How to use client certificates?

We have a nextcloud server running together with a reverse proxy (both under the same apache) and a collabora docker. All on the same server.

Our nextcloud server requires client certificates. In order to use collabora this seems to be a big problem.

First nextcloud itself needs to use a client certificate when addressing collabora through the proxy. It does not do that by itself. It seems to work when adding a ‘cert’ option to the RequestOptions in lib/private/Http/Client/Client.php.

Now it looks like collabora has the same problem when trying to load the document from the nextcloud server.

Does anybody know how to force collabora to use a specific client certificate?

Does anybody know what log information can be gotten from the collabora docker instance?

I set up Nextcloud and Collabora both in Docker with a reverse proxy on the host. I didn’t need or use any client certs.

The thing is we do need client certificates. We use them for authorizing access to our nextcloud server. Users install the client certificate in their OS or browser and then the webserver (apache) allows them access.

To get collabora/code working it seems also nextcloud itself and collabora/code itself need to use a valid client certificate. For nextcloud I found a solution, for collabora/code not.

@wdehoog

Question about your setup
You're running apache as a reverse proxy for the SSL authentication. My understanding is the encryption stops here – meaning it doesn't extend beyond the proxy. I'm not sure why you would want the encryption to extend past the proxy, since collabora docker runs on same server as apache.

Tell me about your certs? What domains are listed on the cert? Are your certs self signed?

We use letsencrypt for the server certificates. The collabora docker has its own server certificate which I guess is self signed. These are not the problem.

We give our users a self signed client certificate without which they have no access. The apache server verifies this (SSLRequire). Now it seems for collabora-online the nextcloud php scripts also make a request to the nextcloud server itself and thus also need a valid client certificate.

So it would be best I think for you either to obtain a wildcard cert or a cert in which you can list multiple domains. (I use LetsEncrypt certs which allow multiple domain names to be placed in one cert). Other people may refer to these types of certs as SAN certs. I would give every virtual host a domain name that runs within apache. Such as nextcloud.
Either then modify the dns records on your router or modify the /etc/hosts files on respective hosts that will associate the domain name with the Local IP address.
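The two-vhost layout that the replies above converge on (a public vhost that demands the user's client certificate, plus an internal vhost for the same site that the Collabora container reaches without one), written out as an added Apache configuration example. This is not configuration from the thread or from the Nextcloud or Collabora projects; the host name office.blabla.com comes from the thread, while the docroot, the client-CA path, the Collabora port 9980, the docker bridge address 172.17.0.1/16 and the organisation name in the SSLRequire line are assumptions chosen for the example.

```apache
# Added example, not from the thread. Assumptions: Nextcloud docroot
# /var/www/nextcloud, Collabora container listening on https://127.0.0.1:9980,
# docker bridge 172.17.0.1 with subnet 172.17.0.0/16, site name office.blabla.com.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_wstunnel.

# 1) Public vhost: Let's Encrypt server cert, client certificate mandatory.
<VirtualHost *:443>
    ServerName office.blabla.com
    DocumentRoot /var/www/nextcloud

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/office.blabla.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/office.blabla.com/privkey.pem

    # CA that issued the user certificates; only certs chaining to it are accepted.
    SSLCACertificateFile  /etc/ssl/clientca/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Optional extra gate on the certificate subject (the thread mentions SSLRequire).
    SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"

    # Reverse proxy to the Collabora container. The container's cert is self-signed
    # (as in the thread), so peer verification is switched off for the proxy leg only.
    # Path names follow Collabora's classic Apache docs; newer releases use
    # /browser and /cool instead of /loleaflet and /lool.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass        /loleaflet          https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet          https://127.0.0.1:9980/loleaflet
    ProxyPass        /hosting/discovery  https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery  https://127.0.0.1:9980/hosting/discovery
    ProxyPassMatch   "/lool/(.*)/ws$"    wss://127.0.0.1:9980/lool/$1/ws nocanon
    ProxyPass        /lool               https://127.0.0.1:9980/lool
    ProxyPassReverse /lool               https://127.0.0.1:9980/lool
</VirtualHost>

# 2) Internal vhost: same site and same docroot, no client-cert requirement.
#    Apache picks this block for connections that arrive on 172.17.0.1 because an
#    exact address match beats the *:443 wildcard; no extra Listen line is needed
#    when the main config already has "Listen 443". The container is started with
#    --add-host office.blabla.com:172.17.0.1 so its document fetches land here.
<VirtualHost 172.17.0.1:443>
    ServerName office.blabla.com
    DocumentRoot /var/www/nextcloud

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/office.blabla.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/office.blabla.com/privkey.pem
    SSLVerifyClient none

    # Without this restriction anything that can reach 172.17.0.1:443 would bypass
    # the client-certificate gate of the public vhost.
    <Location />
        Require ip 172.17.0.0/16
    </Location>
</VirtualHost>
```

The point of the `Require ip` block is that the internal vhost is a deliberate hole in the client-certificate policy, so it must be reachable only from the address range the containers actually use. If the host's own Nextcloud PHP process should also stop needing a client certificate for its calls to itself, an /etc/hosts entry on the host mapping office.blabla.com to 172.17.0.1 routes those calls to the same internal vhost (the host's source address on that interface is 172.17.0.1, which the `Require ip` range covers); users' browsers keep resolving the public address and still have to present their certificate.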

I’d like to keep exposing just one server to the outside (office.blabla.com).

For collabora (which also sends requests to the nextcloud server) I did as you describe, create a locally accessible virtualhost not requiring a client certificate and make collabora docker think this is office.blabla.com (using --addhost).

Maybe I should do the same trick for the nextcloud server. Right now I modified a nextcloud php script to add the client certificate to its requests.

Btw great post you just made on your working setup. It helps me understand what the various problems and possible solutions are.