Nextcloud 12 Collabora Unauthorized WOPI host

Hi. New clean install - Ubuntu Server 16.04 updated, Nextcloud 12, Collabora via Docker. The hosting is located behind the router. There is port forwarding - 80, 443, 4443, 9980. I have both certs - for Nextcloud and for the Collabora subdomain. Nextcloud seems to be working well.

My deploying docker command is:

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=orhcloud\\.xyz' --restart always --cap-add MKNOD collabora/code

my nginx config is:

> fastcgi_cache_path /usr/local/tmp/cache levels=1:2 keys_zone=NEXTCLOUD:100m inactive=60m;
> map $request_uri $skip_cache {
>  default 1;
>  ~*/thumbnail.php 0;
>  ~*/apps/galleryplus/ 0;
>  ~*/apps/gallery/ 0;
> }
> server {
>  listen 80 default_server;
>  server_name orhcloud.xyz;
>  location ^~ /.well-known/acme-challenge {
>  proxy_pass http://127.0.0.1:81;
>  proxy_set_header Host $host;
>  proxy_set_header X-Real-IP $remote_addr;
>  proxy_set_header X-Forwarded-For $remote_addr;
>  proxy_set_header X-Forwarded-Host $host;
>  proxy_set_header X-Forwarded-Port $server_port;
>  proxy_set_header X-Forwarded-Protocol $scheme;
>  proxy_redirect off;
>  }
>  location / {
>  return 301 https://$host$request_uri;
>  }
> }

> server {
>     listen       4443 ssl;
>     server_name  office.orhcloud.xyz;

>     ssl_certificate /etc/letsencrypt/live/office.orhcloud.xyz/fullchain.pem;
>     ssl_certificate_key /etc/letsencrypt/live/office.orhcloud.xyz/privkey.pem;

>     # static files
>     location ^~ /loleaflet {
>         proxy_pass https://localhost:9980;
>         proxy_set_header Host $http_host;
>     }

>     # WOPI discovery URL
>     location ^~ /hosting/discovery {
>         proxy_pass https://localhost:9980;
>         proxy_set_header Host $http_host;
>     }

>    # main websocket
>    location ~ ^/lool/(.*)/ws$ {
>        proxy_pass https://localhost:9980;
>        proxy_set_header Upgrade $http_upgrade;
>        proxy_set_header Connection "Upgrade";
>        proxy_set_header Host $http_host;
>        proxy_read_timeout 36000s;
>    }

>    # download, presentation and image upload
>    location ~ ^/lool {
>        proxy_pass https://localhost:9980;
>        proxy_set_header Host $http_host;
>    }

>    # Admin Console websocket
>    location ^~ /lool/adminws {
>        proxy_pass https://localhost:9980;
>        proxy_set_header Upgrade $http_upgrade;
>        proxy_set_header Connection "Upgrade";
>        proxy_set_header Host $http_host;
>        proxy_read_timeout 36000s;
>    }
> }

> server {
>  listen 443 ssl http2 default_server;
>  server_name orhcloud.xyz;
>  root /var/www/nextcloud/;
>  access_log /var/log/nginx/nextcloud.access.log main;
>  error_log /var/log/nginx/nextcloud.error.log warn;
>  location = /robots.txt {
>  allow all;
>  log_not_found off;
>  access_log off;
>  }
>  location = /.well-known/carddav {
>  return 301 $scheme://$host/remote.php/dav;
>  }
>  location = /.well-known/caldav {
>  return 301 $scheme://$host/remote.php/dav;
>  }
>  client_max_body_size 10240M;
>  location / {
>  rewrite ^ /index.php$uri;
>  }
>  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
>  deny all;
>  }
>  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
>  deny all;
>  }
>  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
>  fastcgi_split_path_info ^(.+\.php)(/.*)$;
>  include fastcgi_params;
>  include php_optimization.conf;
>  fastcgi_pass php-handler;
>  fastcgi_param HTTPS on;
>  fastcgi_cache_bypass $skip_cache;
>  fastcgi_no_cache $skip_cache;
>  fastcgi_cache NEXTCLOUD;
>  }
>  location ~ ^/(?:updater|ocs-provider)(?:$|/) {
>  try_files $uri/ =404;
>  index index.php;
>  }
>  location ~ \.(?:css|js|woff|svg|gif)$ {
>  try_files $uri /index.php$uri$is_args$args;
>  add_header Cache-Control "public, max-age=15778463";
>  access_log off;
>  expires 30d;
>  }
>  location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
>  try_files $uri /index.php$uri$is_args$args;
>  access_log off;
>  expires 30d;
>  }
> }

In the administration page, in the Collabora settings, I set this:

> https://office.orhcloud.xyz:4443

my ufw parameters:

> Default: deny (incoming), allow (outgoing), deny (routed)
> 80/tcp                     ALLOW IN    Anywhere                  
> 443/tcp                    ALLOW IN    Anywhere                  
> 22/tcp                     ALLOW IN    Anywhere                  
> 9980/tcp                   ALLOW IN    Anywhere                  
> 4443/tcp                   ALLOW IN    Anywhere                  

When I try to open any document, Collabora shows me the message “Unauthorized WOPI host”.
My docker logs:
> Generating RSA private key, 2048 bit long modulus

> ............+++
> ...........+++
> e is 65537 (0x10001)
> Generating RSA private key, 2048 bit long modulus
> .................................................................................................................................................................................................+++
> ..........................................+++
> e is 65537 (0x10001)
> Signature ok
> subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
> Getting CA Private Key
> loolforkit version details: 2.1.1 - 52f0568e
> office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.3", "ProductExtension": ".10.13", "BuildId": "e639c2ad9c05a793b16db13bd879342ed75dcf95" }
> wsd-00024-00032 08:15:47.871330 [ websrv_poll ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:317
> wsd-00024-00034 08:15:48.471832 [ docbroker_001 ] ERR  Cannot get file info from WOPI storage uri [https://orhcloud.xyz/apps/richdocuments/wopi/files/16_ocq3l4548162?access_token=8Uq6toPoai4PwNOLikp57Kz5fAoLnCZe&access_token_ttl=0&permission=edit]. Error: Connection refused| wsd/Storage.cpp:449
> wsd-00024-00034 08:15:48.471980 [ docbroker_001 ] ERR  Error while handling loading : Connection refused| wsd/LOOLWSD.cpp:2113
> wsd-00024-00034 08:15:48.474540 [ docbroker_001 ] ERR  #15: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:909
> wsd-00024-00034 08:15:48.475094 [ docbroker_001 ] WRN  Child session [0003] not found to forward message: load url=https://orhcloud.xyz/apps/richdocuments/wopi/files/16_ocq3l4548162?access_token=8Uq6toPoai4PwNOLikp57Kz5fAoLnCZe&access_token_ttl=0&permission=edit readonly=0 lang=ru| wsd/DocumentBroker.cpp:1272
> wsd-00024-00034 08:15:48.475144 [ docbroker_001 ] WRN  Attempted ping on non-upgraded websocket!| ./net/WebSocketHandler.hpp:285
> wsd-00024-00034 08:15:48.475187 [ docbroker_001 ] ERR  #15: Wrote outgoing data -1 bytes. (errno: Broken pipe)| ./net/Socket.hpp:909
> wsd-00024-00034 08:15:48.494488 [ docbroker_001 ] ERR  Socket #19 SSL BIO error: closed (0).| ./net/SslSocket.hpp:255
> wsd-00024-00034 08:15:48.494632 [ docbroker_001 ] ERR  Socket #19 SSL BIO error: error:140D00CF:SSL routines:SSL_write:protocol is shutdown (errno: Success)| ./net/SslSocket.hpp:273
> wsd-00024-00034 08:15:48.494731 [ docbroker_001 ] WRN  ToClient-0003: Exception while closing socket for docKey [orhcloud.xyz:443/apps/richdocuments/wopi/files/16_ocq3l4548162]: error:140D00CF:SSL routines:SSL_write:protocol is shutdown| wsd/ClientSession.cpp:805
> wsd-00024-00025 08:15:49.370466 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
> wsd-00024-00025 08:15:49.370542 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: true, finished: true| ./net/Socket.hpp:507
> wsd-00024-00025 08:15:49.370602 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507
> wsd-00024-00025 08:15:49.370617 [ prisoner_poll ] WRN  Waking up dead poll thread [docbroker_001], started: false, finished: true| ./net/Socket.hpp:507

I know that I am making a mistake somewhere, but I can’t see it.
Can anyone help me? Thx.

Any thoughts? Anyone?

From the Nextcloud Collabora installation page:

Issue: I get connection errors when trying to open documents
Be sure to check the error log from docker (docker logs id-of-your-instance). If the logs note something like:
No acceptable WOPI hosts found matching the target host [YOUR NEXTCLOUD DOMAIN] in config.
Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists.
you might have started the docker container with the wrong URL. Be sure to triplecheck that you start it with the URL of your Nextcloud server, not the server where Collabora Online runs on.

1 Like

The trouble was in /etc/loolwsd/loolwsd.xml: in the wopi host section, my domain was missing. I manually added the hostname and it works.

Hi

@Indemio_NoFamily

Could you detail how you implemented your solution, please?

Thanks

Hey, I had the same problem and just managed to solve it following @Indemio_NoFamily’s tip of looking into the loolwsd.xml.
If you have trouble finding the file you can do something like
sudo nano $(sudo find / -name "loolwsd.xml")
Then, look for the block starting with Backend storage and add your nextcloud domain (not the collabora one) to it:

```xml
<storage desc="Backend storage">
    <filesystem allow="false" />
    <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
        <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
        <!-- Here are a bunch of allowed hostnames, put yours as well: -->
        <host desc="Regex pattern of hostname to allow or deny." allow="true">your-nextcloud-domain.com</host>

        <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    </wopi>
```
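
The allow-list check behind this fix, as an added example that is not part of the original posts or of Collabora's code: it reads the `storage/wopi/host` entries from a loolwsd.xml-style document and tests hostnames against them. The XML and all hostnames are constructed placeholders, and the matching rule (case-insensitive, whole hostname, deny entries win) is an assumption about how loolwsd applies these patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout quoted above; all hostnames are placeholders.
SAMPLE_XML = r"""
<config>
  <storage desc="Backend storage">
    <wopi desc="Allow/deny wopi storage." allow="true">
      <host desc="Regex pattern" allow="true">localhost</host>
      <host desc="Regex pattern" allow="true">office\.example\.com</host>
      <host desc="Regex pattern" allow="true">files.example.org</host>
      <host desc="Regex pattern" allow="false">old\.example\.org</host>
    </wopi>
  </storage>
</config>
"""

def wopi_host_patterns(xml_text):
    """Return (allow, deny) lists of host regexes from storage/wopi/host."""
    allow, deny = [], []
    for host in ET.fromstring(xml_text).findall(".//storage/wopi/host"):
        pattern = (host.text or "").strip()
        if pattern:
            (allow if host.get("allow") == "true" else deny).append(pattern)
    return allow, deny

def is_allowed(hostname, allow, deny):
    """Assumed rule: case-insensitive match of the whole hostname, deny wins."""
    def hit(patterns):
        return any(re.fullmatch(p, hostname, re.IGNORECASE) for p in patterns)
    return hit(allow) and not hit(deny)

def loose_patterns(allow):
    """Allow entries with an unescaped '.', which matches any character."""
    return [p for p in allow if re.search(r"(?<!\\)\.", p)]

if __name__ == "__main__":
    allow, deny = wopi_host_patterns(SAMPLE_XML)
    # cloud.example.com plays the Nextcloud host; office.example.com is Collabora's own.
    for name in ("cloud.example.com", "office.example.com",
                 "files.example.org", "files-example.org", "old.example.org"):
        verdict = "allowed" if is_allowed(name, allow, deny) else "Unauthorized WOPI host"
        print(f"{name:22} {verdict}")
    print("unescaped dots:", loose_patterns(allow))
```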

Hello,
I found the file but I can’t edit it.
If I try nano, vi or vim, I get “not found”, and if I try "sudo apt-install" it says that I don’t have permissions.
How can I edit the file inside the docker container?

```
fabio@collabora:~$ sudo docker ps

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6790ca91533b collabora/code "/bin/sh -c 'bash st…" 20 hours ago Up 20 hours 127.0.0.1:9980->9980/tcp sleepy_sutherland
fabio@collabora:~$
fabio@collabora:~$ sudo docker exec -it 6790ca91533b /bash
OCI runtime exec failed: exec failed: container_linux.go:370: starting container process caused: exec: "/bash": stat /bash: no such file or directory: unknown
fabio@collabora:~$ sudo docker exec -it 6790ca91533b bash
lool@6790ca91533b:/$
lool@6790ca91533b:/$ cd
lool@6790ca91533b:~$ vi /etc/loolwsd/loolwsd.xml
bash: vi: command not found
lool@6790ca91533b:~$ sudo apt-get install vi
bash: sudo: command not found
lool@6790ca91533b:~$ sudo apt-get install nano
bash: sudo: command not found
lool@6790ca91533b:~$ apt-get install nano
E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)
E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?
lool@6790ca91533b:~$
lool@6790ca91533b:~$
```

Thanks.

you don’t want to do this. you never edit files “inside” a container. with each update of the image you’ll have to do it again.

you are not root. you are lool.
maybe sudo docker exec -u root -it 6790ca91533b bash would do the trick.
but you don’t want. see above.

what’s your problem. why do you want to edit this file?

Thanks for the tip.
The reason is that I used the docker image to create a Collabora server:

fabio@collabora:/etc/apache2/sites-available$ cat collabora.conf
<VirtualHost *:443>
ServerName office.newtws.com:443
…

I added it to my Nextcloud server (that I’m running as a plugin on Plesk)

But if I try to edit a file I got this error:
Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists.

This is the docker command that I run:
sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=panel\.newtws\.com' -e 'dictionaries=en' --name collaboraserver --restart always --cap-add MKNOD collabora/code

My plesk server is on https://panel.newtws.com and my Nextcloud website is https://newtws.com/nextcloud

So, I was trying to modify the file mentioned before (/etc/loolwsd/loolwsd.xml)
to see if that solves my problem.

If not, what else can I do?

Thanks.

I had a working Nextcloud / Collabora installation on my local server until recent update of docker image collabora/code to version 6.4.3.1 (latest). After reverting back to previous docker image 6.4.2.2 it works again.
To me it seems that something changed with the latest collabora/code docker image 6.4.3.1

Found an issue on the Collabora GitHub which suggests that the syntax might have changed and no backslashes are required anymore in the domain name (escaping the dots). After removing the backslashes in the domain names, the latest version 6.4.3.1 works fine, no “unauthorised WOPI” error anymore

2 Likes

Hey,
Thank you so much. That really made it work!!!
I run:
sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain2.com' --restart always --cap-add MKNOD collabora/code

And both accounts have access to Collabora.