Nextcloud - Collabora - Traefik - no connection with https

Daniel-WW · May 5, 2024, 9:48am

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 20.0.5): 29.0.0
Operating system and version (eg, Ubuntu 20.04): Docker Container nextcloud:latest
Apache or nginx version (eg, Apache 2.4.25): Apache2
PHP version (eg, 7.4): 8.2.18

The issue you are facing:

It is not possible for me to connect Nextcloud and Collabora so that they can work with each other. NC and Collabora run as independent Docker containers behind Traefik as a reverse proxy. I followed the instructions and connection tests on the troubleshooting page.
I can access NC and Collabora from the web browser.
I can access Collabora from the Nextcloud container via curl https://office.mydomain/hosting/discovery.
I cannot reach Nextcloud from the Collabora container via curl https://cloud.mydomain/status.php. BUT I can reach NC using HTTP (curl http://cloud.mydomain/status.php).

It seems that https is not working, in this direction. What could be the problem? I can post more information about my docker/traefik settings, but at the moment, I’m not sure, what is necessary. Please let me know.

When I try to open a document in NC, I get the following error message in the Collabora logs:
wsd-00001-00062 2024-05-04 20:02:28.330639 +0200 [ websrv_poll ] ERR WOPI::CheckFileInfo failed for URI [https://cloud.mydomain.com/index.php/apps/richdocuments/wopi/files/776_oc5qyxrku0dl?access_token=bzSNYoI04GxpxTR1QrC2CqyZQHq1iLPt&access_token_ttl=0&permission=edit]: 0 (Unknown) . Headers: Body: []| wsd/wopi/CheckFileInfo.cpp:95

My NC-Domain was taken in account in the Collabora Docker Compose file:
- aliasgroup2=https://cloud.mydomain.com

Is this the first time you’ve seen this error? (Y/N):

Yes, but I’ve been trying to solve the problem for a long time.

As a newbie in such server things, I tried to describe the error as best as possible. I appreciate any kind of help. I have also read various other articles in this forum, but could not solve the problem on my own. Please let me know what kind of settings or logs are needed to find the error. I could post further necessary information. - Thanks in advance and best regards - Daniel

jtr · May 5, 2024, 1:24pm

Does cloud.mydomain actually resolve to your Traefik (HTTPS) IP address from within your Collabora container (and Docker environment generally)? That is the first culprit that comes to mind.

Daniel-WW · May 5, 2024, 5:09pm

Hello, thank you very much for your answer.

I’m not entirely sure if I understood the question correctly, but I would like to try to describe my setup in more detail: Docker is running on my home server (Ubuntu LXC, Proxmox). The following three containers run within the Docker environment: Traefik (as a reverse proxy), Nextcloud (cloud.mydomain.com) and Collabora (collabora.mydomain.com).

Requests from outside reach the Docker environment via my router and a single common WAN IP (router). I use Cloudflare DNS services. From there, requests are sent to the WAN IP (router) and from there to the reverse proxy Traefik. Traefik forwards the requests to the different services/containers.

Are there any special settings I need to consider with this setup?

Daniel-WW · May 9, 2024, 8:54am

Hello everyone, I’m still stuck with the same problem and despite many attempts I haven’t gotten any further. - I cannot establish a connection to nextcloud via https from the collabora container.
If I try to test the connection from inside the collabora container, I got the following response:

root@0fa88dd73d01:/# curl -v https://cloud.mydomain.com/status.php
*   Trying 192.168.xxx.45:443...
* connect to 192.168.xxx.45 port 443 failed: Connection refused
* Failed to connect to cloud.mydomain.com port 443 after 1 ms: Couldn't connect to server
* Closing connection 0

That shows me, that if I try the nextcloud domain address, collabora is going to connect directly to the internal IP of the nextcloud container, which is 192.168.xxx.45. But the connection can’t be established, because port 443 is not open.

Only http seems to work, because port 80 can be reached. As far as I understood as a beginner, DNS is not working properly here? Collabora should try to access nextcloud over the Internet and then over my public WAN IP and traefik. Port 443 is open via traefik and nextcloud can be reached. But this route is not used.

