[Solved] 502 error with Collabora on Apache

Hi!

I’ve tried to get Collabora to work on Apache for 3 days, following the official guide (https://nextcloud.com/collaboraonline/). I encountered some issues because of my self-signed certificates, but I think I managed to get through.

However, I keep getting this error when clicking on the Nextcloud app:

Collabora en ligne, erreur inconnue : Server error response [url] https://office.(mydomain)/hosting/discovery [status code] 502 [reason phrase] Proxy Error Merci de contacter l'administrateur de "https://office.(mydomain)".

I’ve triple-checked my virtual host conf file:

<VirtualHost *:443>
ServerName office.(mydomain)
ServerAdmin benoit.reyt@(mydomain)

SSLEngine On
SSLCertificateFile /home/apache2/ssl/office.crt
SSLCertificateKeyFile /home/apache2/ssl/apache.pem
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder On
    
# Encoded slashes need to be allowed
AllowEncodedSlashes On

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
#SSLVerifyClient None

# Keep the host
ProxyPreserveHost On

# Static html, js, images, etc., served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass               /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse        /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass               /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse        /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws

# Admin console websocket
ProxyPass               /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass               /lool https://127.0.0.1:9980/lool
ProxyPassReverse        /lool https://127.0.0.1:9980/lool

ErrorLog /var/log/apache2/office-error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel trace6

CustomLog /var/log/apache2/office-access.log combined
</VirtualHost>

It seems to me that it matches the guide…

I only see 4 lines in the Apache error log that seem related to the issue:

[proxy_http:error] [pid 28263] (103)Software caused connection abort: [client 127.0.0.1:33372] AH01102: error reading status line from remote server 127.0.0.1:9980
[proxy_http:debug] [pid 28263] mod_proxy_http.c(1372): [client 127.0.0.1:33372] AH01105: NOT Closing connection to client although reading from backend server 127.0.0.1:9980 failed.
[proxy:error] [pid 28263] [client 127.0.0.1:33372] AH00898: Error reading from remote server returned by /hosting/discovery
[ssl:trace4] [pid 28263] ssl_engine_io.c(2065): [client 127.0.0.1:33372] OpenSSL: I/O error, 5 bytes expected to read on BIO#80775890 [mem: 80870c6b]

I’ve tried to set up a no-SSL virtual host to “fix” the OpenSSL-related line, but the first three lines remained.

When pointing my browser to https://office.(mydomain)/hosting/discovery, the errors seem the same:

Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /hosting/discovery.
Reason: Error reading from remote server

Where should I look to debug this?
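Added example, not part of the original post or of the Collabora guide: the vhost above switches off upstream certificate checks (`SSLProxyVerify None`, `SSLProxyCheckPeerCN Off`, `SSLProxyCheckPeerName Off`), which is only reasonable while every backend stays on loopback. This lint reads a vhost on stdin and reports TLS backends that are not. The sample config and the host `collabora.example.internal` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Prints every https/wss backend that is
# not on loopback when upstream certificate verification is disabled.
lint_proxy_tls() {
    awk '
        { d = tolower($1) }
        d == "sslproxyverify" && tolower($2) == "none" { weak = 1 }
        (d == "sslproxycheckpeercn" || d == "sslproxycheckpeername") && tolower($2) == "off" { weak = 1 }
        d == "proxypass" || d == "proxypassmatch" {
            url = $3
            if (url !~ /^(https|wss):\/\//) next      # plain-HTTP backend: no TLS to verify
            host = url
            sub(/^[a-z]+:\/\//, "", host)              # drop the scheme
            if (host ~ /^\[/) sub(/\].*$/, "]", host)  # IPv6 literal: keep [addr]
            else sub(/[\/:].*$/, "", host)             # drop :port and path
            if (host !~ /^(127\.[0-9.]+|localhost|\[::1\])$/) bad[++n] = host
        }
        END {
            if (weak)
                for (i = 1; i <= n; i++)
                    print "unverified non-loopback backend: " bad[i]
        }
    '
}

# Constructed sample: directives from the thread plus one hypothetical remote backend.
sample_vhost() {
    cat <<'EOF'
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws
ProxyPass /lool https://collabora.example.internal:9980/lool
EOF
}

sample_vhost | lint_proxy_tls
```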

I have the exact same issue, except I’m using a certificate signed by “Let’s Encrypt”. Were you able to resolve it?

Unfortunately not.

As you can see on this thread, it doesn’t seem to be a frequent issue, and I was not able to find anything more helpful around the web.

I tried two more things:

  • upgrading to Collabora 2;
  • adding my Nextcloud and Collabora self-signed certs to nextcloud/resources/config/ca-bundle.crt.

But I still got the exact same result.

I can understand there’s an SSL issue, but I’m not skilled enough with SSL and Apache proxying to debug and solve it.

I’m thinking about trying an nginx server…

Actually, I don’t think it’s SSL, unless you have some additional errors related to the self-signed cert (but I’m not an expert either).
I was able to solve my issue - it was a firewall. I run “shorewall” and it was blocking traffic to/from Docker. Docker created its own bridge “docker0” with a private IP in the 172.xx.xxx.xxx range. I use 192.xxx for my local network. Since 172/docker0 was not recognized as local traffic, it was blocked (as it should be). The solution was to create a policy allowing traffic to/from FW <-> docker.
In case you’re using shorewall, here are the steps (again, I’m not an expert, so this may not be the best way to fix it):
in interfaces:
dock docker0

in zones add:
dock ipv4

in policy:
dock all ACCEPT
$FW dock ACCEPT

Hope this helps

Many thanks for sharing that.

I’m pretty sure I’m not using any firewall on my server; but I’ll check my interfaces.

Maybe late, but I had a functioning collabora/code and some update stopped it from working; whether it was a Collabora or a Nextcloud update, I’m not sure.

But as OP posted the virtual host config, I noticed some differences which made it work for me.

Maybe someone with a 502 error or the “This is embarrassing” message can confirm this solution.

In your virtual host file for the Apache that serves your collabora/code

change

# Encoded slashes need to be allowed
AllowEncodedSlashes On

to

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

and

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws

to

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

This loaded my documents again :) Hope this helps you too.

It finally works!

The main issue was that the Docker image was endlessly restarting, so Collabora wasn’t up. It was because of my 32-bit Ubuntu Server setup! The Collabora image is only meant for the 64-bit version.

I had to make a fresh install of Ubuntu Server 16.04.2 LTS to install the 64-bit Docker version, and so Collabora went up. I just had to complete the Nextcloud configuration by adding my self-signed CA certificate to Nextcloud’s bundle.

Yes, great to mention it’s only 64-bit. Also, I think you’re the first to mention this. This was my first problem as well, and for newbies to Docker there is no information about the minimum system requirements for collabora/code.

Nowadays they simply assume everyone is on 64-bit, while the 32-bit Docker happily downloads collabora/code without error and it looks like it’s working, but it never really starts.
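Added example, not written by any poster in this thread: the check the thread converged on, a collabora/code container stuck restarting on a 32-bit host. It parses the output of `docker ps -a --format '{{.Image}}\t{{.Status}}'` and a `uname -m` value. The sample rows, the `nextcloud:11` image and the exit code 139 are constructed.

```shell
#!/bin/sh
# Added example; sample input is constructed.
# stdin: rows of Image<TAB>Status. Prints "<state> <exit-code or ->" for each
# collabora/code container.
collabora_state() {
    awk -F '\t' '
        $1 ~ /^collabora\/code(:|$)/ {
            state = "other"; code = "-"
            if ($2 ~ /^Up /) state = "up"
            else if ($2 ~ /^Restarting \(/) state = "restart-loop"
            else if ($2 ~ /^Exited \(/) state = "exited"
            if (match($2, /\([0-9]+\)/)) code = substr($2, RSTART + 1, RLENGTH - 2)
            print state, code
        }
    '
}

# Maps a `uname -m` value to 64, 32 or unknown.
arch_bits() {
    case "$1" in
        x86_64|amd64|aarch64|arm64) echo 64 ;;
        i?86|armv6l|armv7l) echo 32 ;;
        *) echo unknown ;;
    esac
}

# diagnose ARCH  (docker ps rows on stdin) -> one-line verdict
diagnose() {
    bits=$(arch_bits "$1")
    set -- $(collabora_state | head -n 1)
    case "$1:$bits" in
        :*)   echo "no collabora/code container found" ;;
        up:*) echo "container up: look at proxy config or a firewall on docker0" ;;
        *:32) echo "container $1 (exit $2) on a 32-bit host: image needs 64-bit" ;;
        *)    echo "container $1 (exit $2): read the container logs" ;;
    esac
}

# Constructed sample rows (Image<TAB>Status).
sample_ps() {
    printf 'nextcloud:11\tUp 3 days\n'
    printf 'collabora/code\tRestarting (139) 4 seconds ago\n'
}

sample_ps | diagnose i686
```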