Collabora - ssl / reverse proxy setup when on different domain and server than NC

Hello all,

I tried searching the forums, but didn’t find a (solved) issue that matches mine exactly.

Generally, there seems to be a lot of confusion about getting collabora to work, and from what I understand, it’s mostly due to some ssl-certificate complications. My setup is:

  • Nextcloud on a hosted storage - no access to the underlying machine (no ssh login or console), but fairly vanilla Nextcloud (24.0.5). Hosting company (hetzner) manages updates of NC as well.
  • My own domain name for NC, hosting company takes care of SSL.
  • Collabora running in docker (configured with docker-compose) on a separate rented virtual machine (same hosting company), full access to everything on that machine.
  • In front of collabora, an nginx reverse proxy with letsencrypt ssl cert.
  • ssl confirmed working - tried switching out collabora docker for a trivial web-api, I can call it over https using my domain name without problems.
  • Calling https:///hosting/discovery yields an xml file revealing the guts of the collabora install

I have tried a lot of different settings for nginx.conf and collabora docker without success, getting different errors in the logs (mostly ssl related). I think what is confusing me is that collabora apparently takes care of ssl on its own somehow, without needing the ssl-functionality of nginx - I don’t fully understand how that works.

Since the problem is sitting in front of the keyboard, I’m not going to post my nginx configs - that might just be embarrassing.

Instead, I would like to ask if there is a standard configuration for this setting - collabora in a docker on domain A, NextCloud “somewhere else” on domain B communicating over https with each other and the user? I have found the Collabora documentation to be quite tight-lipped on the details, I ask here since I suspect there are more people here that have actually gotten their hands dirty with some real working setups.

I have seen some configurations of collabora using traefik instead of nginx, with some quite elaborate ssl-configuration commands. Is this somehow better supported - should I maybe switch to traefik?

Greetings,
Indriði

Please review this troubleshooting guide, take a look at this thread and follow the references provided:

Thank you for your reply.
As usual, while writing my problems down in the original post, things became a bit clearer (“talking to the rubber duck…”).

Thing is, I had tried out several different nginx.conf settings. Searching the web for this problem results in 2 or 3 slightly different such configs, which is a bit suspicious in itself, each setting resulting in “almost-working-but-yet-not-quite” with different things broken for each setting (the only thing constantly broken across all of them was my self-esteem…).

So I ditched nginx and tried out traefik instead, which seems to make do with even less verbose config. This thread has an excellent write-up of this. The thread describes NC and collabora running in docker side by side, but using just the traefik and collabora bits works perfectly for the case where the nextcloud server runs somewhere else.

So apparently, my original problem was a wrong configuration of routes in the nginx config file. But since the traefik-based setup works, I’m not going to try to find out what I messed up…

For reference, this is the docker-compose setup that ended up working for me:

version: "3.9"

services:

  traefik:
    image: traefik:v2.8.5
    container_name: traefik
    hostname: traefik
    restart: always
    ports:
      - 80:80
      - 443:443
      # 8080 is the traefik dashboard/API; it is published on the host here and
      # only protected by the basicauth middleware below.
      - 8080:8080
    volumes:
      # read-only docker socket so traefik can discover labelled containers
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log:/var/log
      # acme.json (Let's Encrypt account key and certificates) lives here
      - /data/traefik:/data/traefik
    command:
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik-access.log
      - --api.dashboard=true
      - --providers.docker=true
      # containers are only routed when they carry traefik.enable=true
      - --providers.docker.exposedByDefault=false
      - --entryPoints.web.address=:80
      # everything on :80 is redirected to https
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entryPoint.scheme=https
      - --entryPoints.websecure.address=:443
      - --entryPoints.traefik.address=:8080
      - --certificatesresolvers.myresolver.acme.email=my.email@somehost.org
      - --certificatesresolvers.myresolver.acme.storage=/data/traefik/acme.json
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.dashboard.entryPoints=traefik'
      - 'traefik.http.routers.dashboard.rule=PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/debug`)'
      - 'traefik.http.routers.dashboard.service=api@internal'
      - 'traefik.http.routers.dashboard.middlewares=auth'
      - 'traefik.http.middlewares.auth.basicauth.users=<someusername>:<somepassword>'

  collabora:
    image: collabora/code
    container_name: collabora
    # This also publishes Collabora's plain-http port directly on the host,
    # bypassing traefik's TLS; traefik reaches the container over the docker
    # network anyway, so the mapping is not needed for the proxied setup.
    ports:
      - 9980:9980
    cap_add:
      - MKNOD
    environment:
      # the Nextcloud origin that is allowed to use this Collabora instance
      - aliasgroup1=https://nextcloudsubdomain.mydomain.com
      - username=<someusername>
      - password=<somepassword>
      # Collabora does no TLS itself; traefik terminates it and Collabora is
      # told so, which makes it advertise https URLs in /hosting/discovery.
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.collabora.tls=true'
      - 'traefik.http.routers.collabora.tls.certresolver=myresolver'
      - 'traefik.http.routers.collabora.entrypoints=websecure'
      - 'traefik.http.routers.collabora.rule=Host(`collaborasubdomain.mydomain.com`)'
      - 'traefik.http.routers.collabora.middlewares=collabora-header'
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
      - 'traefik.http.middlewares.collabora-header.headers.referrerPolicy=no-referrer'
      - 'traefik.http.middlewares.collabora-header.headers.stsSeconds=15552000'
      - 'traefik.http.middlewares.collabora-header.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsPreload=true'
      - 'traefik.http.middlewares.collabora-header.headers.stsIncludeSubdomains=true'
      - 'traefik.http.middlewares.collabora-header.headers.browserXssFilter=true'
      - 'traefik.http.middlewares.collabora-header.headers.customRequestHeaders.X-Forwarded-Proto=https'
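A small check that ties the two halves of this thread together: the first post notes that /hosting/discovery returns an XML document, and the working compose file above relies on Collabora knowing that the proxy terminates TLS (ssl.enable=false, ssl.termination=true). When that agreement is right, every urlsrc in the discovery XML points at https://<public collabora host>; when it is wrong, the XML advertises http:// or an internal container name and port, which is exactly the kind of "almost working" failure described above. The script below is an added example, not code from the thread or from Collabora or traefik; the two XML samples are constructed to mimic the WOPI discovery format (trimmed to a couple of apps), and the public hostname is the placeholder used in the compose file.

```python
"""Sanity-check a Collabora /hosting/discovery document behind a TLS-terminating proxy.

Added example for the thread above; the XML samples below are constructed,
not captured from a real instance.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Public name traefik answers on for Collabora (placeholder from the compose file).
PUBLIC_HOST = "collaborasubdomain.mydomain.com"

# Constructed: what a healthy discovery document looks like when Collabora runs
# with ssl.enable=false / ssl.termination=true behind an https proxy.
GOOD_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="application/vnd.oasis.opendocument.text">
      <action default="true" ext="odt" name="edit"
              urlsrc="https://collaborasubdomain.mydomain.com/browser/dist/cool.html?"/>
    </app>
    <app name="text/plain">
      <action default="true" ext="txt" name="edit"
              urlsrc="https://collaborasubdomain.mydomain.com/browser/dist/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""

# Constructed: a broken setup where Collabora was not told that the proxy
# terminates TLS, so it advertises plain http on its own container name/port.
BAD_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="application/vnd.oasis.opendocument.text">
      <action default="true" ext="odt" name="edit"
              urlsrc="http://collabora:9980/browser/dist/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def check_discovery(xml_text, public_host):
    """Return a list of problems (empty list means the document looks right).

    Every <action urlsrc=...> must use https, the public hostname and the
    default port: that URL is what Nextcloud hands to the user's browser, so
    anything else means proxy and Collabora disagree about who terminates TLS
    or what the public name is.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not valid XML: %s" % exc]
    if root.tag != "wopi-discovery":
        problems.append("unexpected root element <%s>" % root.tag)
    actions = root.findall(".//action")
    if not actions:
        problems.append("no <action> elements found")
    for action in actions:
        parsed = urlparse(action.get("urlsrc", ""))
        where = "%s/%s" % (action.get("ext", "?"), action.get("name", "?"))
        if parsed.scheme != "https":
            problems.append("%s: scheme is %r, expected https" % (where, parsed.scheme))
        if parsed.hostname != public_host:
            problems.append("%s: host is %r, expected %r" % (where, parsed.hostname, public_host))
        if parsed.port not in (None, 443):
            problems.append("%s: non-default port %d leaks into the URL" % (where, parsed.port))
    return problems


def fetch_and_check(url, public_host):
    """Fetch a live discovery document and check it.

    urlopen verifies the certificate chain by default, so a certificate
    problem on the proxy surfaces here as an exception rather than being hidden.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_discovery(resp.read().decode("utf-8"), public_host)


if __name__ == "__main__":
    # Usage: python check_discovery.py https://collaborasubdomain.mydomain.com/hosting/discovery
    if len(sys.argv) > 1:
        findings = fetch_and_check(sys.argv[1], urlparse(sys.argv[1]).hostname)
    else:
        findings = check_discovery(BAD_DISCOVERY, PUBLIC_HOST)
    for line in findings or ["discovery document looks consistent"]:
        print(line)
```

Run it with the public discovery URL as the only argument once traefik has obtained its certificate; without an argument it evaluates the constructed broken sample and prints the three findings (http scheme, internal host, port 9980), which is the pattern to look for when Nextcloud reports that it cannot reach or load Collabora.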