So what do I need to change in my configuration for DNS to work properly?

I would be happy if someone could help me.

wwe · May 9, 2024, 8:05pm

as long you don’t show you config nobody can help. as long you don’t fiddle with hosts files etc container are expected to use same DNS server as the host (public IP of your public DNS record by default).

maybe not the exact answer but a hint to make internal DNS resolution aka splitbraindns work for Docker Probably DNS help with NC Docker + Collabora + Wireguard tunnel - #5 by wwe

Daniel-WW · May 10, 2024, 3:36pm

Hello @wwe and thanks for help. Below I share my docker compose configuration files. At first I didn’t know which configurations could be relevant. Now I’m trying to show everything that is related to collabora, nextcloud and the reverse proxy traefik.

Container traefik.yml

services:
  # Traefik 2 - Reverse Proxy
  traefik:
    container_name: traefik
    image: traefik:2.11.2
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      proxynet:
        ipv4_address: 192.168.xxx.33 # You can specify a static IP
      socket_proxy:
    depends_on:
      - socket-proxy  
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.traefik.address=:8080
      # - --entrypoints.ping.address=:8081
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --api=true
      - --api.dashboard=true
      # - --api.insecure=true
      #- --ping=true
      #- --serversTransport.insecureSkipVerify=true
      # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --entryPoints.websecure.proxyProtocol.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
      - --log=true
      - --log.filePath=/logs/traefik.log
      - --log.level=DEBUG # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/logs/access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=204-299,400-499,500-599
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Disable for Socket Proxy. Enable otherwise.
      # - --providers.docker.endpoint=tcp://socket-proxy:2375 # Enable for Socket Proxy. Disable otherwise.
      - --providers.docker.endpoint=tcp://192.168.xx.254:2375 # Enable for Socket Proxy. Disable otherwise.
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=proxynet 
      - --providers.docker.swarmMode=false
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.options=tls-opts@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.websecure.http.tls.certresolver=dns-cloudflare
      - --entrypoints.websecure.http.tls.domains[0].main=$DOMAINNAME_HS
      - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME_HS
      # - --entrypoints.websecure.http.tls.domains[1].main=$DOMAINNAME_2 # Pulls main cert for second domain
      # - --entrypoints.websecure.http.tls.domains[1].sans=*.$DOMAINNAME_2 # Pulls wildcard cert for second domain
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate

      - --experimental.plugins.real-ip.modulename=github.com/Paxxs/traefik-get-real-ip
      - --experimental.plugins.real-ip.version=v1.0.3
    #healthcheck:
    #  test: ["CMD", "traefik", "healthcheck", "--ping"]
    #  interval: 5s
    #  retries: 3

    volumes:
      - $DOCKERDIR/appdata/traefik2/rules/$HOSTNAME_HS:/rules # Dynamic File Provider directory
      - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # Certs File 
      - $DOCKERDIR/logs/$HOSTNAME_HS/traefik:/logs # Traefik logs
    environment:
      - TZ=$TZ
      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token    
      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials # HTTP Basic Auth Credentials
      - DOMAINNAME_HS # Passing the domain name to traefik container to be able to use the variable in rules. 
    secrets:
      - cf_dns_api_token
      - basic_auth_credentials
    labels:
      - "traefik.enable=true"
      # Network IP
      - "traefik.docker.network=proxynet"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME_HS`)"
      # Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      # Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"

