Collabora extension not connecting

I have a secure setup running on a dynamic IP behind a firewall. Before we go down the rabbit hole of it being a security misconfiguration at the exterior, let me prefix everything by saying I can get external access to both the Nextcloud and Collabora servers (Nextcloud is serving the documents and Collabora is serving the /hosting/discovery and Admin pages).

So here’s the setup. (I’ve changed the domain address from the real addresses to domain.tld but everything else is as configured.)

The network configuration is as follows.

The certificates for both of these sites, as well as the Nextcloud site, served through NGINX, are valid (a Let's Encrypt cert is served).

The Nginx reverse proxy configuration is as follows:

For the Nextcloud service.

```nginx
server {
    server_name cloud.domain.tld;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    client_max_body_size 10M;

    location / {
        proxy_pass http://172.25.238.3/;
        proxy_buffering off;
        proxy_read_timeout 60;
        proxy_set_header X-Real-IP $remote_addr;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = cloud.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name cloud.domain.tld;
    listen 80;
    return 404; # managed by Certbot
}
```

For the Collabora service

```nginx
server {
    listen 443 ssl;
    server_name office.domain.tld;

    ssl_certificate /etc/letsencrypt/live/office.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/office.domain.tld/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # static files
    location ^~ /loleaflet {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_pass https://172.25.238.4:9980;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_pass https://172.25.238.4:9980;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_pass https://172.25.238.4:9980;
    }

    # main websocket (the "*" inside the pattern was swallowed by markdown in the post)
    location ~ ^/lool/(.*)/ws$ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
        proxy_pass https://172.25.238.4:9980;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_pass https://172.25.238.4:9980;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
        proxy_pass https://172.25.238.4:9980;
    }
}

server {
    if ($host = office.domain.tld) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name office.domain.tld;
    return 404; # managed by Certbot
}
```

The docker services are built using a docker-compose.yml file.

```yaml
version: '3'

services:
  db:
    image: mariadb
    container_name: nextcloud-mariadb
    networks:
      nextcloud_network:
        ipv4_address: 172.25.238.2
    volumes:
      - /docker/nextcloud/mysql:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_ROOT_PASSWORD=<ROOT-PASSWORD>
      - MYSQL_PASSWORD=<MYSQL-PASSWORD>
      - MYSQL_DATABASE=nextcloud_db
      - MYSQL_USER=nextcloud_dba
    restart: unless-stopped

  app:
    image: nextcloud:latest
    container_name: nextcloud-app
    networks:
      nextcloud_network:
        ipv4_address: 172.25.238.3
    depends_on:
      - db
    volumes:
      - /docker/nextcloud/html:/var/www/html
      - ./app/config:/var/www/html/config
      - ./app/custom_apps:/var/www/html/custom_apps
      - ./app/data:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

  collab:
    image: collabora/code
    container_name: nextcloud-collab
    networks:
      nextcloud_network:
        ipv4_address: 172.25.238.4
    cap_add:
      - MKNOD
    ports:
      - 127.0.0.1:9980:9980
    environment:
      # This needs to be the same as what you set your app domain to (ex: cloud.domain.tld).
      - domain=cloud\\.domain\\.tld
      - server_name=office\\.domain\\.tld
      - cert_domain=office\\.domain\\.tld
      - dictionaries=en
      - username=<COLLABORA-ADMIN>
      - password=<COLLABORA-ADMIN-PASSWORD>
    restart: unless-stopped

volumes:
  nextcloud:
  db:

networks:
  nextcloud_network:
    ipam:
      driver: default
      config:
        - subnet: "172.25.238.0/24"
```

The Collabora extension is set up to point to the office server (Collabora), not the Nextcloud server.

I’ve checked the docker logs.

On the Office server (Nextcloud), just before the error message is displayed, I get the following.

```
172.25.238.1 - - [26/Sep/2019:11:14:34 -0400] "GET /apps/richdocuments/index?fileId=191835&requesttoken=hO0u7Emqkm%2FD7iZT5PT3bY9ANAGj1U1bf%2B26EYuJdmE%3D%3Aw4weiC7t4CyRp35mk5DYJLx0By77gitvOonOc9rFExI%3D HTTP/1.0" 200 4868 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:14:35 -0400] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 718 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:14:35 -0400] "GET /cron.php HTTP/1.0" 200 894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:14:35 -0400] "GET /ocs/v2.php/apps/activity/api/v2/activity/filter?format=json&object_type=files&object_id=191835 HTTP/1.0" 200 1433 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:14:35 -0400] "PROPFIND /remote.php/dav/systemtags-relations/files/191835 HTTP/1.0" 207 1161 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - admin [26/Sep/2019:11:14:36 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - admin [26/Sep/2019:11:14:41 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - - [26/Sep/2019:11:14:42 -0400] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 718 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
```

However, on the Collabora server I get this.

```
2019-09-26T15:03:29.494015987Z wsd-00029-00038 2019-09-26 15:03:29.493303 [ websrv_poll ] WRN client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279
```

This is from when the server started, not from when the request to open the document was made.

The screen error that is returned is as follows:

blocked

I’ve installed ping on both the Collabora and Cloud servers and both can ping each other.

I installed nmap on both servers to check open ports.

From the Collabora server to the Nextcloud server, ports 80 and 44 are visible; the IP address was the docker address (172.25.238.3).
From the Nextcloud server to the Collabora server, ports 80, 443 and 9980 are visible. The IP address was the external address for office.domain.tld (the dynamic IP address).

If I put an entry into the hosts file on the Collabora server to point office.domain.tld to the docker server's internal address (172.25.238.4), and check that nmap is still seeing the ports, I receive a different error from the browser.

I get the "waiting screen" followed by a "failed to load" popup message at the top of the browser screen.

In this case I still get no logs on the Collabora server, but on the Nextcloud docker server I get a slightly different list.

```
172.25.238.1 - admin [26/Sep/2019:11:47:01 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1119 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - - [26/Sep/2019:11:47:01 -0400] "GET /core/preview?fileId=191837&c=618e2bb38dc8ccde51cbcc5f6da0f1ba&x=250&y=250&forceIcon=0 HTTP/1.0" 404 1111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - admin [26/Sep/2019:11:47:01 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - - [26/Sep/2019:11:47:03 -0400] "GET /apps/richdocuments/index?fileId=191835&requesttoken=W%2FoKObnFEwQl80Dc34XHKvtapRoTb%2FNo40zHHJNlugA%3D%3AHJs6Xd6CYUd3uhjpqOHoY8huljVLOJVcpiizfsIp33M%3D HTTP/1.0" 200 4960 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:47:03 -0400] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 1202 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:47:03 -0400] "GET /cron.php HTTP/1.0" 200 894 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - admin [26/Sep/2019:11:47:06 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - admin [26/Sep/2019:11:47:11 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - admin [26/Sep/2019:11:47:16 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - - [26/Sep/2019:11:47:18 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 35853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - - [26/Sep/2019:11:47:18 -0400] "GET /index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.0" 200 1320 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - admin [26/Sep/2019:11:47:21 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - admin [26/Sep/2019:11:47:26 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - - [26/Sep/2019:11:47:29 -0400] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.0" 200 1202 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"
172.25.238.1 - admin [26/Sep/2019:11:47:31 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1099 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
172.25.238.1 - admin [26/Sep/2019:11:47:32 -0400] "PROPFIND /remote.php/dav/files/admin/ HTTP/1.0" 207 1119 "-" "Mozilla/5.0 (Windows) mirall/2.5.3daily-Win64 (build 20190725) (Nextcloud)"
```

The NGINX logs (error and access) provide no further help.

For the record, on the host I'm running CentOS 7-7.1908, docker version 19.03.2, nginx 1.12.2, and in the docker containers Nextcloud 16.05 (latest stable) and Collabora Community 4.0.6.

I am running SELinux on the host in permissive mode, with the firewall configured to allow all traffic between the host and the docker containers for the open ports (hence the nmap discovery).

The docker containers have neither SELinux nor firewalls installed.

I’m now stuck at what I can look at next. Any help is greatly appreciated.

To make your post more readable you may use ``` at the beginning and end of the config and log files; otherwise it is rendered with markdown.

It might help to look at your browser's console to see what is being blocked and why.

I had the same ‘sad face’ caused by a Content-Security-Policy error.
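One way to check for the Content-Security-Policy mismatch the reply above points at, as an added example that is not from the original post or from the Nextcloud or Collabora projects: Nextcloud's richdocuments app embeds the editor at the `urlsrc` advertised in Collabora's `/hosting/discovery` XML and only allows the Collabora URL configured in the app settings in its `frame-src` policy, so any advertised origin that differs (wrong `server_name`, plain `http`, an internal hostname) is blocked by the browser. The discovery document below is a constructed sample, and `fetch_discovery` is a hypothetical helper for pulling the real one from a live server.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed sample in the WOPI discovery layout Collabora serves.
# The second action advertises a scheme and host that do not match
# the public https://office.domain.tld URL configured in Nextcloud.
SAMPLE_DISCOVERY = """<wopi-discovery>
 <net-zone name="external-http">
  <app name="application/vnd.oasis.opendocument.text">
   <action ext="odt" name="edit"
           urlsrc="https://office.domain.tld/loleaflet/4a0a0b3/loleaflet.html?"/>
  </app>
  <app name="text/plain">
   <action ext="txt" name="edit"
           urlsrc="http://localhost:9980/loleaflet/4a0a0b3/loleaflet.html?"/>
  </app>
 </net-zone>
</wopi-discovery>"""


def discovery_origins(xml_text):
    """Return the set of (scheme, host[:port]) origins advertised in urlsrc."""
    origins = set()
    for action in ET.fromstring(xml_text).iter("action"):
        parts = urlsplit(action.get("urlsrc", ""))
        if parts.scheme and parts.netloc:
            origins.add((parts.scheme, parts.netloc))
    return origins


def check_discovery(xml_text, expected_url):
    """List advertised origins that differ from the Collabora URL set in Nextcloud;
    the browser's CSP (frame-src) blocks the editor iframe for any of these."""
    want = urlsplit(expected_url)
    return sorted(o for o in discovery_origins(xml_text)
                  if o != (want.scheme, want.netloc))


def fetch_discovery(base_url, timeout=10):
    """Fetch /hosting/discovery from a live server (hypothetical helper, not run offline)."""
    with urlopen(base_url.rstrip("/") + "/hosting/discovery", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for scheme, host in check_discovery(SAMPLE_DISCOVERY, "https://office.domain.tld"):
        print(f"discovery advertises {scheme}://{host}; CSP allows only https://office.domain.tld")
```

Against a live setup, run `check_discovery(fetch_discovery("https://office.domain.tld"), "https://office.domain.tld")` from the Nextcloud container and compare any reported origin with the blocked frame URL shown in the browser console.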