Collabora - unauthorised WOPI-Host

I upgraded my Nextcloud Server to v11 and did every step of the Collabora install manual: Collabora online - Nextcloud

… I installed the Collabora app, then it said that it isn’t the latest version (I tested installing Collabora on Nextcloud v10 without success), then I updated the app. But then the icon on the left side disappeared. And when I click on a doc or xls it shows me this message:

I don’t know what a ‘WOPI-Host’ is?

The other strange and dangerous thing is, when I open my office domain ‘http://office.DOMAIN.com’ it shows my normal homepage ‘DOMAIN.com’. But when I open the SSL URL ‘https://office.DOMAIN.com’ it shows me the “/var/www/” folder, and I can download every file (but can’t open a sub folder).

What’s wrong?

Apache config (I’m sure) :wink:

And what? My /etc/apache2/apache2.conf:

Mutex file:${APACHE_LOCK_DIR} default

PidFile ${APACHE_PID_FILE}

Timeout 300

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

HostnameLookups Off

ErrorLog ${APACHE_LOG_DIR}/error.log

LogLevel warn

IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Include ports.conf


<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

AccessFileName .htaccess

<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

IncludeOptional conf-enabled/*.conf

IncludeOptional sites-enabled/*.conf
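
The apache2.conf above grants everyone access to /var/www/ with Indexes enabled, which is what produces a file listing wherever no index file exists. The following is an added example, not code from the thread: a heuristic audit (the `listing_risks` helper and the trimmed sample are constructed here) that flags that combination, plus any virtual host that defines no DocumentRoot of its own and therefore inherits the server-wide one.

```python
import re

# Constructed sample: the <Directory /var/www/> block from apache2.conf plus
# a trimmed proxy-only vhost that defines no DocumentRoot.
SAMPLE = """
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>
<VirtualHost *:443>
	ServerName office.DOMAIN.com:443
	ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
</VirtualHost>
"""

BLOCK = re.S | re.I   # block-level matches span several lines
LINE = re.M | re.I    # directive matches are anchored per line


def listing_risks(conf_text):
    """Heuristic audit: return a list of findings for Apache config text."""
    findings = []
    for m in re.finditer(r"<Directory\s+([^>]+)>(.*?)</Directory>", conf_text, BLOCK):
        path, body = m.group(1).strip(), m.group(2)
        tokens = " ".join(re.findall(r"^\s*Options\s+(.*)$", body, LINE)).split()
        # "Indexes" or "+Indexes" turns listings on; "-Indexes" turns them off.
        indexes = any(t.lstrip("+").lower() == "indexes" for t in tokens)
        granted = re.search(r"^\s*Require\s+all\s+granted\b", body, LINE)
        if indexes and granted:
            findings.append(path + ": Indexes on and access granted to all")
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, BLOCK):
        body = m.group(2)
        if not re.search(r"^\s*DocumentRoot\s", body, LINE):
            name = re.search(r"^\s*ServerName\s+(\S+)", body, LINE)
            label = name.group(1) if name else m.group(1).strip()
            findings.append(label + ": no DocumentRoot, unproxied paths "
                            "fall back to the server-wide one")
    return findings


if __name__ == "__main__":
    for finding in listing_risks(SAMPLE):
        print(finding)
```
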

This one also needs an Apache config

yes … like it’s described at “2. Install the Apache reverse proxy” … and I wrote that I did every step of this manual … every step, like the step “2. Install the Apache reverse proxy”. And now? What else should be configured?

Hi

Maybe Syntax:
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\.nextcloud\.com' --restart always --cap-add MKNOD collabora/code

this domain should be your nextcloud domain. In this case cloud.nextcloud.com

pls try to restart the docker image, and reload the page.

Did you add the domain office.DOMAIN.com to collaboration admin-page (from nextcloud)?

In my case, i used a new virtualhost.conf file and activated (for office.DOMAIN.com).


You can add an index.html file to reload (office.DOMAIN.com) to your nextcloud page
very simple:

Or you can config apache for error 403:

@ham:
I saved the log of my installation of Collabora and I typed in the right domain.

I type in “https://office.DOMAIN.com:443” in the “Collabora Online Server” input form.

I added “DocumentRoot /var/www/nextcloud” to the “VirtualHost” of Collabora and now I just get redirected to nextcloud, if s.o. visits office.DOMAIN.com. Good idea, thx.

I also restarted docker, but nothing happened. The icon “Office” in the menu is still missing and I get the same error message.

Hi

The DocumentRoot in the Collaboration VirtualHost File - i think it’s not a good idea.

My VirtualHost File → eg. office.DOMAIN.com.confg (/etc/apache2/site-available)
→ a2ensite office.DOMAIN.com.conf (to link in /etc/apache2/site-enabled)

I used Letsencrypt


Did you enable:
a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl

and restarted the apache2 server?

sudo service apache2 restart
or
sudo systemctl restart apache2.service


additional:

Please post your string to start Docker. If you don’t find it → type “history” in your terminal and copy it - thx

/etc/apache2/sites-available/default-ssl.conf:

<VirtualHost *:443>
	ServerName office.DOMAIN.com:443

	# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/office.DOMAIN.com/cert.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/office.DOMAIN.com/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/office.DOMAIN.com/fullchain.pem
	SSLProtocol             all -SSLv2 -SSLv3
	SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
	SSLHonorCipherOrder     on

	# Encoded slashes need to be allowed
	AllowEncodedSlashes On

	# Container uses a unique non-signed certificate
	SSLProxyEngine On
	SSLProxyVerify None
	SSLProxyCheckPeerCN Off
	SSLProxyCheckPeerName Off

	# keep the host
	ProxyPreserveHost On

	# static html, js, images, etc. served from loolwsd
	# loleaflet is the client part of LibreOffice Online
	ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
	ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

	# WOPI discovery URL
	ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
	ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

	# Main websocket
	ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws

	# Admin Console websocket
	ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

	# Download as, Fullscreen presentation and Image upload operations
	ProxyPass           /lool https://127.0.0.1:9980/lool
	ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

Docker starts with:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\\.DOMAIN\\.com' --restart always --cap-add MKNOD collabora/code

And I enabled all a2enmod services and restarted apache2 often.

Hi

Thank you, for your answer. looks like the same.

I tried the config with the DocumentRoot /…/nextcloud/ - and it works too. But you have to add the domain office.DOMAIN.com to the docker start Syntax.

Reason: I had reproduced your error :slight_smile:

Have you more than one domain for your Nextcloud installation? like nc.DOMAIN.com and cloud.DOMAIN.com?

I hope that can help

Hi

I found some other topic:

Link: Collabora Docker capabilities problem

Maybe that can help

Hi

Please try it again.

The tutorial has some different syntaxes than before

I installed a new Ubuntu 16.04. LTS server. I try it again … and now I get: “permission denied”

Same here - I get a 403 when trying to open a file with the error “You don’t have permission to access /loleaflet/2.0.4/loleaflet.html on this server.”

Were you able to find a solution?

A

    <Location />
            Require all granted
    </Location>

in the Apache2 virtual host config file helped me. I also changed docker to utilize devicemapper as storage driver first, which did not help, but I also did not change it back.

How would the solution look for nginx? Thx!

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;

proxy_buffering off;

# static files
location ^~ /loleaflet {
	proxy_pass https://localhost:8110;
	proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
	proxy_pass https://localhost:8110;
	proxy_set_header Host $http_host;
}

# main websocket
location ~ ^/lool/(.*)/ws$ {
   proxy_pass https://localhost:8110;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
}

# download, presentation and image upload
location ~ ^/lool {
   proxy_pass https://localhost:8110;
   proxy_set_header Host $http_host;
}

# Admin Console websocket
location ^~ /lool/adminws {
   proxy_pass https://localhost:8110;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
}

Has anyone found the solution for this issue?

Just because this is the first unauthorized WOPI-Host hit:

My problem was a space in the domain name when creating the docker container:

‘domain=<space>your-storageshare\\.de’

This domain name ends up in the wopi host definitions in the loolwsd config (with the extra space).

I did not see it for hours on end and wondered why all matches up perfectly and I still get an error.

Thank you, this was the same for me.
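
The whitespace mistake described above, and the earlier advice that `domain` must name the Nextcloud host rather than the office host, can both be checked before the container is started. This is an added example, not code from the thread or from Collabora: `check_wopi_domain` is a hypothetical helper, and it assumes the value is treated as a regular expression that must match the whole Nextcloud hostname, with the doubled backslash from the docker command line reaching the config as a single one.

```python
import re


def check_wopi_domain(env_value, nextcloud_host):
    """Return a list of problems with a `domain=` value for collabora/code.

    Assumptions (not confirmed by the thread): the value is a regular
    expression that has to match the complete Nextcloud hostname, and
    '\\\\.' on the command line ends up as '\\.' in the loolwsd config.
    """
    problems = []
    # The failure reported in the thread: a stray space becomes part of
    # the WOPI host entry, so the real hostname never matches.
    if env_value != env_value.strip():
        problems.append("leading or trailing whitespace")
    pattern = env_value.replace("\\\\", "\\")  # two backslashes -> one
    # A bare '.' matches any character and widens the allow-list
    # (a deliberate '.*' is flagged as well; review it by hand).
    if re.search(r"(?<!\\)\.", pattern.strip()):
        problems.append("unescaped dot matches any character")
    try:
        if not re.fullmatch(pattern, nextcloud_host):
            problems.append("does not match " + nextcloud_host)
    except re.error as exc:
        problems.append("not a valid regular expression: %s" % exc)
    return problems


if __name__ == "__main__":
    # Constructed sample values using the thread's placeholder domains.
    samples = [
        r"cloud\\.DOMAIN\\.com",    # as in the docker command in the thread
        r" cloud\\.DOMAIN\\.com",   # stray leading space
        r"office\\.DOMAIN\\.com",   # office host instead of Nextcloud host
        "cloud.DOMAIN.com",         # dots not escaped
    ]
    for value in samples:
        print(repr(value), "->", check_wopi_domain(value, "cloud.DOMAIN.com") or "ok")
```
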