Container nextcloud-app.yml

services:
  # Nextcloud - Cloud Service Frontend
  nextcloud-app:
    image: nextcloud:latest
    container_name: nextcloud-app
    restart: unless-stopped
    hostname: $NEXTCLOUD_DOMAIN_NAME
    networks:
      proxynet:
        ipv4_address: 192.168.xxx.45 
    environment:
      user: $PUID:$PGID
      UID: $PUID
      GID: $PGID
      REDIS_HOST: 192.168.xxx.71
      REDIS_HOST_PASSWORD: xxx 
      NEXTCLOUD_TRUSTED_DOMAIN: $NEXTCLOUD_DOMAIN_NAME
      TRUSTED_PROXIES: 192.168.xxx.0/24
    volumes:
      - $DOCKERDIR/appdata/nextcloud/app:/var/www/html
      - $DOCKERDIR/appdata/nextcloud/daten:/var/www/html/data
      - $DOCKERDIR/appdata/nextcloud/log:/var/Log
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.nextcloud-rtr.entrypoints=websecure"
      - "traefik.http.routers.nextcloud-rtr.rule=Host(`nextcloud.$DOMAINNAME_HS`)"
      ## Middlewares
      - "traefik.http.routers.nextcloud-rtr.middlewares=chain-nextcloud@file"
      ## HTTP Service
      - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
      - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=80"

Container collabora.yml

services:
  collabora:
    image: collabora/code
    container_name: collabora
    networks:
      proxynet:
        ipv4_address: 192.168.xxx.47
    expose:
      - "9980"
    cap_add:
      - MKNOD
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - $DOCKERDIR/appdata/collabora/config:/config
    environment:
      - aliasgroup1=https://nextcloud.$DOMAINNAME_HS    
      - dictionaries=de_DE en_US
      - VIRTUAL_PROTO=http
      - VIRTUAL_PORT=9980
      - VIRTUAL_HOST=${COLLABORA_FQDN}
      - extra_params=--o:ssl.enable=false  --o:ssl.termination=true
      - username=USERNAME       
      - password=PASSWORD         
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - traefik.passHostHeader=true
      ## Network IP
      - "traefik.docker.network=proxynet"
      ## HTTP Routers
      - "traefik.http.routers.collabora-rtr.entrypoints=websecure"
      - "traefik.http.routers.collabora-rtr.rule=(Host(`collabora.$DOMAINNAME_HS`))"
      - "traefik.http.routers.collabora-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.collabora-rtr.middlewares=chain-no-auth@file"
      ## HTTP Services
      - "traefik.http.routers.collabora-rtr.service=collabora-svc"
      - "traefik.http.services.collabora-svc.loadbalancer.server.port=9980"

Middlewares chain-nextcloud

http:
  middlewares:
    chain-nextcloud:
      chain:
        middlewares:
          - middlewares-traefik-bouncer # leave this out if you are not using CrowdSec
          - middlewares-rate-limit
          - middlewares-nextcloud-secure-headers
          - middlewares-nextcloud-redirect
          - middlewares-real-ip
          #- middlewares-compress

Middlewares nextcloud-redirect

http:
  middlewares:
    middlewares-nextcloud-redirect:
      redirectRegex:
        permanent: true
        regex: "https://(.*)/.well-known/(card|cal)dav"
        replacement: "https://${1}/remote.php/dav/"

Middlewares nextcloud-secure-headers

http:
  middlewares:
    middlewares-nextcloud-secure-headers:
      headers:
        accessControlMaxAge: 100
        # sslRedirect: true
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true # This is a good thing but it can be tricky. Enable after everything works.
    ### We will modify this value for Nextcloud to remove the X-Frame-Options error:
        customFrameOptionsValue: SAMEORIGIN # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
        contentTypeNosniff: true
        browserXssFilter: true
      # sslForceHost: true # add sslHost to all of the services
      # sslHost: "example.com"
        referrerPolicy: "no-referrer"
    ### While CSP is a good security setting, Nextcloud's Apache server takes care of this for us!
      # contentSecurityPolicy: "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
      # Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy
      # featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
        customResponseHeaders:
          # X-Robots-Tag: "none" # disable search engines from indexing home server
          # X-Robots-Tag: "noindex, nofollow"
          server: "" # hide server info from visitors

