Set up collabora CODE server behind a proxy - nginx via docker - error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I have a collabora server set up via docker. I’d like to put it behind a proxy so that it’s accessible only via https.

I’ve followed documentation here and here.

On the second link I’m using setup option 2 of 3. I was unsure if I should be using option 1. My setup is that I have an out-of-the-box NC with Hetzner and then, separate to that, I have a cloud server I’m running docker on. I’m setting up the collabora code server on the cloud server to use with my NC instance that is elsewhere on the internet.

After running the container, I wanted to check that the collabora server is running, per the bottom of the first documentation link above. Obtaining the ‘OK’ message signifies that all is set up correctly:

curl -k https://localhost:9980
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

If I remove the s:

curl -k http://localhost:9980
OK

I have 3 services in the docker-compose, here’s the last couple of lines of the logs:

docker ps
CONTAINER ID   IMAGE               COMMAND                  CREATED       STATUS       PORTS                                      NAMES
ee6bdb68f8e2   collabora/code      "/bin/sh -c 'bash st…"   2 hours ago   Up 2 hours   0.0.0.0:9980->9980/tcp                     collabora
1488465463c6   nginx:1.15-alpine   "/bin/sh -c 'while :…"   2 hours ago   Up 2 hours   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   collabora_nginx_1
4361ed3f6df7   certbot/certbot     "/bin/sh -c 'trap ex…"   2 hours ago   Up 2 hours   80/tcp, 443/tcp                            collabora_certbot_1

The collabora server container/service:

docker logs collabora
wsd-00006-00042 2021-03-02 16:39:07.374169 [ websrv_poll ] WRN  convert-to: Requesting address is denied: ::ffff:168.119.3.73| wsd/LOOLWSD.cpp:2315
wsd-00006-00042 2021-03-02 16:40:10.725982 [ websrv_poll ] ERR  Looks like SSL/TLS traffic on plain http port| wsd/LOOLWSD.cpp:2383

The nginx container/service:

docker logs collabora_nginx_1
2021/03/02 16:49:47 [error] 10#10: *54 open() "/etc/nginx/html/robots.txt" failed (2: No such file or directory), client: 198.20.87.98, server: collabora.mydomain.de, request: "GET /robots.txt HTTP/1.1", host: "135.181.152.187"
198.20.87.98 - - [02/Mar/2021:16:49:47 +0000] "GET /robots.txt HTTP/1.1" 404 154 "-" "-" "-"
2021/03/02 16:49:48 [error] 10#10: *55 open() "/etc/nginx/html/sitemap.xml" failed (2: No such file or directory), client: 198.20.87.98, server: collabora.mydomain.de, request: "GET /sitemap.xml HTTP/1.1", host: "135.181.152.187"
198.20.87.98 - - [02/Mar/2021:16:49:48 +0000] "GET /sitemap.xml HTTP/1.1" 404 154 "-" "-" "-"
2021/03/02 16:49:50 [error] 10#10: *56 open() "/etc/nginx/html/.well-known/security.txt" failed (2: No such file or directory), client: 198.20.87.98, server: collabora.mydomain.de, request: "GET /.well-known/security.txt HTTP/1.1", host: "135.181.152.187"
198.20.87.98 - - [02/Mar/2021:16:49:50 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 154 "-" "-" "-"
2021/03/02 16:49:51 [error] 10#10: *57 open() "/etc/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.20.87.98, server: collabora.mydomain.de, request: "GET /favicon.ico HTTP/1.1", host: "135.181.152.187"
198.20.87.98 - - [02/Mar/2021:16:49:51 +0000] "GET /favicon.ico HTTP/1.1" 404 154 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0" "-"
2021/03/02 16:49:56 [error] 10#10: *62 "/etc/nginx/html/index.html" is not found (2: No such file or directory), client: 104.155.101.3, server: collabora.mydomain.de, request: "GET / HTTP/1.1", host: "135.181.152.187"
104.155.101.3 - - [02/Mar/2021:16:49:56 +0000] "GET / HTTP/1.1" 404 154 "-" "python-requests/2.25.1" "-"

The certbot container:

docker logs collabora_certbot_1
logs collabora_certbot_1 
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/collabora.mydomain.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/collabora.mydomain.de/fullchain.pem expires on 2021-05-31 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My docker-compose.yaml:

version: "3.5"
services:
  collabora:
    image: collabora/code
    container_name: collabora
    restart: always
    depends_on:
      - nginx
    cap_add:
      - MKNOD
    environment:
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
      - domain=nx12345\.blah\.de
      - dictionaries=en_US
    ports:
      - "9980:9980"
    volumes:
      - ./appdata/collabora:/config    
  nginx:
    image: nginx:1.15-alpine
    restart: unless-stopped
    volumes:
      - ./data/nginx:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

My nginx config app.conf:

server {
    listen 80;
    server_name mydomain.de;
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}


server {
    listen       443 ssl;
    server_name  collabora.mydomain.de;

    ssl_certificate /etc/letsencrypt/live/collabora.mydomain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/collabora.mydomain.de/privkey.pem;
    
    # static files
    location ^~ /loleaflet {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass http://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass http://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

How can I correctly place the collabora server behind a proxy using nginx per the above setup using docker?
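Why `curl -k https://localhost:9980` reports "wrong version number" while `http://` returns OK, as an added example (not part of the original post, nor Collabora's or OpenSSL's code): with `ssl.enable=false` port 9980 answers in plain HTTP, and a TLS client reads the first five reply bytes as a record header. The reply bytes, the ClientHello prefix and all function names below are constructed for illustration.

```python
import struct

# TLS record content types (RFC 8446, section 5.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")

# Constructed samples (not captured from the poster's server).
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"
CLIENT_HELLO_PREFIX = bytes.fromhex("1603010200010001fc0303")


def parse_record_header(data: bytes):
    """Read the first 5 bytes the way a TLS peer does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes seen on a socket."""
    ctype, (major, minor), _ = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return "tls"
    if data.startswith(HTTP_PREFIXES):
        return "http"
    return "unknown"


def diagnose(endpoint_speaks: str, peer_bytes: bytes) -> str:
    """Compare what this endpoint speaks ('tls' or 'http') with the peer's bytes."""
    seen = classify(peer_bytes)
    if seen == endpoint_speaks:
        return "ok"
    if endpoint_speaks == "tls" and seen == "http":
        # Client side of the thread: the version field is 'TT' (0x5454), not 0x03xx.
        return "plain-http-reply-to-tls-client"
    if endpoint_speaks == "http" and seen == "tls":
        # Server side: a ClientHello arrived where an HTTP request line was expected.
        return "tls-handshake-on-plain-http-port"
    return "unrecognised-protocol"


if __name__ == "__main__":
    ctype, version, length = parse_record_header(HTTP_REPLY)
    print(f"type=0x{ctype:02x} version=0x{version[0]:02x}{version[1]:02x} length={length}")
    print(diagnose("tls", HTTP_REPLY))
    print(diagnose("http", CLIENT_HELLO_PREFIX))
```

With TLS terminated at nginx (`ssl.termination=true`), the HTTPS check belongs on port 443 of the proxy; port 9980 is expected to answer plain HTTP only.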

Hello there,

I have the same problem as you.

I have installed nextcloud and collabora on the same server, from packages without docker, and have set up an nginx reverse proxy for collabora. I get the same results when I do the request on the server from the command line with curl, as in the 2 situations you described. I have the same nginx reverse proxy config file, which I got from the collabora docs.

Collabora has its own localdev domain: collabora.nextcloud.localdev
Nextcloud has its own localdev domain: nextcloud.localdev

I think that the problem is somehow related to the default location / in the nginx reverse proxy config file. I have noticed that if I use your FQDN for collabora I end up with the nginx default page, because the reverse proxy has no rule for the root location /.
If I access FQDN/<nginx reverse proxy/path>, all of them are working.

At the moment I’m trying to figure out how nextcloud is resolving the https://FQDN to collabora…

If you look at this ansible config file: Ansible config nextcloud, you will see that the nginx reverse proxy is in the same nginx block file as nextcloud. I haven’t tried that yet; this will be the next step.

If you find other information or a solution to this problem, it would be nice.