Socket Error when accessing Collabora

I’m using the latest docker image for Collabora and whenever I try to access a document from Nextcloud or access the Collabora admin panel I see the following in the docker logs for the Collabora container:

wsd-00027-00035 15:22:35.166101 [ websrv_poll ] ERR  Socket #20 SSL BIO error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (errno: Success)| ./net/SslSocket.hpp:273
wsd-00027-00035 15:22:35.166184 [ websrv_poll ] ERR  Error while handling poll for socket #20 in websrv_poll: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request| ./net/Socket.hpp:474

The nextcloud log file shows this at the same time:

{"reqId":"6eMiK9X7EnshEIGDWMxw","level":3,"time":"2017-10-18T15:20:34+00:00","remoteAddr":"172.18.0.2","user":"<redacted>","app":"richdocuments","method":"GET","url":"\/index.php\/apps\/richdocuments\/index?fileId=201460&requesttoken=YlAK2j7fZJvmX7yH5R6shxSgkGNdwKj1xpHZd4LrLUA%3D%3AGyhk6H2xAdyQONC%2FtHj93kGTvyYZotqP8aCbObWtSCI%3D","message":"Exception: {\"Exception\":\"GuzzleHttp\\\\Exception\\\\ServerException\",\"Message\":\"Server error response [url] https:\\\/\\\/<redacted>\\\/hosting\\\/discovery [status code] 502 [reason phrase] Proxy Error\",\"Code\":502,\"Trace\":\"#0 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Subscriber\\\/HttpError.php(32): GuzzleHttp\\\\Exception\\\\RequestException::create(Object(GuzzleHttp\\\\Message\\\\Request), Object(GuzzleHttp\\\\Message\\\\Response))\\n#1 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Event\\\/Emitter.php(108): GuzzleHttp\\\\Subscriber\\\\HttpError->onComplete(Object(GuzzleHttp\\\\Event\\\\CompleteEvent), 'complete')\\n#2 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(91): GuzzleHttp\\\\Event\\\\Emitter->emit('complete', Object(GuzzleHttp\\\\Event\\\\CompleteEvent))\\n#3 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(132): GuzzleHttp\\\\RequestFsm->__invoke(Object(GuzzleHttp\\\\Transaction))\\n#4 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/react\\\/promise\\\/src\\\/FulfilledPromise.php(25): GuzzleHttp\\\\RequestFsm->GuzzleHttp\\\\{closure}(Array)\\n#5 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/ringphp\\\/src\\\/Future\\\/CompletedFutureValue.php(55): React\\\\Promise\\\\FulfilledPromise->then(Object(Closure), NULL, NULL)\\n#6 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Message\\\/FutureResponse.php(43): GuzzleHttp\\\\Ring\\\\Future\\\\CompletedFutureValue->then(Object(Closure), NULL, NULL)\\n#7 
\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/RequestFsm.php(134): GuzzleHttp\\\\Message\\\\FutureResponse::proxy(Object(GuzzleHttp\\\\Ring\\\\Future\\\\CompletedFutureArray), Object(Closure))\\n#8 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Client.php(165): GuzzleHttp\\\\RequestFsm->__invoke(Object(GuzzleHttp\\\\Transaction))\\n#9 \\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Client.php(125): GuzzleHttp\\\\Client->send(Object(GuzzleHttp\\\\Message\\\\Request))\\n#10 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Http\\\/Client\\\/Client.php(138): GuzzleHttp\\\\Client->get('https:\\\/\\\/office....', Array)\\n#11 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/WOPI\\\/DiscoveryManager.php(84): OC\\\\Http\\\\Client\\\\Client->get('https:\\\/\\\/office....')\\n#12 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/WOPI\\\/Parser.php(41): OCA\\\\Richdocuments\\\\WOPI\\\\DiscoveryManager->get()\\n#13 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/TokenManager.php(117): OCA\\\\Richdocuments\\\\WOPI\\\\Parser->getUrlSrc('application\\\/vnd...')\\n#14 \\\/var\\\/www\\\/nextcloud\\\/apps\\\/richdocuments\\\/lib\\\/Controller\\\/DocumentController.php(168): OCA\\\\Richdocuments\\\\TokenManager->getToken(*** sensitive parameters replaced ***)\\n#15 [internal function]: OCA\\\\Richdocuments\\\\Controller\\\\DocumentController->index('201460')\\n#16 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(160): call_user_func_array(Array, Array)\\n#17 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(90): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Richdocuments\\\\Controller\\\\DocumentController), 'index')\\n#18 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(114): 
OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Richdocuments\\\\Controller\\\\DocumentController), 'index')\\n#19 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main('OCA\\\\\\\\Richdocumen...', 'index', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer), Array)\\n#20 [internal function]: OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke(Array)\\n#21 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(299): call_user_func(Object(OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler), Array)\\n#22 \\\/var\\\/www\\\/nextcloud\\\/lib\\\/base.php(1004): OC\\\\Route\\\\Router->match('\\\/apps\\\/richdocum...')\\n#23 \\\/var\\\/www\\\/nextcloud\\\/index.php(48): OC::handleRequest()\\n#24 {main}\",\"File\":\"\\\/var\\\/www\\\/nextcloud\\\/3rdparty\\\/guzzlehttp\\\/guzzle\\\/src\\\/Exception\\\/RequestException.php\",\"Line\":89}","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko\/20100101 Firefox\/56.0","version":"12.0.3.3"}

Nextcloud is working fine and my Apache proxy is working fine using SSL for everything else.

My virtualhost config is:

<VirtualHost *:80>
        ServerName <redacted>
        Redirect permanent / https://<redacted>/
</VirtualHost>
<VirtualHost *:443>
        ServerName <redacted>

        Include conf-available/ssl.conf

        # Encoded slashes need to be allowed
        AllowEncodedSlashes NoDecode

        SSLProxyVerify None
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        ProxyPreserveHost On

        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass /loleaflet http://office:9980/loleaflet retry=0
        ProxyPassReverse /loleaflet http://office:9980/loleaflet

        # WOPI discovery URL
        ProxyPass /hosting/discovery http://office:9980/hosting/discovery retry=0
        ProxyPassReverse /hosting/discovery http://office:9980/hosting/discovery

        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://office:9980/lool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass /lool/adminws wss://office:9980/lool/adminws

        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass /lool http://office:9980/lool
        ProxyPassReverse /lool http://office:9980/lool
</VirtualHost>

office is the hostname of the Collabora container and is pingable from the proxy container. The docker-compose.yml is:

version: '2'

services:
    office:
        image: collabora/code
        container_name: office
        restart: always
        expose:
          - "9980"
        volumes:
          - ./site.conf:/etc/apache2/sites-available/<redacted>.conf
          - ./site.conf:/etc/apache2/sites-enabled/<redacted>.conf
        environment:
          - domain=<redacted>
          - server_name=<redacted>
          - username=<redacted>
          - password=<redacted>
        networks:
          - web
        security_opt:
          - seccomp:unconfined
        cap_add:
          - MKNOD
          - SYS_CHROOT
          - FOWNER

networks:
    web:
        external: true

Any ideas?

[edit] Additional point: the install guide talks about setting up a simple virtual host config file on the Collabora server itself in addition to the proxy config. This is the site.conf file in the docker-compose.yml. It is simply:

<VirtualHost *:9980>
    ServerName <redacted>
</VirtualHost>

The proxy error log shows:

[Wed Oct 18 15:44:39.404658 2017] [proxy_http:error] [pid 81:tid 140580982023936] (20014)Internal error: [client 94.31.37.98:58511] AH01102: error reading status line from remote server office:9980
[Wed Oct 18 15:44:39.404697 2017] [proxy:error] [pid 81:tid 140580982023936] [client 94.31.37.98:58511] AH00898: Error reading from remote server returned by /loleaflet/dist/admin/admin.html

Bump. Anyone?

I believe the problem is that you proxy HTTPS traffic to an HTTP socket.
So if your virtual host listens on 443, then Collabora should also listen on a secured connection (https://office:9443 for example).

Here’s a diagram of the network structure I have. Everything outside of Docker is https and comes in through the proxy. The application containers all run on http inside a docker network.

Are you suggesting that the Nextcloud container should talk to Collabora via the https://office.tld.com end point instead of the internal office:9980 end point?

Incidentally, the Collabora Online settings in Nextcloud are pointed at https://office.tld.com

For me this:
SSL routines:SSL23_GET_CLIENT_HELLO:http request
reads like there is some mix up of HTTP and HTTPS traffic. So probably a proxy issue.

However, afaik Nextcloud doesn’t allow loading unsecured web content when Nextcloud itself uses HTTPS. So you should make sure you use a secured connection to Collabora when including it in Nextcloud.

Can you successfully access https://office.tld.com with your browser?

https://office.tld.com gives me a directory listing containing the "html" directory. Clicking on that directory provides the default Apache landing page. Should probably lock that down. :wink:

https://office.tld.com/lool/ gives me this:

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /lool.

Reason: Error reading from remote server

Each time I access that url it gives:

office    | wsd-00027-00035 14:38:03.284708 [ websrv_poll ] ERR  Socket #20 SSL BIO error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (errno: Success)| ./net/SslSocket.hpp:273
office    | wsd-00027-00035 14:38:03.284792 [ websrv_poll ] ERR  Error while handling poll for socket #20 in websrv_poll: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request| ./net/Socket.hpp:474

in the container logs.

Why is Collabora even running SSL routines? The proxy is connecting to it with http. Is there some Collabora config that I’m missing?

But the port to the outside is 443 and this port tells the browser to initiate a secured connection with SSL. This HTTPS request from the browser is forwarded to the web server, which awaits HTTP traffic on a port for non-secured connections.

It’s probably working if you forward port 80 from the router through the proxy to cloud:80 and office:9980

This scheme works with every other container, including Nextcloud itself. The proxy provides the SSL termination point. The proxy forwards the data packets to the office container using http, not https. Remember, the proxy is not a tunnel. It decrypts the data packets before sending them on.

The proxy is explicitly configured to redirect http connections to the https site as I don’t want to allow unsecured traffic on the external interface.

ok, I’ve managed to increase the logging level on the proxy and I think this confirms that the proxy is not the problem:

[Fri Oct 27 10:18:48.025339 2017] [ssl:debug] [pid 83:tid 140672803735296] ssl_engine_kernel.c(1911): [client 94.31.37.98:51612] AH02043: SSL virtual host for servername office.tld.com found
[Fri Oct 27 10:18:48.033122 2017] [ssl:debug] [pid 83:tid 140672803735296] ssl_engine_kernel.c(1844): [client 94.31.37.98:51612] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Fri Oct 27 10:18:48.033808 2017] [ssl:debug] [pid 83:tid 140672803735296] ssl_engine_kernel.c(222): [client 94.31.37.98:51612] AH02034: Initial (No.1) HTTPS request received for child 83 (server office.tld.com:443)
[Fri Oct 27 10:18:48.033840 2017] [authz_core:debug] [pid 83:tid 140672803735296] mod_authz_core.c(828): [client 94.31.37.98:51612] AH01628: authorization result: granted (no directives)
[Fri Oct 27 10:18:48.033882 2017] [proxy:debug] [pid 83:tid 140672803735296] mod_proxy.c(1104): [client 94.31.37.98:51612] AH01143: Running scheme http handler (attempt 0)
[Fri Oct 27 10:18:48.033894 2017] [proxy:debug] [pid 83:tid 140672803735296] proxy_util.c(2020): AH00942: HTTP: has acquired connection for (office)
[Fri Oct 27 10:18:48.033903 2017] [proxy:debug] [pid 83:tid 140672803735296] proxy_util.c(2072): [client 94.31.37.98:51612] AH00944: connecting http://office:9980/lool to office:9980
[Fri Oct 27 10:18:48.033915 2017] [proxy:debug] [pid 83:tid 140672803735296] proxy_util.c(2206): [client 94.31.37.98:51612] AH00947: connected /lool to office:9980
[Fri Oct 27 10:18:48.034017 2017] [proxy:debug] [pid 83:tid 140672803735296] proxy_util.c(2610): AH00962: HTTP: connection complete to 172.18.0.9:9980 (office)
[Fri Oct 27 10:18:48.034272 2017] [proxy_http:error] [pid 83:tid 140672803735296] (20014)Internal error: [client 94.31.37.98:51612] AH01102: error reading status line from remote server office:9980
[Fri Oct 27 10:18:48.034297 2017] [proxy_http:debug] [pid 83:tid 140672803735296] mod_proxy_http.c(1364): [client 94.31.37.98:51612] AH01105: NOT Closing connection to client although reading from backend server office:9980 failed.
[Fri Oct 27 10:18:48.034307 2017] [proxy:error] [pid 83:tid 140672803735296] [client 94.31.37.98:51612] AH00898: Error reading from remote server returned by /lool
[Fri Oct 27 10:18:48.034337 2017] [proxy:debug] [pid 83:tid 140672803735296] proxy_util.c(2035): AH00943: HTTP: has released connection for (office)

ok, so I created a base ubuntu container hooked up to the docker network and ran:

wget office:9980/lool

Which results in:

--2017-10-27 12:32:29--  http://office:9980/lool
Resolving office (office)... 172.18.0.9
Connecting to office (office)|172.18.0.9|:9980... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

At the same time, I got the familiar output in the CODE logs:

office    | wsd-00027-00036 12:46:19.371693 [ websrv_poll ] ERR  Socket #21 SSL BIO error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request (errno: Success)| ./net/SslSocket.hpp:273
office    | wsd-00027-00036 12:46:19.371772 [ websrv_poll ] ERR  Error while handling poll for socket #21 in websrv_poll: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request| ./net/Socket.hpp:474

I get the same thing trying to access:

office:9980/lool/adminws

OK, solved it. There are two things that need to be changed:

  1. /etc/loolwsd/loolwsd.xml in the office container needs to be edited to turn off SSL.
  2. The proxy configuration needs to be modified to use “ws://” not “wss://”.
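
A lint for the scheme mismatch fixed above, as an added example that is not part of the original posts: it groups ProxyPass and ProxyPassMatch targets by backend and flags any backend addressed with both plaintext (http, ws) and TLS (https, wss) schemes. The sample input is constructed from the virtual host posted earlier in the thread; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the proxy directives from the virtual host posted above.
VHOST = """\
ProxyPass /loleaflet http://office:9980/loleaflet retry=0
ProxyPassReverse /loleaflet http://office:9980/loleaflet
ProxyPass /hosting/discovery http://office:9980/hosting/discovery retry=0
ProxyPassMatch "/lool/(.*)/ws$" wss://office:9980/lool/$1/ws nocanon
ProxyPass /lool/adminws wss://office:9980/lool/adminws
ProxyPass /lool http://office:9980/lool
"""

TLS_SCHEMES = {"https", "wss"}
PLAIN_SCHEMES = {"http", "ws"}
# Directive, path (quoted or bare), then scheme://host[:port] of the target.
DIRECTIVE = re.compile(
    r'^\s*(ProxyPass|ProxyPassMatch)\s+("[^"]+"|\S+)\s+(\w+)://([^/\s]+)', re.I)

def backend_schemes(conf):
    """Map each backend host:port to the set of schemes the proxy uses for it."""
    seen = defaultdict(set)
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip commented-out directives
        m = DIRECTIVE.match(line)
        if m:
            seen[m.group(4).lower()].add(m.group(3).lower())
    return dict(seen)

def mixed_backends(conf):
    """Return backends reached with both plaintext and TLS schemes."""
    return {b: sorted(s) for b, s in backend_schemes(conf).items()
            if s & TLS_SCHEMES and s & PLAIN_SCHEMES}

if __name__ == "__main__":
    for backend, schemes in mixed_backends(VHOST).items():
        print(f"{backend}: mixed schemes {schemes}; "
              "one listener speaks TLS or plaintext, not both")
```

A clean result only means the proxy is consistent with itself; whether the backend listener actually expects TLS or plaintext still has to match, which is what the loolwsd.xml change settles.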

Hello, I have the same configuration, but I still have the same problem that you have reported.

How did you edit “/etc/loolwsd/loolwsd.xml” ?

I just got mine to work with system wide nginx install reverse proxying out nextcloud and collabora. I had the same issues described here and found Banjo’s post helpful.

I have both nextcloud and collabora setup via docker-compose (I’m a bit of a docker noob so pardon me if there is an easier way).

Basic overview:

  1. Standup nexus docker (not going over this)
  2. Standup collabora docker (docker-compose.yml below)
  3. Copy the loolwsd.xml from the docker’s environment to your local machine to customize. (I ran an interactive shell on the office container, but I think you can just exec a copy command as well)
  4. Modify the loolwsd.xml to turn off SSL (my ssl proxy is the termination, so http after that point) per Banjo’s post.
  5. Modify my nginx config for collabora to include examples from #2 nginx reverse proxy termination
  6. Change the nginx config to proxy the http://localhost not https:.
  7. restart nginx
  8. test you have fully signed https working (you should get text “ok”).
  9. Setup the https://collabora.tld.com url in nextcloud, not http://foo:9980 like the examples show.
  10. test by clicking on an office document in nextcloud (should open up collabora editor)

My docker-compose.yml:

version: '2'

services:
    office:
        image: collabora/code
        container_name: office
        restart: always
        ports:
          - 127.0.0.1:9980:9980
        volumes:
          - ./loolwsd.xml:/etc/loolwsd/loolwsd.xml
        environment:
          - domain=nextcloud_subdomain.tld.com
          - server_name=collabora_subdomain.tld.com
          - username=myadmin
          - password=mysecretpaassword
        security_opt:
          - seccomp:unconfined
        cap_add:
          - MKNOD
          - SYS_CHROOT
          - FOWNER

I hope this helps the next guy!

I also just now saw this post with options to turn off SSL; I believe you should be able to incorporate the options directly in the docker-compose.yml file so you can skip the copying of loolwsd.xml etc… https://www.collaboraoffice.com/code/quick-tryout-nextcloud-docker/
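
One way to make the loolwsd.xml change described in the steps above, as an added example that is not from any poster or from Collabora: it sets ssl/enable to false and ssl/termination to true in a copy of the file. The thread only says to turn SSL off; the termination flag, the element layout and the function names are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment; element names and layout are assumed to match the
# <ssl> section of the image's /etc/loolwsd/loolwsd.xml.
SAMPLE = """<config>
  <ssl desc="SSL settings">
    <enable type="bool" default="true">true</enable>
    <termination type="bool" default="true">false</termination>
  </ssl>
</config>"""

def ssl_state(root):
    """Return (enable, termination) as text; None marks a missing element."""
    return tuple(root.findtext(f"ssl/{name}") for name in ("enable", "termination"))

def terminate_tls_at_proxy(xml_text):
    """Set ssl/enable=false and ssl/termination=true; return the new XML text."""
    root = ET.fromstring(xml_text)
    wanted = {"enable": "false", "termination": "true"}
    for name, value in wanted.items():
        node = root.find(f"ssl/{name}")
        if node is None:
            # Refuse to guess when the file does not look as assumed.
            raise ValueError(f"ssl/{name} not found; layout differs from assumption")
        node.text = value
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    before = ssl_state(ET.fromstring(SAMPLE))
    after = ssl_state(ET.fromstring(terminate_tls_at_proxy(SAMPLE)))
    print("before:", before, "after:", after)
```

ElementTree drops XML comments when it parses, so keep the original file alongside the rewritten copy. With SSL off, port 9980 carries plaintext, so it should stay reachable only from the proxy, as the `127.0.0.1:9980:9980` binding in the compose file above does.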