When I try to open a document with nextcloud-office, I get the following logs:

logs nextcloud

2024-05-10T15:20:27.376148370Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "GET /apps/files/api/v1/views HTTP/1.1" 200 817 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:27.473425931Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:27.527286808Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "PROPFIND /remote.php/dav/files/Nextcloud_admin/Testordner_admin/Neues_admin_dokument.odt HTTP/1.1" 207 1514 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:27.632833412Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "GET /apps/files/api/v1/views HTTP/1.1" 200 817 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:27.667937433Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "PROPFIND /remote.php/dav/files/Nextcloud_admin/Testordner_admin/Neues_admin_dokument.odt/ HTTP/1.1" 207 1506 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:27.713683603Z 88.153.xx.xxx - - [10/May/2024:15:20:27 +0000] "POST /apps/richdocuments/token HTTP/1.1" 200 1078 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:28.381150067Z 88.153.xx.xxx - - [10/May/2024:15:20:28 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 6686 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:29.448166162Z 88.153.xx.xxx - - [10/May/2024:15:20:29 +0000] "GET /apps/files/api/v1/stats HTTP/1.1" 200 936 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:32.674242530Z 88.153.xx.xxx - - [10/May/2024:15:20:32 +0000] "PUT /ocs/v2.php/apps/user_status/api/v1/heartbeat?format=json HTTP/1.1" 200 929 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:34.679018297Z 88.153.xx.xxx - - [10/May/2024:15:20:34 +0000] "GET /apps/files/api/v1/stats HTTP/1.1" 200 936 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

2024-05-10T15:20:40.561714368Z 88.153.xx.xxx - - [10/May/2024:15:20:40 +0000] "GET /ocs/v2.php/apps/dashboard/api/v2/widget-items?widgets%5B%5D=activity HTTP/1.1" 200 914 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:125.0) Gecko/20100101 Firefox/125.0"

logs collabora

2024-05-10T15:20:27.851260709Z wsd-00001-00068 2024-05-10 17:20:27.851193 +0200 [ websrv_poll ] ERR  WOPI::CheckFileInfo failed for URI [https://nextcloud.MYDOMAIN.COM/index.php/apps/richdocuments/wopi/files/776_oc5qyxrku0dl?access_token=JZAz0gRMdY3FaI40VckZEJu2YbnA8xX3&access_token_ttl=0]: 0 (Unknown) . Headers: 	Body: []| wsd/wopi/CheckFileInfo.cpp:95
2024-05-10T15:20:27.851280921Z wsd-00001-00068 2024-05-10 17:20:27.851207 +0200 [ websrv_poll ] ERR  #34: Invalid URI or access denied to [https://nextcloud.MYDOMAIN.COM/index.php/apps/richdocuments/wopi/files/776_oc5qyxrku0dl?access_token=JZAz0gRMdY3FaI40VckZEJu2YbnA8xX3&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:108
2024-05-10T15:20:28.078974324Z wsd-00001-00068 2024-05-10 17:20:28.078901 +0200 [ websrv_poll ] ERR  #33: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.MYDOMAIN.COM%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F776_oc5qyxrku0dl], State::Fail| wsd/RequestVettingStation.cpp:236
2024-05-10T15:20:28.118596655Z wsd-00001-00068 2024-05-10 17:20:28.118498 +0200 [ websrv_poll ] ERR  FileServerRequestHandler: File not found: Invalid URI request: [/browser/f12ee1f/images/lc_statetablecellmenu.svg].| wsd/FileServer.cpp:751
2024-05-10T15:20:28.124524412Z wsd-00001-00068 2024-05-10 17:20:28.124446 +0200 [ websrv_poll ] ERR  FileServerRequestHandler: File not found: Invalid URI request: [/browser/f12ee1f/images/lc_zoom.svg].| wsd/FileServer.cpp:751

Maybe there is an obvious error in the configuration? I would be glad about any tip and advice.

wwe · May 10, 2024, 7:22pm

thank you for all the details. I don’t see any issue with your config (especially no reason why CODE → Nextcloud doesn’t work with https and works with http). you are using cloudflare - some of their security and optimization options are known to brake things e.g. JS compression - consult GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. for details

but maybe

added to traefik.yml will help already…

PS: this is definitely not the problem and I don’t know if you have a reason to do so but in general you don’t need fixed IP with docker… usually you can skip all the ipv4_address: 192.168.xx.yy directives

Daniel-WW · May 11, 2024, 10:12am

GOOD NEWS: Collabora is working!
Thank you for all the tips.

