Collabora nextcloud docker linking problems

i don’t want to necro other closed or unanswered topics so i am making a new topic that seems to combine a few different problems i have seen on here. and i will provide as much information as i can to see if this combination of problems can be solved.
and i do realize that the problem MAY not be nextcloud itself.

first, i have opened ports on my router to support all installs
a dedicated docker network was created for internal dns crosstalk called proxynet
EDIT: All docker containers are in the proxynet docker network

i am running unraid 6.7.2 with latest docker, i am running all of the appliances needed as docker form.
docker-letsencrypt - linuxserver/letsencrypt repo = functional
http validation is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing…
[custom-init] no custom files found exiting…
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
docker-nextcloud - linuxserver/nextcloud repo = functional
*nextcloud’s setting for collabora is set.
docker-collabora - collabora/code repo = functional-port9980

now, everything being installed, running and mostly functional, i look at the docker of nextcloud logs, here’s the end:
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing…
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing…
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 40-config: executing…
[cont-init.d] 40-config: exited 0.
[cont-init.d] 50-install: executing…
[cont-init.d] 50-install: exited 0.
[cont-init.d] 60-memcache: executing…
[cont-init.d] 60-memcache: exited 0.
[cont-init.d] 99-custom-files: executing…
[custom-init] no custom files found exiting…
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
no errors, though there is a warning about a different version of luajit.

now a look at collabora’s logs:
wsd-00029-00029 2020-01-09 23:55:12.686029 [ loolwsd ] INF WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:3435

wsd-00029-00035 2020-01-09 23:57:05.384006 [ websrv_poll ] ERR Socket #21 SSL BIO error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (0: Success)| ./net/SslSocket.hpp:291

clearly there is an issue communicating, this part of the log happens when there is an attempt to edit/create a file.
and then nextcloud spits out this error after the attempt:

The webpage at https://collabora.redacted.co:9980/loleaflet/3d7bdc4/loleaflet.html?WOPISrc=https%3A%2F%2F192.168.1.5%3A444%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F14_oc1iblwmjpn6&title=About.odt&lang=en-en&closebutton=1&revisionhistory=1 might be temporarily down or it may have moved permanently to a new web address.
the plus side is that nextcloud doesn’t give a notification that it couldn’t start collabora.

as for any config files, i can provide them as needed since this post is already long enough but any help would be appreciated.

thank you in advance

you don’t need to expose port 9980 to the world.

only expose port 80/443 and use your nextcloud web server as a reverse proxy to the collabora container via the internal docker network.

example below:

even if you run collabora without docker (native on OS) you proxy pass to localhost:99800

and you don’t need a fqdn for your collabora service. unless it’s running on a different machine.

Avoid using localhost or 127.0.0.1 when using Docker. It’s better to use the real IP instead of loop back because sometimes it can confuse the Docker engine on the container side.

Based on your error I wonder if it’s rejecting the certificate. On my setup I do use FQDNs for all of it and the proxy gets a Let’s Encrypt cert for both. When NC and Collabora access each other through the proxy they both present a valid cert that way.
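
Added example, not part of any post in this thread: a small check over the editor URL from the error message in the first post. It decodes the `WOPISrc` callback parameter and lists the endpoints where a certificate name check would fail or where traffic skips the reverse proxy. The function names and the `proxy_ports=(443,)` default are assumptions made for this example.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# URL copied from the error message quoted in the first post of this thread.
EDITOR_URL = (
    "https://collabora.redacted.co:9980/loleaflet/3d7bdc4/loleaflet.html"
    "?WOPISrc=https%3A%2F%2F192.168.1.5%3A444%2Findex.php%2Fapps%2F"
    "richdocuments%2Fwopi%2Ffiles%2F14_oc1iblwmjpn6"
    "&title=About.odt&lang=en-en&closebutton=1&revisionhistory=1"
)

def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_editor_url(url, proxy_ports=(443,)):
    """Return (editor endpoint, decoded WOPISrc, findings).

    proxy_ports is an assumption: the ports the TLS reverse proxy listens on.
    """
    editor = urlsplit(url)
    # parse_qs percent-decodes the value: this is the callback URL that
    # Collabora fetches the document from.
    wopi_values = parse_qs(editor.query).get("WOPISrc", [])
    if not wopi_values:
        return editor.netloc, None, ["no WOPISrc parameter"]
    findings = []
    for label, part in (("editor", editor), ("WOPISrc", urlsplit(wopi_values[0]))):
        host = part.hostname or ""
        port = part.port or (443 if part.scheme == "https" else 80)
        if part.scheme != "https":
            findings.append(f"{label}: scheme is {part.scheme}, not https")
        if is_ip_literal(host):
            # A certificate issued for a DNS name does not match an IP literal.
            kind = "private " if ipaddress.ip_address(host).is_private else ""
            findings.append(f"{label}: {kind}IP literal {host}, no certificate name match")
        if port not in proxy_ports:
            findings.append(f"{label}: port {port} is not a proxy port")
    return editor.netloc, wopi_values[0], findings
```

Run against `EDITOR_URL`, it reports the editor being loaded from port 9980 and the callback pointing at `192.168.1.5:444`.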

thank you all, Reiner: i only opened the 9980 on the router to see if it would help, obviously it didn’t so i removed it.
as for avoiding the localhost and 127, the docker network is an unraid determined 172.18.0.x for each of the docker containers in loopback even though all of the containers also get a 192. address for external use.
as for the config for nginx,
this is the conf, this was provided by a tutorial, however, modifying the .sample and renaming it gives the same result.

# make sure that your dns has a cname set for collabora. If you setup Collabora to use the custom docker network (for reverse proxy)
# then this config file will work as is. However the container name is expected to be "Collabora" as it is by default in chvb's container.  
# If you are not using the custom docker network for this container then change the line "server Collabora:9980;" to "server [YOUR_SERVER_IP]:9980;"


resolver 127.0.0.11 valid=30s;
upstream collabora {
    server Collabora:9980;
}

server {
    listen       443 ssl;
    server_name collabora.*;
    include /config/nginx/ssl.conf;
	
   # static files
    location ^~ /loleaflet {
        proxy_pass https://collabora;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://collabora;
        proxy_set_header Host $host;
    }
	
    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://collabora;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://collabora;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
		
    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass https://collabora;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://collabora;
        proxy_set_header Host $http_host;
    }
}

and the nextcloud:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oc1iblwmjpn6',
  'passwordsalt' => 'X8I20w8lyQoyGDGmjCUuZZ4ciQIKQu',
  'secret' => 't444A9UIGxyQrGQjgsMuQoU+2sKEY4oHGp5LmyzY0QT6qTaL',
  'trusted_domains' => 
  array (
    0 => '192.168.1.5:444',
    1 => 'nextcloud.redacted.co:444',
  ),
  'dbtype' => 'mysql',
  'version' => '17.0.2.1',
  'overwrite.cli.url' => 'https://nextcloud.redacted.co:444',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.5:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'redacted',
  'installed' => true,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'accounts',
  'mail_domain' => 'redacted.co',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.gmail.com',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'accounts@redacted.co',
  'mail_smtppassword' => 'redacted',
);

and then thank you all for helping.

on a server with n containers you’ll find n+1 times localhost resolving to 127.0.0.1. so if you try to reach 127.0.0.1:xxxx your process is always talking to its own container. if you want to reach a service in another container use the docker network. I mentioned in my post 127 only to show you that you don’t need to have an external ip address for your collabora container.

why do you think you need one?

Reiner:

i don’t, i just left it up to unraid to handle the networking based on the docker network and when the docker containers are made they automatically get an external 192 address as shown here.

somewhere is an “expose” statement in your system. nevertheless since it’s an 192.168. address it’s not that tragic.

may you try to put this in the nginx.conf of your nextcloud-nginx container:

        location ^~ /loleaflet {
            proxy_pass https://collabora:9980;
             proxy_set_header Host $http_host;
        }
        
        location ^~ /hosting/discovery {
            proxy_pass https://collabora:9980;
            proxy_set_header Host $http_host;
        }
         
        location ^~ /lool {
            proxy_pass https://collabora:9980;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        } 

in the server { listen 80; .... block.
https://collabora:9980 should be the name of your collabora container.

your wopi_url (in the nextcloud app config web page) would be

https://nextcloud-fqdn:443/

i have two nextcloud-nginx conf’s, the /nextcloud/nginx.conf and the /nextcloud/site-confs/default.conf , which i believe is the one being used as it has the server{ section. so i am unsure where you are telling me to place these but i’m guessing the default.conf?

default.conf here:

upstream php-handler {
    server 127.0.0.1:9000;
}
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name _;
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;
    root /config/www/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;

here is the normal nginx.conf

## Version 2018/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;
  
}

it should look like this:

https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html#nextcloud-in-the-webroot-of-nginx

with lines like this:

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;

I shouldn’t ask this but could someone help with my problem here : Nextcloud in docker behind nginx as reverse proxy
It has been there for a long time and no one looked at it.
It is a very similar issue with docker and nginx reverse proxy.
Thank you :slight_smile:

that’s pretty much the same as this post charles. this one just combines a bunch of the issues with running both nextcloud, collabora and nginx-rp

What kind of system are you using for hosting of the appliances? The only reason I ask is that if it’s unraid, then you can create a new docker network and without changing the containers too much move them over to the new network and they all should be able to talk to each other

reiner:

at this point, i’m considering moving to a different container, i am wondering if some of the problems are stemming from the build of the container linuxserver/nextcloud repo from linuxserver.io though i have no proof. i will try the container straight from dockerhub instead of the one from the unraid list.