Separate Collabora Server from NextCloud

Hello,

I posted earlier this week and asked about running a Collabora Server on a separate server from where I have my nextcloud server set up. I think I’m running into a networking problem, but just in case I wanted to ask here. I tried setting it up like the instructions on the nextcloud collabora website but with letsencrypt certbot certs. They are applied and working great. I’m confused on the way I would set up the docker ports so that nextcloud can communicate with the collabora server. I’ve tried it with the

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\.nextcloud\.com' --restart always --cap-add MKNOD collabora/code

code and I’ve also tried it with this since it’s not really going to be looking on the local host but would be looking for communication from the network.
docker run -t -d -p 9980:9980 -e 'domain=cloud\.nextcloud\.com' --restart always --cap-add MKNOD collabora/code

Which of these would be the right setup for nextcloud and collabora to talk on port 9980 from across the network? OR does it need to be 10.xx.xx.x:9980:9980 with the collabora servers local ip there?

With this in mind, do I need to make any changes to the IPs in the example virtual host config file? I know that I need to take out the SSL configuration section since I’m using letsencrypt, but do all of the localhost loopback IPs need to be my collabora server’s IP?

Thank you in advance. I appreciate any help that can be offered.

For example, the 127.0.0.1’s would be my local ip 10.xx.xx.x and I would switch out office.your-domain too, is that correct?

ServerName office.your-domain.com

SSLCertificateFile /etc/letsencrypt/live/office.your-domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/office.your-domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool

What this does is bind the listening port to a specific address. If you bind the loopback address, only the local machine can hit the port. If you specify only the port:port mapping, then it will listen on all addresses. That should be fine for what you’re describing.

I haven’t run them on separate boxes, but I can tell you from my own experience that the name resolution is very important. There’s a command you can add in Docker to add a hosts file entry to the container. You might give that a try.

You will also want to make sure they present each other with valid certificates. What I do on mine is I have a separate Apache instance installed on the host that reverse proxies both Nextcloud and Collabora with named virtual hosts, and it also runs certbot for both of them.

The reverse proxy isn’t just for users; Nextcloud and Collabora both talk to each other through it as well, rather than directly between the containers, and I used the Docker alias command to add hosts file DNS overrides for both of them to point them to the reverse proxy to contact each other.

Thank you for this information. Your explanation about the ports was very helpful. If I specify the port:port style when running the docker container, do you think that I also need to change the virtual host config to be the server’s IP instead of the loopback address?

Like for an example?

# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://10.xx.xx.xx:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://10.xx.xx.xx:9980/loleaflet

If the proxy is on a different server than Collabora then yes, don’t use loopback addresses. They will connect to the local machine instead of the other one. You’ll need to use the FQDN or LAN IP.

If your proxy is on the same server as the Collabora docker, you can optionally use loopback between the proxy and container, and I believe that’s what they do in the official example, and that’s how I did mine. But, I have a single server setup where the same VM runs all of the Docker containers and also has the reverse proxy installed on it.
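The split layout from the last reply (reverse proxy on one box, Collabora container on another), as an added example that is not part of this thread and not Nextcloud's or Collabora's own code: a POSIX shell script that picks the backend URL (loopback only when proxy and container share a host), renders the office vhost from the config posted above with that backend in every Proxy* directive, and lints a vhost for the leftover-loopback mistake the thread is about. The hosts proxy01, 10.0.0.5 and office.example.com are placeholders, and probe_discovery only runs when COLLABORA_PROBE=1 is set because it needs network access.

```shell
#!/bin/sh
# Added example, not code from the thread or from Nextcloud/Collabora docs.
# Picks the ProxyPass backend for a split Nextcloud/Collabora deployment,
# renders the office vhost with it, and lints a vhost for the leftover-loopback
# mistake. proxy01, 10.0.0.5 and office.example.com are placeholder names.
set -eu

# proxy_target PROXY_HOST COLLABORA_HOST [PORT]
# Loopback is only correct when the reverse proxy and the Collabora container
# share a machine; otherwise the target must be the Collabora host's LAN IP/FQDN.
proxy_target() {
    proxy_host=$1; collabora_host=$2; port=${3:-9980}
    if [ "$proxy_host" = "$collabora_host" ]; then
        printf 'https://127.0.0.1:%s' "$port"
    else
        printf 'https://%s:%s' "$collabora_host" "$port"
    fi
}

# render_vhost OFFICE_FQDN TARGET
# Same directives as the config posted in the thread, with every backend
# reference taken from TARGET so nothing is left pointing at 127.0.0.1.
render_vhost() {
    office=$1; target=$2
    ws_target=$(printf '%s' "$target" | sed 's#^https://#wss://#')
    cat <<EOF
<VirtualHost *:443>
    ServerName $office
    SSLCertificateFile /etc/letsencrypt/live/$office/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$office/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    AllowEncodedSlashes NoDecode
    # The container presents a self-signed certificate, so peer verification
    # is off. On a split setup this hop crosses the LAN without authenticating
    # the backend: firewall port 9980 so only the proxy host can reach it.
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    ProxyPreserveHost On
    ProxyPass /loleaflet $target/loleaflet retry=0
    ProxyPassReverse /loleaflet $target/loleaflet
    ProxyPass /hosting/discovery $target/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery $target/hosting/discovery
    ProxyPassMatch "/lool/(.*)/ws\$" $ws_target/lool/\$1/ws nocanon
    ProxyPass /lool/adminws $ws_target/lool/adminws
    ProxyPass /lool $target/lool
    ProxyPassReverse /lool $target/lool
</VirtualHost>
EOF
}

# lint_vhost TARGET CONFIG_FILE
# Returns 1 when the backend lives on another host but some Proxy* directive
# still points at loopback (the proxy would then talk to itself, not Collabora).
lint_vhost() {
    target=$1; conf=$2
    case $target in
        https://127.0.0.1:*|https://localhost:*) return 0 ;;
    esac
    if grep -Eq 'Proxy(Pass|PassReverse|PassMatch)[[:space:]].*(127\.0\.0\.1|localhost)' "$conf"; then
        echo "lint: backend is $target but $conf still proxies to loopback" >&2
        return 1
    fi
    return 0
}

# probe_discovery TARGET
# Fetch WOPI discovery the way the proxy will (no cert check, matching
# SSLProxyVerify None) and count the wopi-discovery root element; needs network.
probe_discovery() {
    curl -fsS --insecure --max-time 5 "$1/hosting/discovery" | grep -c '<wopi-discovery'
}

# Demo with constructed hosts: proxy on proxy01, Collabora container on 10.0.0.5.
demo_target=$(proxy_target proxy01 10.0.0.5)
demo_conf=$(mktemp)
render_vhost office.example.com "$demo_target" > "$demo_conf"
lint_vhost "$demo_target" "$demo_conf" && echo "vhost for $demo_target passes lint"
if [ "${COLLABORA_PROBE:-0}" = 1 ]; then probe_discovery "$demo_target"; fi
rm -f "$demo_conf"
```

Two things to keep in mind when the proxy and the container are on different machines. First, the proxy can only reach the container if the docker port is published on an address the proxy can route to, so `-p 127.0.0.1:9980:9980` will not work there; publishing on the Collabora host's LAN IP (`-p 10.x.x.x:9980:9980`) is tighter than a bare `-p 9980:9980`, which listens on every interface including any public one. Second, `SSLProxyVerify None` means the proxy never authenticates the Collabora endpoint, which matters more once that hop leaves the host, so restrict 9980 at the firewall to the proxy's address, and make sure the `domain=` regex passed to the container matches the Nextcloud hostname, since that is what Collabora uses to decide which WOPI hosts it will serve.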