Collabora ubuntu // nextcloud centos // Access forbidden

i receive an Access forbidden error when opening e.x. ods file at the nextcoudserver.

the nextcloudserver is a centos7 nextcloud 11
the collabora docker is running at a Ubuntu 16.04.1 LTS x86_64

i can not find the error, maybe you can help me…

https://office.xxxxxx.com shows the index file from /usr/share/nginx/office;
but i can not connect: a https://office.xxxxx.com:9980/
or https://office.xxxxxx:9980/loleaflet/dist/admin/adminSettings.html


root@office ~ # docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
collabora/code latest 53e165693650 3 weeks ago 1.61 GB


root@office ~ # docker info
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 1.12.3
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 10
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: overlay host bridge null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-47-generic
Operating System: Ubuntu 16.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.953 GiB
Name: office.XXXXXXXX.com
ID: 55AE:MGLM:UYIH:HKYB:SG36:5UWC:PAXJ:MEFF:MKL7:SPD7:6MIT:AJZN
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8

root@office ~ # grep aufs /proc/filesystems
nodev aufs


root@office ~ # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1184/nginx -g daemo
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1169/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1184/nginx -g daemo
tcp 0 0 127.0.0.1:9980 0.0.0.0:* LISTEN 1369/docker-proxy
tcp6 0 0 :::80 :::* LISTEN 1184/nginx -g daemo
tcp6 0 0 :::22 :::* LISTEN 1169/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 865/dhclient

… the docker is listening on localhost… may this is the issue?
the docker should listen at the external IP or?


ngix config:

server {
listen 443 ssl;
server_name office.xxxxx.com;
root /usr/share/nginx/office;

ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/office.xxxxx.com.crt;
ssl_certificate_key /etc/nginx/ssl/office.xxxxx.com.key;

static files

location ^~ /loleaflet {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}

WOPI discovery URL

location ^~ /hosting/discovery {
proxy_pass https://localhost:9980;
proxy_set_header Host $http_host;
}

websockets, download, presentation and image upload

location ^~ /lool {
proxy_pass https://localhost:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
proxy_set_header Host $http_host;
}
}

nginx error log says nothing, only that a favicon is missing…

so it looks like you have a reverse proxy set up via nginx. have you tried to just use https://office.xxxx.xxx and leave off port 9980. it should be listening on the localhost as your proxy server will pass the traffic.

also what did you use to start the docker image?

Turn off SELinux for a minute and see if it works. setenforce 0

If it works, then you just have a permission issue to work out.

The port is not a known port, so it should be blocked from communicating.

Possibly semanage port -a -t http_port_t -p tcp 9980 would fix it if that was the case.

Do not forget to turn SELinux back on. setenforce 1

1 Like

Thank you!
But SELinux is not the problem!
Same error with or without SELinux actice or not…

https://office.xxxxxx.com shows the index file from /usr/share/nginx/office

i’ve installed the docker with following line at the server office.xxxxxxx:
(nc\.cloudxxserver\.com is my nextcloud server)

docker run -t -d -p 127.0.0.1:9980:9980 -e ‘domain=nc\.cloudxxserver\.com’ --restart always --cap-add MKNOD collabora/code

Any chance you would change nginx for apache to do the docker proxy?

I’ve heard some rumors saying that nginx is not working properly even with the correct config.
Can’t really confirm since i’ve been running apache all time.

Cheers!