Security Setting for Nextcloud Office

Hi there,

I have a question. Under Settings > Nextcloud Office (with the integrated Collabora server) I get the following error message:
“You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server.”

I have tried adding several IP addresses to this list, but with no IP address entered do the documents load. Only if I leave it blank do all documents load. I tried my local network: 192.168.0.0/24, localhost, 127.0.0.1. None of them work.

Can you tell me which IP I should enter here? Is it necessary to restrict access when port 9983 is not accessible over the Internet?

Kind Regards
Andi

3 Likes

Hi, I have the same problem :frowning: If I use my public IP it works too, but with internal IPs it does not.
I hope someone can help us.

I don’t understand the documentation.
https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html

Does it mean that with the default (empty), any IP on the internet is allowed to access any file in my Nextcloud installation just by sending WOPI requests to Nextcloud?

What kind of CODE server are you using?

The built-in CODE server.
In my case it does NOT need any entries in the WOPI section; you can ignore the
“error / information” message.

Seems like the same problem I got earlier →

Keep me posted. brNP

OK, I switched away from the built-in version.
As the built-in Collabora server only runs on TLSv1.2, I use the first option, “use my own server”: https://office.mydomain.de
This domain leads to my Nextcloud installation, and there Collabora Online is running in a Docker container.
Nextcloud and Office have the same public dynamic IP at home.

Snippet for the apache2 reverse proxy to the Docker container:
  <VirtualHost *:443>
    ServerName office.mydomain.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # SSL configuration, you may want to take the easy route instead and use Let's Encrypt!
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/office/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/office/key.pem

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from coolwsd
    # browser is the client part of LibreOffice Online
    ProxyPass           /browser https://127.0.0.1:9980/browser retry=0
    ProxyPassReverse    /browser https://127.0.0.1:9980/browser

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /cool/adminws wss://127.0.0.1:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass           /cool https://127.0.0.1:9980/cool
    ProxyPassReverse    /cool https://127.0.0.1:9980/cool

    # Endpoint with information about availability of various features
    ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
  </VirtualHost>
Command to start Collabora Online in Docker:
docker run -t -d -p 127.0.0.1:9980:9980 -e "aliasgroup1=https://office.mydomain.de:443,https://office\\.mydomain\\.de:443" --restart always --name mycollabora collabora/code

That’s a good question.
I have Collabora office (docker; CODE) and NC running on the same server, but when I put in the public server IP, or 127.0.0.1, or localhost, office stops working (“document loading failed”).

1 Like

For me it worked when I added the IP range of the Docker network: 172.17.0.1/16

ip a
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:0f:41:a6:54 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:fff:fe41:a654/64 scope link 
       valid_lft forever preferred_lft forever
3 Likes
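The allow-list in this setting is matched against the source address of the HTTP requests that the Collabora/CODE server makes to Nextcloud's WOPI endpoints, not against the browser's address. Whether that source is 127.0.0.1, a Docker bridge address, or the host's public IP (when the container reaches Nextcloud through its public hostname) is what decides which entry makes documents load again. The following is an added example, not Nextcloud's or Collabora's own code: it pulls the bridge subnet out of an `ip a` dump like the one posted above and evaluates the allow-list candidates named in this thread against a constructed container source address (172.17.0.2) and a constructed hairpin-NAT public address (203.0.113.10, a documentation range). The matching rules (empty list allows everything; otherwise the source must fall inside one listed address or CIDR) are modelled on the documented behaviour of the setting and are a simplification, not the app's actual implementation.

```python
import ipaddress
import re

# Constructed sample, modelled on the `ip a` output posted in this thread.
IP_A_OUTPUT = """\
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:0f:41:a6:54 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:fff:fe41:a654/64 scope link
       valid_lft forever preferred_lft forever
"""


def docker_bridge_subnet(ip_a_text: str, iface: str = "docker0") -> ipaddress.IPv4Network:
    """Return the IPv4 network of `iface` (172.17.0.1/16 -> 172.17.0.0/16)."""
    in_iface = False
    for line in ip_a_text.splitlines():
        header = re.match(r"^\d+: (\S+):", line)
        if header:
            in_iface = header.group(1) == iface
            continue
        if in_iface:
            inet = re.match(r"\s+inet (\S+) ", line)  # "inet6" lines do not match
            if inet:
                # strict=False discards the host bits of the interface address
                return ipaddress.ip_network(inet.group(1), strict=False)
    raise ValueError(f"no IPv4 address found on {iface}")


def parse_allowlist(value: str) -> list:
    """Comma- or whitespace-separated addresses and CIDRs -> list of networks."""
    nets = []
    for token in re.split(r"[,\s]+", value.strip()):
        if token:
            # a bare address such as 127.0.0.1 becomes a /32 (or /128) network
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def wopi_request_allowed(allowlist: str, source_ip: str) -> bool:
    """Empty allow-list = no restriction; otherwise the source must be listed."""
    nets = parse_allowlist(allowlist)
    if not nets:
        return True
    addr = ipaddress.ip_address(source_ip)
    # `in` is False (not an error) when address and network families differ
    return any(addr in net for net in nets)


def evaluate_candidates(source_ip: str) -> dict:
    """Try the entries people in this thread reported, against one source IP."""
    bridge = str(docker_bridge_subnet(IP_A_OUTPUT))  # "172.17.0.0/16"
    candidates = {
        "": "empty (no restriction)",
        "192.168.0.0/24": "LAN range from the first post",
        "127.0.0.1, localhost-style loopback": "loopback only",
        bridge: "Docker bridge network",
    }
    # "localhost" is not an IP literal, so keep the loopback entry numeric.
    candidates["127.0.0.1"] = candidates.pop("127.0.0.1, localhost-style loopback")
    return {entry: wopi_request_allowed(entry, source_ip) for entry in candidates}


if __name__ == "__main__":
    # Constructed source addresses: a CODE container on the bridge, and the
    # host's public IP as seen when the container reaches Nextcloud via NAT.
    for src in ("172.17.0.2", "203.0.113.10"):
        print(src, evaluate_candidates(src))
```

Run stand-alone, this prints that only the empty list and the Docker bridge range admit a request coming from 172.17.0.2, while a request that arrives from the public address is admitted by nothing except the empty list, which matches the two outcomes reported in this thread. If you want to set the value from the command line instead of the admin UI, the app config key is, to my knowledge, `richdocuments wopi_allowlist` (`occ config:app:set richdocuments wopi_allowlist --value="172.17.0.0/16"`); verify that key against the configuration page linked earlier before relying on it.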

Thanks a lot for the hint! Also in my case this works.

1 Like

This sadly didn’t work for me. Any other ideas?

It seems my public IP is used for the connection, though I have no idea why.


For me it worked adding the Docker network range to the allowed list. However, as @ies asked, I do not fully understand the impact of not setting the allowed list. What is the exact problem? Was anyone able to access files without authorization while it was not set? May files be compromised? What exactly is the warning about?

This is a very important topic. Please someone help to clarify the facts:

  • why is the public IP address used for WOPI requests of the Built In Code server instead of localhost?
  • what happens if you keep the WOPI allow list empty? Has anyone access to the files without authentication?
2 Likes

It’s even worse for instances hosted on the internet - documents won’t open unless the WOPI list is empty, since the client browser needs to have access.
So, what is the point of the list if it needs to be empty anyway?

And, as has been asked, what are the security implications?

1 Like