Collabora and Nextcloud behind nginx reverse proxy

Aang23 · September 21, 2019, 7:45am

Nextcloud version (eg, 12.0.2): 16.0.4
Operating system and version (eg, Ubuntu 17.04): Debian Stretch
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.25 / Nginx 1.10.3 (Proxy)
PHP version (eg, 7.1): 7.3

The issue you are facing:
Recently wanted Collabora Online integration in my nextcloud instance, thus I installed a Collabora online VM (which is working just fine).
Since my Nextcloud instance is running of Apache through http & then https is handled by a Nginx reverse proxy setup, I did the same, made sure the Collabora domain internally pointed to the Nginx reverse proxy, and then set the URL in Nextcloud’s Collabora online plugin.
i was then granted with the following message :

Saved with error: Collabora Online should use the same protocol as the server installation.

Though both of them are exposed through https… But well ignored it since some other posts said it should still work… But as you probably guessed, it doesn’t.

Opening any document results in a white page. Is that because something in my reverse proxy setup is wrong? Maybe Nextcloud should be accessed using https directly?

Is this the first time you’ve seen this error? (Y/N): N

The output of your Nextcloud log in Admin > Logging:

Undefined index: wopi_url at /var/www/nextcloud/apps/richdocuments/lib/AppConfig.php#69

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'something',
  'passwordsalt' => 'something',
  'secret' => 'something',
  'trusted_domains' => 
  array (
    0 => 'cloud.example.com',
  ),
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '16.0.4.1',
  'overwrite.cli.url' => 'https://cloud.example.com',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloud',
  'installed' => true,
  'overwritehost' => 'cloud.example.com',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'nextcloud',
  'mail_domain' => 'example.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtpport' => '587',
  'mail_smtphost' => 'mail.example.com',
  'mail_smtpname' => 'nextcloud@example.com',
  'mail_smtppassword' => 'password',
);

Nginx Nextcloud’s reverse proxy :

server {
        server_name cloud.example.com;
        location / {
            proxy_buffering  off;
            proxy_pass         http://nextcloud_internal_ip/;
            proxy_redirect     default;
	    client_max_body_size                4G;
	    proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = cloud.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name cloud.example.com;

    listen 80;
    return 404; # managed by Certbot
}

Nginx Collabora’s reverse proxy :

server {
        server_name office.example.com;
        location / {
            proxy_buffering  off;
            proxy_pass         http://collabora_internal_ip:9980/;
            proxy_redirect     default;
	    client_max_body_size                4G;
	    proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

    # static files
    location ^~ /loleaflet {
proxy_buffering  off;
        proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
proxy_buffering  off;        
proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
proxy_buffering  off;        
proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
proxy_buffering  off;        
proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
proxy_buffering  off;        
proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
proxy_buffering  off;        
proxy_pass http://collabora_internal_ip:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = office.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        server_name office.example.com;

    listen 80;
    return 404; # managed by Certbot
}

Thanks for your support!

KarlF12 · September 22, 2019, 5:05pm

Don’t disregard this error. If you see this, something isn’t right. What it means is that you are using HTTPS for Nextcloud and HTTP for Collabora, or vice versa. They should both be HTTPS.

As an overview, what you want is for Nextcloud and Collabora to both go to the reverse proxy when talking to each other (not just when clients connect). If they point to the reverse proxy FQDN, and both are running HTTPS on the proxy, and you have HTTPS in your Nextcloud Collabora app config, you shouldn’t see this message.

Aang23 · September 25, 2019, 7:45am

Both of them are communicating through the reverse proxy using https (while proxy <=> is http).

This is currently what’s done… Though I still get this message in both https & http.

KarlF12 · September 25, 2019, 11:50am

And in the Collabora app settings you have HTTPS?

I did this on my setup with Apache for the proxy. I run HTTPS from the proxy to Collabora and told Apache not to check the certificate. Try not disabling HTTPS on Collabora and see if that does it.

It could also be something having to do with nginx which I’m not very familiar with.

Aang23 · September 25, 2019, 12:14pm

Actually looking through /etc/loolwsd/loolwsd.xml I found an option
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
This fixed my issue. Thanks!