Setup Collabora server OK, nothing in Nextcloud

Hi,

With my subdomain office.mydom.com, I can discover the XML file:

(…)

It really works here.

But nothing is good on the Nextcloud server:

https://cloud.mydom.com

When I open a document, I get an error message:
…Please Try later

Where can I see the log file for that?

Apache log:
office.error_log: nothing
office.acces_log: no access

docker log: all passed
I use Docker behind a NAT.

Also:
curl -k https://127.0.0.1:9980/loleaflet
returns 404

I use the latest Nextcloud version (17)
PHP 7.1
All tests passed.
Let's Encrypt with *.mydom.com

It’s crazy!

Thanks.

docker logs <container-id>

This is likely to be expected as 127.0.0.1 is a loopback address. It would only work from the server running Collabora. Use your FQDN instead.

Hi,

curl -k https://cloud.mydom.org/loleaflet

In docker logs :
File not found: Invalid URI request: [/loleaflet].| wsd/FileServer.cpp:441

OK there (??) :
https://office.mydom.com/hosting/discovery

Apache conf :
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet

Nextcloud err :
(…) Please Try later

Thanks.

At these URLs:

https://office.mydom.com/loleaflet/dist/admin/adminSettings.html
==> Good! I can see Stats & Param.

https://office.mydom.com/hosting/discovery
==> Good, I can see the XML file

In nextcloud server : https://cloud.mydom.com
Collabora config : https://office.mydom.com:443

When I launch a doc (latest Nextcloud version, 18), after a while, error:
(…) Please try later.

Error logs, in Apache : nothing
Access logs, in Apache : nothing (no access !)

Docker logs instance : Nothing red…

NextCloud logs (graphical) : All right !

The iptables rule on port 9980 works (open).

I read and tested so many things in these threads.
Nothing can be done.

Finally I found a working Collabora Docker config under a NAT / firewall:

-> hosts IP must be local.
-> dns must be local too.

To find LOCAL HOST IP :
hostname -I

To find LOCAL HOST DNS :
cat /etc/resolv.conf

iptables rule:

sudo iptables -t filter -A INPUT -p tcp --dport 9980 -j ACCEPT
sudo iptables -t filter -A OUTPUT -p tcp --dport 9980 -j ACCEPT

Finally, working docker image:
docker ps
docker stop myid
docker rm myid
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=cloud\.mydom\.com' --restart always --cap-add MKNOD --add-host=cloud.mydom.com:192.168.0.144 --add-host=office.mydom.com:192.168.0.144 --dns=192.168.0.1 -e 'username=user' -e 'password=123' collabora/code

If trouble :
service docker restart

So in essence it was a firewall problem?

Yes it was. Maybe this is a working configuration for all kinds of Docker systems.
I also forgot the settings in the server hosts file (the main server, not the docker image):
nano /etc/hosts
127.0.0.1 localhost cloud.mydom.com office.mydom.com

Yes I suppose you could set your host names at the level of the host’s /etc/hosts file. Totally valid. I usually set hostnames at the router level since I’m a lot less likely to forget what I’ve done. I also have cloud and office on physically different VMs so it’s easier for me to set the parameter at the router level. If they are on the same host, modification of /etc/hosts may be easier.

Things I see commonly as errors:

  1. Don’t open firewall ports
  2. Don’t set local resolution of domain names at the /etc/host or router level
  3. Don’t enable kernel packet forwarding.

Thanks for the recommendations!

Do you know why the iptables rule below stops the connection between Nextcloud and Docker?

By default, I need to use this geoip rule for security reasons. It blocks all traffic, except for these country IDs:

sudo iptables -A INPUT -m geoip ! --src-cc FR,DE,BE,CH,US,GB,IE,FI,IT,ES -j DROP

But I must disable this rule to open all docs in Collabora.

Netstat shows only local IPs on the server host (not Docker). Strange?

netstat -np --inet

Does Collabora need to connect to its own server (external IP(s))?
Very strange …

Honestly I’ve never really done a packet capture with Collabora. I never really knew you could write an iptables rule based on country of origin. However you have your rule on the input chain (not output). This would imply you are receiving packets externally.

I’m thinking about my own setup. I have wide open input rules to the Collabora port (just a generic pass all rule which I believe is being controlled by ufw (which definitely isn’t as fine grained as an actual iptables rule)), however at the router level there are no port forwarding rules to allow external access. In fact on my nginx configuration, I only allow LAN IP address access to Nextcloud. All my docs open in Collabora (locally). Perhaps your iptables rule is blocking more than what it should?
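One possible reading of the geoip question above, as an added example that is not part of the thread: a small Python model of first-match iptables evaluation, assuming the GeoIP database assigns no country to loopback, LAN and Docker bridge addresses, so that `! --src-cc` also matches them. The GeoIP table, the sample addresses, the 172.17.0.0/16 bridge subnet, the /24 LAN mask and the "local first" chain are assumptions; the country list and 192.168.0.144 come from the thread.

```python
import ipaddress

# Country list from the rule quoted in the thread.
ALLOWED = {"FR", "DE", "BE", "CH", "US", "GB", "IE", "FI", "IT", "ES"}

# Constructed stand-in for a GeoIP database (documentation ranges only).
# Loopback, LAN and Docker bridge ranges are absent: assumed to have no country.
GEOIP = {"FR": "203.0.113.0/24", "AU": "198.51.100.0/24"}

def country_of(src):
    ip = ipaddress.ip_address(src)
    for cc, net in GEOIP.items():
        if ip in ipaddress.ip_network(net):
            return cc
    return None  # address belongs to no country

def geoip_not_in(allowed):
    # Models "-m geoip ! --src-cc <list>": matches every source that is not
    # inside a listed country, including sources with no country at all.
    return lambda src: country_of(src) not in allowed

def src_in(cidr):
    # Models "-s <cidr>".
    net = ipaddress.ip_network(cidr)
    return lambda src: ipaddress.ip_address(src) in net

def verdict(chain, src, policy="ACCEPT"):
    # First matching rule decides; otherwise the chain policy applies.
    for match, target in chain:
        if match(src):
            return target
    return policy

# INPUT chain with only the geoip rule, as posted.
THREAD_CHAIN = [(geoip_not_in(ALLOWED), "DROP")]

# Hypothetical variant: local sources accepted before the geoip rule.
# 172.17.0.0/16 (Docker default bridge) and the /24 LAN mask are assumptions.
LOCAL_NETS = ["127.0.0.0/8", "192.168.0.0/24", "172.17.0.0/16"]
LOCAL_FIRST_CHAIN = [(src_in(n), "ACCEPT") for n in LOCAL_NETS] + THREAD_CHAIN

def compare(sources):
    return {s: (verdict(THREAD_CHAIN, s), verdict(LOCAL_FIRST_CHAIN, s))
            for s in sources}

if __name__ == "__main__":
    samples = ["172.17.0.2", "192.168.0.144", "127.0.0.1",
               "203.0.113.10", "198.51.100.10"]
    for src, (before, after) in compare(samples).items():
        print(f"{src:15} geoip only: {before:6} local first: {after}")
```

On a real host the loopback exception would normally match on the interface (`-i lo`) rather than on a source range.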