Libre Office Online freezes when access via proxy

#1

I included Libre Office online into an existing Nextcloud installation. The setup consists of the following servers:

—> [dmz-proxy] —> [nextcloud-server] —> [collabora-server]

Unfortunately the DMZ only allows to access nextcloud-server and blocks the collabora one - so I had to set up a Apache2 reverse proxy on all of the above machines and route the traffic as shown above.

This routing works so far i.e. I can access their.domain.org/hosting/discovery from outside and get the usual XML file in the browser. I can even open some of the links therein - (loleaflet etc.) which of course does not opens the document but at least leaves a trail in the Apache logs. Certificates are OK as well - as they’re the base for the above to work.

When I click on a Libre Office document in Nextcloud - the app just freezes and shows a rather blank screen with no decorations from Libre Office Online. (only NC’s app icons) After a while an Internal Server Error appears.

Tracing the apache logs on the dmz-proxy do not show any attempt to establish a connection. Neither occurs on the other server’s logs of course.

To make things even stranger: When I access nextcloud-server directly from the LAN, Libreoffice works perfectly. (Of course I have to change the server address in the Collabora Online settings of Nextcloud, the Docker image includes both domains)

Doublechecking with my reference implementation at home, a working Libreoffice document opening looks like this: When a clicking on the document the NC, Collabora app first establishes a connection to some of its own directories:

  • GET /nextcloud/apps/richdocuments/css/mobile.css
  • GET /nextcloud/index.php/apps/files_external/userstorages/

… and then it first accesses the Collabora server - to get a list of links to get the decorations from.

  • GET /hosting/discovery
  • GET /nextcloud/index.php/apps/richdocuments/index?fileId=513357&requesttoken=… some crypto token …
  • a couple of times GET /loleaflet/8a1762a/images/ … some files (obviously the decorations as they include .js, .png and style.css files)
  • POST /loleaflet/8a1761a/loleaflet.html?WOPISrc=http … Server, file etc. - obviously to call LibreOffice and instruct it to fetch the desired file from Nextcloud

In the setup I’m configuring - none of the above occurs - not in the proxy-server’s Apache log nor somewhere else. So I suspect - the first network connection call from NC’s Collabora App goes astray to somewhere else.

Another source of error might be Websockets - which I haven’t found a way yet to check. I wouldn’t see them in the logs either - so perhaps the NC Collabora app first tries to establish a WSS connection which some roghe deep inspecting firewall might block. No idea how to verify this.

Thanks in advance for any hints on how to further analyse or even solve.

The proxy Server configuration is nearly identical (except certies) on both Apaches and looks like this:

SSLEngine On
    <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    </IfModule>

    SSLCertificateFile /etc/ssl/certificate.pem
    SSLCertificateKeyFile /etc/ssl/certificate-key.pem

    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on

    AllowEncodedSlashes     NoDecode
    SSLProxyEngine  On
    SSLProxyVerify  None
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off

    ProxyPreserveHost       On
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

    ProxyPreserveHost On

    <Proxy *>
            Order deny,allow
            Allow from all
    </Proxy>

    # --- Libre Office Online - derzeit mit Umweg über Nextcloud Server ---
    ProxyPass /loleaflet https://ncvnextapp01.intern/loleaflet
    ProxyPassReverse /loleaflet https://ncvnextapp01.intern/loleaflet

    ProxyPass /hosting/discovery https://ncvnextapp01.netcologne.intern/hosting/discovery
    ProxyPassReverse /hosting/discovery https://ncvnextapp01.intern/hosting/discovery

    ProxyPassMatch "/lool/(.*)/ws$" wss://ncvnextapp01.intern/lool/$1/ws nocanon

    ProxyPass /lool/adminws wss://ncvnextapp01.intern/lool/adminws
    ProxyPassReverse /lool/adminws wss://ncvnextapp01.intern/lool/adminws

    ProxyPass /lool https://ncvnextapp01.intern/lool
    ProxyPassReverse /lool https://ncvnextapp01.intern/lool

    # --- Nextcloud ---
    ProxyPass / https://ncvnextapp01.intern/
    ProxyPassReverse / https://ncvnextapp01.intern/

libre-office-online-hangs

1 Like
#2

univention, nextcloud, collaboraonline on *.ods works in local net perfect but from proxy it calls

::1 - - [12/May/2019:11:57:59 +0200] "GET /lool/https:%252F%252Fshare.roadmap.earth%252Fnextcloud%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F421_ocwm3euh3epn%3Faccess_token=jWipwfLLGlKFDOoppbzLahMCdx3l5NYZ&access_token_ttl=0&permission=edit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws HTTP/1.1" 500 4381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

with a: No protocol handler was valid for the URL /lool/https

working call from "intern" is:

172.17.0.1 - - [12/May/2019:11:58:46 +0200] "GET /nextcloud/apps/richdocuments/wopi/files/421_ocwm3euh3epn?access_token=7g9TukJpUrd1LP6Irnmc4TP30hobUFKf&access_token_ttl=0&permission=edit HTTP/1.1" 200 5516 "-" "LOOLWSD WOPI Agent 4.0.3"


-- URL (und Port) des Collabora Online-Servers
https://share.roadmap.earth
it can't go: wss://share.roadmap.earth/lool
and 192.168.0.210 says:
->[Sun May 12 11:58:00.330128 2019] [proxy:warn] [pid 24979] [client ::1:39510] AH01144: No protocol handler was valid for the URL /lool/https:%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn?access_token=jWipwfLLGlKFDOoppbzLahMCdx3l5NYZ&access_token_ttl=0&permission=edit/ws. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.