I tried the aliases and it at least helped me, that the collabora container could find the nextcloud container. - But NC Office still couldn’t open any documents. - I share the logs below. You can see that collabora first tries to query the NC container (192.168.xxx.45) via 443. This doesn’t work, and then the request is directed to the traefik container (192.168.xxx.33). A connection could therefore be established internally. (I also had the impression that the connection ran much faster. I should keep this in mind for later experiments.)

traefik aliases: collabora logs

root@a4d81ea1fa7f:/# curl -v https://nextcloud.MYDOMAIN.COM/status.php
*   Trying 192.168.xxx.45:443...
* connect to 192.168.xxx.45 port 443 failed: Connection refused
*   Trying 192.168.xxx.33:443...
* Connected to nextcloud.MYDOMAIN.COM (192.168.xxx.33) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=MYDOMAIN.COM
*  start date: Mar 28 16:13:46 2024 GMT
*  expire date: Jun 26 16:13:45 2024 GMT
*  subjectAltName: host "nextcloud.MYDOMAIN.COM" matched cert's "*.MYDOMAIN.COM"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /status.php]
* h2h3 [:scheme: https]
* h2h3 [:authority: nextcloud.MYDOMAIN.COM]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5d80d9574c80)
> GET /status.php HTTP/2
> Host: nextcloud.MYDOMAIN.COM
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< access-control-allow-origin: *
< cache-control: no-store, no-cache, must-revalidate
< content-security-policy: default-src 'self'; script-src 'self' 'nonce-dEY2TEpIT0lVcERjdzh3anVWNmVEM1cvdlFLdm95aWVDeTN6bTBhc3Vwaz06L0F6WWRpVDdZc0x6cjY1VThXbk9WU0tQeUhiNjUzaXJjbHU0M1EvYzdQUT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< content-type: application/json
< date: Sat, 11 May 2024 07:51:04 GMT
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()
< pragma: no-cache
< referrer-policy: no-referrer
< set-cookie: oc5qyxrku0dl=bb73a58a63622782a04b0a6813efce77; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: oc_sessionPassphrase=F2J9JKZ%2FWKrUNgG27kedCh2bkozv9NCib2GArzGKCj0IP%2Fu%2FOGqrM7he6J9kIkGzle82Wq5EfEYQYta5mwNQTPXnjI9R%2FWDgyznIQw3GQrNhzBPnkMUI2KuAQKUlneb3; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: oc5qyxrku0dl=bb73a58a63622782a04b0a6813efce77; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< set-cookie: oc5qyxrku0dl=bb73a58a63622782a04b0a6813efce77; path=/; secure; HttpOnly; SameSite=Lax
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-powered-by: PHP/8.2.18
< x-robots-tag: noindex, nofollow
< x-xss-protection: 1; mode=block
< content-length: 171
< 
* Connection #0 to host nextcloud.MYDOMAIN.COM left intact
{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"29.0.0.19","versionstring":"29.0.0","edition":"","productname":"Nextcloud","extendedSupport":false}root@a4d81ea1fa7f:/#

traefik aliases: Nextcloud logs

root@nextcloud:/var/www/html# curl -v https://collabora.MYDOMAIN.COM/hosting/discovery
*   Trying 192.168.xxx.33:443...
* Connected to collabora.MYDOMAIN.COM (192.168.xxx.33) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=MYDOMAIN.COM
*  start date: Mar 28 16:13:46 2024 GMT
*  expire date: Jun 26 16:13:45 2024 GMT
*  subjectAltName: host "collabora.MYDOMAIN.COM" matched cert's "*.MYDOMAIN.COM"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /hosting/discovery]
* h2h3 [:scheme: https]
* h2h3 [:authority: collabora.MYDOMAIN.COM]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5c3cee511c80)
> GET /hosting/discovery HTTP/2
> Host: collabora.MYDOMAIN.COM
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< content-type: text/xml
< date: Sat, 11 May 2024 08:47:06
< last-modified: Sat, 11 May 2024 08:47:06
< permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()
< referrer-policy: same-origin
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-robots-tag: none,noarchive,nosnippet,notranslate,noimageindex,
< x-xss-protection: 1; mode=block
< content-length: 30007
< 
<wopi-discovery>
    <net-zone name="external-http">

