Collabora (docker) and NextCloud (snap) problem behind proxy on same machine

Hi all,
I decided to post about my situation after many days of troubleshooting. I recently installed NextCloud as snap on Ubuntu 18.04 and everything worked fine. I did the port forwarding and used Let’s Encrypt (from snap commands) to create the certificates for NC.
Then I decided to install the Collabora server on the same machine to use the office functionality. I used the official Collabora guides for installation mentioned here. However, in this guide, it is assumed that NC is installed manually (not as a snap). According to the guides, I had to install Apache (or another proxy/web server) to proxy the traffic to either NC or Collabora.
I think there is a problem with my proxy configuration or something wrong with the SSL certificates. When both Apache and the snap are running, I can get to the Apache page and Collabora should be running, but I cannot get to the NC page.

I can go to the link below (port 443) and get to the page (meaning Collabora is responding?)

https://collabora.domain.com/loleaflet/dist/admin/admin.html

But when accessing the NC domain, the browser says “Did Not Connect: Potential Security Issue” and complains that the certificate is not for the NC domain I am trying to connect to but for the Collabora domain. If I stop Apache and leave the snap running, I can access the NC domain with no issues (except I need to set the ports to 443 and 80 again! Is this problematic?)
My Apache proxy config file (located under /etc/apache2/sites-available/) is as follows:

# Modules this file needs: sudo a2enmod ssl proxy proxy_http proxy_wstunnel
# /etc/apache2/ports.conf only has "Listen 80" and "Listen 443"; without this
# line the *:444 VirtualHost below is never bound to a socket.
Listen 444

<VirtualHost *:444>
    ServerName nextcloud.domain.com:444

    # Terminate TLS for the Nextcloud name here. The original had SSLProxyEngine
    # but no SSLEngine, so this vhost answered plain HTTP on port 444.
    SSLEngine on
    # fullchain.pem holds the leaf plus intermediates; SSLCertificateChainFile
    # is deprecated since Apache 2.4.8 and fullchain replaces cert.pem + chain.
    SSLCertificateFile    /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem

    # The backend is the snap's own Apache over HTTPS. Its certificate is issued
    # for nextcloud.domain.com, not for 192.168.1.50, so mod_ssl's peer-name
    # check fails unless relaxed. Relaxing it leaves the hop unauthenticated:
    # acceptable on the same machine, not across an untrusted network.
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    ProxyPreserveHost On
    ProxyPass        / https://192.168.1.50/
    ProxyPassReverse / https://192.168.1.50/
</VirtualHost>

<VirtualHost *:443>
    ServerName collabora.domain.com:443

    # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/collabora.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/collabora.domain.com/privkey.pem
    # This still allows TLS 1.0/1.1; add "-TLSv1 -TLSv1.1" if no old clients need them.
    SSLProtocol             all -SSLv2 -SSLv3
    # The cipher list was cut off in the paste (trailing "$"); only the names that
    # survived intact are kept here. Take the full list from the Collabora guide.
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     on

    # Encoded slashes need to be allowed (WOPI URLs contain %2F)
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

    # WOPI discovery URL (the trailing "$" in the paste was a line-wrap marker, not config)
    ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery
    ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket (needs mod_proxy_wstunnel)
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /lool https://127.0.0.1:9980/lool
    ProxyPassReverse    /lool https://127.0.0.1:9980/lool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
</VirtualHost>

To be honest, this is the first time I am setting up a proxy server, so I do not know how it works. Most of my config file is copied and I think that is the issue :slight_smile: If someone could have a look at it and guide me in the right direction, that would save me lots of headache and time.
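The symptom in the post (the browser being handed the Collabora certificate for the Nextcloud name) is what Apache does when no VirtualHost on a port matches the TLS server name (SNI) the client sent: the first vhost defined for that port answers with its own certificate, and in the config above only the Collabora vhost listens on 443. The following POSIX shell helpers, an added example that is not part of the original post nor Collabora or Nextcloud code, show which DNS names the served certificate actually carries for a given SNI name, so the mismatch can be confirmed from the command line instead of the browser. The host names are assumptions and the SAN sample at the bottom is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Checks which certificate a name
# receives on a port, by sending that name as SNI and reading the served
# certificate's Subject Alternative Name entries. Host names are assumptions.

# san_dns_names: reads "openssl x509 -text" output on stdin, prints one DNS
# name from the Subject Alternative Name extension per line.
san_dns_names() {
    sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# name_matches NAME PATTERN: 0 if PATTERN (exact, or a "*.example.com" style
# wildcard covering exactly one leftmost label) covers NAME, else 1.
name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        \*.*) [ "${name%%.*}" != "$name" ] && [ "${name#*.}" = "${pat#\*.}" ] ;;
        *)    [ "$name" = "$pat" ] ;;
    esac
}

# cert_covers HOST: reads "openssl x509 -text" output on stdin; returns 0 if
# some SAN entry covers HOST, otherwise prints the names offered and returns 1.
cert_covers() {
    host=$1
    names=$(san_dns_names)
    set -f                      # entries may contain "*"; do not glob them
    for n in $names; do
        if name_matches "$host" "$n"; then
            set +f
            return 0
        fi
    done
    set +f
    printf 'no SAN for %s; served certificate names: %s\n' \
        "$host" "$(printf '%s' "$names" | tr '\n' ' ')" >&2
    return 1
}

# check_vhost HOST PORT: live check (needs network). Sends HOST as SNI and
# compares the served certificate against it, e.g.
#   check_vhost nextcloud.domain.com 443
check_vhost() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | cert_covers "$1"
}

# Constructed sample of the SAN section "openssl x509 -text" would print for
# the Collabora certificate in the post; used for the offline demonstration.
SAMPLE_SAN='        X509v3 Subject Alternative Name:
            DNS:collabora.domain.com, DNS:*.office.domain.com'

# demo_offline HOST: run cert_covers against the sample; 0 = covered, 1 = not.
demo_offline() {
    printf '%s\n' "$SAMPLE_SAN" | cert_covers "$1"
}
```

Run `check_vhost nextcloud.domain.com 443` against the proxy: with the config above it reports the Collabora names, which is exactly what the browser complained about, and it starts returning 0 once a vhost whose ServerName matches (or the default vhost) carries the Nextcloud certificate on that port.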

Hi there,

I was wondering if you managed to fix this. I am also trying to install Collabora on a snap-installed NextCloud.

Cheers

The first thing you need to do is sort out your port issue. You have two Apache instances running, one installed directly and one in the Nextcloud snap. They can’t both listen on the same ports.

You might want to consider proxying both through the non-snap Apache and letting it handle Let’s Encrypt for both, because if you change the port for Collabora and try to set up certbot for it, the next problem you’ll run into is that they both need port 80 to get certs.

The problem is solved and the proxy configuration above is generally correct. Please check these notes for troubleshooting:

• Added the ports 81 and 444 to port forwarding (router)
• The firewall was blocking the ports above, so they should be allowed (router)
• NC is now set to run on port 444 in the snap settings
• The apache config file has NC on port 444 and Collabora on port 443

Please let me know if you have checked the above items and still have issues.

OK, I ran into issues again when updating the certs. Now I understand you had something in mind which could possibly help with the certs as well. Can you explain a bit more or point out what to search for in order to set up the proxy (non-snap Apache) to listen for all the requests and do the redirection as well as take care of the certs?

Specifically?

You already had Apache installed (presumably via apt). So you would install certbot and have it handle certificates for what it proxies. Instructions:
Certbot
Reverse proxy

This Apache will listen on ports 80 and 443. You will need to change the Nextcloud snap ports to something else, e.g. 8080 and 8443.

Thanks for the hints. Yes, I have the Apache installed which acts as the reverse proxy. I also have Certbot and registered both my NC and Collabora domains with it. Apache can handle the SSL using the certs provided by Certbot only for Collabora.

For now, I am manually copying the NC certs provided by Certbot to the NC snap Apache. I use the “custom” method and copy the certs to /var/snap/nextcloud/revNumber/certs/custom directory.

What is the best practice from here on? Should I configure the reverse proxy to handle the certs for the snap and disable HTTPS on the snap? Or is what I already have fine, and could I automate the copying of the certs? Or a third option?

I still need to properly check the second link you sent (about Reverse proxy).

This is unnecessary if you have a secure network between the reverse proxy and Nextcloud. What you can do is just not use HTTPS at all on the NC snap. Do your HTTPS on the reverse proxy where clients will access it, and where certbot will run, and then let it proxy back to NC via HTTP.

When a client accesses it via the proxy, the endpoint of their HTTPS connection is the proxy, not NC, so this is where you need your cert, and then you will access NC via the proxy even when you’re local.
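The layout recommended in the replies above (the apt-installed Apache owns ports 80/443 and runs certbot for every name it proxies; the Nextcloud snap is moved off 80/443, stops doing TLS itself and is reached only over plain HTTP on loopback; Collabora keeps its own vhost) can be scripted end to end. The script below is an added example, not the poster's config and not tooling shipped by the Nextcloud snap or by certbot. The domain name, the ports, the site file name and the two-stage certbot flow are assumptions; `snap set nextcloud ports.http=... ports.https=...`, `nextcloud.disable-https` and `nextcloud.occ config:system:set` are the snap's documented commands. `render_nc_vhost` only prints configuration, so it can be inspected with no side effects; `apply` performs the changes and needs root.

```shell
#!/bin/sh
# Added example (not the poster's code, not the Nextcloud snap's own tooling):
# terminate TLS on the apt-installed Apache, proxy to the snap over loopback HTTP.
# Domain, ports and site file name are assumptions.
set -eu

NC_DOMAIN=nextcloud.domain.com
NC_HTTP_PORT=8080            # where the snap will listen for plain HTTP
SITE_FILE=/etc/apache2/sites-available/nextcloud.conf

# render_nc_vhost DOMAIN PORT MODE: prints the proxy vhost(s) for Nextcloud.
# MODE "http" prints only the :80 vhost (enough for certbot's http-01 check);
# MODE "https" also prints the :443 vhost that terminates TLS and proxies to
# the snap, plus the redirect that keeps /.well-known/ reachable for renewals.
render_nc_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
EOF
    if [ "$3" = https ]; then
        cat <<EOF
    RewriteEngine on
    RewriteRule ^/\.well-known/ - [L]
    RewriteRule ^ https://$1%{REQUEST_URI} [R=301,L]
EOF
    fi
    printf '</VirtualHost>\n'
    [ "$3" = https ] || return 0
    cat <<EOF

<VirtualHost *:443>
    ServerName $1
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/$1/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$1/privkey.pem

    # Nextcloud builds its URLs from the Host header and this header (mod_headers);
    # it honours them only because 127.0.0.1 is in trusted_proxies (see apply).
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:$2/
    ProxyPassReverse / http://127.0.0.1:$2/
</VirtualHost>
EOF
}

# apply: performs the migration. Run as root on the proxy host.
apply() {
    # 1. Snap: off 80/443 and no TLS of its own; the proxy terminates TLS.
    snap set nextcloud ports.http="$NC_HTTP_PORT" ports.https=8443
    nextcloud.disable-https
    # 2. Snap: trust the proxy and publish https:// URLs.
    nextcloud.occ config:system:set trusted_proxies 0 --value=127.0.0.1
    nextcloud.occ config:system:set overwriteprotocol --value=https
    # 3. Proxy: modules, then an HTTP-only vhost so certbot can validate the name.
    a2enmod ssl proxy proxy_http headers rewrite
    render_nc_vhost "$NC_DOMAIN" "$NC_HTTP_PORT" http > "$SITE_FILE"
    a2ensite nextcloud
    apache2ctl configtest && systemctl reload apache2
    certbot certonly --apache -d "$NC_DOMAIN" \
        --deploy-hook 'systemctl reload apache2'
    # 4. Proxy: the full vhost now that the certificate files exist.
    render_nc_vhost "$NC_DOMAIN" "$NC_HTTP_PORT" https > "$SITE_FILE"
    apache2ctl configtest && systemctl reload apache2
    # The snap now answers plain HTTP on $NC_HTTP_PORT on every interface. That
    # is fine only if the LAN is trusted, as the reply says; otherwise firewall
    # the port so that only loopback (the proxy) can reach it.
}

case "${1:-}" in
    apply) apply ;;
    *)     render_nc_vhost "$NC_DOMAIN" "$NC_HTTP_PORT" https ;;   # dry run
esac
```

The certificate is issued in two stages because the :443 vhost references key files that do not exist before certbot's first run; `--deploy-hook` makes each renewal reload Apache so the new certificate is actually served, which the manual copy into `/var/snap/nextcloud/.../certs/custom` never did automatically.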