Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971

No, in my case everything works well when accessed from the internet. When I try to access nextcloud from the LAN, I still have problems with opening collabora.
I tried to change the /etc/hosts file like you explained, but it's still not working.

Same problem here.

EDIT: hacking the permission mask like @praet0ri4n suggests will work around the problem and make Collabora work.

Can anyone shed some light on why the request comes from a host which is not mapped in the permission mask? How can this be solved?

thanks

Can confirm this is still happening with the latest CODE image updates last month. In this case I have CODE set up on a separate server with docker and an nginx reverse proxy. I can connect to the nginx instance fine, but when I open a document I get a similar error.

wsd-00029-00040 2019-01-23 14:59:16.837453 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.17.0.4| wsd/LOOLWSD.cpp:1971

Where 172.17.0.4 is the nginx container. Far as I can tell my nginx proxy is correct.

    # static files
    location ^~ /loleaflet {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://172.17.0.2:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

Not sure how to resolve that. Unless I need to link the containers on their own network and turn off SSL on the CODE container?

Hmm I'm getting error:

wsd-00028-00039 2019-02-14 13:53:33.329330 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971

I even tried the mask suggested by @prae0ri4n and still got the same error.
I tried changing the /etc/hosts file but this didn't work either (did this by logging into the container).

I haven't tried downgrading the container version yet.
Any other suggestions?

Other than doing this trick, did you do anything else to make Collabora show the odt document?

The problem with ::ffff:172 comes from merging IPv6 and IPv4.
Disable IPv6 with

    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

and for the future

    echo net.ipv6.conf.all.disable_ipv6 = 1 > /etc/sysctl.d/01-disable-ipv6.conf

then restart the Docker container and all works fine.

with regards
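
The addresses in the log lines quoted in this thread are IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`). The following Python example is added here and is not part of any post or of Collabora's code: it extracts the denied addresses from log lines in that format, unwraps the mapped form, and shows why an allow pattern written for plain IPv4 does not match the string as logged. The pattern lists and the whole-string matching rule are assumptions.

```python
import ipaddress
import re

# Sample input: log lines in the format quoted in this thread.
SAMPLE_LOG = """\
wsd-00029-00040 2019-01-23 14:59:16.837453 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.17.0.4| wsd/LOOLWSD.cpp:1971
wsd-00028-00039 2019-02-14 13:53:33.329330 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971
wsd-00028-00039 2019-02-15 16:12:43.063898 [ websrv_poll ] WRN client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279
"""

DENIED = re.compile(r"Requesting address is denied: (\S+?)\|")

def denied_addresses(log_text):
    """Return (address as logged, unwrapped IP object) for each denied line."""
    out = []
    for raw in DENIED.findall(log_text):
        ip = ipaddress.ip_address(raw)
        # ::ffff:a.b.c.d is an IPv4 peer seen through a dual-stack socket.
        mapped = getattr(ip, "ipv4_mapped", None)
        out.append((raw, mapped or ip))
    return out

def allowed(logged_addr, patterns):
    """Assumption: a pattern must match the whole address string as logged."""
    return any(re.fullmatch(p, logged_addr) for p in patterns)

# Hypothetical allow patterns, not taken from a real loolwsd.xml.
IPV4_ONLY = [r"172\.17\.0\.[0-9]{1,3}"]
WITH_MAPPED = IPV4_ONLY + [r"::ffff:172\.17\.0\.[0-9]{1,3}"]

if __name__ == "__main__":
    bridge = ipaddress.ip_network("172.17.0.0/16")  # Docker's default bridge
    for raw, ip in denied_addresses(SAMPLE_LOG):
        where = "docker bridge" if ip in bridge else "other network"
        print(raw, "->", ip, where,
              "ipv4-only:", allowed(raw, IPV4_ONLY),
              "with mapped form:", allowed(raw, WITH_MAPPED))
```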

In my case it turned out this error does not block Collabora from working (I still see it in the logs).

The important part to ensure is that inside the container the /etc/loolwsd/loolwsd.xml file is correctly pointing to your NextCloud domain:

    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">your\.nextcloud-domain\.com</host>
         ...
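
The `<host>` entry above is a regular expression, so the escaped dots matter. The following Python example is added here and is not part of the post or of Collabora's code: it reads the allowed WOPI host patterns from a fragment shaped like the excerpt and reports look-alike hostnames that a pattern with unescaped dots would also accept. The closing tags in the sample and the whole-string matching rule are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the loolwsd.xml excerpt above; the closing
# tags are added so that it parses.
SAMPLE_XML = r"""
<storage desc="Backend storage">
    <filesystem allow="false" />
    <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
        <host desc="Regex pattern of hostname to allow or deny." allow="true">your\.nextcloud-domain\.com</host>
    </wopi>
</storage>
"""

def wopi_allow_patterns(xml_text):
    """Return the regex patterns of all <host allow="true"> entries."""
    wopi = ET.fromstring(xml_text.strip()).find("wopi")
    if wopi is None or wopi.get("allow") != "true":
        return []
    return [h.text.strip() for h in wopi.findall("host")
            if h.get("allow") == "true" and h.text]

def host_allowed(hostname, patterns):
    """Assumption: a pattern must match the entire hostname."""
    return any(re.fullmatch(p, hostname) for p in patterns)

def lookalikes_accepted(pattern, intended):
    """Replace each dot of the intended hostname with 'x' and return the
    variants the pattern still accepts (non-empty means an unescaped dot)."""
    hits = []
    for i, ch in enumerate(intended):
        if ch == ".":
            candidate = intended[:i] + "x" + intended[i + 1:]
            if re.fullmatch(pattern, candidate):
                hits.append(candidate)
    return hits

if __name__ == "__main__":
    host = "your.nextcloud-domain.com"
    for pattern in wopi_allow_patterns(SAMPLE_XML) + [host]:
        print(pattern, host_allowed(host, [pattern]),
              lookalikes_accepted(pattern, host))
```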

@nextClo

I tried this approach and I must have something really screwed up. Where do I run these commands?? With the docker container? Within the docker host? or within the nextcloud host?

@kevdog Do you see any other suspicious error in your nextcloud.log file?

@anon50134577 - I do have that statement within the loolwsd.xml file:

<wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true"> <host desc="Regex pattern of hostname to allow or deny." allow="true">nextcloud\.domain\.com</host>

I substituted "domain" here and actually put my real domain name. Unfortunately I still get the same error.

How are you invoking the docker container on the command line?

I'm using the following:

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\.domain\.com' --name="jax" -e "username=admin" -e "password=dockercol" --restart always --cap-add MKNOD collabora/code

I've used a lot of permutations and whatever I put down always seems to result in the same error:

wsd-00028-00039 2019-02-14 18:59:57.296446 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971

Hello kevdog,

I used these commands on the docker host.

with regards

I believe that is not a blocking error you should worry about at this time: did you notice some other error that is breaking Collabora?

@anon50134577

Looking at the docker log file I'm getting this as well:
frk-00031-00031 2019-02-14 19:55:51.864119 [ forkit ] ERR Error: forkit has more than a single thread after pre-init| kit/ForKit.cpp:540

That seems to be the main one.
I'll post the log here:
https://pastebin.com/5efWScTE
The logfile is almost 2000 lines. Almost impossible to debug. I put logging level at debug

@anon50134577

Honestly after thumbing through the 2000 line log, the only other problem I'm seeing is this:
(And am I supposed to be generating certs at the top of the log???)

I think it's the intended (albeit convoluted) behaviour of how NextCloud talks with Collabora

The error that you mention a bit earlier, too, doesn't seem to be a showstopper: see here and here

What was the error again? .ODT documents do not open? Are you experiencing, too, the spinning loading icon that doesn't disappear?

Yea, on screen it's the spinning loading icon that does not disappear. Yes my test documents are .odt. Should I try a different document type?
I assumed the spinning loading icon was due to the error I keep posting... Maybe not?

I believe so. The log file you posted looks fine (although I may be not the best person to inspect that).

Asking a basic question, did you configure the Collabora endpoint on NextCloud, right?

Yes I did configure the endpoint on Nextcloud.

I first attempted a local IP address, but that didn't work since I suspect that was a cert thing.
I then put in the URL and that's when I get the spinny thing.

You know the funny thing is when I go into the web admin console for Collabora, the initial web page loads showing the interface, then I get a connection error. In the logs I get:

[Thu Feb 14 15:25:37.381571 2019] [proxy:warn] [pid 17119:tid 140504239175424] [client 10.0.1.158:39243] AH01144: No protocol handler was valid for the URL /lool/adminws/ (scheme 'wss'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

I'm not sure that has anything to do with it.

Ok I wanted to add some closure to this topic. I managed to get things up and running and the actual error had nothing to do with it.

I'll just describe what the problem was and my solution and give anyone a chance to comment on the solution

I originally had an apache webserver located within the DMZ → forwarding to an apache webserver located within the LAN --> forwarding to the collabora docker container running on the same machine as the internal LAN apache server.

I believe my problems all stem from the way the SSL certs were being handled. I'm not certain exactly how to handle all the SSL forwarding and certification credentials, so anyone with experience can add input

I have one master SSL cert <domain.com> and the subdomains also are attached to this certificate <nextcloud.domain.com> <office.domain.com>

Solution I've come up with is to basically take the back end apache webserver out of the loop (although I'd really like to keep this in).

Current working setup is
apache webserver (DMZ) --> with redirects to port 9980 directly on machine located within LAN.

How I achieved this was the following:

  1. Relevant portions of the virtual host file on apache webserver located within DMZ: (Sorry about the formatting guys, I don't know what's up with this BB)

    <VirtualHost *:443>
        ServerAdmin admin@domain.com
        ServerName office.domain.com
        DirectoryIndex /index.php index.php index.html index.htm
        DocumentRoot /usr/local/www/office
        Options -Indexes

        SSLEngine on
        SSLCertificateFile /usr/local/etc/letsencrypt/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/domain.com/privkey.pem

        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        SSLCompression off
        SSLSessionTickets off
        SSLOptions +StrictRequire

        # HSTS (mod_headers is required) (15768000 seconds = 6 months) Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        # Encoded slashes need to be allowed
        AllowEncodedSlashes NoDecode

        # Container uses a unique non-signed certificate
        SSLProxyEngine On
        SSLProxyVerify None
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        # keep the host
        ProxyPreserveHost On

        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass /loleaflet https://office.domain.com:9980/loleaflet retry=0
        ProxyPassReverse /loleaflet https://office.domain.com:9980/loleaflet

        # WOPI discovery URL
        ProxyPass /hosting/discovery https://office.domain.com:9980/hosting/discovery retry=0
        ProxyPassReverse /hosting/discovery https://office.domain.com:9980/hosting/discovery

        # Capabilities
        ProxyPass           /hosting/capabilities https://office.domain.com:9980/hosting/capabilities retry=0
        ProxyPassReverse    /hosting/capabilities https://office.domain.com:9980/hosting/capabilities

        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://office.domain.com:9980/lool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass /lool/adminws wss://office.domain.com:9980/lool/adminws

        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass /lool https://office.domain.com:9980/lool
        ProxyPassReverse /lool https://office.domain.com:9980/lool

    </VirtualHost>

Please note that I have an official office.domain.com.

On the second machine I setup the docker collabora installation, and started the container with the following parameters:

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 9980:9980 -e 'domain=nextcloud\.gohilton\.com' --name="jax" -e "username=admin" -e "password=dockercol" --restart always --cap-add MKNOD collabora/code

A couple of things about the starting parameters - I passed the sysctl parameters to disable ipv6 within the container as suggested, and I bound the 9980 listening port directly rather than the typical -p 127.0.0.1:9980:9980 which would only listen on the localhost.

The major issue is that I didn't want port 9980 on the LAN machine to be exposed to the internet. This was my major stumbling point. The reverse proxy statements required a valid ssl certificate - in my case office.domain.com - however this URL resolved to an external IP address (if using an external DNS server). Since I'm not running an internal DNS server, I ended up modifying the /etc/hosts file on the computer running the apache webserver.

I added the following:

10.0.1.162 office.domain.com

10.0.1.162 represented the internal LAN address of the VM host running the docker instance.

My only exposed ports in the DMZ were 80/443.

With this setup, the docker collabora setup seems to be working - no more spinning icon - however the docker log files still produced the following error:

wsd-00028-00039 2019-02-15 16:12:43.064003 [ websrv_poll ] ERR FileServerRequestHandler::NotAuthenticated: No authentication information found| wsd/FileServer.cpp:414

And occasionally I get this error as well

wsd-00028-00039 2019-02-15 16:12:43.063898 [ websrv_poll ] WRN client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279

I don't know how to interpret these errors, but just to report everything seems to work.

I'm not sure if this setup is correct, however it works in my case. I'm running the Apache webserver within a FreeNAS jail running FreeBSD. The docker container is running within a VM running Ubuntu Linux. Perhaps a different setup would help.

Thanks for everyone's help in trying to resolve the issue.