        <!-- Writer documents -->
        <app favIconUrl="https://collabora.MYDOMAIN.COM/browser/f12ee1f/images/x-office-document.svg" name="writer">
            <action default="true" ext="sxw" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="odt" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fodt" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Text template documents -->
            <action default="true" ext="stw" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="ott" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- MS Word -->
            <action default="true" ext="doc" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="dot" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- OOXML wordprocessing -->
            <action default="true" ext="docx" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="docm" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="dotx" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="dotm" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="wpd" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="pdb" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="hwp" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="wps" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="wri" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="lrf" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="mw" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="rtf" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="txt" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fb2" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="cwk" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="pages" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="abw" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="602" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <app name="writer-global">
            <!-- Text master documents -->
            <action default="true" ext="sxg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="odm" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Writer master document templates -->
            <action default="true" ext="otm" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <app name="writer-web">
            <action default="true" ext="oth" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Calc documents -->
        <app favIconUrl="https://collabora.MYDOMAIN.COM/browser/f12ee1f/images/x-office-spreadsheet.svg" name="calc">
            <action default="true" ext="sxc" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="ods" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fods" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Spreadsheet template documents -->
            <action default="true" ext="stc" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="ots" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- MS Excel -->
            <action default="true" ext="xls" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="xla" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- OOXML spreadsheet -->
            <action default="true" ext="xltx" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="xltm" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="xlsx" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="xlsb" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="xlsm" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="dif" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="slk" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="csv" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="dbf" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="wk1" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="gnumeric" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="numbers" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Impress documents -->
        <app favIconUrl="https://collabora.MYDOMAIN.COM/browser/f12ee1f/images/x-office-presentation.svg" name="impress">
            <action default="true" ext="sxi" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="odp" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fodp" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Presentation template documents -->
            <action default="true" ext="sti" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="otp" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- MS PowerPoint -->
            <action default="true" ext="ppt" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="pot" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- OOXML presentation -->
            <action default="true" ext="pptx" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="pptm" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="potx" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="potm" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="ppsx" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Others -->
            <action default="true" ext="cgm" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="key" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Draw documents -->
        <app name="draw">
            <action default="true" ext="sxd" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="odg" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fodg" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Drawing template documents -->
            <action default="true" ext="std" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="otg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <!-- Others -->
            <action ext="svg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="dxf" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="emf" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="wmf" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="cdr" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="vsd" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="vsdx" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="vss" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="pub" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="p65" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="wpg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action default="true" ext="fh" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="bmp" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="png" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="gif" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="tiff" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="jpg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="jpeg" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
            <action ext="pdf" name="view_comment" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Math documents -->
        <!-- In fact Math documents are not supported at all.
             See: https://bugs.documentfoundation.org/show_bug.cgi?id=97006
        <app name="math">
            <action name="view" default="true" ext="sxm"/>
            <action name="edit" default="true" ext="odf"/>
        </app>
        -->

