Collabora with Apache2 backend and Nginx Reverse Proxy?

These parameters are needed for the admin console of CODE and they are optional. So it will not help at all, if you cannot connect to CODE.

To say something positive, we have discovered a potential problem with URL encoding and decoding, which in certain circumstances leads to a connection error. The next version of CODE will contain the fix for this, and probably we will have to update the integration instructions. If it won't help @enoch85, then we need to investigate further by setting up an Apache2 backend and Nginx Reverse Proxy ourselves, in a test environment.

p.s.: I work for Collabora


@timar Thank you for your attention on this! At my work I sell Nextcloud and package it with Collabora, and this is very annoying as many people really like to have Collabora.

Please investigate this as soon as possible, then tell me where I should donate the money when this is solved.

@enoch85

run docker with -p 192.168.4.111:9980:9980
and in nginx add:

location ^~ /loleaflet {
    proxy_pass https://192.168.4.111:9980;
    proxy_set_header Host $http_host;
}
location ^~ /hosting/discovery {
    proxy_pass https://192.168.4.111:9980;
    proxy_set_header Host $http_host;
}
location ^~ /lool {
    proxy_pass https://192.168.4.111:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
}

I do not know if it's a safe solution, but I think it should work.

@SirNolaan

Thanks! Progress! I removed the location / block and replaced it with your code. Now I get the Nginx test page instead:

Though, next issue when using the Collabora Online app: Collabora Online unknown error: cURL error 35: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol Please contact the "https://office.techandme.se" administrator.

Could this be because I run a Let's Encrypt cert on https://cloud.techandme.se and a wildcard cert on https://office.techandme.se?

If I add this back again

location / {
    proxy_pass_header Authorization;
    proxy_pass http://$upstream;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    proxy_request_buffering off;
    client_max_body_size 0;
    proxy_read_timeout  36000s;
    proxy_redirect off;
    proxy_ssl_session_reuse off;
}

to Nginx it redirects to my Nextcloud.

Ok current setup:

Docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                          NAMES
c8d9b0627296        collabora/code      "/bin/sh -c 'bash sta"   43 minutes ago      Up 43 minutes       192.168.4.111:9980->9980/tcp   amazing_darwin

Nginx

server {
    error_page 404 500 502 503 504 /office-error.html;
    location = /office-error.html {
        root /usr/share/nginx/html;
        internal;
    }

    # Cloudflare IPs that are masked by mod_real_ip
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 199.27.128.0/21;

    real_ip_header     X-Forwarded-For;
    real_ip_recursive  on;

    listen 192.168.4.201:443 ssl http2;

    ssl on;
    ssl_certificate /etc/nginx/ssl/techandme/techandme_wild.pem;
    ssl_certificate_key /etc/nginx/ssl/techandme/techandme_wild.key;
    ssl_dhparam /etc/nginx/sites-available/cloudflare_ip/office.techandme/office-dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Only use safe ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # Add secure headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options nosniff;

    server_name office.techandme.se;
    set $upstream 192.168.4.111;

    location ^~ /loleaflet {
        proxy_pass https://$upstream:9980;
        proxy_set_header Host $http_host;
    }

    location ^~ /hosting/discovery {
        proxy_pass https://$upstream:9980;
        proxy_set_header Host $http_host;
    }

    location ^~ /lool {
        proxy_pass https://$upstream:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}

server {
    listen 192.168.4.201:80;
    server_name office.techandme.se;
    return 301 https://office.techandme.se$request_uri;
}

Apache2

<VirtualHost 192.168.4.111:443>
  ServerName office.techandme.se

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /etc/ssl/techandme/techandme_wild.pem
  SSLCertificateKeyFile /etc/ssl/techandme/techandme_wild.key

  SSLProtocol             all
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes On

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://192.168.4.111:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://192.168.4.111:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.4.111:9980/lool/$1/ws

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://192.168.4.111:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://192.168.4.111:9980/lool
  ProxyPassReverse    /lool https://192.168.4.111:9980/lool
</VirtualHost>

Regarding the SSL error

root@cloud:/etc/apache2/sites-available# openssl s_client -debug -connect office.techandme.se:443
CONNECTED(00000003)
read from 0x1ee0f40 [0x1ee71f0] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
140317450442392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1479838563
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
root@cloud:/etc/apache2/sites-available# 
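The telling part of that s_client run is the 7-byte read of HTTP/1. followed by SSL23_GET_SERVER_HELLO:unknown protocol: whatever answered on :443 spoke plain HTTP to a TLS ClientHello. The probe below is an added example, not code from this thread or from Collabora; it uses Python's ssl module to generate a real ClientHello, sends it raw to any host and port you pass in, and classifies the first bytes of the reply so each hop of the nginx, Apache and container chain can be checked in turn (the hostnames in the usage line are placeholders).

```python
"""Tell whether a port answers a TLS ClientHello with TLS or with plaintext HTTP.

openssl's "SSL23_GET_SERVER_HELLO:unknown protocol" right after reading "HTTP/1."
means the peer spoke plain HTTP on a port the client expected TLS on. In a
proxy chain that is usually one hop using https:// against a listener that only
speaks http:// (or the reverse), so point this probe at each hop in turn.
"""
import socket
import ssl
from typing import Optional

# TLS record content types (RFC 5246, section 6.2.1)
TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16

# One hint per verdict, phrased for the nginx -> Apache -> loolwsd chain in this thread
HINTS = {
    "tls": "TLS is spoken here; if the error persists, probe the next hop inward.",
    "tls-alert": "TLS is spoken but the handshake was refused; compare ssl_protocols / "
                 "SSLProtocol and the cipher lists with what the client offers.",
    "plaintext-http": "Plain HTTP on a TLS port: the hop in front uses https:// against "
                      "an http:// listener, or this listener lacks `ssl` / SSLEngine on.",
    "empty": "Closed without a reply: check the bind address (docker -p <ip>:9980:9980, "
             "nginx listen <ip>:443) and the firewall.",
    "unknown": "Neither TLS nor HTTP came back; another service owns this port.",
}


def classify_reply(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if not first_bytes:
        return "empty"
    # Every TLS record starts with its content type followed by major version 0x03.
    if len(first_bytes) >= 2 and first_bytes[1] == 0x03:
        if first_bytes[0] == TLS_HANDSHAKE:
            return "tls"
        if first_bytes[0] == TLS_ALERT:
            return "tls-alert"
    # The s_client run above read exactly 48 54 54 50 2f 31 2e, i.e. b"HTTP/1."
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def build_client_hello(server_name: str) -> bytes:
    """Have the ssl module emit a genuine ClientHello (with SNI) into a memory BIO."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # we only want the bytes, not a verified session
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is queued in `outgoing`, no ServerHello read yet
    return outgoing.read()


def probe(host: str, port: int = 443, server_name: Optional[str] = None,
          timeout: float = 5.0) -> str:
    """Connect to host:port, send one ClientHello and classify the raw reply."""
    hello = build_client_hello(server_name or host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            reply = sock.recv(16)
        except socket.timeout:
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: tlsprobe.py <host-or-ip> [port] [sni-name]")
    target = sys.argv[1]
    port_no = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    verdict = probe(target, port_no, sni)
    print(f"{target}:{port_no} -> {verdict}: {HINTS[verdict]}")
```

Run it once against the public name, once against the Apache host on 443, and once against the container IP on 9980; the first hop that reports plaintext-http is the one whose upstream scheme is wrong.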

This is my configuration:

NGINX PROXY (Ubuntu 16.04.1 LTS x86_64)

server {
    listen         80;
    server_name    cloud.example.com;
    return         301 https://$server_name$request_uri;
    access_log     /var/log/nginx/access.log;
}
server {
    listen  443;
    server_name  cloud.example.com;

    # letsencrypt
    location ~ /.well-known {
        allow all;
        root /var/www/html;
    }
    location ^~ /loleaflet {
        proxy_pass https://10.200.10.200:9980;
        proxy_set_header Host $http_host;
    }
    location ^~ /hosting/discovery {
        proxy_pass https://10.200.10.200:9980;
        proxy_set_header Host $http_host;
    }
    location ^~ /lool {
        proxy_pass https://10.200.10.200:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
    location / {
        proxy_pass      https://10.200.10.200/;
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        proxy_request_buffering off;
        client_max_body_size 0;
        proxy_read_timeout  36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
    }
}

Apache2 (Ubuntu 16.04.1 LTS x86_64)

<VirtualHost *:443>
  ServerName cloud.example.com:443
  ServerAlias 10.200.10.200
  DocumentRoot "/var/www/html/nextcloud"

  # self-signed certificate
  # openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  # SSLProtocol             all -SSLv2 -SSLv3
  # SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes On

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://10.200.10.200:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://10.200.10.200:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://10.200.10.200:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://10.200.10.200:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://10.200.10.200:9980/lool/$1/ws
  # Admin Console websocket
  ProxyPass   /lool/adminws wss://10.200.10.200:9980/lool/adminws
  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://10.200.10.200:9980/lool
  ProxyPassReverse    /lool https://10.200.10.200:9980/lool
</VirtualHost>

@SirNolaan

Thanks for posting! So you don't use a subdomain, you run everything on the same domain as your cloud? Or is this a separate vhost?

Also, is https://_10.200.10.200:9980 on purpose?

I am a new user and cannot post links, and I have not yet learned how to properly format messages.
…
Now it should be OK.

@SirNolaan

Thanks again. But you didn't answer the questions. :slight_smile:

So you don't use a subdomain, you run everything on the same domain as your cloud? Or is this a separate vhost?

Yes, everything works on the same domain.

@enoch85

And in Nextcloud settings → Additional settings I have:

Thanks @SirNolaan

This is my current config, still the same issue with SSL… http://pastebin.com/6Y8pxAFG

Here are my SSL cert tested with A+: https://www.ssllabs.com/ssltest/analyze.html?d=cloud.techandme.se&s=109.124.182.67

Everything else works as before (Nextcloud and Spreed Me). Any ideas?

@enoch85
Did you copy SSL certs from nginx to Apache?

In Apache I have a self-signed certificate:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

And I had an SSL error in Collabora:
"cURL error 60: SSL certificate problem: self signed certificate in certificate chain".

But I found another solution :slight_smile:
cp /etc/apache2/ssl/apache.crt /usr/share/ca-certificates/apache.crt

update-ca-certificates --fresh

In the meantime, I've done something like this:

inside docker container
( how to enter? docker exec -i -t $CONTAINER_ID /bin/bash )
cat /etc/loolwsd/ca-chain.cert.pem

and copy the cert to "/var/www/html/nextcloud/resources/config/ca-bundle.crt"

But I do not know if it was needed.

In Apache (without nginx), does Nextcloud with Collabora work OK?

echo "192.168.4.111 office.techandme.se" >> /etc/hosts
if you are on the same network

(Look at nginx logs to see if something did not go through the proxy.)

@SirNolaan

As per your recommendation I run everything on the same host (as you can see in my new host files pasted on pastebin) and I use the same cert all over (the wildcard cert for techandme.se), but it still fails.

https://cloud.techandme.se/hosting/discovery works in the same way as it did before (with Collabora on a subdomain) and it's reachable, I get A+ on the SSL certs and it works everywhere else except with Collabora. I tried to google the issue with SSL but didn't find any good solution.

And yes, I've added the internal IP to the /etc/hosts file.

CC @timar Please check my config so that everything seems correct. It seems like setting it up behind a Nginx Reverse Proxy on a different host is close to impossible. :confused:

@enoch85

This is my step by step guide for you.

The structure of the network:

nginx-proxy

apt-get install letsencrypt nginx

gen cert:
letsencrypt --standalone certonly -d cloud.viop.pl

new file: /etc/nginx/sites-available/cloud.viop.pl

server {
    listen          80;
    server_name     cloud.viop.pl;
    return          301 https://$server_name$request_uri;
    access_log      /var/log/nginx/access.log;
}

server {
    listen          443;
    server_name     cloud.viop.pl;

    # LetsEncrypt
    location ~ /.well-known {
        allow all;
        root /var/www/html;
    }
    # NextCloud
    location / {
        proxy_pass      https://192.168.122.236/;
        include         /etc/nginx/proxy_params;
    }
    location ^~ /loleaflet {
        proxy_pass      https://192.168.122.236:9980;
        proxy_set_header Host $http_host;
    }
    location ^~ /hosting/discovery {
        proxy_pass https://192.168.122.236:9980;
        proxy_set_header Host $http_host;
    }
    location ^~ /lool {
        proxy_pass https://192.168.122.236:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}

a small change in the config

--- a/etc/nginx/sites-available/default
+++ b/etc/nginx/sites-available/default
@@ -19,7 +19,9 @@ server {

        # SSL configuration
        #
-       # listen 443 ssl default_server;
+       listen 443 ssl default_server;
+       ssl_certificate /etc/letsencrypt/live/cloud.viop.pl/fullchain.pem;
+       ssl_certificate_key /etc/letsencrypt/live/cloud.viop.pl/privkey.pem;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
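Review bot: the three added lines put the 443 listener and both ssl_certificate directives into the catch-all `default_server` rather than into the cloud.viop.pl server block, which in this guide only has `listen 443;` with no `ssl` flag and no certificate of its own, so TLS for the site depends on an unrelated default vhost and every other name reaching 443 on this proxy is answered with the cloud.viop.pl certificate as well. Suggest moving `listen 443 ssl;`, `ssl_certificate` and `ssl_certificate_key` into /etc/nginx/sites-available/cloud.viop.pl and leaving /etc/nginx/sites-available/default untouched; note also that `# listen [::]:443 ssl default_server;` stays commented out, so IPv6 clients get no TLS listener at all.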

apache-nextcloud

install some shits
apt-get install apache2 mariadb-server libapache2-mod-php php-gd php-json php-mysql php-curl php-intl php-mcrypt php-imagick php-mbstring php-xml php-zip

Install nextcloud + collabora

cd /tmp/
wget https://download.nextcloud.com/server/releases/nextcloud-10.0.1.tar.bz2
tar -jxvf nextcloud-10.0.1.tar.bz2 -C /var/www/
wget https://apps.owncloud.com/CONTENT/content-files/174727-richdocuments.zip
unzip 174727-richdocuments.zip -d /var/www/nextcloud/apps/
chown -R www-data:www-data /var/www/nextcloud/

Install docker:

apt-get install docker.io
docker pull collabora/code
docker run -t -d -p 192.168.122.236:9980:9980 -e 'domain=cloud\\.viop\\.pl' --restart always --cap-add MKNOD collabora/code

Database

mysql -uroot

CREATE DATABASE nextcloud;
GRANT ALL PRIVILEGES ON nextcloud.* TO 'nxuser'@'localhost' IDENTIFIED BY 'nextcloud';

self-signed cert:

mkdir /etc/apache2/ssl/

openssl req -x509 -subj "/C=EU/ST=Internet/L=Intranet/O=ViOP/CN=cloud.viop.pl" -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

cp /etc/apache2/ssl/apache.crt /usr/share/ca-certificates/apache.crt

update-ca-certificates --fresh

new file: /etc/apache2/sites-available/cloud.viop.pl.conf

<VirtualHost 192.168.122.236:443>
  ServerName cloud.viop.pl:443
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
  </IfModule>

  DocumentRoot "/var/www/nextcloud"
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    Order allow,deny
    Allow from all

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
  </Directory>

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/apache.crt
  #  SSLCertificateChainFile /path/to/intermediate_certificate
  SSLCertificateKeyFile /etc/apache2/ssl/apache.key
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes On

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://192.168.122.236:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://192.168.122.236:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://192.168.122.236:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://192.168.122.236:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.122.236:9980/lool/$1/ws

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://192.168.122.236:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://192.168.122.236:9980/lool
  ProxyPassReverse    /lool https://192.168.122.236:9980/lool
</VirtualHost>

enable mods:

a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod ssl
a2enmod headers
a2ensite cloud.viop.pl
service apache2 restart

Open https://cloud.viop.pl
go to admin → apps → not enabled
scroll down and enable Collabora Online

now go to admin → Additional settings
In "Collabora Online server" put https://cloud.viop.pl

It works for me :wink:
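Once the "Collabora Online server" URL is saved, Nextcloud fetches /hosting/discovery from it and hands the urlsrc values in that XML to the browser; loolwsd builds those values from the Host header it receives, which is what the Host-forwarding directives in every config above (proxy_set_header Host $http_host, ProxyPreserveHost On) protect. The check below is an added example, not part of SirNolaan's guide or of Collabora: it parses a discovery document and flags any action whose urlsrc is not https:// on the public name; the XML sample is constructed and the hostnames are placeholders.

```python
"""Check that /hosting/discovery advertises the public https name users reach.

If any proxy hop rewrites the Host header, the discovery XML points the browser
at an internal address or the wrong scheme; the document itself still loads, so
the symptom is "Collabora does not open" rather than an obvious proxy error.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample shaped like the document the CODE container returns;
# the second action deliberately leaks the container's internal address.
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-https">
    <app name="application/vnd.oasis.opendocument.text">
      <action ext="odt" name="edit" urlsrc="https://cloud.example.com/loleaflet/dist/loleaflet.html?"/>
    </app>
    <app name="application/vnd.openxmlformats-officedocument.wordprocessingml.document">
      <action ext="docx" name="edit" urlsrc="https://192.168.122.236:9980/loleaflet/dist/loleaflet.html?"/>
    </app>
  </net-zone>
</wopi-discovery>
"""


def parse_actions(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (ext, action name, urlsrc) for every <action> in the discovery document."""
    root = ET.fromstring(xml_text)
    return [(a.get("ext", ""), a.get("name", ""), a.get("urlsrc", ""))
            for a in root.iter("action")]


def find_mismatches(xml_text: str, public_netloc: str) -> List[Tuple[str, str, str]]:
    """List actions whose urlsrc is not https:// on the host[:port] the proxy serves."""
    bad = []
    for ext, name, urlsrc in parse_actions(xml_text):
        parts = urlsplit(urlsrc)
        if parts.scheme != "https" or parts.netloc != public_netloc:
            bad.append((ext, name, urlsrc))
    return bad


def fetch_discovery(base_url: str, verify: bool = True) -> str:
    """GET <base_url>/hosting/discovery, as Nextcloud's richdocuments app does."""
    ctx = ssl.create_default_context()
    if not verify:  # only when probing an internal hop that has a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/hosting/discovery"
    with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_discovery.py https://<public-name>")
    base = sys.argv[1]
    problems = find_mismatches(fetch_discovery(base), urlsplit(base).netloc)
    for ext, name, urlsrc in problems:
        print(f"{ext}/{name}: urlsrc {urlsrc} is not on {base}")
    print("discovery OK" if not problems else f"{len(problems)} action(s) point elsewhere")
```

Run it against the same URL you entered in the Nextcloud admin page; any reported action is one the browser would try to load from somewhere other than the proxy.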

@SirNolaan Thanks again for the detailed instructions. That's how I did it, with the only difference that I use a real wildcard cert instead of a self-signed one, as you may have seen in the pastebin…? Also I don't use the default vhosts for anything; actually they are deactivated, as I want to control everything in separate vhosts.

My Nginx is on 192.168.4.201, and Nextcloud Apache backend is on 192.168.4.111. Now, do you run the Nginx Proxy in the same IP as the Apache or are they separated?

Again, I run more than 15 domains on about 10 separate VMs with the Nginx Reverse Proxy -> Apache backends, but the Collabora stuff doesn't work.

I have 2 virtual machines (KVM - Ubuntu 16.04.1)

  1. nginx-proxy
    eth0 - public IP
    eth1 - 192.168.122.168

  2. apache-nextcloud
    eth0 - 192.168.122.236

I'm not sure I understand you correctly. My English is poor. :wink:
I also do not use the default virtual host in Apache / nginx.
In nginx I edited the file "/etc/nginx/sites-available/default" only to enable SSL.
The rest of the configuration is in separate files and only applies to the domain cloud.viop.pl.

For a test, try to generate an SSL cert for Apache.
Transmission between nginx-proxy and Apache can use a self-signed certificate.
Users see only the certificate installed on nginx.

mkdir /etc/apache2/ssl/
openssl req -x509 -subj "/C=EU/ST=Internet/L=Intranet/O=ViOP/CN=cloud.viop.pl" -nodes -days 3650 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

# This is important
cp /etc/apache2/ssl/apache.crt /usr/share/ca-certificates/apache.crt
update-ca-certificates --fresh

Why should I use a self signed cert when I have a wildcard cert?

@timar

Hey, I just checked the docker logs, and it seems there are some errors, but I don't know what they mean?

root@cloud:~# docker logs c8d9b0627296
Generating RSA private key, 2048 bit long modulus
................+++
...............................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
....................+++
.......+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.8 - 1.9.8
loolforkit version details: 1.9.8 - 1.9.8
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.12",         "BuildId": "653cc4c38dd2c05aecbee156aef460f5a361e579" }
Generating RSA private key, 2048 bit long modulus
......+++
..............+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolwsd version details: 1.9.8 - 1.9.8
loolforkit version details: 1.9.8 - 1.9.8
kit-00059-0059 0:00:20.475042 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/59/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00059-0059 0:00:20.475487 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00064-0064 0:00:26.166164 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/64/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00064-0064 0:00:26.166349 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00069-0069 0:00:31.294206 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/69/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00069-0069 0:00:31.294382 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00074-0074 0:00:35.721086 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/74/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00074-0074 0:00:35.721318 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00079-0079 0:00:40.479968 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/79/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00079-0079 0:00:40.480135 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00084-0084 0:00:49.143948 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/84/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00084-0084 0:00:49.144112 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00089-0089 0:00:53.144848 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/89/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00089-0089 0:00:53.144997 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
kit-00094-0094 0:00:56.620942 [ loolkit ] ERR  symlink("../lo","/opt/lool/child-roots/94/opt/collaboraoffice5.1") failed     (errno: File exists)
kit-00094-0094 0:00:56.621093 [ loolkit ] ERR  Poco Exception: Exception: symlink() failed| LOOLKit.cpp:1556
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.12",     "BuildId": "653cc4c38dd2c05aecbee156aef460f5a361e579" }
wsd-00026-0029 12:46:20.360341 [ client_ws_0003 ] ERR  Unknown resource: /hosting/discovery| LOOLWSD.cpp:1154
root@cloud:~#