<VirtualHost 178.188.251.229:443>
	ServerName share.roadmap.earth
	# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
	SSLEngine on
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCertificateFile /etc/letsencrypt/live/share.roadmap.earth/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/share.roadmap.earth/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	# Encoded slashes need to be allowed
	AllowEncodedSlashes NoDecode

	# Container uses a unique non-signed certificate
	SSLProxyEngine On
	SSLProxyVerify None
	SSLProxyCheckPeerCN Off
	SSLProxyCheckPeerName Off
	SSLProxyCheckPeerExpire off

	# keep the host
	ProxyPreserveHost On

	# 
	ProxyPass / https://localhost:5081/
	ProxyPassReverse / https://localhost:5081/
	
	# https://www.collaboraoffice.com/code/apache-reverse-proxy/
	#  proxy, proxy_wstunnel, proxy_http, and ssl
	# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of Collabora Online
ProxyPass           /loleaflet http://localhost:5081/loleaflet retry=0
ProxyPassReverse    /loleaflet http://localhost:5081/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery http://localhost:5081/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery http://localhost:5081/hosting/discovery

# Capabilities
ProxyPass           /hosting/capabilities http://localhost:5081/hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities http://localhost:5081/hosting/capabilities

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" ws://localhost:5081/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws ws://localhost:5081/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool http://localhost:5081/lool
ProxyPassReverse    /lool http://localhost:5081/lool
</VirtualHost>

192.168.0.210:/var/log/apache2/access.log

172.17.0.2 - - [12/May/2019:11:57:55 +0200] "GET /hosting/discovery HTTP/1.1" 200 22421 "-" "GuzzleHttp/6.3.3 curl/7.58.0 PHP/7.2.15-0ubuntu0.18.04.2"
::1 - - [12/May/2019:11:57:54 +0200] "GET /nextcloud/apps/richdocuments/settings/check HTTP/1.1" 200 4496 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
172.17.0.2 - - [12/May/2019:11:57:55 +0200] "GET /hosting/discovery HTTP/1.1" 200 22421 "-" "GuzzleHttp/6.3.3 curl/7.58.0 PHP/7.2.15-0ubuntu0.18.04.2"
::1 - - [12/May/2019:11:57:55 +0200] "GET /nextcloud/apps/richdocuments/index?fileId=421&requesttoken=%2Fteah6I%2B7NkRNuB58lpcHQ2GX8wGchgU82o%2F8Qi%2FHLs%3D%3AtY3v3%2FtKlZopU9IavS4eJT%2FSa5RvMHN22B9HhkmMUuw%3D HTTP/1.1" 200 8517 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:57:56 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 3216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:57:56 +0200] "PROPFIND /nextcloud/remote.php/dav/files/Administrator/ HTTP/1.1" 207 7832 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

::1 - - [12/May/2019:11:57:57 +0200] "POST /loleaflet/81ea009/loleaflet.html?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&title=Leitfaden%20und%20Handlungsfelder%20Deutsch.ods&lang=de&closebutton=1&revisionhistory=1 HTTP/1.1" 200 2829 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:57:57 +0200] "GET /nextcloud/index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 4728 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:57:58 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 3216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:57:59 +0200] "GET /lool/https:%252F%252Fshare.roadmap.earth%252Fnextcloud%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F421_ocwm3euh3epn%3Faccess_token=jWipwfLLGlKFDOoppbzLahMCdx3l5NYZ&access_token_ttl=0&permission=edit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws HTTP/1.1" 500 4381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:58:00 +0200] "GET /lool/https:%252F%252Fshare.roadmap.earth%252Fnextcloud%252Fapps%252Frichdocuments%252Fwopi%252Ffiles%252F421_ocwm3euh3epn%3Faccess_token=jWipwfLLGlKFDOoppbzLahMCdx3l5NYZ&access_token_ttl=0&permission=edit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws HTTP/1.1" 500 4381 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

firefox:
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("script-src").
d3ad686d-2381-4757-b2a2-f00e05733b78:27:8
Content Security Policy: Die Einstellungen der Seite haben das Laden einer Ressource auf eval blockiert ("script-src"). aabe3ee7-1f2b-4232-8605-f8810f87f6c3:27:8
Firefox kann keine Verbindung zu dem Server unter wss://share.roadmap.earth/lool/https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn%3Faccess_token%3Ddn8xyEWDcLsGFO3y1UcVTGiatw6Zk4ge%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws aufbauen.
bundle.js:41:4038
Die Verbindung zu wss://share.roadmap.earth/lool/https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn%3Faccess_token%3Ddn8xyEWDcLsGFO3y1UcVTGiatw6Zk4ge%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws wurde unterbrochen, während die Seite geladen wurde. bundle.js:41:4038
Firefox kann keine Verbindung zu dem Server unter wss://share.roadmap.earth/lool/https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn%3Faccess_token%3Ddn8xyEWDcLsGFO3y1UcVTGiatw6Zk4ge%26access_token_ttl%3D0%26permission%3Dedit/ws?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&compat=/ws aufbauen.

