Collabora Documents not loaded behind HAPROXY

Hi

I am trying to configure HAProxy with SSL termination, but the Collabora server doesn't load any document. Error message: "Socket-Verbindung konnte nicht hergestellt werden oder Socket-Verbindung wurde unerwartet geschlossen. Der Reverse-Proxy ist möglicherweise falsch konfiguriert. Bitte wenden Sie sich an den Administrator. Weitere Informationen zur Proxy-Konfiguration finden Sie unter Proxy settings — SDK https://sdk.collaboraonline.com/ documentation

Socket connection closed unexpectedly. The reverse proxy might be misconfigured, please contact the administrator. More information can be found in the reverse proxy documentation"

HAProxy config:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http



frontend stats
    mode http
    bind *:9980
    stats enable
    stats uri /stats
    stats refresh 10s
    stats admin if LOCALHOST

frontend Nextcloud
  bind *:443 ssl crt /etc/haproxy/********
  mode http

  acl ACL_coolwsd hdr(host) -i ********
  use_backend coolwsd if ACL_coolwsd

  default_backend nextcloud

backend coolwsd
  timeout tunnel 3600s
  mode http
  balance url_param WOPISrc check_post
  hash-type consistent
  server lnextpw002 lnextpw002:9980 # check

backend nextcloud
  mode http
  balance source
  option httpchk
  http-check send meth GET  uri /status.php
  stick-table type ip size 50k expire 30m
  stick on src
  http-reuse safe

Greetings Christian

  1. I don’t see any frontend for COOL, only the backend coolwsd. How are the requests supposed to reach coolwsd?
  2. I would also check whether your CODE is aware of the reverse proxy's TLS termination and generates a valid wss: URL (check the F12 tools).
  3. I don’t see any hints in the COOL reverse proxy docs, but the HAProxy docs mention a slightly different syntax for websockets:

frontend fe_main
  bind :80
  default_backend websocket_servers

backend websocket_servers
  option http-server-close
  timeout tunnel 1h
  server s1 192.168.0.10:3000 check
  server s2 192.168.0.11:3000 check

At first glance I don’t see how the two backend options are related, but give it a try. I think the main websocket should be enough (from the Nginx config: ^/cool/(.*)/ws$).

  1. The backend is reached with the ACL rule in the Nextcloud frontend. This is working, I tested it with the discovery page.

  2. Before I changed to HAProxy I used an Apache with SSL termination, and that worked very well. The discovery page also gives the correct URLs.

  3. I read the docs too. The HAProxy docs write that there is no special syntax for wss. And in the Nextcloud.
    My config is from the Collabora docs (Proxy settings — SDK https://sdk.collaboraonline.com/ documentation). There are no rewrite rules.

It's working now and I changed nothing, so I think it was the DNS cache, because yesterday I changed the URL from the Apache reverse proxy to HAProxy and disabled the Apache SSL configuration.