        <!-- Legacy MIME-type actions (compatibility) -->

        <app name="image/svg+xml">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Writer documents -->
        <app name="application/vnd.sun.xml.writer">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Calc documents -->
        <app name="application/vnd.sun.xml.calc">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Impress documents -->
        <app name="application/vnd.sun.xml.impress">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Draw documents -->
        <app name="application/vnd.sun.xml.draw">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics-flat-xml">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Chart documents -->
        <app name="application/vnd.oasis.opendocument.chart">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Text master documents -->
        <app name="application/vnd.sun.xml.writer.global">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-master">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Math documents -->
        <!-- In fact Math documents are not supported at all.
             See: https://bugs.documentfoundation.org/show_bug.cgi?id=97006
        <app name="application/vnd.sun.xml.math">
            <action name="view" default="true" ext=""/>
        </app>
        <app name="application/vnd.oasis.opendocument.formula">
            <action name="edit" default="true" ext=""/>
        </app>
        -->
        <!-- Text template documents -->
        <app name="application/vnd.sun.xml.writer.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Writer master document templates -->
        <app name="application/vnd.oasis.opendocument.text-master-template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Spreadsheet template documents -->
        <app name="application/vnd.sun.xml.calc.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.spreadsheet-template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Presentation template documents -->
        <app name="application/vnd.sun.xml.impress.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.presentation-template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Drawing template documents -->
        <app name="application/vnd.sun.xml.draw.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.graphics-template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- MS Word -->
        <app name="application/msword">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/msword">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- MS Excel -->
        <app name="application/vnd.ms-excel">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- MS PowerPoint -->
        <app name="application/vnd.ms-powerpoint">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- OOXML wordprocessing -->
        <app name="application/vnd.openxmlformats-officedocument.wordprocessingml.document">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-word.document.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.wordprocessingml.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-word.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- OOXML spreadsheet -->
        <app name="application/vnd.openxmlformats-officedocument.spreadsheetml.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.sheet.binary.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-excel.sheet.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- OOXML presentation -->
        <app name="application/vnd.openxmlformats-officedocument.presentationml.presentation">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint.presentation.macroEnabled.12">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.presentationml.template">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-powerpoint.template.macroEnabled.12">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- Others -->
        <app name="application/vnd.wordperfect">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-aportisdoc">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-hwp">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-works">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-mswrite">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-dif-document">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="text/spreadsheet">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="text/csv">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-dbase">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.lotus-1-2-3">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/cgm">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/vnd.dxf">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/x-emf">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/x-wmf">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/coreldraw">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.visio2013">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.visio">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.ms-visio.drawing">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-mspublisher">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-sony-bbeb">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-gnumeric">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/macwriteii">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-iwork-numbers-sffnumbers">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.oasis.opendocument.text-web">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-pagemaker">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="text/rtf">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="text/plain">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-fictionbook+xml">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/clarisworks">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/x-wpg">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-iwork-pages-sffpages">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.openxmlformats-officedocument.presentationml.slideshow">
            <action default="true" ext="" name="edit" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-iwork-keynote-sffkey">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-abiword">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/x-freehand">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/vnd.sun.xml.chart">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/x-t602">
            <action default="true" ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/bmp">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/png">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/gif">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/tiff">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/jpg">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="image/jpeg">
            <action ext="" name="view" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>
        <app name="application/pdf">
            <action ext="" name="view_comment" urlsrc="https://collabora.MYDOMAIN.COM/browser/f12ee1f/cool.html?"/>
        </app>

        <!-- End of legacy MIME-type actions -->

        <app name="Capabilities">
            <action ext="" name="getinfo" urlsrc="https://collabora.MYDOMAIN.COM/hosting/capabilities"/>
        </app>
    </net-zone>
* Connection #0 to host collabora.MYDOMAIN.COM left intact

But Nextcloud Office was only able to work successfully when I carried out the following step: I noticed that the Collabora Container always tries to address the NC Container internally as long as it is in the same network. I have therefore assigned Collabora a different network that also takes traefik into account. I then tested the connection to NC again from the collabora container and received the following successfull logs:

