Collabora - Built in Code - Reverse Proxy / "ssl.enable" and "ssl.termination"

Hi,
I recently reinstalled nc from scratch because of a server change. Now it installs the Collabora - Built in Code Server by default, which is pretty cool, I think.
My problem:
Sadly, I can’t use it because in the Nextcloud Office configuration it says:


translation:
Saved with failure: Collabora Online should use the same protocol as the server installation. Please take a look at the “ssl.enable” and “ssl.termination” settings of your Collabora Online Server.
And now the weird thing:
If I activate the Cloudflare proxy it works just fine and there is no error message anymore, even after disabling it again… After clearing my browser’s cache it doesn’t work and the error message is back… So it has to be my reverse proxy. I’m using apache2 with these settings I got from Proxy settings — SDK https://sdk.collaboraonline.com/ documentation
(I can only post 4 URLs so I had to adjust it a bit to be able to post it):

(MYDOMAIN)=my.cool.domain
(LIKE_DOCU)=127.0.0.1

<IfModule mod_ssl.c>
<VirtualHost *:443>
 ServerName (MYDOMAIN)
 ProxyPreserveHost On 
 DocumentRoot /var/www/html
 ProxyPass /.well-known !
 ProxyPass / http://(NEXTCLOUD_IP):80/ flushpackets=on
 ProxyPassReverse / http://(NEXTCLOUD_IP):80/
 LimitRequestBody 0
 
 ########################################
 # Reverse proxy for Collabora Online   #
 ########################################

 AllowEncodedSlashes NoDecode
 SSLProxyEngine On
 ProxyPreserveHost On

 # cert is issued for collaboraonline.example.com and we proxy to localhost
 SSLProxyVerify None
 SSLProxyCheckPeerCN Off
 SSLProxyCheckPeerName Off

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser https://(LIKE_DOCU):9980/browser retry=0
 ProxyPassReverse    /browser https://(LIKE_DOCU):9980/browser

 # WOPI discovery URL
 ProxyPass           /hosting/discovery https://(LIKE_DOCU):9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery https://(LIKE_DOCU):9980/hosting/discovery

 # Capabilities
 ProxyPass           /hosting/capabilities https://(LIKE_DOCU):9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities https://(LIKE_DOCU):9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      wss://(LIKE_DOCU):9980/cool/$1/ws nocanon

 # Admin Console websocket
 ProxyPass           /cool/adminws wss://(LIKE_DOCU):9980/cool/adminws

 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool https://(LIKE_DOCU):9980/cool
 ProxyPassReverse    /cool https://(LIKE_DOCU):9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool https://(LIKE_DOCU):9980/cool
 ProxyPassReverse    /lool https://(LIKE_DOCU):9980/cool

 <IfModule mod_headers.c>
   RewriteEngine On
   Header always set Strict-Transport-Security "max-age=15768000; preload"
   "some redirects"
 </IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/cool.domain-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cool.domain-0003/privkey.pem
</VirtualHost>
</IfModule>

I know it’s of to think localhost passes do the right thing… that’s why I was confused that it worked (I discovered later that it was working because of the cache…)

thx for your help <3

hi @DerP4si welcome to the forum :handshake:

take a look at this thread

It looks like the integrated CODE installation doesn’t take into account Nextcloud config.php overwrite* settings and relies heavily on proxy headers like proxy_set_header. Unfortunately no solution has been documented there, but there is definitely good progress and also good ways to troubleshoot.

THANKS!! That was the poke in the right direction I needed! It works now with this config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
 ServerName www.(MYDOMAIN)
 ProxyPreserveHost On 
 DocumentRoot /var/www/html
 ProxyPass /.well-known !
 ProxyPass / http://(NC-SERVER-IP):80/ flushpackets=on
 ProxyPassReverse / http://(NC-SERVER-IP):80/
 LimitRequestBody 0

 RequestHeader set X-Forwarded-SSL "1"
 RequestHeader set X-Forwarded-Proto "https" env=HTTPS
 
 ########################################
 # Reverse proxy for Collabora Online   #
 ########################################

 AllowEncodedSlashes NoDecode
 SSLProxyEngine On

 # cert is issued for collaboraonline.example.com and we proxy to localhost
 SSLProxyVerify None
 SSLProxyCheckPeerCN Off
 SSLProxyCheckPeerName Off

 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser https://(NC-SERVER-IP):9980/browser retry=0
 ProxyPassReverse    /browser https://(NC-SERVER-IP):9980/browser

 # WOPI discovery URL
 ProxyPass           /hosting/discovery https://(NC-SERVER-IP):9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery https://(NC-SERVER-IP):9980/hosting/discovery

 # Capabilities
 ProxyPass           /hosting/capabilities https://(NC-SERVER-IP):9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities https://(NC-SERVER-IP):9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      wss://(NC-SERVER-IP):9980/cool/$1/ws nocanon

 # Admin Console websocket
 ProxyPass           /cool/adminws wss://(NC-SERVER-IP):9980/cool/adminws

 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool https://(NC-SERVER-IP):9980/cool
 ProxyPassReverse    /cool https://(NC-SERVER-IP):9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool https://(NC-SERVER-IP):9980/cool
 ProxyPassReverse    /lool https://(NC-SERVER-IP):9980/cool

 <IfModule mod_headers.c>
   RewriteEngine On
   Header always set Strict-Transport-Security "max-age=15768000; preload"
   Redirect 301 /.well-known/carddav https://www.(MYDOMAIN)/remote.php/dav
   Redirect 301 /.well-known/caldav https://www.(MYDOMAIN)/remote.php/dav
   Redirect 301 /.well-known/webfinger https://www.(MYDOMAIN)/index.php/.well-known/webfinger
   Redirect 301 /.well-known/nodeinfo https://www.(MYDOMAIN)/index.php/.well-known/nodeinfo
 </IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/(MYDOMAIN)-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/(MYDOMAIN)-0003/privkey.pem
</VirtualHost>
</IfModule>

Thanks a lot again! I hope this helps others too and that the documentation gets updated soon ^^
Have a nice day :smile:

1 Like

I’m glad you managed to fix it. I’m struggling with 2 configs in your post

  • Isn’t built-in CODE running on /custom_apps/richdocumentscode/proxy.php?
  • Why do you ProxyPassReverse CODE things to https://(NC-SERVER-IP):9980? Did you assign a certificate to your CODE instance?

It would be great if you can comment so we can rely on this example of a working reverse proxy config for built-in CODE… Can you post the output of the /hosting/discovery endpoint as well?

Never mind… I just tested:

<IfModule mod_ssl.c>
<VirtualHost *:443>
 ServerName www.(MYDOMAIN)
 ProxyPreserveHost On 
 DocumentRoot /var/www/html
 ProxyPass /.well-known !
 ProxyPass / http://192.168.2.31:80/ flushpackets=on
 ProxyPassReverse / http://192.168.2.31:80/
 LimitRequestBody 0

 RequestHeader set X-Forwarded-SSL "1"
 RequestHeader set X-Forwarded-Proto "https" env=HTTPS

 <IfModule mod_headers.c>
   RewriteEngine On
   Header always set Strict-Transport-Security "max-age=15768000; preload"
   Redirect 301 /.well-known/carddav https://www.(MYDOMAIN)/remote.php/dav
   Redirect 301 /.well-known/caldav https://www.(MYDOMAIN)/remote.php/dav
   Redirect 301 /.well-known/webfinger https://www.(MYDOMAIN)/index.php/.well-known/webfinger
   Redirect 301 /.well-known/nodeinfo https://www.(MYDOMAIN)/index.php/.well-known/nodeinfo
 </IfModule>
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/(MYDOMAIN)-0003/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/(MYDOMAIN)-0003/privkey.pem
</VirtualHost>
</IfModule>

This is working too… I was wondering before but just accepted it as “works - don’t touch it”… So it was just the headers I needed…

2 Likes
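
An offline check for the header fix this thread arrived at, plus a check for the `SSLProxyVerify None` block once the backend is no longer localhost. This is an added example, not code from the posters or from the Nextcloud or Collabora projects. The function name `lint_vhost`, the finding ids and the sample configs are assumptions made for illustration, and the input is assumed to be the body of a `<VirtualHost *:443>`:

```python
import re

def lint_vhost(conf):
    """Lint the body of a TLS-terminating vhost; returns a list of finding ids."""
    lines = [l.strip() for l in conf.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    backends = []  # (scheme, host) pairs from ProxyPass / ProxyPassMatch only
    for l in lines:
        if re.match(r"ProxyPass(Match)?\s", l, re.I):
            backends += re.findall(r"\b(https?|wss?)://([^/:\s]+)", l)
    has_proto = any(re.match(r'RequestHeader\s+set\s+X-Forwarded-Proto\s+"?https', l, re.I)
                    for l in lines)
    verify_off = any(re.match(r"SSLProxyVerify\s+none|SSLProxyCheckPeer(Name|CN)\s+off", l, re.I)
                     for l in lines)
    findings = []
    # Plain-HTTP backend behind TLS termination: without the header the backend
    # only sees http, the situation the thread's header fix addresses.
    if any(s in ("http", "ws") for s, _ in backends) and not has_proto:
        findings.append("missing-x-forwarded-proto")
    # TLS to a backend that is not loopback, with certificate checks switched off:
    # the proxy encrypts but cannot tell which host it is talking to.
    remote_tls = [h for s, h in backends
                  if s in ("https", "wss") and h != "localhost" and not h.startswith("127.")]
    if remote_tls and verify_off:
        findings.append("upstream-tls-unverified")
    return findings

# Constructed samples modelled on the three configs in the thread (192.0.2.10 is a placeholder).
BEFORE = """
ProxyPass / http://192.0.2.10:80/ flushpackets=on
SSLProxyVerify None
SSLProxyCheckPeerName Off
ProxyPass /browser https://127.0.0.1:9980/browser retry=0
ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon
"""
WITH_HEADERS = """
ProxyPass / http://192.0.2.10:80/ flushpackets=on
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
SSLProxyVerify None
SSLProxyCheckPeerName Off
ProxyPass /browser https://192.0.2.10:9980/browser retry=0
"""
HEADERS_ONLY = """
ProxyPass / http://192.0.2.10:80/ flushpackets=on
RequestHeader set X-Forwarded-Proto "https" env=HTTPS
"""
if __name__ == "__main__":
    for name, conf in [("before", BEFORE), ("with headers", WITH_HEADERS), ("headers only", HEADERS_ONLY)]:
        print(name, lint_vhost(conf))
```

The loopback test only recognises `localhost` and `127.x` hosts; IPv6 loopback backends are not handled.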