Collabora/CODE not working with NC 24.0.3 in Docker

I am running Nextcloud 24.0.3 and Collabora/CODE as separate containers in Docker & connecting them using an internal docker network. Using the Nextcloud Office app, I can successfully connect them together (I get the green check in the admin settings page); however, whenever I attempt to open a .odt file it says: “Document loading failed. Failed to load Nextcloud Office - please try again later”

Here is my docker-compose stack:

version: "3"

services:
  nextcloudapp:
    image: nextcloud:apache
    restart: unless-stopped
    container_name: nextcloudapp
    hostname: nextcloudapp
    volumes:
      - data:/var/www/html
    environment:
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=********
      - MYSQL_HOST=nextclouddb
      - REDISHOST=nextcloudredis
      - APACHE_DISABLE_REWRITE_IP=1
    depends_on: 
      - nextclouddb
      - nextcloudoffice
      - nextcloudredis
    networks:
      - frontend
      - backend
      
  nextcloudoffice:
    image: collabora/code
    container_name: nextcloudoffice
    hostname: nextcloudoffice
    restart: unless-stopped
    cap_add:
      - MKNOD
    environment:
      domain: "files.example.com"
    networks:
      - backend

  nextclouddb:
    image: mariadb
    container_name: nextclouddb
    hostname: nextclouddb
    restart: unless-stopped
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=********
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=**********
      - MYSQL_DATABASE=nextcloud
    volumes:
      - db:/var/lib/mysql
    networks:
      - backend
      
  nextcloudredis:
    image: redis:alpine
    container_name: nextcloudredis
    hostname: nextcloudredis
    restart: unless-stopped
    networks:
      - backend
      
  nextcloudcron:
    image: nextcloud:apache
    container_name: nextcloudcron
    restart: unless-stopped
    volumes:
      - data:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - nextclouddb
      - nextcloudredis
    networks:
      - backend

volumes:
   data:
   db:

networks:
  frontend:
    external:
      name: proxy-apps
  backend:

(The proxy-apps external network contains my nginx-proxy-manager container that I am using as a reverse proxy & generating SSL certificates for nextcloudapp)

Currently I am just trying to connect the two containers internally (which seems more secure), however some tutorials (e.g: https://www.youtube.com/watch?v=BAc15RHfwEA) have suggested to also make the Collabora/CODE container available externally on its own domain with an SSL certificate. Is this necessary/the solution to my problem? (As I said this seems less secure so would rather not do it, as only my internal NC instance needs access to this container)

TL;DR How to make Collabora/CODE container work for NC 24, even though it successfully connects.


This is the successful connection to the Collabora/CODE container

You find detailed example here:

The referenced “green mark” in Nextcloud Office settings only shows that the connection from Nextcloud to Collabora works; it doesn’t show the reverse connection, nor client to Collabora… see this post

As I see you point your Nextcloud to https://nextcloudoffice:9980 - which is almost never reachable from the client… I would recommend you use a real public domain name and set up valid TLS certificates for both Nextcloud and Collabora… and point Nextcloud to the public DNS of Collabora (details of WOPI protocol referenced here)

A good basic test is:

  • check https://collabora.xyz/hosting/discovery from the client
  • run curl https://nextcloud.xyz/login inside Collabora container and
  • run curl https://collabora.xyz/hosting/discovery inside Nextcloud container

so you can verify both systems can connect and set up a TLS connection to each other and the client reaches both servers as well… (see long way here)

3 Likes

Thanks for your response! In simple terms are you stating that it is definitely necessary to expose the Collabora/CODE container to the internet through my reverse proxy. If possible I would rather not do this as it weakens my security. Do you know of anyway of solving my issue without exposing the container to the wider internet?

The statement that Collabora weakens your security is really theoretical - this container does not permanently store any data (yes some attack vectors remain e.g. drop miner or DDOS drone bots) - but exposing Nextcloud with your data is more dangerous.

And yes you must allow access to both Nextcloud and Collabora instance from every location the client could reside. If you follow the references I provided and understand how WOPI protocol works you will see why…

2 Likes

Cheers for your help, but I have run into another issue: Nextcloud seems unable to communicate with the Collabora/CODE container via the reverse-proxy.

What works:

  • Visiting https://office.files.example.xyz/hosting/discovery from the client browser
  • Running curl https://files.example.xyz/login inside the Collabora/CODE container
  • Running curl http://nextcloudoffice:9980 inside the NC container
  • Running curl http://172.20.0.6:9980 inside the NC container
  • I also get the green checkmark on the admin settings page when using http://nextcloudoffice:9980 as the server name, however still cannot open a document (error described previously)

What doesn’t work:

  • Running curl https://office.files.example.xyz from within the NC container (returns: curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)
  • Using https://office.files.example.xyz / https://office.files.example.xyz:443 as the server name on the admin settings page

I have my reverse proxy configured to provide the SSL certificates (am using nginx-proxy-manager), so have turned off SSL & set the mode to termination (using this explanation: CollaboraOnline - Wiki - SSL Configuration)

Do you know what I need to do to correct the SSL issues returned by the curl tool?

You are already close to the solution.

Nobody can say why your containers don’t reach each other through the reverse proxy. I remember when I had a similar issue there was an issue with DNS (for some reason only manifesting inside the container), but your problem might be different. Follow a systematic approach: review DNS records and the network connection, and verify you hit the right system and it presents the right TLS cert at the end (curl -v or -vv switches might be useful)

1 Like
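
The checks discussed above, scripted as an added example (not code from any poster in this thread): it runs curl inside each container with docker exec and maps curl's exit status to the layer that failed. Container names and URLs are the ones posted in the thread; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: run the thread's curl checks from inside each container and
# name the failing layer. Defaults are the names/URLs posted in the thread.
NC_CONTAINER="${NC_CONTAINER:-nextcloudapp}"
CODE_CONTAINER="${CODE_CONTAINER:-nextcloudoffice}"
NC_URL="${NC_URL:-https://files.example.xyz/login}"
CODE_URL="${CODE_URL:-https://office.files.example.xyz/hosting/discovery}"

# Map a curl exit status to the layer that failed (codes from curl's man page).
diagnose() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns: name does not resolve inside the container" ;;
    7)  echo "network: name resolved, TCP connection failed" ;;
    28) echo "network: timed out" ;;
    35) echo "tls: handshake failed" ;;
    60) echo "tls: certificate not trusted" ;;
    *)  echo "other: exit status $1" ;;
  esac
}

# check_from CONTAINER URL
# Runs curl inside CONTAINER so DNS and routing are the container's own,
# prints one result line and returns curl's exit status.
check_from() {
  rc=0
  docker exec "$1" curl -sS -o /dev/null --max-time 10 "$2" || rc=$?
  echo "$1 -> $2: $(diagnose "$rc")"
  return "$rc"
}

# Both server-to-server legs; returns 1 if either fails. The third leg,
# browser -> Collabora, still has to be checked from the client machine.
check_all() {
  failed=0
  check_from "$NC_CONTAINER" "$CODE_URL" || failed=1
  check_from "$CODE_CONTAINER" "$NC_URL" || failed=1
  return "$failed"
}

# Usage: source this file on the Docker host, then run: check_all
```

When a check reports a TLS failure, repeating that one curl by hand with -v inside the same container shows which address was contacted and how far the handshake got.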

Thanks @wwe, I think I have this problem … I don’t know what “Inside Collabora container or inside Nextcloud container” means.
When I run curl, both give files.
Can you explain fine?

@DomBcm to avoid cluttering and mix of different issues please start your own thread and provide the information required by the support form.

Running software in Docker (or another virtualization technology) might result in DNS resolution and networking being different from the hosting system. You must ensure you run these tests from the point of view of the Nextcloud/Collabora system.