Nextcloud + Collabora CODE + Cloudflare

Hi guys,

I need some help from you.

Let me describe my configuration first.
I have a server with Home Assistant OS, Cloudflare for TCP Tunnel. Nextcloud & Collabora are also part of docker containers (Add-ons in terms of HA).

- hostname: cloud.my_domain.com
  service: https://2937404c-nextcloud-ocr:443
- hostname: code.my_domain.com
  service: http://172.30.33.14:9980

Nextcloud Add-on is actually docker-nextcloud, it has its own nginx. Collabora CODE I deployed myself using Portainer. Extra arguments are: extra_params=--o:logging.level=debug --o:ssl.enable=false --o:ssl.termination=true --o:admin_console.username=admin --o:admin_console.password=admin.
Both services are accessible over the internet. I also get a success response from code.my_domain.com/hosting/discovery.

In the Office app of Nextcloud I receive a green check (Collabora Online server is reachable).
My problem is that I can access documents only when I set the WOPI list to empty. I tried to set it with Cloudflare IP-ranges as it is described here and many other options. Every time I receive Unauthorised WOPI host. Please try again later and report to your administrator if the issue persists. The only 2 options that are working are when I leave it empty or I put my external IP address. Both options are insecure and should be avoided (I think).
Another observation is that when I save the CODE URL in the Office app, I can see in the CODE logs the following:

wsd-00001-00031 2025-01-20 18:55:37.558830 +0000 [ websrv_poll ] DBG  #28: Handling request: /hosting/capabilities, closeConnection false| wsd/ClientRequestDispatcher.cpp:689
wsd-00001-00031 2025-01-20 18:55:37.558876 +0000 [ websrv_poll ] DBG  #28: Wopi capabilities request: /hosting/capabilities| wsd/ClientRequestDispatcher.cpp:2473
wsd-00001-00031 2025-01-20 18:55:37.558974 +0000 [ websrv_poll ] INF  convert-to: X-Forwarded-For is: <MY_EXTERNAL_IP> | wsd/ClientRequestDispatcher.cpp:568
wsd-00001-00031 2025-01-20 18:55:37.559060 +0000 [ websrv_poll ] DBG  #28: Handled request: /hosting/capabilities, inBuf[sz 786 -> 0, rm 786], connection open true| wsd/ClientRequestDispatcher.cpp:983
wsd-00001-00031 2025-01-20 18:55:37.559434 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: <MY_EXTERNAL_IP>| wsd/ClientRequestDispatcher.cpp:503
wsd-00001-00031 2025-01-20 18:55:37.559643 +0000 [ websrv_poll ] INF  Sent capabilities.json successfully.| wsd/ClientRequestDispatcher.cpp:2465

It says that requests from my host with the external IP are denied.

What am I missing?

Nextcloud accesses CODE using public DNS and (as long as there are no additional measures) the request proceeds the whole way to your public-facing webserver/reverse proxy, which in your case seems to be Cloudflare, and then back to your CODE. If you set up everything right and each server in the chain adds proper HTTP headers and each server in the chain trusts these headers, the (CODE) service at the end could learn the origin of the request from the proxy headers. In your installation this seems to be the case - this is likely the reason why the request is shown as coming from your public IP. The solution would be to add your public IP to the wopi_allowlist or, if you want to avoid the loop through the internet and all the intermediate systems, something like split-brain DNS. For a Docker setup I described a possible solution in Probably DNS help with NC Docker + Collabora + Wireguard tunnel which makes the server request come from the internal Docker IP range 172.16.0.0/16 and allows a simple and secure WOPI allow list config.
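Added example, not code from the thread or from Collabora: a Python check that parses a constructed copy of the CODE log lines from the question (placeholder 203.0.113.7 standing in for <MY_EXTERNAL_IP>) and tests the origin CODE actually observed against the allowlist variants discussed, with the documentation range 198.51.100.0/24 standing in for the proxy's published ranges. It shows why only the empty list and the external IP pass: the origin CODE sees after the proxy chain is the client behind Cloudflare, not a Cloudflare or Docker address.

```python
import ipaddress
import re

# Constructed copy of two CODE log lines from the question; 203.0.113.7 is a placeholder.
LOG = """\
wsd-00001-00031 2025-01-20 18:55:37.558974 +0000 [ websrv_poll ] INF  convert-to: X-Forwarded-For is: 203.0.113.7 | wsd/ClientRequestDispatcher.cpp:568
wsd-00001-00031 2025-01-20 18:55:37.559434 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: 203.0.113.7| wsd/ClientRequestDispatcher.cpp:503
"""

# Address patterns only, so the trailing "|" in the log line is not captured.
XFF_RE = re.compile(r"X-Forwarded-For is: ([0-9a-fA-F.:]+)")
DENIED_RE = re.compile(r"Requesting address is denied: ([0-9a-fA-F.:]+)")


def extract_origins(log):
    """Return (forwarded_ips, denied_ips) as strings, in log order."""
    return XFF_RE.findall(log), DENIED_RE.findall(log)


def wopi_allowed(origin, allowlist):
    """Emulate the allowlist decision: an empty list allows every host,
    otherwise the origin must fall inside one listed IP or CIDR."""
    if not allowlist:
        return True
    ip = ipaddress.ip_address(origin)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def evaluate(log, candidates):
    """For each named allowlist, decide whether the origin CODE saw in the log passes."""
    forwarded, _ = extract_origins(log)
    origin = forwarded[-1]  # the address CODE takes from the proxy header
    return {name: wopi_allowed(origin, entries) for name, entries in candidates.items()}


# The variants tried in the thread (proxy ranges are constructed stand-ins).
CANDIDATES = {
    "empty": [],
    "external_ip": ["203.0.113.7"],
    "proxy_ranges": ["198.51.100.0/24"],
    "docker_range": ["172.16.0.0/16"],
}

if __name__ == "__main__":
    for name, ok in evaluate(LOG, CANDIDATES).items():
        print(f"{name:13s} -> {'allowed' if ok else 'denied'}")
```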