/var/log/apache2/access.log of 192.168.0.210
->[Sun May 12 11:58:00.330128 2019] [proxy:warn] [pid 24979] [client ::1:39510] AH01144: No protocol handler was valid for the URL /lool/https:%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn?access_token=jWipwfLLGlKFDOoppbzLahMCdx3l5NYZ&access_token_ttl=0&permission=edit/ws. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

same effect if VirtualHost 178.188.251.229 Rules:
http://localhost:5081
http://localhost:9080
http://127.0.0.1:*
https:*
with
ssh 5081:localhost:443 autossh@192.168.0.210
ssh 9980:localhost:9980 autossh@192.168.0.210

-- URL (und Port) des Collabora Online-Servers
https://192.168.0.210

192.168.0.210:/var/log/apache2/access.log

172.17.0.2 - - [12/May/2019:11:58:42 +0200] "GET /hosting/discovery HTTP/1.1" 200 21835 "-" "GuzzleHttp/6.3.3 curl/7.58.0 PHP/7.2.15-0ubuntu0.18.04.2"
::1 - - [12/May/2019:11:58:42 +0200] "GET /nextcloud/apps/richdocuments/settings/check HTTP/1.1" 200 4490 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
172.17.0.2 - - [12/May/2019:11:58:42 +0200] "GET /hosting/discovery HTTP/1.1" 200 21835 "-" "GuzzleHttp/6.3.3 curl/7.58.0 PHP/7.2.15-0ubuntu0.18.04.2"
::1 - - [12/May/2019:11:58:42 +0200] "GET /nextcloud/apps/richdocuments/index?fileId=421&requesttoken=%2Fteah6I%2B7NkRNuB58lpcHQ2GX8wGchgU82o%2F8Qi%2FHLs%3D%3AtY3v3%2FtKlZopU9IavS4eJT%2FSa5RvMHN22B9HhkmMUuw%3D HTTP/1.1" 200 8522 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:58:43 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 3216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:58:44 +0200] "PROPFIND /nextcloud/remote.php/dav/files/Administrator/ HTTP/1.1" 207 7832 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

192.168.0.3 - - [12/May/2019:11:58:44 +0200] "POST /loleaflet/81ea009/loleaflet.html?WOPISrc=https%3A%2F%2Fshare.roadmap.earth%2Fnextcloud%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F421_ocwm3euh3epn&title=Leitfaden%20und%20Handlungsfelder%20Deutsch.ods&lang=de&closebutton=1&revisionhistory=1 HTTP/1.1" 200 6370 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:58:44 +0200] "GET /nextcloud/index.php/apps/files/ajax/getstoragestats.php?dir=%2F HTTP/1.1" 200 1197 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
192.168.0.3 - - [12/May/2019:11:58:45 +0200] "GET /loleaflet/81ea009/l10n/uno-localizations.json HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
172.17.0.1 - - [12/May/2019:11:58:46 +0200] "GET /nextcloud/apps/richdocuments/wopi/files/421_ocwm3euh3epn?access_token=7g9TukJpUrd1LP6Irnmc4TP30hobUFKf&access_token_ttl=0&permission=edit HTTP/1.1" 200 5516 "-" "LOOLWSD WOPI Agent 4.0.3"
172.17.0.1 - - [12/May/2019:11:58:46 +0200] "GET /nextcloud/apps/richdocuments/wopi/files/421_ocwm3euh3epn/contents?access_token=7g9TukJpUrd1LP6Irnmc4TP30hobUFKf&access_token_ttl=0&permission=edit HTTP/1.1" 200 22966 "-" "LOOLWSD WOPI Agent 4.0.3"
::1 - - [12/May/2019:11:58:47 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 200 3216 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"
::1 - - [12/May/2019:11:58:49 +0200] "GET /nextcloud/avatar/Administrator/32 HTTP/1.1" 304 310 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0"

-> Working fine but we need https://share.roadmap.earth ..
what is 172.17.0.1 ??!! why not from external?

#3

same effect with only (212 is the server where the port 5443 is mapped to 192.168.0.210 443)
ProxyPass / https://212.67.232.14:5443/
ProxyPassReverse / https://212.67.232.14:5443/
and with only (5081 is linked with autossh to 192.168.0.210 443)
ProxyPass / https://127.0.0.1:5081/
ProxyPassReverse / https://127.0.0.1:5081/

#4

similar problems: