Hello,
I’m facing problems with opening documents in my browser using Nextcloud Office.
My set up looks like this:
Nextcloud 25.0.4, Snap Installation on Ubuntu 22.04.2
On that same server I got the Collabora Server running with Docker: collabora/code:latest
On a different VM I got a nginx reverse proxy running, forwarding traffic to my nextcloud and collabora server.
That nginx reverse proxy used to forward the local IP of itself, not the clients IP, to my Nextcloud instance.
Adding the local IP of the reverse proxy to the “Allow list for WOPI requests” in the Nextcloud Office UI for my Collabora Server worked fine. Configuration worked and I could open and edit documents.
Because I didn’t like the fact, that I couldn’t see the real IP of clients connecting to my nextcloud server in the logs and security reasons, I edited the configuration of my nginx reverse proxy.
Using headers it worked with the logs. I could see the corret IP of clients.
(see configuration below)
But all of a sudden opening documents doesn’t work now.
Only if I add my public IP to “Allow list for WOPI requests” I’m able to open documents now.
To me it seems, like my reverse proxy is now forwarding the public IP of my network when the collabora server and the nextcloud server are communicating.
My public IP could change any time so of course adding it to the allow list can only be a workaround.
From the behaviour and setup described above, do you guys know where the error is in my configuration?
Nginx Reverse Proxy Config:
server {
server_name nc.example.de;
location / {
proxy_pass http://192.168.1.5/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $https;
add_header Strict-Transport-Security "max-age=15768000;includeSubDomains";
}
client_max_body_size 0;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/nc.example.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/nc.example.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
}
server {
if ($host = nc.example.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name nc.example.de;
return 404; # managed by Certbot
}
server {
server_name collabora.example.de;
# static files
location ^~ /browser {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Host $http_host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Host $http_host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Host $http_host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Host $http_host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://192.168.1.5:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $http_host;
proxy_read_timeout 36000s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/collabora.example.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/collabora.example.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = collabora.example.de) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name collabora.example.de;
listen 80;
return 404; # managed by Certbot
}