With my subdomain office.mydom.com, I can discover the XML file:
It really works here.
But nothing is good on the Nextcloud server:
When I open a document, an error message:
…Please Try later
Where can I see the log file for that?
Apache log:
office.error_log : nothing
office.acces_log : no access
docker log : all passed
I use Docker behind a NAT.
curl -k https://127.0.0.1:9980/loleaflet
I use the latest Nextcloud version (17).
All tests passed.
Let’s Encrypt with *.mydom.com
It’s crazy!
docker logs <container-id>
This is likely to be expected as 127.0.0.1 is a loopback address. It would only work from the server running Collabora. Use your FQDN instead.
curl -k https://cloud.mydom.org/loleaflet
In docker logs :
File not found: Invalid URI request: [/loleaflet].| wsd/FileServer.cpp:441
OK there (??) :
Apache conf :
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
Nextcloud err :
(…) Please Try later
At these URLs:
==> Good! I can see Stats & Param.
==> Good, I can see the XML file
In the Nextcloud server: https://cloud.mydom.com
Collabora config: https://office.mydom.com:443
When I launch a doc (latest Nextcloud version, 18), after a while, error:
(…) Please try later.
Error logs, in Apache : nothing
Access logs, in Apache : nothing (no access !)
Docker logs instance : Nothing red…
NextCloud logs (graphical) : All right !
The iptables rule on port 9980 works (open).
I read and tested so many things in these threads.
Nothing can be done.
Finally I found a working Collabora Docker config under a NAT / firewall:
-> hosts IP must be local.
-> dns must be local too.
To find LOCAL HOST IP :
To find LOCAL HOST DNS :
iptables rule:
sudo iptables -t filter -A INPUT -p tcp --dport 9980 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 9980 -j ACCEPT
Finally, working Docker image:
docker stop myid
docker rm myid
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\.mydom\.com' --restart always --cap-add MKNOD --add-host=cloud.mydom.com:192.168.0.144 --add-host=office.mydom.com:192.168.0.144 --dns=192.168.0.1 -e 'username=user' -e 'password=123' collabora/code
If trouble :
service docker restart
So in essence it was a firewall problem?
Yes it was. Maybe this is a working configuration for all kinds of systems under Docker.
I also forgot the settings in the server hosts file (the main server, not the Docker image):
127.0.0.1 localhost cloud.mydom.com office.mydom.com
Yes, I suppose you could set your host names at the level of the host’s /etc/hosts file. Totally valid. I usually set hostnames at the router level since I’m a lot less likely to forget what I’ve done. I also have cloud and office on physically different VMs, so it’s easier for me to set the parameter at the router level. If they are on the same host, modification of /etc/hosts may be easier.
Things I see commonly as errors:
- Don’t open firewall ports
- Don’t set local resolution of domain names at the /etc/hosts or router level
- Don’t enable kernel packet forwarding.
Thanks for the recommendations!
Do you know why the iptables rule below stops the connection between Nextcloud and Docker?
By default, I need to use this geoip rule for security reasons. It blocks all traffic, except for these country IDs:
sudo iptables -A INPUT -m geoip ! --src-cc FR,DE,BE,CH,US,GB,IE,FI,IT,ES -j DROP
But I must disable this rule to open all docs in Collabora.
Netstat shows only local IPs on the server host (not the Docker container). Strange?
netstat -np --inet
Does Collabora need to connect to its own server (external IP(s))?
Very strange …
Honestly I’ve never really done a packet capture with Collabora. I never really knew you could write an iptables rule based on country of origin. However you have your rule on the input chain (not output). This would imply you are receiving packets externally.
I’m thinking about my own setup. I have wide open input rules to the Collabora port (just a generic pass-all rule, which I believe is being controlled by ufw, which definitely isn’t as fine-grained as an actual iptables rule); however, at the router level there are no port forwarding rules to allow external access. In fact, in my nginx configuration, I only allow LAN IP address access to Nextcloud. All my docs open in Collabora (locally). Perhaps your iptables rule is blocking more than what it should?
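
An added example, not part of the thread: a first-match model of the INPUT chain showing why the negated geoip rule quoted above also drops local traffic. Sources with no country entry (loopback, the 192.168.0.x LAN, a Docker bridge address) are not in the allowed list, so `! --src-cc` matches them. The GeoIP table, the sample addresses and the 172.17.0.0/16 bridge range are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for a GeoIP country database (documentation ranges with
# made-up country codes). Real databases likewise have no entry for loopback
# or private ranges.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "FR",
    ipaddress.ip_network("198.51.100.0/24"): "BR",
}
# Country list from the rule quoted in the thread.
ALLOWED_CC = {"FR", "DE", "BE", "CH", "US", "GB", "IE", "FI", "IT", "ES"}
# Local sources: loopback, the thread's LAN, and an assumed Docker bridge range.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("127.0.0.0/8", "192.168.0.0/24", "172.17.0.0/16")]


def country_of(src):
    """Return the country code for src, or None when the database has no entry."""
    addr = ipaddress.ip_address(src)
    for net, cc in GEO_DB.items():
        if addr in net:
            return cc
    return None


def geoip_drop(src):
    """Models: -m geoip ! --src-cc <ALLOWED_CC> -j DROP"""
    return "DROP" if country_of(src) not in ALLOWED_CC else None


def accept_local(src):
    """Models ACCEPT rules for local sources placed ahead of the geoip rule."""
    addr = ipaddress.ip_address(src)
    return "ACCEPT" if any(addr in net for net in LOCAL_NETS) else None


def evaluate(chain, src, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        verdict = rule(src)
        if verdict:
            return verdict
    return policy


if __name__ == "__main__":
    for src in ("127.0.0.1", "192.168.0.144", "172.17.0.2", "203.0.113.7", "198.51.100.9"):
        print(src, evaluate([geoip_drop], src), evaluate([accept_local, geoip_drop], src))
```

With only the geoip rule, every local source is dropped; with the local accept rules evaluated first, local traffic passes and the country filter still applies to everything else.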