LibreOffice Online behind HAProxy

My configuration includes a Nextcloud and a separate LibreOffice Online server. Access from outside is provided by another machine running HAProxy. To avoid having to fiddle with this one (as this is the central firewall outside my scope) I configured another Apache reverse proxy on the Nextcloud server.

So I’m able to successfully access Nextcloud and LibreOffice Online from within the local network. An outside call to LO would go through the HAProxy and then via the Apache proxy to the LO server.

Unfortunately this doesn’t work while it is possible to access Nextcloud that way. As the routing for LO takes the same way I can only suspect the Websockets beeing blocked within HAProxy. We change the encoding in HAProxy - but this works for Nextcloud - so why should it fail for WSS?

My questions:

  • Has anyone successfully deployed LibreOffice Online behind HAProxy?
  • Could it be that my config blocks WSS?
  • How would a working config look like

Thank you in advance

Please see the attached config:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

    # Default SSL material locations
   #ca-base /etc/ssl/certs
    #crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 2048

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

listen stats
stats enable
stats uri /stats
stats realm Haproxy\ Statistics

frontend www-https
bind 81.23.45.67:443 ssl crt /etc/ssl/cloud.example.com/cloud.example.com.pem <- outside IP and domain
-<
reqadd X-Forwarded-Proto:\ https
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket_server hdr_end(host) -i cloud.example.com
use_backend ws if is_websocket is_websocket_server
default_backend www-backend

backend www-backend
redirect scheme https if !{ ssl_fc }
server www-1 192.168.123.45:443 ssl verify none check <— Nextcloud server’s IP - LO calls would be forwarded there

backend ws
timeout server 600s
server ws-1 192.168.123.45:443 ssl verify none check <— Nextcloud server’s IP