Collabora (docker) and NextCloud (snap) problem behind proxy on same machine

Hi all,
I decided to post about my situation after many days of troubleshooting. I recently installed NextCloud as a snap on Ubuntu 18.04 and everything worked fine. I did the port forwarding and used Let’s Encrypt (from snap commands) to create the certificates for NC.
Then I decided to install Collabora server on the same machine to use the office functionality. I used the official Collabora guides for installation mentioned here. However, in this guide, it is assumed that NC is installed manually (not snap). According to the guides, I had to install Apache (or any other proxy/web server) to proxy the traffic to either NC or Collabora.
I think there is a problem with my proxy configuration or something wrong with the SSL certificates. When both Apache and snap are running, I can get to the Apache page and Collabora should be running, but I cannot get to the NC page.

I can go to (port 443) link below and get to the page (meaning Collabora is responding?)

https://collabora.domain.com/loleaflet/dist/admin/admin.html

But when accessing the NC domain, the browser says “Did Not Connect: Potential Security Issue” and complains that the certificate is not for the NC domain I am trying to connect to, but for the Collabora domain. If I stop Apache and leave the snap running, I can access the NC domain with no issues (except I need to set the ports to 443 and 80 again! Is this problematic?)
My Apache proxy config file (located under /etc/apache2/sites-available/) is as follows:

<VirtualHost *:444>

ServerName nextcloud.domain.com:444
ProxyPreserveHost On
ProxyPass        / https://192.168.1.50/
ProxyPassReverse / https://192.168.1.50/

SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/nextcloud.domain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/nextcloud.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.domain.com/privkey.pem

</VirtualHost>

<VirtualHost *:443>
ServerName collabora.domain.com:443

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/collabora.domain.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/collabora.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/collabora.domain.com/privkey.pem
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-$
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery$
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool

# Endpoint with information about availability of various features
ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
</VirtualHost>

To be honest, this is the first time I am setting up a proxy server, and I do not know how it works. Most of my config file is copied, and I think that is the issue. If someone can have a look at it and guide me in the right direction, that would save me lots of headache and time.
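An added example, not part of the original posts: a simplified Python model of how Apache chooses a name-based virtual host on each port, run against the deciding directives from the config above. It ignores `ServerAlias` and `Listen`, the function names are hypothetical, and the embedded config is a constructed excerpt.

```python
import re

# Constructed excerpt: only the directives that decide which vhost answers.
CONFIG = """
<VirtualHost *:444>
ServerName nextcloud.domain.com:444
SSLProxyEngine on
SSLCertificateFile /etc/letsencrypt/live/nextcloud.domain.com/cert.pem
</VirtualHost>
<VirtualHost *:443>
ServerName collabora.domain.com:443
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/collabora.domain.com/cert.pem
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts = []
    block = r"<VirtualHost\s+\S*?:(\d+)>(.*?)</VirtualHost>"
    for m in re.finditer(block, text, re.S | re.I):
        d = {}
        for line in m.group(2).splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip()
        vhosts.append({
            "port": int(m.group(1)),
            "name": d.get("servername", "").split(":")[0].lower(),
            # SSLProxyEngine only affects the backend side; SSLEngine is
            # what makes the vhost speak TLS to the browser.
            "tls": d.get("sslengine", "off").lower() == "on",
        })
    return vhosts

def select_vhost(vhosts, host, port):
    """Exact ServerName match on the port, else the first vhost on it."""
    on_port = [v for v in vhosts if v["port"] == port]
    exact = [v for v in on_port if v["name"] == host.lower()]
    return (exact or on_port or [None])[0]

def diagnose(vhosts, host, port):
    """Describe what a browser requesting https://host:port would meet."""
    v = select_vhost(vhosts, host, port)
    if v is None:
        return "no vhost listens on this port"
    if not v["tls"]:
        return "vhost %s answers without TLS (no 'SSLEngine on')" % v["name"]
    if v["name"] != host.lower():
        return "certificate mismatch: served by %s" % v["name"]
    return "ok"
```

For `nextcloud.domain.com` on port 443 the model falls through to the only vhost on that port, which is the Collabora one, matching the browser warning described in the post.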

Hi there,

I was wondering if you managed to fix this. I am also trying to install Collabora on a snap-installed NextCloud.

Cheers

The first thing you need to do is sort out your port issue. You have two Apache instances running, one installed directly and one in the Nextcloud snap. They can’t both listen on the same ports.

You might want to consider proxying both through the non-snap Apache and letting it handle Let’s Encrypt for both, because if you change the port for Collabora and try to set up certbot for it, the next problem you’ll run into is that they both need port 80 to get certs.

The problem is solved and the proxy configuration above is generally correct. Please check these notes for troubleshooting:

• Added the ports 81 and 444 to port forwarding (router)
• The firewall was blocking the ports above, so they should have been allowed (router)
• The NC is now set to run on port 444 from the snap settings
• The Apache config file has NC on port 444 and Collabora on port 443

Please let me know if you checked the above items and still have issues.