NC + WOPI server setup generates duplicate CSP

The Basics

  • Nextcloud Server version:
    • 31.0.7
  • Operating system and version:
    • Debian 12
  • Web server and version :
    • Apache 2.4.62
  • Reverse proxy and version:
    • nginx 1.28
  • PHP version:
    • 8.3.24
  • Is this the first time you’ve seen this error?:
    • Yep
  • When did this problem seem to first start?
    • When upgrading to NC 31
  • Installation method
    • CLI upgrade
  • Are you using Cloudflare, mod_security, or similar?
    • Yep

Summary of the issue you are facing:

When opening (trying at least) a file for editing NC shows

The document failed to load

The WOPI host is not authorized. Please try again later and inform the systems staff if the problem persists.

Also, the browser console shows these two Content Security Policies, one after the other. AFAIK, this produces an intersection.

media-src  'self' https://odf.dominio.edu.ar; object-src  'self' blob:; style-src  'self' 'unsafe-inline'; script-src  'self' 'unsafe-inline'; frame-ancestors  odf.dominio.edu.ar:* enlinea.dominio.edu.ar:*; img-src  'self' data: https://www.collaboraoffice.com/ odf.dominio.edu.ar:* enlinea.dominio.edu.ar:*; connect-src  'self' https://www.zotero.org https://api.zotero.org wss://odf.dominio.edu.ar https://odf.dominio.edu.ar; frame-src  'self' https://nextcloud.com/pricing blob:; font-src  'self' data:; default-src  'none';

and

default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https: wss:;

Any enlightening ideas are more than welcome.

Configuration

Nextcloud

The output of occ config:list system:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "enlinea.dominio.edu.ar"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "0": "skeletondiretory\u2019 => \u2018\/var\/www\/nextcloud\/core\/skeleton",
        "dbtype": "mysql",
        "version": "31.0.7.1",
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "overwritehost": "enlinea.dominio.edu.ar",
        "overwriteprotocol": "https",
        "overwritecondaddr": "^10\\.8\\.9\\.101$",
        "overwrite.cli.url": "https:\/\/enlinea.dominio.edu.ar",
        "forwarded_for_headers": [
            "HTTP_X_FORWARDED_FOR"
        ],
        "htaccess.RewriteBase": "\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "theme": "",
        "force_language": "es",
        "force_locale": "es",
        "default_phone_region": "ar",
        "mysql.utf8mb4": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "tls",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "content_security_policy": [
            "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "style-src 'self' 'unsafe-inline' https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "img-src 'self' data: blob: https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "font-src 'self' data: https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "connect-src 'self' https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar wss:\/\/odf.dominio.edu.ar",
            "frame-src https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "frame-ancestors 'self' https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "media-src 'self' data: https:\/\/enlinea.dominio.edu.ar https:\/\/odf.dominio.edu.ar",
            "object-src 'none'",
            "base-uri 'self' https:\/\/enlinea.dominio.edu.ar"
        ],
        "app_install_overwrite": [
            "epubreader",
            "integration_moodle",
            "ransomware_protection",
            "richdocuments",
            "maps",
            "groupfolders",
            "gdatavaas",
            "quicknotes",
            "electronicsignatures"
        ],
        "preview_max_x": "512",
        "preview_max_y": "512",
        "jpeg_quality": "60",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "maintenance_window_start": 1,
        "logtimezone": "America\/Argentina\/Buenos_Aires",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "logfile_audit": "\/var\/log\/nextcloud\/audit.log",
        "log.condition": {
            "apps": [
                "admin_audit"
            ]
        },
        "log_query": false,
        "loglevel": 3,
        "log_rotate_size": 0
    }
}

Apps

Enabled

  • activity: 4.0.0
  • analytics: 5.8.0
  • announcementcenter: 7.1.4
  • app_api: 5.0.2
  • audioplayer: 3.5.1
  • bookmarks: 15.1.3
  • bruteforcesettings: 4.0.0
  • calendar: 5.3.9
  • circles: 31.0.0
  • cloud_federation_api: 1.14.0
  • comments: 1.21.0
  • contactsinteraction: 1.12.0
  • context_chat: 4.4.1
  • dashboard: 7.11.0
  • dav: 1.33.0
  • deck: 1.15.2
  • dicomviewer: 2.3.1
  • federatedfilesharing: 1.21.0
  • federation: 1.21.0
  • files: 2.3.1
  • files_downloadlimit: 4.0.0
  • files_pdfviewer: 4.0.0
  • files_reminders: 1.4.0
  • files_sharing: 1.23.1
  • files_trashbin: 1.21.0
  • files_versions: 1.24.0
  • forms: 5.1.2
  • google_synchronization: 3.2.0
  • groupfolders: 19.1.3
  • integration_google: 4.1.0
  • jitsi: 0.19.0
  • logreader: 4.0.0
  • lookup_server_connector: 1.19.0
  • maps: 1.6.0
  • music: 2.2.0
  • notifications: 4.0.0
  • oauth2: 1.19.1
  • password_policy: 3.0.0
  • photos: 4.0.0
  • privacy: 3.0.0
  • profile: 1.0.0
  • provisioning_api: 1.21.0
  • quicknotes: 0.8.30
  • recommendations: 4.0.0
  • related_resources: 2.0.0
  • richdocuments: 8.7.4
  • riotchat: 0.19.0
  • serverinfo: 3.0.0
  • settings: 1.14.0
  • support: 3.0.0
  • survey_client: 3.0.0
  • suspicious_login: 9.0.1
  • systemtags: 1.21.1
  • text: 5.0.0
  • theming: 2.6.1
  • twofactor_backupcodes: 1.20.0
  • twofactor_totp: 13.0.0-dev.0
  • updatenotification: 1.21.0
  • user_status: 1.11.0
  • viewer: 4.0.0
  • weather_status: 1.11.0
  • webhook_listeners: 1.2.0
  • workflowengine: 2.13.0

Disabled

  • admin_audit: 1.21.0
  • electronicsignatures: 3.0.5 (installed 3.0.5)
  • encryption: 2.19.0
  • files_external: 1.23.0
  • firstrunwizard: 4.0.0 (installed 2.13.0)
  • gdatavaas: 31.0.6 (installed 31.0.6)
  • libresign: 11.2.5 (installed 11.2.5)
  • nextcloud_announcements: 3.0.0 (installed 1.9.0)
  • openotp_sign: 1.31.0 (installed 1.31.0)
  • sharebymail: 1.21.0 (installed 1.14.0)
  • twofactor_nextcloud_notification: 5.0.0
  • user_ldap: 1.22.0
  • video_converter: 1.0.6 (installed 1.0.6)

Additional info

occ config:app:get richdocuments wopi_allowlist
https://odf.dominio.edu.ar https://enlinea.dominio.edu.ar

occ config:app:get richdocuments wopi_url
https://odf.dominio.edu.ar
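Browsers enforce every CSP header they receive, so the two policies quoted above combine by intersection: a load must be allowed by each one. The following is an added example (not from the post or from Nextcloud) that parses both headers as posted (the Nextcloud one trimmed to the directives used here) with a simplified CSP matcher and evaluates constructed sample loads against each policy and against both; the page origin and the sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed from the two headers quoted in the post (first one trimmed to the
# directives used here). Browsers enforce every CSP header, so a load must pass all.
NEXTCLOUD_CSP = ("frame-src 'self' https://nextcloud.com/pricing blob:; "
                 "connect-src 'self' wss://odf.dominio.edu.ar https://odf.dominio.edu.ar; "
                 "img-src 'self' data: https://www.collaboraoffice.com/ odf.dominio.edu.ar:*; "
                 "default-src 'none';")
PROXY_CSP = "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https: wss:;"
PAGE_ORIGIN = urlsplit("https://enlinea.dominio.edu.ar")   # assumed origin of the Nextcloud page

HOST_SRC = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^:/]+)"
                      r"(?::(?P<port>\d+|\*))?(?P<path>/.*)?$")

def parse_csp(header):
    """Return {directive: [source expressions]} for one header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(src, url):
    """Simplified CSP source matching: 'self', scheme sources (https:, wss:, blob:, data:)
    and host sources with optional scheme, port (or :*) and path prefix. No host wildcards."""
    u = urlsplit(url)
    if src == "'self'":
        return (u.scheme, u.netloc) == (PAGE_ORIGIN.scheme, PAGE_ORIGIN.netloc)
    if src.startswith("'"):                # 'none', 'unsafe-inline', ...: never match a URL
        return False
    if src.endswith(":"):                  # scheme source such as https: or wss:
        return u.scheme == src[:-1]
    m = HOST_SRC.match(src)
    if not m or m["host"] != u.hostname:
        return False
    if m["scheme"] and m["scheme"] != u.scheme:
        return False
    if not m["scheme"] and u.scheme != PAGE_ORIGIN.scheme:
        return False                       # simplification: no http->https upgrade rule
    if m["port"] not in (None, "*") and int(m["port"]) != u.port:
        return False
    return u.path.startswith(m["path"] or "")

def allowed_by(policy, directive, url):
    """Fetch directives fall back to default-src when absent (child-src step omitted)."""
    sources = policy.get(directive, policy.get("default-src", []))
    return any(source_matches(s, url) for s in sources)

def effective_allowed(headers, directive, url):
    """Several CSP headers combine by intersection: each policy must allow the load."""
    return all(allowed_by(parse_csp(h), directive, url) for h in headers)
```

Running it on the posted headers shows that the permissive proxy policy cannot widen anything the Nextcloud policy blocks, which is why a second CSP added at the proxy or web server only ever removes permissions.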

Assuming you're trying to bypass the reverse proxy by overwriting the conditional address, this will fail, as the WOPI host will not have a valid TLS certificate, causing this error: "The WOPI host is not authorized. Please try again later and inform the systems staff if the problem persists". Thus, remove the conditional address overwrite and don't bypass the reverse proxy, so that TLS is certified by the reverse proxy.

There is no reason to bypass the reverse proxy… neither speed nor resources are affected. See also Config Param 'overwritecondaddr' not working · Issue #6914 · nextcloud/server · GitHub

That config was working so far. However, even after removing that line, the error still remains.

…until what happened?

Recollect the steps taken, note recent changes and structure that information.

@drodriguez, please be clear about your requirements. Note this is a community forum; we are not associated with the official Nextcloud GmbH support and will not support commercial/institutional systems!

  • how many active users are hosted on your instance?
  • is your instance a corporate/institutional instance or rather private/personal instance?

As said, functionality broke when updating to 31.x.

I have tried to provide all the necessary information to explain the situation.

It’s not that I haven’t tried to find a solution before resorting to the forum.

This is the institutional cloud of a small public university in Argentina, with around 200 accounts.

I’m not looking for support, just some advice or a hint would be enough. Now, if I’m in the wrong place… please pardon the noise.

  • is the Collabora online instance you’re connecting to a CODE instance?
  • if you are using CODE, has that been updated also?

Since your issue seems to be a WOPI issue pointing to an uncertified host, you could try removing the WOPI configs and reconfiguring them, or try using aliasgroups instead, as an aliasgroup represents the allowed client domain, which will prevent unregistered clients from accessing the service and possibly reduce WOPI issues.
See Configuration — SDK https://sdk.collaboraonline.com/ documentation
See https://sdk.collaboraonline.com/docs/installation/Configuration.html#multihost-configuration

Delete public_wopi configuration

occ config:app:delete richdocuments public_wopi_url ;

Delete wopi_url configuration

occ config:app:delete richdocuments wopi_url ;

After deleting the prior values (which were the same), I set them again and checked…

# php ./occ richdocuments:activate-config

✓ Reset callback url autodetect
Checking configuration
🛈 Configured WOPI URL: https://odf.dominio.edu.ar
🛈 Configured public WOPI URL: https://odf.dominio.edu.ar
🛈 Configured callback URL: 

✓ Fetched /hosting/discovery endpoint
✓ Valid mimetype response
✓ Valid capabilities entry
✓ Fetched /hosting/capabilities endpoint
✓ Detected WOPI server: OxOffice Online Community 5.0.1.1

Collabora URL (used for Nextcloud to contact the Collabora server):
  https://odf.dominio.edu.ar
Collabora public URL (used in the browser to open Collabora):
  https://odf.dominio.edu.ar
Callback URL (used by Collabora to connect back to Nextcloud):
  autodetected (will use the same URL as your user for browsing Nextcloud)

… error is still there :face_with_spiral_eyes:

Maybe a dumb question, but what is: OxOffice Online Community 5.0.1.1?

On my server it says:

Detected WOPI server: Collabora Online Development Edition 25.04.4.2

It’s kind of like a fork: GitHub - OSSII/oxool-community: OxOffice Online Community. Oriented to Asian countries but suitable for anywhere.

Ah ok, interesting. Didn’t know it.

…but you can definitely rule out this fork as the cause of the problem?

Otherwise, I’m afraid I can’t contribute much, apart from pointing out those CSP errors. They suggest it might have something to do with your webserver/reverse proxy configuration. Alternatively, one of the involved applications may have changed something in this area—bringing us back to OxOffice, or perhaps to some incompatibility between Richdocuments and OxOffice.

Yep, it was working just fine prior to upgrading to 31.0.7.

However there was also an update to Richdocuments two days ago: Releases · nextcloud/richdocuments · GitHub

That hasn’t caused any issues with my Collabora server, but maybe it did with OxOffice?

I know; I’ve updated it to 8.7.4. The error was there before that update already.

It’s interesting. I’m wondering about this config part

It is completely unknown to me; I also don’t find it in the sample config.

In general I would recommend you remove any custom CSP you add in your reverse proxy, webserver etc. Nextcloud is supposed to generate the right CSP itself → csp. After you have removed the custom CSP stuff, review the Collabora integration guide - maybe you find some hints.

I would also give a test server a try (or spin up a “real” CODE instance for testing) - it looks like OxOffice doesn’t receive many updates.. maybe your OxOffice variant is somewhat outdated - the version number looks like a 3-year-old Collabora..

Update:

This one is wrong: wopi_allowlist should contain the IP ranges of your CODE, not URLs. Depending on the networking config this might be some internal IP or the public IP of the CODE system. I recommend starting without any restriction and tightening later.
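To see why URLs in wopi_allowlist are a problem, here is an added example (not richdocuments' own code) that validates an allowlist value the way the setting is described, as IP addresses and CIDR ranges, and decides whether a WOPI request from a given address passes; the comma/space separated format, the "empty list allows all" rule and the sample addresses are assumptions.

```python
import ipaddress

def parse_wopi_allowlist(value):
    """Split an allowlist value into (networks, rejected). Entries that are not IP
    addresses or CIDR ranges, such as the URLs quoted in the thread, end up in rejected.
    Assumed format: entries separated by commas and/or whitespace."""
    networks, rejected = [], []
    for entry in value.replace(",", " ").split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def wopi_request_allowed(value, remote_addr):
    """Assumed semantics: an empty allowlist allows every host; otherwise the requester's
    address must fall inside one of the listed ranges. Entries that are not IP ranges are
    reported instead of being silently ignored, so a misconfiguration is visible."""
    networks, rejected = parse_wopi_allowlist(value)
    if rejected:
        raise ValueError(f"wopi_allowlist entries are not IP ranges: {rejected}")
    if not networks:
        return True
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    # Constructed sample: the value from the thread versus a CIDR-based one.
    print(parse_wopi_allowlist("https://odf.dominio.edu.ar https://enlinea.dominio.edu.ar"))
    print(wopi_request_allowed("10.8.9.0/24, 2001:db8::/32", "10.8.9.42"))
```

Behind a reverse proxy the address compared here must be the real client address, which Nextcloud only recovers when trusted_proxies and forwarded_for_headers are set correctly; otherwise every WOPI call appears to come from the proxy and a tight allowlist will reject the CODE server.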