ERR WOPI::GetFile [...] failed with Status Code: 403 (Forbidden)

Hi,

I am running Nextcloud and Collabora with Docker behind Traefik. Nextcloud is running fine and Collabora also seems to be up and running (I get an OK from the Collabora domain and the admin page is available). In Nextcloud I installed the Nextcloud Office package and configured it.

When I try to open a document (e.g. a Word document) I get the following error: “Error loading the document”. In the logs I see the following:

Collabora:

wsd-00001-00043 2024-01-15 19:18:55.789249 +0000 [ docbroker_002 ] ERR  WOPI::GetFile [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit] failed with Status Code: 403 (Forbidden)| wsd/Storage.cpp:1149
wsd-00001-00043 2024-01-15 19:18:55.789363 +0000 [ docbroker_002 ] ERR  Cannot download document from WOPI storage uri [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit]. Error: WOPI::GetFile [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit] failed: []| wsd/Storage.cpp:1090
wsd-00001-00043 2024-01-15 19:18:55.789403 +0000 [ docbroker_002 ] ERR  loading document exception: WOPI::GetFile [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit] failed: []| wsd/DocumentBroker.cpp:2679
wsd-00001-00043 2024-01-15 19:18:55.789417 +0000 [ docbroker_002 ] ERR  Failed to add session to [https%3A%2F%2Fnextcloud.DOMAIN.de%3A443%2F%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1647060_oc0o1xnu8572] with URI [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572?access_token=<TOKEN>&access_token_ttl=0&permission=edit]: WOPI::GetFile [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit] failed: []| wsd/DocumentBroker.cpp:2641
wsd-00001-00043 2024-01-15 19:18:55.789435 +0000 [ docbroker_002 ] ERR  Storage error while starting session on https%3A%2F%2Fnextcloud.DOMAIN.de%3A443%2F%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1647060_oc0o1xnu8572 for socket #26. Terminating connection. Error: WOPI::GetFile [https://nextcloud.DOMAIN.de//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=&access_token_ttl=0&permission=edit] failed: []| wsd/COOLWSD.cpp:5423
wsd-00001-00043 2024-01-15 19:18:55.794000 +0000 [ docbroker_002 ] ERR  #26: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1445
wsd-00001-00043 2024-01-15 19:18:55.826332 +0000 [ docbroker_002 ] ERR  #18: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1137
wsd-00001-00043 2024-01-15 19:18:55.826612 +0000 [ docbroker_002 ] WRN  #18: Unassociated Kit (36) disconnected unexpectedly| wsd/COOLWSD.cpp:3840

Nextcloud:

172.16.1.1 - - [15/Jan/2024:19:18:54 +0000] "GET //index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572?access_token=<TOKEN>&access_token_ttl=0 HTTP/1.1" 200 2063 "-" "COOLWSD HTTP Agent 23.05.7.2"
172.16.1.1 - - [15/Jan/2024:19:18:54 +0000] "GET //index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572/contents?access_token=<TOKEN>&access_token_ttl=0 HTTP/1.1" 403 1618 "-" "COOLWSD HTTP Agent 23.05.7.2"
172.16.1.1 - - [15/Jan/2024:19:18:55 +0000] "GET //index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572?access_token=<TOKEN>&access_token_ttl=0&permission=edit HTTP/1.1" 200 2057 "-" "COOLWSD HTTP Agent 23.05.7.2"

Ansible/Docker:

      - name: Configure collabora container
        community.general.docker_container:
          name: collabora
          image: collabora/code
          restart: yes
          restart_policy: always
          labels:
            com.centurylinklabs.watchtower.enable: 'true'
            # May be unnecessary depending on Traefik config, but can't hurt
            traefik.enable: 'true'
            # The  container will receive traffic from these subdomains
            traefik.http.routers.collabora.rule: 'Host(`collabora.DOMAIN.de`)'
            # address the entrypoint used in traefik config
            traefik.http.routers.collabora.entrypoints: 'https'
            # (The 'default' certificate resolver must be defined in Traefik config)
            traefik.http.routers.collabora.tls.certResolver: 'letsencrypt'
            traefik.http.routers.collabora.tls.options: 'intermediate@file'
            traefik.http.routers.collabora.middlewares: hsts-header@file,xssfilter-header@file
            # address the internal destination
            traefik.http.services.collabora.loadbalancer.server.port: '9980'
          state: started
          capabilities:
            - MKNOD
          env:
            aliasgroup1: "https://nextcloud.DOMAIN.de:443"
            username: "{{ vault_collabora_user }}"
            password: "{{ vault_collabora_passwd }}"
            extra_params: "--o:ssl.enable=false --o:ssl.termination=true"
          networks:
            - name: nextcloud
            - name: traefik_proxy


      - name: Configure nextcloud
        community.general.docker_container:
          name: nextcloud
          image: nextcloud
          restart: yes
          restart_policy: always
          labels:
            com.centurylinklabs.watchtower.enable: 'true'
            # May be unnecessary depending on Traefik config, but can't hurt
            traefik.enable: 'true'
            # The  container will receive traffic from these subdomains
            traefik.http.routers.nextcloud.rule: 'Host(`nextcloud.DOMAIN.de`)'
            # address the entrypoint used in traefik config
            traefik.http.routers.nextcloud.entrypoints: 'https'
            # (The 'default' certificate resolver must be defined in Traefik config)
            traefik.http.routers.nextcloud.tls.certResolver: 'letsencrypt'
            traefik.http.routers.nextcloud.tls.options: 'intermediate@file'
            traefik.http.routers.nextcloud.middlewares: hsts-header@file,xssfilter-header@file,nextcloud-dav@docker
            # address the internal destination
            traefik.http.services.nextcloud.loadbalancer.server.port: '80'
            traefik.http.middlewares.nextcloud-dav.replacepathregex.regex: '^/.well-known/ca(l|rd)dav'
            traefik.http.middlewares.nextcloud-dav.replacepathregex.replacement: '/remote.php/dav/'
          state: started
          volumes:
            - /srv/docker/nextcloud/nextcloud/var/www/html:/var/www/html
          env:
            MYSQL_HOST: 'mariadb-nextcloud'
            MYSQL_DATABASE: '{{ vault_vmd38354_mariadb_nextcloud_MYSQL_DATABASE }}'
            MYSQL_USER: '{{ vault_vmd38354_mariadb_nextcloud_MYSQL_USER }}'
            MYSQL_PASSWORD: '{{ vault_vmd38354_mariadb_nextcloud_MYSQL_PASSWORD }}'
            REDIS_HOST_PASSWORD: '{{ vault_vmd38354_redis_nextcloud_PASSWORD }}'
            REDIS_HOST: redis-nextcloud
          networks_cli_compatible: yes
          networks:
            - name: nextcloud
            - name: traefik_proxy

Does one of you have any idea why Nextcloud returns a 403 error?

I am still facing this error and I have no clue how to solve it. I would really appreciate some ideas.

I just noticed that I can open a document when I have just created it. Afterwards I get the same error as described above.

Try

sudo coolconfig set net.post_allow.host <nextcloud IP>

Or set it in coolwsd.xml

With the Nextcloud AIO setup, which I am running, there is a list of subnets that is set per default: , 127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1

Not sure if this is there for you as well: check Administration Settings > Office > Allow list for WOPI requests
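
An added example, not part of any post in this thread and not Nextcloud or Collabora code: it correlates WOPI CheckFileInfo and GetFile responses in the Nextcloud access log and tests whether the logged client address falls inside the allow list quoted above. It assumes the address in the access log is the one the allow list is compared against (behind Traefik the address Nextcloud evaluates may differ); all function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Allow list exactly as quoted in the thread, stray leading comma included.
WOPI_ALLOWLIST = ", 127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1"

# Sample input: the three Nextcloud access-log lines from the question.
_P = "//index.php/apps/richdocuments/wopi/files/1647060_oc0o1xnu8572"
_A = '"-" "COOLWSD HTTP Agent 23.05.7.2"'
SAMPLE_LOG = "\n".join([
    f'172.16.1.1 - - [15/Jan/2024:19:18:54 +0000] "GET {_P}?access_token=<TOKEN>&access_token_ttl=0 HTTP/1.1" 200 2063 {_A}',
    f'172.16.1.1 - - [15/Jan/2024:19:18:54 +0000] "GET {_P}/contents?access_token=<TOKEN>&access_token_ttl=0 HTTP/1.1" 403 1618 {_A}',
    f'172.16.1.1 - - [15/Jan/2024:19:18:55 +0000] "GET {_P}?access_token=<TOKEN>&access_token_ttl=0&permission=edit HTTP/1.1" 200 2057 {_A}',
])

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WOPI_RE = re.compile(r"/wopi/files/(?P<file_id>[^/?]+)(?P<contents>/contents)?(?:\?|$)")

def parse_allowlist(raw):
    """Parse the comma-separated list; tolerate empty entries and host bits (127.0.0.1/8)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in raw.split(",") if e.strip()]

def ip_allowed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

def wopi_events(log_text):
    """Yield (client_ip, file_id, operation, status) for each WOPI request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        w = WOPI_RE.search(m["path"]) if m else None
        if not w:
            continue
        op = ("GetFile" if m["method"] == "GET" else "PutFile") if w["contents"] else "CheckFileInfo"
        yield m["ip"], w["file_id"], op, int(m["status"])

def diagnose(log_text, allowlist_raw):
    """Report files where CheckFileInfo returned 200 but GetFile returned 403."""
    nets = parse_allowlist(allowlist_raw)
    seen = defaultdict(lambda: defaultdict(set))
    for ip, file_id, op, status in wopi_events(log_text):
        seen[(ip, file_id)][op].add(status)
    return [
        {"ip": ip, "file_id": fid, "source_in_allowlist": ip_allowed(ip, nets)}
        for (ip, fid), ops in sorted(seen.items())
        if 200 in ops["CheckFileInfo"] and 403 in ops["GetFile"]
    ]
```

Calling `diagnose(SAMPLE_LOG, WOPI_ALLOWLIST)` on the lines from the question reports the file with `source_in_allowlist` set to true, since 172.16.1.1 lies inside 172.16.0.0/12.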

Please follow the Collabora integration guide and almost all issues are resolved.

Thanks for your tips. I configured the subnets and currently set them to empty to eliminate a configuration error there. I also checked the integration guide and everything seems to be configured correctly. However, it’s still only working once, directly after creating a file from the web UI. Afterwards I get the error that the file cannot be loaded.