Nextcloud office always uses https with collabora


Nextcloud version (eg, 29.0.5): docker latest
Operating system and version (eg, Ubuntu 24.04): fedora server
Apache or nginx version (eg, Apache 2.4.25): nginx
PHP version (eg, 8.3): docker version

The issue you are facing:
What I debugged:
Nextcloud office uses always https with collabora and I cannot disable it.
When I enable collabora ssl, nextcloud will not connect because collabora docker uses self signed certificates.
When I disable collabora ssl and replace https with http and try nextcloud POST request via curl from nextcloud, it seems to return correct result.
I tried everything to disable https from nextcloud and nothing works.
Only workaround I can think of is put collabora behind nginx, where I have ssl certificates for my domain. But I don’t want to make my collabora public.

My question is how to disable this https? I have nextcloud behind the mentioned nginx, so I don’t need any ssl in nextcloud.

I have nextcloud, postgres, valkey, collabora in podman rootless containers,
If needed, I can provide quadlet files with all podman configurations.

The output of your Nextcloud log in Admin > Logging:

There are not even debug logs for this.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

only custom thing is now:
'overwritehost' => '****:1180',
and 'trusted_domains' =>
**** is my domain 
this is needed otherwise I can't login to nginx (untrusted domain)

The output of your Apache/nginx/system log in /var/log/____:

Not applicable

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

Error is that connection to collabora timed out

I moved forward with this issue. I played with requests which nextcloud sends to collabora.

This command will time out:

curl -k 'https://192.168.4.5:9980/browser/d5ebff5/cool.html?WOPISrc=https%3A%2F%2Fxxxxxxxxxxxx%3A1180%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F12500_ockwjlr0cmfa&title=%2FDocuments%2FDane%2FDane2023%2Finvestice%2FVypocet2022.xlsx&lang=en&closebutton=1&revisionhistory=1' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Content-Length: 4313' -H 'Origin: null' -H 'DNT: 1' -H 'Sec-GPC: 1' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: iframe' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: cross-site' -H 'Sec-Fetch-User: ?1' -H 'Priority: u=4'

It seems to be caused by:

-H 'Content-Length: 4313'

If I will set it to 0 or remove it, command returns the html page.

I think that is the root cause of the issue. But I don’t know why this happens.

this is how the WOPI protocol works - both systems must be accessible from the client and have valid TLS certificates.

as long as your Nextcloud is public Collabora must be as well. Please review Collabora Integration guide for details.

no valid (public) TLS certificate can be issued for an IP address :man_shrugging:

I’m not sure why,
right now I have nextcloud, valkey, postgres, collabora on one podman localhost network. Nextcloud has at this time no certificates and I publish only ports on the nextcloud container (I can attach quadlet files if needed).
And then I access this published port via nginx with certificates (to nginx goes https and from nginx http). So, I don’t see any reason why collabora should be public.

Regardless of that, I tried what you mentioned. I detached collabora, published the port and connected it to nginx the same way as nextcloud is (and disabled ssl in collabora settings). When I access it via web browser, it shows “ok” on the default page, like it should (if I understand correctly). But nextcloud office never showed the green validation page. And I cannot debug it in the web browser like when I open a file.

When collabora is in the same podman network as nextcloud, validation passes, but due to content length opening a file in collabora times out. So, making collabora public is a step back.

I’m thinking, maybe you are confused by the curl command I posted.

curl -k 'https://192.168.4.5:9980/browser/d5ebff5/cool.html?WOPISrc=https%3A%2F%2Fxxxxxxxxxxxx%3A1180%2Findex.php.....

Yes, the first part has an IP address, but WOPISrc does not contain an IP address. In xxxxxxxxx is a domain name. And I don’t want to make it too public, because it is publicly accessible. So, WOPI uses a publicly accessible domain name, like you said.

I think I just need to solve issue with

 'Content-Length: 4313'

and everything will be working. But this is a header which is created by nextcloud or apache in the nextcloud docker image.

I’m sorry but you are wrong. Reasons for external access are explained in the reference article.

is not going to work behind reverse proxy as it must be https://collabora.mydomain.tld or https://collabora.mydomain.tld:443.

and

might be not enough as CODE requires special configuration especially websockets.

I configured nginx for collabora according to

https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html
Reverse proxy settings in Nginx config (SSL termination)

https://xxxxx:9980/hosting/discovery is giving me correct xml page

but nextcloud office verify says:

Could not establish connection to the Collabora Online server.

Failed to connect to the remote server: cURL error 7: Failed to connect to xxxxxport 9980 after 1 ms: Couldn't connect to server (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://xxxxx:9980/hosting/discovery

Hmm, I tried curl with the same from nextcloud container:

www-data@ksj:~/html$ curl -vvv -XGET https://xxxxx:9980/hosting/discovery
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 192.168.4.2:9980...
* connect to 192.168.4.2 port 9980 failed: Connection refused
* Failed to connect to xxxxx port 9980 after 1 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to xxxxx port 9980 after 1 ms: Couldn't connect to server

It seems nextcloud creates his own dns record and it is redirecting messages for someone else…

no it does not.

and it is still wrong to connect to CODE using https and port :9980 which is plain http… your internal DNS must resolve the IP address of the reverse proxy (external or internal) to utilize public TLS certs. This must happen for both cloud and CODE - please read and understand the integration guide.

I can’t use port 443, because it is used for another service.
Maybe I don’t understand, but why is there a need to use some specific port?
I had an issue with a specific port only when I configured selinux on the server, where there are groups of ports defined.
If there is a specific port, other than 443, I can use it, but which one is that?

Also, when this translation my domain name xxxxx to 192.168.4.2 is not done by nextcloud, then I don’t know what else can translate it.
I don’t have dns service on server. And nginx, which only has domain name is on different machine in site. 192.168.4.2 is local address of nextcloud.

I think it is done by nextcloud docker image (possibly by apache) by this only argument, I’m using:

OVERWRITEHOST=xxxxx:1180 

And I can’t remove it, otherwise I can’t access to nextcloud due to untrusted proxy.

is used to make the system aware of reverse proxy.

if there is a reverse proxy it should use port 443 and forward the connection to specific application.

Please familiarize yourself with how to run an application behind a reverse proxy. shortly we published an article 101: reverse proxy explaining the basics of reverse proxy and Nextcloud configuration.

I have on server around 10 services through this proxy. I can’t give all of them the same port 443. I think I would need 10 different hostnames at least.

you nailed it - this is exactly the main reason to use a reverse proxy - you want to have every application running on :443 because this is the most frequent and reliable port (many corporate networks block other ports even for outgoing traffic).

You have one single entry point aka port forward from the firewall to a reverse proxy. the reverse proxy provides TLS certificates and decides based on some rules (different hostnames are the most simple design, but specific routes e.g. main.mydomain.tld/app1 and …/app2 would work as well).

find attached a drawing of a reverse proxy with TLS termination (SSL offloading):
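The layout described in the reply above, written out as an nginx configuration. This is an added example, not part of the thread or of the Nextcloud or Collabora documentation; the Collabora locations are modelled on the Proxy_settings page linked earlier in the thread. The `cloud.` hostname, certificate paths, the `192.0.2.x` backend addresses and the `allow` range are placeholders.

```nginx
# Added example: hostnames, certificate paths and backend addresses are placeholders.
# CODE itself runs plain HTTP behind the proxy (ssl.enable=false, ssl.termination=true).

server {                                   # Nextcloud
    listen 443 ssl;
    server_name cloud.mydomain.tld;
    ssl_certificate     /etc/ssl/mydomain/fullchain.pem;
    ssl_certificate_key /etc/ssl/mydomain/privkey.pem;

    location / {
        proxy_pass http://192.0.2.10:1180;           # published Nextcloud port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {                                   # Collabora Online (CODE)
    listen 443 ssl;
    server_name collabora.mydomain.tld;
    ssl_certificate     /etc/ssl/mydomain/fullchain.pem;
    ssl_certificate_key /etc/ssl/mydomain/privkey.pem;

    # Static files, WOPI discovery and capabilities
    location ^~ /browser              { proxy_pass http://192.0.2.11:9980; proxy_set_header Host $host; }
    location ^~ /hosting/discovery    { proxy_pass http://192.0.2.11:9980; proxy_set_header Host $host; }
    location ^~ /hosting/capabilities { proxy_pass http://192.0.2.11:9980; proxy_set_header Host $host; }

    # Document editing WebSocket
    location ~ ^/cool/(.*)/ws$ {
        proxy_pass http://192.0.2.11:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Download, presentation and image upload
    location ~ ^/(c|l)ool { proxy_pass http://192.0.2.11:9980; proxy_set_header Host $host; }

    # Admin console WebSocket: reachable from the internal network only
    location ^~ /cool/adminws {
        allow 192.0.2.0/24;
        deny all;
        proxy_pass http://192.0.2.11:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }
}
```

With this layout the Collabora URL entered in Nextcloud Office is `https://collabora.mydomain.tld` with no port, and the proxy's address has to be listed in Nextcloud's `trusted_proxies` so the forwarded headers are honoured.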

I understand the principle, but I think in that wiki there should be an example of configuration.

Meanwhile I found out the way how to run collabora in nextcloud without this.
And I think in next podman version (with new arguments for quadlet file) I will be able to have collabora in private network, without open public port.

but I wish you success with the new podman.

for the future visitors reference: WOPI protocol always requires access to Collabora from the client (external as well).

Podman creates a pod, which behaves like everything inside is on localhost.
WOPI protocol contains link to nextcloud which is always public, so it should be ok.

You know, I don’t know collabora. I have seen the admin username and password in configuration, but I haven’t seen it in nextcloud, so, if it is without password, someone can at least use it. (Register in nextcloud or other client). And I don’t know if you can DoS the server with it.