 subnet and of 255 possible IPs from 192.168.1.1 to 192.168.1.255 and they are private ‘non’ routable addresses that can not be used as public domain IP addresses.
Which is no problem as the router from the ISP has your public IP address, but the problem is the IP addresses and DNS is different externally for remote connections than it is for local internal devices.

Each device has a hosts file which is a list of IP addresses and DNS names that takes priority over any DNS system. So the easiest way is just to configure each client hosts files so it has the right IP to DNS names and for a couple of computers is manageable. If you have a few computers and devices connecting it can be a pain having to configure the hosts file each time so a device can connect.

So you have a choice of providing a local DNS server or hosts file editing on every machine and either way will work and I will explain both.

Currently your ISP’s router is using DHCP to make your clients all get the right IP and point to the gateway (router ip) and (dns server router also).
What I am going to do is show two methods, one using dnsmasq as a super easy and powerful way to provide DHCP & DNS and turn that function off in the ISP router and secondly just using the ISP router and hosts file edits.

So if you have more than just a couple of computers and want to allow ad hoc connections with configuration needs and set up a typical office local subnet or busy home, then dnsmasq is the way to go, otherwise skip past this section and just manually configure each clients hosts files.

DNSMasq Setup.

Firstly being the DHCP, DNS and nextcloud server we are going to change the network settings to give us a static IP address.
My router address is 192.168.1.1 and I can see that in the network settings of my clients or ipconfig/ifconfig windows/linux.
Could be any IP in the 192.168.1/24 subnet but I am going to pick 192.168.1.2 so its the next IP up from the gateway (router ip)

sudo nano /etc/network/interfaces which should look currently something like this.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

It’s the highlighted section that needs to be deleted and replaced with.

# The primary network interface

allow-hotplug eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

ctrl+x (press both at the same time once) (Yes) (press y to save) (press enter)

That is a static IP address setup.

sudo apt-get install dnsmasq
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.old
sudo nano /etc/dnsmasq.conf

domain-needed
bogus-priv
no-resolv
no-poll
server=yourrouterip
server=8.8.8.8
server=208.67.220.220
local=/vote4u.org.uk/
expand-hosts
domain=vote4u.org.uk
dhcp-range=192.168.1.16,192.168.1.244,72h

#dhcp-host=nextcloud,192.168.1.200,36h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:ntp-server,192.168.1.1

That is for setting up the basics of our DNS/DHCP server and basically it will replicate whatever is in this server's hosts file to all connected clients and save us the hassle of having to do so.

dhcp-host=nextcloud,192.168.1.200,36h is an example of DHCP handing a static IP to a computer that connects with the hostname nextcloud.
dhcp-range=192.168.1.16,192.168.1.244,72h sets a DHCP range of 16-244 with a lease time of 72 hours.
The first 15 IPs like the router and this server 192.168.1 (1 & 2) are static and there is space for 13 more.

So if you have a different subnet such as 192.168.0/24 or 10.0.0/24 just change the above to suit.

This current method is just an easy single network card server but it is also very simple to act as the whole subnet firewall and router so that we have a reverse and forward network connection with two network cards and enhanced security like many security devices such as pfsense or smoothwall.

All we need to do is declare any static DNS entries in this server's /etc/hosts file as dynamic dhcp leases will be done dynamically and transparently.

sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 ns1.vote4u.org.uk ns1
192.168.1.2 ns1.vote4u.org.uk ns1
192.168.1.200 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
The above is an example of a stand-alone name server that replicates its hosts file for local DNS.

127.0.0.1 localhost
192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If we are also going to run nextcloud on this server then all we need is the above in /etc/hosts and DNSMasq will do the rest and nextcloud.vote4u.org will be DNS/DHCP & application server.
That's it really and you can override any public DNS or create new entries by adding them to this single hosts file.

Last thing with DNSMasq is to edit /etc/resolv.conf so it also uses the local DNS server
nano /etc/resolv.conf
Have only this
nameserver 127.0.0.1

Without DNSMasq every local device on the local subnet will need the line…
192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office
Added to each hostfile and also any other declared local DNS entries.
This also includes the docker container for Collabora.
Also you may also wish to synchronise time from this server.
NTP Server
sudo apt-get install ntp
sudo nano /etc/ntp.conf
uncomment the broadcast line and change to your subnet end with 255 (broadcast ip)

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.1.255

sudo systemctl restart ntp
sudo systemctl enable ntp
sudo ntpq -p #show status

So here we can start with installing Webmin, MariaDB, Apache and PHP7.0

Starting with MariaDB
sudo apt-get install -y software-properties-common curl zip
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
sudo add-apt-repository 'deb [arch=amd64,i386] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.1/debian jessie main'
sudo apt-get update;sudo apt-get install mariadb-server
sudo mysql_secure_installation
sudo nano /etc/mysql/my.cnf
Under these two lines add:- binlog_format = mixed
log-bin = /var/log/mysql/mariadb-bin
log-bin-index = /var/log/mysql/mariadb-bin.index

Apache
sudo apt-get install apache2 apache2-doc apache2-utils

PHP7
sudo nano /etc/apt/sources.list

Add these two at the bottom of the list
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
cd /tmp
wget https://www.dotdeb.org/dotdeb.gpg
sudo apt-key add dotdeb.gpg
sudo apt-get update
sudo apt-get install php7.0-common php7.0-gd php7.0-mysql php7.0-apcu php7.0-curl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-redis php7.0-xml php7.0-zip libapache2-mod-php7.0
sudo a2enmod rewrite headers env dir mime setenvif ssl proxy proxy_wstunnel proxy_http

Webmin
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.831_all.deb
sudo dpkg --install webmin_1.831_all.deb

I have included Webmin because, for those of us who struggle with Linux, having a graphical interface is really handy for those without encyclopedic knowledge and memory.
Access Webmin on https://myserver-ip:10000 and at the end of this tutorial, with the guide to install fail2ban and openvpn, I will give you some easy steps to reduce any security concerns, as there is a lot of hot air on this topic.

So wow, we are almost there and it's time to install Nextcloud.

https://nextcloud.com/install find the link to the latest and copy the url and in the following I am going to duplicate each step firstly using webmin, then the command line.
The choice is yours and each step only needs to be done once.

Webmin:
Right click on the latest nextcloud download link and copy the url.( https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip )

→ Others → File manager → navigate to /var/www/ → File → Download from remote url → paste the url and hit enter.
Right click on nextcloud-11.0.1.zip and select extract, if the extract command is missing it means unzip/zip is not installed.

In the left hand section margin of webmin, at the bottom you will see a >_ icon, click that and type apt-get -y install zip (press enter).
In file manager right click select refresh and right click again and you will now see the extract icon.
Select extract.
Right click on the extracted nextcloud folder → Properties → change ownership → www-data/www-data and check recursive and apply.
You can also delete the zip, right click and select delete.
→ File → Create Folder name it nextcloud-data → Create
Right click on the extracted nextcloud-data folder → Properties → change ownership → www-data/www-data and check recursive and apply.

CLI:
Copy the url https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip
sudo unzip nextcloud-11.0.1.zip
sudo cp -r nextcloud /var/www/
sudo chown www-data:www-data /var/www/nextcloud/ -R
sudo mkdir /var/www/nextcloud-data/
sudo chown www-data:www-data /var/www/nextcloud-data -R
Now the database.

Webmin:

→ Servers → MySQL Database Server.
First time use you will need to enter the root password.

→ Create new database → name it nextcloud → create

→ User permissions → create new user permissions → set a username and a password and set to localhost → create → return to database list
→ Create database permissions → create new database permissions → databases select the nextcloud database, select a user ( nextcloud ), select and enter localhost, select all permissions apart from ‘grant permissions’.

CLI:
sudo mysql -u root -p
create database nextcloud;
create user nextcloud@localhost identified by '14Me24Get!';
grant all privileges on nextcloud.* to nextcloud@localhost identified by '14Me24Get!';
flush privileges;

exit;

Create an Apache Virtual Host File for Nextcloud

Webmin:

→ Servers → Apache web server → Create virtual host → Port select 80, Document root select /var/www/nextcloud, servername nextcloud.your-domain.com → create now.
Double click that virtual domain → Edit directives.

Paste so it looks like so.
DocumentRoot "/var/www/nextcloud"
ServerName nextcloud.vote4u.org.uk
ServerAdmin stuartiannaylor@outlook.com

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
Satisfy Any
</Directory>

→ Save & close → return to server list. Top right of page click the refresh/apply changes button.

CLI:
sudo nano /etc/apache2/sites-available/nextcloud.conf
Paste and edit the below.
<VirtualHost *:80>
DocumentRoot "/var/www/nextcloud"
ServerName nextcloud.vote4u.org.uk

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All

<IfModule mod_dav.c>
Dav off
</IfModule>

SetEnv HOME /var/www/nextcloud
SetEnv HTTP_HOME /var/www/nextcloud
Satisfy Any
</Directory>
</VirtualHost>

ctrl+x Y to save
sudo a2ensite nextcloud.conf
sudo systemctl restart apache2

Now DNS.

If you have a VPS/Cloud then all you need to do is create a cname or A record for nextcloud and office subdomains depending on how your domain registrar DNS system works.
Mine is like so.
nextcloud CNAME vote4u.org.uk.
office CNAME vote4u.org.uk.

I am self hosting so I need to work with the public IP of my router and for many this will require either the purchase of a static IP address (really winds me up as it's a big con, really) or pay for a dynamic DNS service that you can set up in your router (which actually might be more than the cost of a static IP)
But until your public IP changes this will work.
With vote4u.org.uk being an A record to my public IP of my router.
@ A 92.2.183.195

That can be easily found by just a google for myip.
92.2.183.195
Your public IP address

If you have a VPS/Cloud then all clients access externally via the public IP and you are done except one client (The docker container of collabora is internal and may need a /etc/hosts entry to the private IP of the nextcloud virtualhost)

If you installed DNSMasq and edited this servers /etc/hosts so it looks like the below, you are already done for local DNS.

127.0.0.1 localhost
192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If you don’t have DNSMasq then in every client including the docker container you will need to add to /etc/hosts an entry as below.

192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

After that internally you can access nextcloud from http://nextcloud.vote4u.org.uk (or whatever domain you have employed).
Externally if you are self hosting you need to setup port forwarding for Http & Https to this server.
Each router is different but usually very easy to achieve.

So after all that we can navigate to http://nextcloud.vote4u.org.uk and it's important to get the DNS right before you set up the site as the configuration will use the current entries rather than IP addresses for configuration.

You can check the nextcloud dns with the command nslookup nextcloud.vote4u.org.uk
So set up your nextcloud and create an admin user, change the data directory to /var/www/nextcloud-data
Enter the database credentials you created and we should see nextcloud.

We are going to jump ahead slightly and install the Collabora office subdomain and also get a free cert from letsencrypt. The reason why I am doing this now is so we can get the certs for the nextcloud and office subdomains at the same time.

So set up another virtual host for office.vote4u.org.uk

Webmin:

→Servers → Apache Webserver → Create virtual host → Port select 80, servername office.your-domain.com → create now.
Top right hand corner click refresh/apply changes

CLI:
sudo nano /etc/apache2/sites-available/office.your-domain.com.conf
Put the following text into the file.

<VirtualHost *:80>
ServerName office.vote4u.org.uk
</VirtualHost>

sudo a2ensite office.your-domain.com.conf
sudo systemctl restart apache2

Now we can get the super easy certificates from letsencrypt.

cd ~
sudo wget https://dl.eff.org/certbot-auto && sudo chmod a+x certbot-auto

sudo ./certbot-auto --apache --agree-tos --email stuartiannaylor@outlook.com -d nextcloud.vote4u.org.uk -d office.vote4u.org.uk
Remember to add a cronjob for cert renewal!
If it fails to find or verify the hosts then something is wrong with your external DNS or port forwarding and you need to recheck your settings.
If all goes well it will prompt you for an easy or secure install (options 1 or 2)
Select 2 secure as it is just as easy and it will autocreate a redirect so all non-https traffic is redirected to https.

You can check this now by entering in a browser http://nextcloud.vote4u.org.uk and it will redirect automatically to https://nextcloud.vote4u.org.uk and your browser should be telling you that you have a valid authentic certificate.

Seeing as we are already here we will kickstart the Nextcloud installer.
Pick an Admin name and password.
Use /var/www/nextcloud-data for the data folder
Enter the nextcloud database credentials and install.
As said, it's important to get your dns and SSL sorted first as the entry point to the Nextcloud installer is used in the configuration.
Just don’t run the install until you get things right.

Now we are going to install Docker before we enable Collabora.

sudo apt-get install apt-transport-https ca-certificates software-properties-common
curl -fsSL https://yum.dockerproject.org/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb https://apt.dockerproject.org/repo/ \
debian-$(lsb_release -cs) \
main"
sudo apt-get update
sudo apt-get -y install docker-engine

Now for some of us with I-386 machines there may be a loud scream as you realise Docker does not support I-386 or have a I-386 repo.
For those of you with a 64bit machine, you are ok but for Intel/Amd platforms compiling and using a 32bit docker is beyond my capabilities.
Also there is a problem with Debian and Aufs support.
sudo docker info

You will see Storage Driver: aufs and it doesn’t work and we need to change to devicemapper
grep ExecStart /lib/systemd/system/docker.service
will return something like the below which we need to place in a system.d conf file
ExecStart=/usr/bin/dockerd -H fd://
mkdir /etc/systemd/system/docker.service.d
nano /etc/systemd/system/docker.service.d/execWithDeviceMapper.conf
Create like so:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --storage-driver=devicemapper -H fd://
ctrl+x y to save
systemctl daemon-reload
systemctl restart docker.service
sudo docker info will tell us that we are using devicemapper with some nags, but it will work and so far I have only ever got aufs to work once and I am damned if I can work out what I did.

Letsencrypt will have created a new ssl apache conf for you that we are going to tighten the security of.

sudo nano /etc/apache2/sites-available/nextcloud-le-ssl.conf

Paste the below:

Header always set Strict-Transport-Security "max-age=15768000; preload"

So it looks like the below

SSLCertificateFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/privkey.pem

Header always set Strict-Transport-Security "max-age=15768000; preload"

Include /etc/letsencrypt/options-ssl-apache.conf

ctrl+x y to save
Then we will add the reverse proxy for Collabora.

sudo nano /etc/apache2/sites-enabled/office.your-domain.com-le-ssl.conf
and add the below

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool

so it looks like this

ServerName office.vote4u.org.uk
SSLCertificateFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discove$
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discove$

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool

Ignore the truncation but place it just above

Now we will get the docker image.

sudo docker pull collabora/code (which actually the next line will do anyway)
Run that as a container.
with dnsmasq edit --dns=mydnsmasq-ip
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\.vote4u\.org\.uk' --dns=192.168.1.2 --restart always --cap-add MKNOD collabora/code
Otherwise it will just copy your resolv.conf or use the google open DNS servers
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\.vote4u\.org\.uk' --restart always --cap-add MKNOD collabora/code

Docker runs each instance in a container and to get a list we can use
sudo docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aff963c67321 collabora/code “/bin/sh -c 'bash …” 12 minutes ago Up 2 minutes 127.0.0.1:9980->9980/tcp determined_booth
We can view the logs of that container by:
sudo docker logs [container-id] so
sudo docker logs aff963c67321

Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
office version details: { “ProductName”: “Collabora Office”, “ProductVersion”: “5.1”, “ProductExtension”: “.10.15”, “BuildId”: “345fa14e85e6e36ad0280f4e549c70f6b9af1a18” }
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
office version details: { “ProductName”: “Collabora Office”, “ProductVersion”: “5.1”, “ProductExtension”: “.10.15”, “BuildId”: “345fa14e85e6e36ad0280f4e549c70f6b9af1a18” }

Things are looking ok.
So we need to install the Collabora App in nextcloud.
Hit the plus sign in the apps menu when logged in as an admin.
Enable the Collabora Online App.
Go to the Admin menu and in the section for Collabora Online enter
https://office.vote4u.org.uk in the Collabora Online server box and click apply.

Time to check out if things work by going and viewing a document.

If you have problems you can enter the container via:
sudo docker exec -t -i aff963c67321 /bin/sh
exit to exit back to the host
sudo docker stop aff963c67321
Will stop a container and after that you can delete it with
sudo docker rm aff963c67321
nslookup nextcloud.vote4u.org.uk
To check the DNS entry.

nslookup office.vote4u.org.uk

1 Like
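
The office vhost in the post above switches off every backend certificate check (SSLProxyVerify None, SSLProxyCheckPeerCN Off, SSLProxyCheckPeerName Off), which stays contained only while all ProxyPass targets are on 127.0.0.1. As an added example that is not part of the original post, this Python lint flags that combination when a TLS backend is off-host; the function names and the 192.168.1.200 variant are assumptions made up for illustration.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed sample: the proxy directives from the post's office vhost.
POST_VHOST = """\
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
ProxyPreserveHost On
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
ProxyPass /lool https://127.0.0.1:9980/lool
"""

# Constructed variant (assumption): Collabora moved to another LAN host.
REMOTE_VHOST = POST_VHOST.replace("127.0.0.1", "192.168.1.200")

# Directive -> value that switches the backend certificate check off.
DISABLING = {
    "sslproxyverify": "none",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeername": "off",
}
TLS_SCHEMES = {"https", "wss"}


def is_loopback(host):
    """True only for localhost or a literal loopback address."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other name may resolve to an off-host address


def audit_vhost(text):
    """Return (disabled_checks, off_host_tls_backends) for a vhost body."""
    disabled, backends = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        name = parts[0].lower()
        if name in DISABLING and len(parts) > 1:
            if parts[1].lower() == DISABLING[name]:
                disabled.append(parts[0])
        elif name in ("proxypass", "proxypassmatch") and len(parts) > 2:
            url = urlsplit(parts[2])
            if url.scheme in TLS_SCHEMES and not is_loopback(url.hostname or ""):
                backends.append(parts[2])
    return disabled, backends


def verdict(text):
    """Unverified TLS is tolerable on loopback only; off-host it is a finding."""
    disabled, backends = audit_vhost(text)
    if disabled and backends:
        return "FAIL: unverified TLS to " + ", ".join(sorted(set(backends)))
    return "OK: no unverified off-host TLS backend"


if __name__ == "__main__":
    for label, conf in (("post", POST_VHOST), ("variant", REMOTE_VHOST)):
        print(label, "->", verdict(conf))
```
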

Hi

I have a latest Ubuntu 16 instance with NC and a running docker instance with Collabora Online connected with an internal IP. Both SW were installed according to the manuals from Owncloud/Collabora Online.

On another server with a public IP there is an nginx reverse proxy running with two domains:
https://nextcloud.mydomain.at points to Apache2 server
https://office.mydomain.at points to the docker instance
Certs created by Let's Encrypt
NC is working fine
CO works fine - admin interface is available
But when I try to access an .odt file inside NC - (Zugriff verboten [german]/access forbidden). I double checked the installation - same problem as many people in this thread. But I found no solution.

1 Like

Ok

So you have two servers, only one with public IP. The connection between them is over local network.
Why not reach the office server with your own DNS instead of double proxy?

Sorry for my unclear, imprecise description. NC and Collabora Online are inside a private network.
https://nextcloud.mydomain.at ->nginx reverse proxy->Apache2 server
https://office.mydomain.at ->nginx reverse proxy-> docker instance

Hey folks :slight_smile:

Collabora is running :smiley: :smiley: :smiley: :smiley: :smiley:
After a lot of days/months I tried these steps (https://nichteinschalten.de/de/collabora-mit-nextcloud-und-nginx) and had to add this line in the nginx-config file for collabora:

add_header X-XSS-Protection "1; mode=block";

Here the complete config file (e.g. /etc/nginx/sites-available/collabora.conf)

server {
listen       443 ssl http2;
server_name  office.xy.de;
 
ssl_certificate /etc/letsencrypt/live/xy.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xy.de/privkey.pem;
add_header X-XSS-Protection "1; mode=block";
 
# static files
location ^~ /loleaflet {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}
 
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}
 
# download, presentation and image upload
location ^~ /lool {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

Thanks for your support! It would be great if it helps somebody :slight_smile:
That’s one small line for a programmer, one giant leap for the users of my cloud :smiley:

3 Likes