Loolwsd (no docker) behind apache2 reverse proxy - returns wrong URL

I have an outward facing reverse proxy server (proxy.wan.com) in one box. It proxies Nextcloud and Collabora Online (no docker). These are together in another box. All are apache2 and Ubuntu 20.04. Collabora is set up with its own reverse proxy on localhost with LAN virtual host (office.lan.com:4435). Proxy.wan.com uses a letsencrypt cert. Office.lan.com:4435 uses a self-signed cert which is accepted by proxy.wan.com because its self-signed cert is in the proxy's ca store.

When I point my browser at https://proxy.wan.com/hosting/discovery it says:

"

<!-- Writer documents -->

<app favIconUrl="https://office.lan.com:4435/loleaflet/3a048ea/images/x-office-document.svg" name="writer">

<action default="true" ext="sxw" name="view" urlsrc="https://office.lan.com:4435/loleaflet/3a048ea/loleaflet.html?"/>"

etc etc

It should say: "...... https://proxy.wan.com ...." Etc. This is why on Nextcloud I get an error message that the IP for office.lan.com can't be found so I can't integrate Nextcloud. However, proxy.wan.com in my Nextcloud config for own WOPI server does not complain.

I've tried a few mod_proxy variations but nothing works. Any suggestions? Do I need ReWrite stuff? Does ProxyPassReverse need adjusting? I feel the problem should be easy to solve (but not for me so far)!

Proxy virtual host configs and office virtual host configs follow.

<VirtualHost *:443>
        ServerName proxy.wan.com:443
        <Directory /var/www/html/proxy-ssl>
                Options -Indexes +FollowSymLinks
                AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/proxy-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/proxy-ssl-access.log combined
        # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/proxy.wan.com/fullchain.pem
        SSLCertificateChainFile /etc/letsencrypt/live/proxy.wan.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/proxy.wan.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLProxyEngine On
        ProxyPreserveHost Off
        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass /loleaflet https://office.xxx:4435/loleaflet retry=0
        ProxyPassReverse /loleaflet https://office.xxx:4435/loleaflet
        # WOPI discovery URL
        ProxyPass /hosting/discovery https://officexxx:4435/hosting/discovery retry=0
        ProxyPassReverse /hosting/discovery https://office.xxx:4435/hosting/discovery
        # Capabilities
        ProxyPass /hosting/capabilities https://office.xxx:4435/hosting/capabilities retry=0
        ProxyPassReverse /hosting/capabilities https://office.xxx:4435/hosting/capabilities
        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://office.xxx:4435/lool/$1/ws nocanon
        # Admin Console websocket
        ProxyPass /lool/adminws wss://office.xxx:4435/lool/adminws
        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass /lool https://office.xxx:4435/lool
        ProxyPassReverse /lool https://office.xxx:4435/lool
</VirtualHost>

<VirtualHost *:4435>
ServerName office.lan.com
Options -Indexes
ErrorLog "/var/log/apache2/collabora_error"

SSLEngine On
SSLCertificateFile /etc/ssl/certs/office.crt
SSLCertificateKeyFile /etc/ssl/private/office.key
SSLVerifyClient optional
AllowEncodedSlashes NoDecode
ProxyPreserveHost On

ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet http://127.0.0.1:9980/loleaflet

ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery

ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon

ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws

ProxyPass /lool http://127.0.0.1:9980/lool
ProxyPassReverse /lool http://127.0.0.1:9980/lool
</VirtualHost>
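
A check for the symptom described above, added here as an example and not part of the original thread: ProxyPassReverse only rewrites response headers such as Location, so URLs inside the discovery XML body arrive exactly as loolwsd generated them. The script parses a discovery document and lists every advertised URL whose origin differs from the public one; the sample XML is constructed from the fragment quoted in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample, modelled on the discovery output quoted in the post.
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <!-- Writer documents -->
    <app favIconUrl="https://office.lan.com:4435/loleaflet/3a048ea/images/x-office-document.svg" name="writer">
      <action default="true" ext="sxw" name="view" urlsrc="https://office.lan.com:4435/loleaflet/3a048ea/loleaflet.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def find_leaked_origins(discovery_xml, public_url):
    """List (tag, attribute, url) for each advertised URL not on public_url's origin."""
    expected = origin(public_url)
    leaks = []
    for elem in ET.fromstring(discovery_xml).iter():
        for attr in ("urlsrc", "favIconUrl"):
            url = elem.get(attr)
            if url and origin(url) != expected:
                leaks.append((elem.tag, attr, url))
    return leaks


def advertised_origins(discovery_xml):
    """Distinct origins a WOPI client would be told to contact."""
    root = ET.fromstring(discovery_xml)
    urls = [e.get(a) for e in root.iter() for a in ("urlsrc", "favIconUrl") if e.get(a)]
    return sorted({origin(u) for u in urls})


if __name__ == "__main__":
    # In practice discovery_xml would be the body fetched from /hosting/discovery.
    for tag, attr, url in find_leaked_origins(SAMPLE_DISCOVERY, "https://proxy.wan.com"):
        print(f"<{tag} {attr}> advertises internal origin: {url}")
```

An empty result means every URL handed to Nextcloud and to browsers points at the public proxy; any entry names an internal host and port that clients are being told to contact directly.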

I bet the question is better placed in the Collabora forum

Hi @cnic023

Is it really necessary to configure two reverse proxies behind each other? Why not access the container on the Nextcloud server directly from the first reverse proxy via port 9080?

Somehow like this...

ProxyPass /loleaflet http://IP_NextcloudServer:9980/loleaflet retry=0
ProxyPassReverse /loleaflet http://IP_NextcloudServer:9980/loleaflet

I didn't test this, but I guess this should work... Maybe this thread will help you...

https://help.nextcloud.com/t/collabora-nextcloud-on-different-server-than-reverse-proxy

In particular this post:

https://help.nextcloud.com/t/collabora-nextcloud-on-different-server-than-reverse-proxy/8168/14


Thanks. I have seen these posts before but think I'm not understanding the concept.
I'm assuming your advice that I only need one proxy (mine is at the 'internet border' and is accessed by port forwarding of port 443) is not altered because I am not using docker?
So I don't need the office.lan.example.com virtual host at all? I can point the proxy server to the loolwsd server on port 9980 that is in the same box as the nextcloud instance (nextcloud.lan.example.com:443)? In this case I am assuming my loolwsd.xml would say: *<server_name desc="External hostname:port of the server running loolwsd. If empty, it's derived from the request (please set it if this doesn't work). Must be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string" default="">nextcloud.lan.example.com:443</server_name>*
If you could help me with these basic questions I will get the 'big picture' and be able to make some real progress. Perhaps my big mistake was to think that proper integration with nextcloud required the localhost configs when really the same thing can be achieved by communicating with port 9980 with the proxypass directives on 'my' border proxy server on a different machine?

That's how I understood this other post I linked to. Unfortunately, I can't test this myself or speak from personal experience. My setup is much simpler. I run the Collabora CODE Docker container in the same VM where I have installed Nextcloud, without a separate reverse proxy in front of it.

I guess you would have to start Collabora with the server name / IP address of your Nextcloud server (Docker), respectively configure it accordingly in the loolwsd.xml (package install). Then you would have to proxy to the name / IP address of your Nextcloud server from your border proxy, and DNS for office.yourdomain.tld would have to point to the IP of the border proxy, not to the IP address of your Nextcloud/Collabora server.

Maybe I'm making a misconception here. But as I said, that's how I understood the other post...

I am very grateful for your help. I'll give it a try. It does seem unnecessary to have 2 proxies so it ought to work.
Thanks again
