Issue with collabora docker image installation

So I realized that even when I clear the Wopi Host I get the same message “Access Denied” instead of something else.

please post the answer of the following questions:

Nextcloud Version is 11.0.2 (Stable)

Collaboraplugin Version is 1.1.25

Yes, https://collabora-domain/hosting/discovery is showing an xml file

docker ps:

> CONTAINER ID        IMAGE               COMMAND                  CREATED              STATUS              PORTS                      NAMES
> e3885874bec7        collabora/code      "/bin/sh -c 'bash sta"   About a minute ago   Up About a minute   127.0.0.1:9980->9980/tcp   compassionate_mahavira

docker logs:

Generating RSA private key, 2048 bit long modulus
..................................................+++
..............+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
........+++
.....................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.4 - 2.0.4
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.21", "BuildId": "e91d2c2d59b035e40bdefac5fe06fb210180ed86" }

docker info:

Containers: 21     (why is it 21? I only know one of them...)
 Running: 1
 Paused: 0
 Stopped: 20
Images: 1
Server Version: 1.12.6
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 50
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor seccomp
Kernel Version: 4.4.0-71-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 3.859 GiB
Name: *******
ID: ZCG7:HFWE:BWNL:YGR3:ZV2C:P434:47TY:JBCI:PNC4:CNOW:YP4G:HFNS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
 127.0.0.0/8

my docker start command is:

docker run -t -d -p 127.0.0.1:9980:9980 -e "domain=subdomain\\.domain\\.net" --restart always --cap-add MKNOD collabora/code

For the vhost I took the default ssl vhost and added the collabora options to it:

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
                </IfModule>
                ServerAdmin mail@mydomain.de
                ServerName subdomain.domain.net

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                #SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
                SSLProtocol             all -SSLv2 -SSLv3
                SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
                SSLHonorCipherOrder     on

                #SSLVerifyClient require
                #SSLVerifyDepth  10
                # Encoded slashes need to be allowed
                AllowEncodedSlashes NoDecode

                # Container uses a unique non-signed certificate
                SSLProxyEngine On
                SSLProxyVerify None
                SSLProxyCheckPeerCN Off
                SSLProxyCheckPeerName Off

                # keep the host
                ProxyPreserveHost On

                # static html, js, images, etc. served from loolwsd
                # loleaflet is the client part of LibreOffice Online
                ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
                ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

                # WOPI discovery URL
                ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
                ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

                # Main websocket
                ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

                # Admin Console websocket
                ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

                # Download as, Fullscreen presentation and Image upload operations
                ProxyPass           /lool https://127.0.0.1:9980/lool
                ProxyPassReverse    /lool https://127.0.0.1:9980/lool

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

I am using the self signed certificates from the apache webserver.

the date of the download was a week ago, so the 28.03.2017

uname -a:

Linux Hostname 4.4.0-71-generic #92-Ubuntu SMP Fri Mar 24 12:59:01 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

and nope, it doesn't work at all. It never did until now :frowning:

Hi,

seems like you're having the same problem as me.
I couldn't find any solutions on the internet so I switched to OnlyOffice.
Didn't have any problems yet.

Probably not the solution you're looking for but an opportunity.

Regards

yes, I already had the idea switching to OnlyOffice. But I don’t know how this is with licensing. I’m not using this as my private cloud. We’re using the nextcloud in our company…

check it out on github

about the 21 containers, issue the command:
docker ps -a

then you might find a ton of stopped containers.
Clean them up with docker rm

then if you just want to reboot a container use docker stop and docker start
not the full run command. That's why you have 20 idle containers :smiley:

then please print the docker logs after you got the access denied error message.

What do you mean with docker logs? if you mean the output of docker logs container-ID then there is only the output I’ve already posted. this only says that he generated some kind of certificate…

Or which logs do you mean?

the output of the docker logs looks like you started the image just now.
But the important output is the one that comes after you run into the error message in the browser.

there comes no log, if I call docker logs container-ID there still is the log about the certificate…

so I followed the log with docker -f -t container-ID and then I tried to open a Document in my nextcloud, but nothing appears…

But maybe if this helps,

office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.21", "BuildId": "e91d2c2d59b035e40bdefac5fe06fb210180ed86" }

appeared in my logs

But I don’t know, maybe there's something wrong with my apache configuration and the reverse proxy:

HTTP vhost:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerName subdomain.domain.net
        ServerAdmin edv@domain.de
        DocumentRoot /var/www/html

        <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
        Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any
        </Directory>
		
	#Encoded slashes need to be allowed
	AllowEncodedSlashes NoDecode
	
	#keep the host
	ProxyPreserveHost On
	
	# static html, js, images, etc. served from loolwsd
	# loleaflet is the client part of LibreOffice Online
	ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
	ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet
	
	# WOPI discovery URL
	ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
	ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery
	
	# Main websocket
	ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
	
	# Admin Console websocket
	ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws
	
	# Download as, Fullscreen presentation and Image upload operations
	ProxyPass           /lool http://127.0.0.1:9980/lool
	ProxyPassReverse    /lool http://127.0.0.1:9980/lool

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

HTTPS vhost

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                <IfModule mod_headers.c>
                        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
                </IfModule>
                ServerAdmin edv@domain.de
                ServerName subdomain.domain.net

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                #SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

                #SSLCACertificatePath /etc/ssl/certs/
                #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

                #SSLCARevocationPath /etc/apache2/ssl.crl/
                #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
                SSLProtocol             all -SSLv2 -SSLv3
                SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
                SSLHonorCipherOrder     on

                #SSLVerifyClient require
                #SSLVerifyDepth  10
                # Encoded slashes need to be allowed
                AllowEncodedSlashes NoDecode

                # Container uses a unique non-signed certificate
                SSLProxyEngine On
                SSLProxyVerify None
                SSLProxyCheckPeerCN Off
                SSLProxyCheckPeerName Off

                # keep the host
                ProxyPreserveHost On

                # static html, js, images, etc. served from loolwsd
                # loleaflet is the client part of LibreOffice Online
                ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
                ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

                # WOPI discovery URL
                ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
                ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

                # Main websocket
                ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

                # Admin Console websocket
                ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

                # Download as, Fullscreen presentation and Image upload operations
                ProxyPass           /lool https://127.0.0.1:9980/lool
                ProxyPassReverse    /lool https://127.0.0.1:9980/lool

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Maybe anyone can tell me if this vhost configuration is right…
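
An added consistency check for the two vhosts posted above (not part of the original post and not Collabora or Nextcloud code): within one vhost, every proxy target for the same backend should use the same transport, and `https://` or `wss://` targets need `SSLProxyEngine On`. The sample is constructed from the port-80 vhost's directives; `lint_vhosts` and its finding codes are names chosen for this example.

```python
import re

# Constructed sample: proxy directives excerpted from the port-80 vhost above.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass        /loleaflet http://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
    ProxyPass        /lool/adminws wss://127.0.0.1:9980/lool/adminws
    ProxyPass        /lool http://127.0.0.1:9980/lool
</VirtualHost>
"""

TLS_SCHEMES = {"https", "wss"}
VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
BACKEND = re.compile(r"\b(https?|wss?)://([^/\s]+)")

def lint_vhosts(conf):
    """Return (vhost, code, backend) findings; names are this example's own."""
    findings = []
    for m in VHOST.finditer(conf):
        name = m.group(1).strip()
        lines = [l.strip() for l in m.group(2).splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        engine_on = any(re.match(r"SSLProxyEngine\s+on\b", l, re.I) for l in lines)
        schemes = {}  # backend host:port -> schemes used to reach it
        for l in lines:
            target = BACKEND.search(l)
            if target and re.match(r"ProxyPass(Match|Reverse)?\s", l, re.I):
                schemes.setdefault(target.group(2), set()).add(target.group(1).lower())
        for backend, used in sorted(schemes.items()):
            tls = used & TLS_SCHEMES
            if tls and used - tls:
                # Same listener reached both with and without TLS.
                findings.append((name, "mixed-scheme", backend))
            if tls and not engine_on:
                # mod_proxy cannot open https:// or wss:// backends without it.
                findings.append((name, "tls-without-sslproxyengine", backend))
        if any(re.match(r"SSLProxyVerify\s+none\b", l, re.I) for l in lines):
            # Informational: the backend certificate is accepted unchecked.
            findings.append((name, "backend-cert-unverified", ""))
    return findings

if __name__ == "__main__":
    for finding in lint_vhosts(SAMPLE_VHOST):
        print(finding)
```

Run against the full configuration file, it reports per vhost, so the port-80 and port-443 blocks are judged separately.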

You need two domains (or subdomains) one for nextcloud and another for the reverse proxy

You seem to have both in one.

Also, for it to work you need valid SSL certs on both domains (nextcloud and collabora).

Yes, I have both in one, I’ll try it with a subdomain

that could be it :wink:

Use 2 separated domains, both with ssl.
Cheers.

mhm… two completely separated domains isn't possible in our environment, but two separate subdomains should also do or am I wrong with that? Also, I have nextcloud and collabora running on the same server, is it needed to have two servers, one for the nextcloud and one for the collabora image?

They can be domain or subdomain on the same server.

Also you can use a second server, for the CODE/Collabora domain and docker set up.

I'd like to mention that it worked before on the same domain and subdomain.

I used to work with this self-made walkthrough, and it worked fine until the last update of collabora/code.

this is the walkthrough btw: [easy-HOWTO] Collabora, Ubuntu 16.04 with Docker and selfsigned | wildcard certificates

anyway, what is the necessary information (logs) needed to point out the exact issue on this?

  • Apache Error-Log?
  • Docker Error-Log (mostly empty)?
  • loolwsd Error-Log (from inside the docker)?
  • anything else?

tried it but didn't work for me…

apache logs don't show anything useful, docker error log: is this one different from docker logs docker-ID, if yes, how do I get them?
loolwsd: same, how do I get them?

This means that docker has no communication/activity at all, means it has no communication with Nextcloud so your configuration is still missing a proper setup.

But can you tell me which configuration is missing?

It’s both the environment you are running and the configuration that needs to be set.

I would suggest to test VM with Ubuntu 16.04 server (default installation options), open port 443 to that instance and run the installation script.
Follow the steps and you’ll end with collabora working, because it’s a standard controlled environment.

Take your time to grasp the way it works, check there what you need to modify on your own environment to get it working.
Also you could try the IRC Channel, since it’s a faster way to get in touch with people in real time.

And remember to have fun.