different network: collabora logs

root@eb3456ae0ff3:/# curl -v https://nextcloud.MYDOMAIN.COM/status.php
*   Trying 104.XXX.XXX.193:443...
* Connected to nextcloud.MYDOMAIN.COM (104.XXX.XXX.193) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=MYDOMAIN.COM
*  start date: Mar 18 06:57:13 2024 GMT
*  expire date: Jun 16 06:57:12 2024 GMT
*  subjectAltName: host "nextcloud.MYDOMAIN.COM" matched cert's "*.MYDOMAIN.COM"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /status.php]
* h2h3 [:scheme: https]
* h2h3 [:authority: nextcloud.MYDOMAIN.COM]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x56a752a79c80)
> GET /status.php HTTP/2
> Host: nextcloud.MYDOMAIN.COM
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< date: Sat, 11 May 2024 08:57:57 GMT
< content-type: application/json
< content-length: 171
< access-control-allow-origin: *
< cache-control: no-store, no-cache, must-revalidate
< content-security-policy: default-src 'self'; script-src 'self' 'nonce-K01LcHhMMmY0UW5TeHM4Qm1kckl4Z2VkeVpRWU5vcVJGVElLQU9JbkFvUT06dS9YOXQvclhxRm1BaVp0WTErdUdoRy96cnRBcVhzdmlmRWhGTjZCS2Vzaz0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()
< pragma: no-cache
< referrer-policy: no-referrer
< set-cookie: oc5qyxrku0dl=132ceae77d58031d9576e15d013e78b2; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: oc_sessionPassphrase=3Y9nK%2B4ILTJDeQ04dWZh0FjwpEC5nHLoSHrVPsql7zywx9KU6DxZ0LiWVt9aXILqNbCTft1FRYAMmdwn%2BKi9osFR%2B0NJ%2BlWa44CuBUhDKbhYRNVQkppKGsiFOhCMUrGt; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: oc5qyxrku0dl=132ceae77d58031d9576e15d013e78b2; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< set-cookie: oc5qyxrku0dl=132ceae77d58031d9576e15d013e78b2; path=/; secure; HttpOnly; SameSite=Lax
< strict-transport-security: max-age=63072000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-powered-by: PHP/8.2.18
< x-robots-tag: noindex, nofollow
< x-xss-protection: 1; mode=block
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kacRUGsd51BTbGCBS0bsgF4oy2g3BEVNVmSBsgXvURUH1aZL%2BUh0Pvlb7G79EM95d6BtADwuD%2FUHV6vZFvNJsr4Q5V7vqDoVAUaXuDw2LZndxdaj%2FTut35ui%2FFlcwUZc2FFSYSY%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8820f6dfead95d49-FRA
< alt-svc: h3=":443"; ma=86400
< 
* Connection #0 to host nextcloud.MYDOMAIN.COM left intact
{"installed":true,"maintenance":false,"needsDbUpgrade":false,"version":"29.0.0.19","versionstring":"29.0.0","edition":"","productname":"Nextcloud","extended

With these settings, Collabora no longer tries to establish an internal connection to the NC Container and Nextcloud Office works. - For now, I’m just happy that it works. I have a guess as to what the reasons could be: I have several LXC containers running on my Proxmox system, all of which are connected to one another via an internal Proxmox network. Let’s call it ProxNet. Some LXC containers run Docker with different applications. ProxNet is also stored on the Docker systems as macvlan so that the containers can communicate with each other across the LXC boundaries. (This works well for different scenarios.) In the aforementioned case, traefik, nextcloud and collabora were also all connected via this macvlan. (Unfortunately, I forgot to mention this special feature before. Sorry!) - So I think the connection didn’t work like it does with a normal Docker network. - I suspect a NAT problem in the internal Proxmox network. Is anyone familiar with it? Does Docker handle requests differently within a Macvlan network than in its own network? - Unfortunately, I only have very rudimentary knowledge of this.
Thank you also for the tip about the cloudflare barriers. I will take these into account in the future. Apparently this also slows down the speed a lot. - And yes, the fixed IP addresses are generally not necessary. But I use it especially in connection with macvlans to keep a good overview.

I would be happy if there is someone else who is familiar with Proxmox networks and macvlans in Docker and can give me some tips. Maybe the aforementioned problem can be solved in the Proxmox or Docker settings without having to use two separate networks. Thank you and best regards - Daniel

wwe · May 11, 2024, 8:33pm

I think there is some issue with your DNS. macvlan is more or less directly connected to the physical network - maybe you have some kind of local DNS for nextcloud.MYDOMAIN.COM there… this would explain this is used as first connection (and why it worked with http from the beginning).

I don’t think there is a good reason for direct connection with containers behind reverse proxy - this is why I recomend to completely hide the container inside docker network and route all communications through reverse proxy. I you scenario you would only connect traefik with macvlan but Nextcloud and CODE only connect to an internal docker network with no “external” IP. This helps to make connection always follow the same path and avoid strange routing issues resulted from http vs https connection etc…