I’ve installed the latest LibreOffice Online version into a fresh Ubuntu 18.04 directly. I then configured two Apache proxies to route the traffic from the internet via the DMZ into the Nextcloud/Collabora server, which offers both services. As I have Let’s Encrypt, I terminate SSL in the DMZ and route HTTP.
Unfortunately it doesn’t work - “Please Wait” forever showing the circle turning nicely.
What next? I analysed the LOOLWSD log (I had to enable it) and discovered:
wsd-24175-24177 2019-01-13 18:15:30.062096 [ prisoner_poll ] INF Have 1 spare child after adding .| wsd/LOOLWSD.cpp:471
wsd-24175-24177 2019-01-13 18:15:30.062099 [ prisoner_poll ] TRC Notifying NewChildrenCV| wsd/LOOLWSD.cpp:474
wsd-24175-24175 2019-01-13 18:15:30.062124 [ loolwsd ] TRC Have 1 new children.| wsd/LOOLWSD.cpp:3172
wsd-24175-24175 2019-01-13 18:15:30.062139 [ loolwsd ] INF WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:3179
wsd-24175-24186 2019-01-13 18:15:46.286805 [ websrv_poll ] *RR Requesting address is denied: 22.214.171.124| wsd/LOOLWSD.cpp:1997
wsd-24175-24186 2019-01-13 18:15:53.128984 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:610
wsd-24175-24221 2019-01-13 18:15:53.780938 [ docbroker_001 ] ERR No acceptable WOPI hosts found matching the target host [eth.kryptonerd.de] in config.| wsd/Storage.cpp:250
wsd-kit-24222-24178 2019-01-13 18:15:53.889211 [ loolkit ] ERR mknod(/opt/lool/child-roots/T7Shs0SPSFu3wAGW//dev/random) failed. (EPERM: Operation not permitted)| kit/Kit.cpp:2357
kit-24222-24178 2019-01-13 18:15:53.889279 [ loolkit ] ERR mknod(/opt/lool/child-roots/T7Shs0SPSFu3wAGW//dev/urandom) failed. (EPERM: Operation not permitted)| kit/Kit.cpp:2364
kit-24182-24178 2019-01-13 18:15:54.782334 [ loolkit ] WRN Kit connection lost without exit arriving from wsd. Setting TerminationFlag| kit/Kit.cpp:2202
With 126.96.36.199 being the address of the user accessing (not the public IP of the server).
As it looks, the proxy somehow preserves the caller’s IP (which it normally doesn’t). I set both up according to the instructions (Collaboraoffice Apache Reverse Proxy).
I’ve found a workaround which works but which I do not trust yet:
In /etc/loolwsd/loolwsd.xml I added in the storage section:
<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
    ...
    <host desc="Scheunentor" allow="true">.*</host>
    ...
</wopi>
Which opens the filter for all addresses and gets rid of the error message. LibreOffice then works.
My question here: is it safe what I’m doing here? Wouldn’t I open security holes?
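
Added example, not part of the original post and not LibreOffice Online code: a small audit of the `<host>` entries under `storage/wopi`, run against the `.*` entry from the post and two narrower ones. It assumes each entry is a regular expression matched against the whole WOPI host name; the sample XML, the probe names and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <wopi> block from the post, plus two
# narrower entries for comparison (the hostname is the one in the post's log).
SAMPLE = """
<config><storage>
  <wopi desc="Allow/deny wopi storage." allow="true">
    <host desc="Scheunentor" allow="true">.*</host>
    <host desc="Nextcloud only" allow="true">eth\\.kryptonerd\\.de</host>
    <host desc="unescaped dots" allow="true">eth.kryptonerd.de</host>
  </wopi>
</storage></config>
"""

# Constructed hostnames that should never be accepted as a WOPI host.
PROBES = ["unrelated.example", "203.0.113.7", "ethXkryptonerdYde"]

def audit_wopi_hosts(xml_text, expected_host):
    """Return (pattern, matches_expected, [probes accepted]) for each
    allow="true" <host> under storage/wopi. Assumes whole-string matching."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("./storage/wopi/host"):
        if host.get("allow", "").lower() != "true":
            continue  # deny entries are out of scope for this check
        pattern = (host.text or "").strip()
        try:
            rx = re.compile(pattern)
        except re.error:
            findings.append((pattern, False, ["<invalid regex>"]))
            continue
        accepted = [p for p in PROBES if rx.fullmatch(p)]
        findings.append((pattern, bool(rx.fullmatch(expected_host)), accepted))
    return findings

def too_broad(findings):
    """Patterns that accept at least one host they should not."""
    return [pattern for pattern, _, accepted in findings if accepted]

if __name__ == "__main__":
    for pattern, ok, accepted in audit_wopi_hosts(SAMPLE, "eth.kryptonerd.de"):
        status = "TOO BROAD" if accepted else "ok"
        print(f"{pattern!r}: matches expected={ok}, accepts={accepted} -> {status}")
```
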