Correct nginx proxy pass config

cracker0dks · March 31, 2017, 9:51am

Hey,
I want to install the latest collabora for my Nextcloud 11.0.2 with nginx proxypass. And found two install guides both not working -.-

Link From Nextcloud: https://icewind.nl/entry/collabora-online/
And the latest from collabora: collaboraoffice.com/code/

The one from collabora seems to be promising and It all seems to be fine: https://office.domain.tld/hosting/discovery returns:

But Nextcloud returns:
Well, this is embarrassing, we cannot connect to your document. Please try again.

Collabrora Serverlog:
loolforkit version details: 2.0.4 - 2.0.4
office version details: { “ProductName”: “Collabora Office”, “ProductVersion”: “5.1”, “ProductExtension”: “.10.21”, “BuildId”: “e91d2c2d59b035e40bdefac5fe06fb210180ed86” }
wsd-00025-0028 09:26:54.835450 [ client_req_hdl ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00025-0026 09:26:55.144542 [ client_ws_0002 ] ERR ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1240

So it seems to be a nginx problem?! Is even someone running nginx/nextcloud at the latests versions without problems?

Thanks for help

rtznprmpftl · March 31, 2017, 11:02pm

I run NC and CODE in different VMS with an NGINX proxy on the Frontend (and CODE has a different domain):
so this config may be wrong for you but may give you a hint:

server {
    listen               443 ssl http2;
    server_name          office.xxx;
    ssl_certificate      /etc/letsencrypt/live/office.xxxx/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/office.xxx/privkey.pem;
    client_max_body_size 10G;
    proxy_set_header     X-Forwarded-Proto 'https';
    underscores_in_headers on;
    add_header           Strict-Transport-Security "max-age=31536000";

    location /.well-known/ {
        root   /var/lib/nginx/letsencrypt/;
        index  index.html index.htm;
    }

    # static files
    location ^~ /loleaflet {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Host $http_host;
        proxy_ssl_verify              off;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Host $http_host;
        proxy_ssl_verify              off;
        
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
        proxy_ssl_verify              off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
        proxy_ssl_verify              off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Host $http_host;
        proxy_ssl_verify              off;
        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }

    location / {
        proxy_pass        https://1.2.3.4:9980;
        proxy_set_header Host $http_host;
        proxy_ssl_verify              off;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

}

Also, just enter ‘https://office.domain’ in the NC Config, if you add a trailing ‘/’ it will break

cracker0dks · April 2, 2017, 5:58pm

thanks for you answer. I will try this. What do you mean by “Also, just enter ‘https://office.domain’ in the NC Config, if you add a trailing ‘/’ it will break” I didnt change the NC config for collabora at all. I only set the url at the NC App. Their is nothing at the tutorials. Did I miss something?

rtznprmpftl · April 2, 2017, 9:18pm

Thats what i meant

cracker0dks · April 4, 2017, 6:18pm

Ok thanks. I get no more errors at the logs and https://office.cloud13.de/hosting/discovery works also fine with your nginx config… but still:

Well, this is embarrassing, we cannot connect to your document. Please try again.

this msg when I try to open a document. Serverlogs are as follow:

Thanks for help

scryver · April 11, 2017, 1:58pm

Hey I had the same problem with nginx and nextcloud. I solved by changing
location ^~ /lool
into
location ~ /lool

I found that somewhere else here on the forums after scratching my head for several hours.
Still don’t know exactly what the problem was, but it had to do with the url links that nginx passes along.

cracker0dks · April 12, 2017, 12:45pm

Thanks for your answer. I tried this as well and removed the “^” but with no success. Nothing changed… Can you please post you nginx config. thanks

scryver · April 12, 2017, 6:18pm

Here it is. I think the upstream part is also important for letting nginx pass the uri unchanged (no url decode)

upstream collada-office {
    server 127.0.0.1:9980;
}

server {
    listen 443 ssl;
    server_name office.example.com;
 
    ssl_certificate /etc/letsencrypt/live/office.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.example.com/privkey.pem;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://collada-office;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://collada-office;
        proxy_set_header Host $host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://collada-office;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
	proxy_buffering off;
        proxy_pass https://collada-office;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ /lool {
        proxy_pass https://collada-office;
        proxy_set_header Host $host;
    }
}

cracker0dks · April 12, 2017, 9:06pm

Thanks for you help! But still not working for me

In my setup I have an nginx container and the office container… both on the same host and network. Could this be a reason? Im always changing the “127.0.0.1” to “containername” and I getting no errors and see the connections in the logs.

@rtznprmpftl Did you change some settings in the office container (or somewhere else than the nginx config) when you run it on 2 different servers?

cracker0dks · April 13, 2017, 12:53pm

Ok I found out that the config from @scryver is working. But I have encryption enabled… Thanks for your help guys! I will try onlyoffice next

husky · April 26, 2017, 5:20pm

Finally I got my CODE installation working, too, thanks to the config scryver provided.

Request to mods: Could we make this sticky please? I don’t know how many threads exist in order to get CODE working with Nginx…

dev0 · April 27, 2017, 8:04am

I recommend to check if several people get that working and then do a pull request on github for the homepage, add a nginx section.

krueuw · January 1, 2018, 12:47pm

My setup is the same as cracker0dks. Cloud and CODE in separate Containers on one docker-installation with only one domain and separat certs for each host-container. The nginxproxy ist jwilder/nginx-proxy with jrcs/letsencrypt-nginx-proxy-companion. All seems to be ok, but:

cURL error 7: Failed to connect to office.mydomain.de port 443: Connection refused

Where must I insert the solution in this nginx-config? In /etc/nginx/vhost.d? My changes in /etc/nginx/vhost.d will overwrite on next startup. Must I change the name “collada-office” to my container-names?

cracker0dks · January 1, 2018, 1:29pm

you dont have to name it “collada-office" but it must be consistent with your nginx config part.
“Connection refused” seems to be a nginx config problem.

I changed the default.conf on my nginx (nothing else). Dont forget to reload nginx to reload the changed config.

krueuw · January 1, 2018, 5:28pm

Thanks for the quick answer. In my case with jwilder/nginx-proxy will the configfile /etc/nginx/conf.d/default.conf rewrite with dynamic content in dependence of the started client-containers. The format of this file is equal to yours. The file /etc/nginx/vhost.d/default is static and can be editing persistent. Server-statements are not allowed.

Do you know which kinds of possibilitys I have?

tapedriveforever · December 13, 2019, 6:16pm

scryver, that config worked! I been trying to figure this out for months. Thank you!!