No, in my case everything works well when accessed from the internet. When I try to access Nextcloud from the LAN, I still have problems opening Collabora.
I tried changing the /etc/hosts file like you explained, but it's still not working.
Same problem here.
EDIT: hacking the permission mask like @praet0ri4n suggested will work around the problem and make Collabora work.
Can anyone shed some light on why the request comes from a host which is not mapped in the permission mask? How can this be solved?
thanks
Can confirm this is still happening with the latest CODE image updates last month. In this case I have CODE set up on a separate server with Docker and an nginx reverse proxy. I can connect to the nginx instance fine, but when I open a document I get a similar error.
wsd-00029-00040 2019-01-23 14:59:16.837453 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.4| wsd/LOOLWSD.cpp:1971
Where 172.17.0.4 is the nginx container. Far as I can tell my nginx proxy is correct.
# static files
location ^~ /loleaflet {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Host $http_host;
}

# Capabilities
location ^~ /hosting/capabilities {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Host $http_host;
}

# main websocket
location ~ ^/lool/(.*)/ws$ {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}

# download, presentation and image upload
location ~ ^/lool {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Host $http_host;
}

# Admin Console websocket
location ^~ /lool/adminws {
    proxy_pass https://172.17.0.2:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}
Not sure how to resolve that. Unless I need to link the containers on their own network and turn off SSL on the CODE container?
Hmm, I'm getting this error:
wsd-00028-00039 2019-02-14 13:53:33.329330 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971
I even tried the mask suggested by @prae0ri4n
and still got the same error.
I tried changing the /etc/hosts file but this didn't work either (did this by logging into the container).
I haven't tried downgrading the container version yet.
Any other suggestions?
Other than doing this trick, did you do anything else to make Collabora show the odt document?
The problem with ::ffff:172 comes from merging IPv6 and IPv4.
Disable IPv6 with
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
and for the future
echo net.ipv6.conf.all.disable_ipv6 = 1 > /etc/sysctl.d/01-disable-ipv6.conf
then restart the Docker container and all works fine.
with regards
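The mismatch behind the "::ffff:172" log entries, as an added example that is not part of the original posts and not Collabora's code: an allow-list of IPv4 regex patterns never matches a peer reported in IPv4-mapped IPv6 form unless the address is normalized first. The patterns and function names are assumptions for illustration; the two log lines are copied from this thread.

```python
import ipaddress
import re

# Hypothetical allow-list written with plain IPv4 patterns only
# (an assumption for illustration, not copied from loolwsd.xml).
ALLOW_PATTERNS = [
    r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}",
    r"172\.17\.[0-9]{1,3}\.[0-9]{1,3}",
    r"127\.0\.0\.1",
]

# Log lines as posted in this thread.
SAMPLE_LOG = [
    "wsd-00029-00040 2019-01-23 14:59:16.837453 [ websrv_poll ] ERR "
    "Requesting address is denied: ::ffff:172.17.0.4| wsd/LOOLWSD.cpp:1971",
    "wsd-00028-00039 2019-02-14 13:53:33.329330 [ websrv_poll ] ERR "
    "Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971",
]

DENIED_RX = re.compile(r"Requesting address is denied: ([0-9a-fA-F:.]+)\|")


def denied_peers(log_lines):
    """Return the peer addresses from 'Requesting address is denied' lines."""
    return [m.group(1) for line in log_lines if (m := DENIED_RX.search(line))]


def normalize_peer(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def is_allowed(addr, patterns=ALLOW_PATTERNS, normalize=False):
    """Full-match the (optionally normalized) peer against each pattern."""
    candidate = normalize_peer(addr) if normalize else addr
    return any(re.fullmatch(p, candidate) for p in patterns)


if __name__ == "__main__":
    for peer in denied_peers(SAMPLE_LOG):
        print(peer, "raw:", is_allowed(peer),
              "normalized:", is_allowed(peer, normalize=True))
```

Normalizing the peer keeps the allow-list narrow: an address outside the listed ranges is still rejected after normalization, which is not the case if the mask is simply widened.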
In my case it turned out this error does not block Collabora from working (I still see it in the logs).
The important part to ensure is that inside the container the /etc/loolwsd/loolwsd.xml
file is correctly pointing to your NextCloud domain:
<storage desc="Backend storage">
<filesystem allow="false" />
<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
<host desc="Regex pattern of hostname to allow or deny." allow="true">your\.nextcloud-domain\.com</host>
...
I tried this approach and I must have something really screwed up. Where do I run these commands?? With the docker container? Within the docker host? or within the nextcloud host?
@anon50134577 - I do have that statement within the loolwsd.xml file:
<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true"> <host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud\.domain\.com</host>
I substituted "domain" here and actually put my real domain name. Unfortunately I still get the same error.
How are you invoking the docker container on the command line?
I'm using the following:
sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\.domain\.com' --name="jax" -e "username=admin" -e "password=dockercol" --restart always --cap-add MKNOD collabora/code
I've used a lot of permutations and whatever I put down always seems to result in the same error:
wsd-00028-00039 2019-02-14 18:59:57.296446 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971
Hello kevdog,
I used these commands on the docker host.
with regards
I believe that is not a blocking error you should worry about at this time: did you notice some other error that is breaking Collabora?
Looking at the docker log file I'm getting this as well:
frk-00031-00031 2019-02-14 19:55:51.864119 [ forkit ] ERR Error: forkit has more than a single thread after pre-init| kit/ForKit.cpp:540
That seems to be the main one.
I'll post the log here:
https://pastebin.com/5efWScTE
The logfile is almost 2000 lines. Almost impossible to debug. I put logging level at debug.
Honestly after thumbing through the 2000 line log, the only other problem I'm seeing is this:
(And am I supposed to be generating certs at the top of the log???)
I think it's the intended (albeit convoluted) behaviour of how Nextcloud talks with Collabora.
The error that you mention a bit earlier, too, doesn't seem to be a showstopper: see here and here
What was the error again? .ODT documents do not open? Are you experiencing, too, the spinning loading icon that doesn't disappear?
Yeah, on screen it's the spinning loading icon that does not disappear. Yes, my test documents are .odt. Should I try a different document type?
I assumed the spinning loading icon was due to the error I keep posting... Maybe not?
I believe so. The log file you posted looks fine (although I may be not the best person to inspect that).
Asking a basic question, did you configure the Collabora endpoint on NextCloud, right?
Yes I did configure the endpoint on Nextcloud.
I first attempted a local IP address, but that didn't work since I suspect that was a cert thing.
I then put in the URL and that's when I get the spinny thing.
You know the funny thing is when I go into the web admin console for Collabora, the initial web page loads showing the interface then I get a connection error. In the logs I get:
[Thu Feb 14 15:25:37.381571 2019] [proxy:warn] [pid 17119:tid 140504239175424] [client 10.0.1.158:39243] AH01144: No protocol handler was valid for the URL /lool/adminws/ (scheme 'wss'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
I'm not sure that has anything to do with it.
Ok I wanted to add some closure to this topic. I managed to get things up and running and the actual error had nothing to do with it.
I'll just describe what the problem was and my solution and give anyone a chance to comment on the solution.
I originally had an Apache webserver located within the DMZ -> forwarding to an Apache webserver located within the LAN -> forwarding to the Collabora docker container running on the same machine as the internal LAN Apache server.
I believe my problems all stem from the way the SSL certs were being handled. I'm not certain exactly how to handle all the SSL forwarding and certification credentials, so anyone with experience can add input.
I have one master SSL cert <domain.com> and the subdomains also are attached to this certificate <nextcloud.domain.com> <office.domain.com>
The solution I've come up with is to basically take the back end Apache webserver out of the loop (although I'd really like to keep this in).
Current working setup is
Apache webserver (DMZ) -> with redirects to port 9980 directly on the machine located within the LAN.
How I achieved this was the following:
- Relevant portions of the virtual host file on the Apache webserver located within the DMZ: (Sorry about the formatting guys, I don't know what's up with this BB)
<VirtualHost *:443>
    ServerAdmin admin@domain.com
    ServerName office.domain.com
    DirectoryIndex /index.php index.php index.html index.htm
    DocumentRoot /usr/local/www/office
    Options -Indexes

    SSLEngine on
    SSLCertificateFile /usr/local/etc/letsencrypt/live/domain.com/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/domain.com/privkey.pem

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLOptions +StrictRequire

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet https://office.domain.com:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://office.domain.com:9980/loleaflet

    # WOPI discovery URL
    ProxyPass /hosting/discovery https://office.domain.com:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery https://office.domain.com:9980/hosting/discovery

    # Capabilities
    ProxyPass /hosting/capabilities https://office.domain.com:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities https://office.domain.com:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://office.domain.com:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /lool/adminws wss://office.domain.com:9980/lool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool https://office.domain.com:9980/lool
    ProxyPassReverse /lool https://office.domain.com:9980/lool
</VirtualHost>
Please note that I have an official office.domain.com.
On the second machine I set up the docker Collabora installation, and started the container with the following parameters:
sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 9980:9980 -e 'domain=nextcloud\.gohilton\.com' --name="jax" -e "username=admin" -e "password=dockercol" --restart always --cap-add MKNOD collabora/code
A couple of things about the starting parameters - I passed the sysctl parameters to disable ipv6 within the container as suggested, and I bound the 9980 listening port directly rather than the typical -p 127.0.0.1:9980:9980 which would only listen on the localhost.
The major issue is that I didn't want port 9980 on the LAN machine to be exposed to the internet. This was my major stumbling point. The reverse proxy statements required a valid SSL certificate - in my case office.domain.com - however this URL resolved to an external IP address (if using an external DNS server). Since I'm not running an internal DNS server, I ended up modifying the /etc/hosts file on the computer running the Apache webserver.
I added the following:
10.0.1.162 office.domain.com
10.0.1.162 represented the internal LAN address of the VM host running the docker instance.
My only exposed ports in the DMZ were 80/443.
With this setup, the docker Collabora setup seems to be working - no more spinning icon - however the docker log files still produced the following error:
wsd-00028-00039 2019-02-15 16:12:43.064003 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found| wsd/FileServer.cpp:414
And occasionally I get this error as well
wsd-00028-00039 2019-02-15 16:12:43.063898 [ websrv_poll ] WRN client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279
I don't know how to interpret these errors, but just to report, everything seems to work.
I'm not sure if this setup is correct, however it works in my case. I'm running the Apache webserver within a FreeNAS jail running FreeBSD. The docker container is running within a VM running Ubuntu Linux. Perhaps a different setup would help.
Thanks for everyone's help in trying to resolve the issue.