I included Libre Office online into an existing Nextcloud installation. The setup consists of the following servers:
—> [dmz-proxy] —> [nextcloud-server] —> [collabora-server]
Unfortunately the DMZ only allows access to nextcloud-server and blocks the collabora one - so I had to set up an Apache2 reverse proxy on all of the above machines and route the traffic as shown above.
This routing works so far, i.e. I can access their.domain.org/hosting/discovery from outside and get the usual XML file in the browser. I can even open some of the links therein (loleaflet etc.), which of course does not open the document but at least leaves a trail in the Apache logs. Certificates are OK as well - as they’re the base for the above to work.
When I click on a Libre Office document in Nextcloud, the app just freezes and shows a rather blank screen with no decorations from Libre Office Online (only NC’s app icons). After a while an Internal Server Error appears.
Tracing the Apache logs on the dmz-proxy does not show any attempt to establish a connection. Neither does one occur in the other servers’ logs, of course.
To make things even stranger: When I access nextcloud-server directly from the LAN, Libreoffice works perfectly. (Of course I have to change the server address in the Collabora Online settings of Nextcloud, the Docker image includes both domains)
Double-checking with my reference implementation at home, a working Libreoffice document opening looks like this: When clicking on the document, the NC Collabora app first establishes a connection to some of its own directories:
- GET /nextcloud/apps/richdocuments/css/mobile.css
- GET /nextcloud/index.php/apps/files_external/userstorages/
… and then it first accesses the Collabora server - to get a list of links to get the decorations from.
- GET /hosting/discovery
- GET /nextcloud/index.php/apps/richdocuments/index?fileId=513357&requesttoken=… some crypto token …
- a couple of times GET /loleaflet/8a1762a/images/ … some files (obviously the decorations as they include .js, .png and style.css files)
- POST /loleaflet/8a1761a/loleaflet.html?WOPISrc=http … Server, file etc. - obviously to call LibreOffice and instruct it to fetch the desired file from Nextcloud
In the setup I’m configuring, none of the above occurs - neither in the proxy-server’s Apache log nor anywhere else. So I suspect the first network connection call from NC’s Collabora App goes astray to somewhere else.
Another source of error might be Websockets - which I haven’t yet found a way to check. I wouldn’t see them in the logs either - so perhaps the NC Collabora app first tries to establish a WSS connection which some rogue deep-inspecting firewall might block. No idea how to verify this.
Thanks in advance for any hints on how to further analyse or even solve.
The proxy server configuration is nearly identical (except certificates) on both Apaches and looks like this:
```
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

SSLCertificateFile /etc/ssl/certificate.pem
SSLCertificateKeyFile /etc/ssl/certificate-key.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

AllowEncodedSlashes NoDecode
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
ProxyPreserveHost On

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# --- Libre Office Online - currently routed via the Nextcloud server ---
ProxyPass /loleaflet https://ncvnextapp01.intern/loleaflet
ProxyPassReverse /loleaflet https://ncvnextapp01.intern/loleaflet
ProxyPass /hosting/discovery https://ncvnextapp01.netcologne.intern/hosting/discovery
ProxyPassReverse /hosting/discovery https://ncvnextapp01.intern/hosting/discovery
ProxyPassMatch "/lool/(.*)/ws$" wss://ncvnextapp01.intern/lool/$1/ws nocanon
ProxyPass /lool/adminws wss://ncvnextapp01.intern/lool/adminws
ProxyPassReverse /lool/adminws wss://ncvnextapp01.intern/lool/adminws
ProxyPass /lool https://ncvnextapp01.intern/lool
ProxyPassReverse /lool https://ncvnextapp01.intern/lool

# --- Nextcloud ---
ProxyPass / https://ncvnextapp01.intern/
ProxyPassReverse / https://ncvnextapp01.intern/
```
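
A configuration like the one above can be checked mechanically before tracing further. The following is an added example, not part of the original post: a small Python linter (the name `lint_proxy_config` and its checks are this example's own) that flags ProxyPass/ProxyPassReverse pairs pointing at different backends, a ProxyPass rule shadowed by an earlier shorter prefix, disabled backend TLS verification, and `wss://` targets. The sample input is constructed from the posted directives.

```python
from urllib.parse import urlsplit

# Constructed sample: proxy directives taken from the post, one per line.
SAMPLE = """\
SSLProxyVerify None
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass /loleaflet https://ncvnextapp01.intern/loleaflet
ProxyPassReverse /loleaflet https://ncvnextapp01.intern/loleaflet
ProxyPass /hosting/discovery https://ncvnextapp01.netcologne.intern/hosting/discovery
ProxyPassReverse /hosting/discovery https://ncvnextapp01.intern/hosting/discovery
ProxyPassMatch "/lool/(.*)/ws$" wss://ncvnextapp01.intern/lool/$1/ws nocanon
ProxyPass /lool/adminws wss://ncvnextapp01.intern/lool/adminws
ProxyPass /lool https://ncvnextapp01.intern/lool
ProxyPass / https://ncvnextapp01.intern/
ProxyPassReverse / https://ncvnextapp01.intern/
"""

def lint_proxy_config(text):
    """Return (severity, message) findings for Apache reverse-proxy directives."""
    findings, fwd, rev = [], {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "sslproxyverify" and args[0].lower() == "none":
            findings.append(("warn", "backend certificate is not verified"))
        elif name in ("sslproxycheckpeercn", "sslproxycheckpeername") and args[0].lower() == "off":
            findings.append(("warn", f"{parts[0]} off: backend name is not checked"))
        elif name in ("proxypass", "proxypassmatch", "proxypassreverse") and len(args) >= 2:
            path, url = args[0].strip('"'), urlsplit(args[1])
            if name == "proxypassreverse":
                rev[path] = url.hostname
                continue
            if url.scheme in ("ws", "wss"):
                findings.append(("info", f"{path}: wss/ws backend, check mod_proxy_wstunnel is loaded"))
            if name == "proxypass":
                # ProxyPass rules are first-match, so an earlier shorter prefix wins.
                for earlier in fwd:
                    if path.startswith(earlier):
                        findings.append(("error", f"{path} is shadowed by earlier {earlier}"))
                fwd[path] = url.hostname
    for path, host in fwd.items():
        if rev.get(path, host) != host:
            findings.append(("error", f"{path}: ProxyPass -> {host}, ProxyPassReverse -> {rev[path]}"))
    return findings

if __name__ == "__main__":
    print(*lint_proxy_config(SAMPLE), sep="\n")
```

On the sample it reports the `/hosting/discovery` pair, whose ProxyPass and ProxyPassReverse name different backend hosts, along with the three disabled backend TLS checks and the two WebSocket routes.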