[Solved] Collabora & nextcloud on separate hosts (ubuntu & pi)

Hello @arbras
I don’t know much about apache configuration.
Also, I’m not sure why the configuration is divided into blocks in the post.
From what I see, I find it strange that the port number is given in the ServerName (see here).
Collabora is not intended to be used directly. I tried to access https://mlydesk.hopto.org/hosting/discovery but I get an error 404. I’m supposed to get an XML with a list of APIs.
You might want to check your configuration, unless the container is not running.
About the certificate warning: I have tested https://mlydesk.hopto.org and I saw the certificate used has been generated for mlynuage.hopto.org instead.

Maybe you missed the command line when you requested your certificate,
or
maybe I have introduced an ambiguity in my last post.
You need an SSL certificate for every domain you use in https if you don’t want to deal with warnings all the time,
but this doesn’t mean you have to use 1 certificate per domain.
1 certificate can be signed for many domains;
actually I use 1 certificate for 5 domains (mostly subdomains).
I just added more domains to my certbot command line when I requested a certificate from Let’s Encrypt.
…that’s not industrial good practice of course…

I’m also able to access your nextcloud server using both
https://mlydesk.hopto.org
and
https://mlynuage.hopto.org
Unless you have a dual instance, I strongly suggest you double-check your apache2 configuration.
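The two checks in the post above (does the served certificate actually cover the Collabora domain, and does /hosting/discovery return a usable WOPI document) can be reproduced offline. This is an added example, not code from the thread: the SAN lists and the discovery document are constructed samples in the shape loolwsd returns, and the loleaflet path in it is a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def hostname_matches(hostname, san_names):
    """True if one of the certificate's Subject Alternative Names covers hostname.
    Rules: case-insensitive exact match, or a wildcard in the leftmost label only,
    which matches exactly one label and never the registrable domain itself."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host) or labels[1:] != host[1:]:
            continue
        if labels[0] == host[0] or (labels[0] == "*" and len(labels) > 2):
            return True
    return False


# Constructed discovery document (trimmed to two actions); a real one lists
# every mime type the server can edit. The version path is a placeholder.
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-https">
    <app name="application/vnd.oasis.opendocument.text">
      <action default="true" ext="odt" name="edit"
              urlsrc="https://mlydesk.hopto.org/loleaflet/dist/loleaflet.html?"/>
    </app>
    <app name="application/vnd.oasis.opendocument.spreadsheet">
      <action default="true" ext="ods" name="edit"
              urlsrc="https://mlydesk.hopto.org/loleaflet/dist/loleaflet.html?"/>
    </app>
  </net-zone>
</wopi-discovery>
"""


def parse_discovery(xml_text):
    """Map file extension -> urlsrc for every action in a WOPI discovery document."""
    root = ET.fromstring(xml_text)
    return {action.get("ext"): action.get("urlsrc") for action in root.iter("action")}


def check_collabora_endpoint(expected_host, san_names, xml_text):
    """Combine both checks: the cert must cover the Collabora domain, and every
    discovery urlsrc must point back at that public domain (the reverse proxy),
    not at the container's internal address. Returns a list of problems."""
    problems = []
    if not hostname_matches(expected_host, san_names):
        problems.append("certificate does not cover %s (SANs: %s)"
                        % (expected_host, ", ".join(san_names)))
    for ext, urlsrc in parse_discovery(xml_text).items():
        host = urlsplit(urlsrc).hostname
        if host != expected_host:
            problems.append("discovery urlsrc for .%s points at %s, not %s"
                            % (ext, host, expected_host))
    return problems
```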

Thanks for your answer :slight_smile: …Let me establish a precise point!

Situation regarding the requirements you mentioned:
1. One domain for nextcloud => mlynuage.hopto.org
2. One domain for collabora => mlydesk.hopto.org
3. Certificate for Dom1 & 2: yes, but… given that all traffic on 443 is forwarded to the rasppi, I installed a standalone certificate on the host running collabora, following the advice of Ark74, previously in this post. It’s the reason why you encounter that situation: “You might want to check your configuration, unless the container is not running. About the certificate warning: I have tested https://mlydesk.hopto.org and I saw the certificate used has been generated for mlynuage.hopto.org instead.” Host2 is not in direct contact with the internet, so I guess it is the reason why the certificate check fails, but it should be made through the reverse proxy config (in which I indicate the path to the certificate).
4. Static IP for host1 & 2: done. I have static IPs fixed with my router (192.168.1.45 for the pi, 192.168.1.55 for the collabora server host).
5. Properly configured Network address translation (NAT) on your ISP router: port 80 (http) &/or port 443 (https) translated to host1 (you can skip port 80 if you intend to use ONLY https) => ok
6. A working Apache2 service

Besides, Collabora is correctly running, checked by the command “docker ps”. I think most of the problem comes from the configuration of the reverse proxy. I made a copy of the file given in the official tutorial, adapting it to my situation. I must check it is installed on host1, not host2. The reason for the 2 blocks is just a matter of a bad copy/paste.
Concerning the certificates, using 1 certificate for both domains could be the solution, although it is not good practice.
Lastly, the reason why you could access nextcloud with mlydesk.hopto.org is because I added it a few days ago in config.php of nextcloud for a test. I will remove it.

ok :thumbsup:

I’m not sure if I understand correctly.
Basically you put the cert for DOM1 on host1 and the cert for DOM2 on host2?
If this is the case, this is not a proper configuration for this architecture.
Basically your Raspberry has to handle everything coming from and going to the internet (regarding DOM1 & DOM2 only, of course).
From the point of view of the Internet, you have one and only one server that serves everything.
That’s what the proxy is used for. It’s an intermediate service that hides the real server and manages it itself. What it does is basically (of course it’s more complicated than that):

  • get the request URL from the internet
  • convert it and send it to the correct server (it doesn’t care about the cert…)
  • get the response from the server
  • convert it as if it was its own and send it back to the internet

That’s why the certs for DOM1 & DOM2 must be installed & served by the Raspberry for the respective VirtualHost.
You might already know this, I just want to be clear about the underlying concepts in place here.

ok :thumbsup:

ok :thumbsup:

ok :thumbsup:

Please also check that collabora is properly running inside the container itself.
Look with docker logs <docker_id or docker_name>

ok :thumbsup:

Thanks for the explanation. To sum up, what I have to do, if I understood correctly :slight_smile:

  • remove the current certificate of DOM1 in order to get a new certificate for both Dom 1 & 2 (with something like “sudo ./letsencrypt-auto --apache -d dom1 -d www.dom2”)

  • create a vhost on host1 (/etc/apache2/sites-available/libreoffice.conf), referring to host2 & Dom2;
    something like this:

    <VirtualHost *:443>
        ServerName mlydesk.hopto.org:443

        # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/mlydesk.hopto.org/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mlydesk.hopto.org/chain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mlydesk.hopto.org/privkey.pem
        SSLProtocol             all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder     on

        # Encoded slashes need to be allowed
        AllowEncodedSlashes NoDecode

        # Container uses a unique non-signed certificate
        SSLProxyEngine On
        SSLProxyVerify None
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        # keep the host
        ProxyPreserveHost On

        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass           /loleaflet https://mlydesk.hopto.org:9980/loleaflet retry=0
        ProxyPassReverse    /loleaflet https://mlydesk.hopto.org:9980/loleaflet

        # WOPI discovery URL
        ProxyPass           /hosting/discovery https://mlydesk.hopto.org:9980/hosting/discovery retry=0
        ProxyPassReverse    /hosting/discovery https://mlydesk.hopto.org:9980/hosting/discovery

        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://mlydesk.hopto.org:9980/lool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass   /lool/adminws wss://mlydesk.hopto.org:9980/lool/adminws

        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass           /lool https://mlydesk.hopto.org:9980/lool
        ProxyPassReverse    /lool https://mlydesk.hopto.org:9980/lool
    </VirtualHost>


Is it coherent?
thanks a lot,

Eric

The proxy works between the docker image and apache (hence localhost or 127.0.0.1); the box with the docker image needs to set up the apache proxy for itself.
The other machine/host has nothing to do on this setup.

So ProxyPass is wrong.
It has to be 127.0.0.1

Thanks Ark74 for your contribution!
So if I keep 127.0.0.1 in the proxy config, is the rest correct? (I’m not sure I properly understand your remark.)

Yeah, just copy-paste from here: https://www.collaboraoffice.com/code/
The part that says:
## Setting up Apache 2 reverse proxy

(Just change the domain name.)

This is totally what i meant :thumbsup:
(but you can stay with 2 separate certificates if you want - your call)
In fact I’m using a very, very similar setup at home, and it works great!!

aaaalmost… you need to keep host2’s IP in all the ProxyPass, ProxyPassReverse & ProxyPassMatch directives or your data won’t go anywhere. (That would be like asking someone for your destination but all he answers is your destination’s name, not really helpful.) ==> the proxy must know the “real” way.
And in ServerName mlydesk.hopto.org:443 I think you can remove the :443 because it’s already given in <VirtualHost *:443>

not in this case, it’s Host2’s IP (where the container is located)

Regards
Aal.

I’m talking about the office box.

Office Box
Domain + SSL Cert → of1.domain.com
Docker
Apache (SSL) + Proxy (127.0.0.1)

Nextcloud Box
Domain + SSL Cert → nc1.domain.com
Apache (SSL)

You allow any nextcloud box/domain on the Office box by running docker with the domain prefix
'domain=nc1\\.domain\\.com\|other\\.nexcloud\\.com'

That’s it :slight_smile:

I’m not even sure we’re speaking about the same use case here. :confused:

What you’re suggesting is a dual NAT of TCP 443 to his office box and Nextcloud box => this is not feasible in this case :anguished: ==> that’s why the certificate is bad when trying to access his collabora (dom2) in https: it serves the nextcloud domain (dom1) instead because TCP 443 is NATed to the nextcloud box (host1) :sweat:

The point is, from my understanding of @arbras’s needs,

  • he is self-hosting his nextcloud and collabora and has limited routing capabilities because of his ISP’s router and Dynamic DNS service.
  • A standard ISP router will not be able to NAT TCP 443 (https) and 80 (http) to more than one host in its LAN (otherwise, if it could choose the target host by domain… it would be a proxy!)
  • As he wants to use his nextcloud and collabora from the internet in a secure way (https), he is limited to serving everything from only one host, which should be the main https server ==> his Raspberry Pi (host1), and therefore put the reverse proxy on the Raspberry.

I have explained myself; I leave @arbras to choose what configuration he wants. :zipper_mouth:
regards :slight_smile:
Aal.

Oh, i see.
Ok. :laughing:

As I’m currently working on the configuration you’re proposing, @aalaesar, I will go on with it for the moment. (But the other solution may not be impossible.)
I also put the reverse proxy on the Raspberry (host1) by creating the libreoffice.conf file as mentioned previously. I tried to create a new certificate for dom2 but I had an error message in the process, due to incorrect SSL config in the reverse proxy, as far as I understand this message:

sudo ./letsencrypt-auto --apache -d mlydesk.hopto.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/mlydesk.hopto.org.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mlydesk.hopto.org
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
Deploying Certificate to VirtualHost /etc/apache2/sites-available/libreoffice.conf
Enabling available site: /etc/apache2/sites-available/libreoffice.conf
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/libreoffice.conf:
Invalid command ‘ProxyPreserveHost’, perhaps misspelled or defined by a module not included in the server configuration

Rolling back to previous server configuration…
Error while running apache2ctl configtest.
Action ‘configtest’ failed.
The Apache error log may have more information.

AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/libreoffice.conf:
Invalid command ‘ProxyPreserveHost’, perhaps misspelled or defined by a module not included in the server configuration

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/mlydesk.hopto.org/fullchain.pem. Your cert
    will expire on 2017-06-15. To obtain a new or tweaked version of
    this certificate in the future, simply run letsencrypt-auto again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “letsencrypt-auto renew”

I also put the config of the reverse proxy here:

    <VirtualHost *:443>
        ServerName mlydesk.hopto.org

        # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/mlydesk.hopto.org/
        SSLCertificateChainFile /etc/letsencrypt/live/mlydesk.hopto.org/
        SSLCertificateKeyFile /etc/letsencrypt/live/mlydesk.hopto.org/
        SSLProtocol             all -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-S$
        SSLHonorCipherOrder     on

        # Encoded slashes need to be allowed
        AllowEncodedSlashes NoDecode

        # Container uses a unique non-signed certificate
        SSLProxyEngine On
        SSLProxyVerify None
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        # keep the host
        ProxyPreserveHost On

        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass           /loleaflet https://192.168.1.45:9980/loleaflet retry=0
        ProxyPassReverse    /loleaflet https://192.168.1.45:9980/loleaflet

        # WOPI discovery URL
        ProxyPass           /hosting/discovery https://192.168.1.45:9980/hosting/discovery retry=0
        ProxyPassReverse    /hosting/discovery https://192.168.1.45:9980/hosting/discovery

        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.45:9980/lool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass   /lool/adminws wss://mlydesk.hopto.org:9980/lool/adminws
        # keep the host
        ProxyPreserveHost On

        # static html, js, images, etc. served from loolwsd
        # loleaflet is the client part of LibreOffice Online
        ProxyPass           /loleaflet https://192.168.1.45:9980/loleaflet retry=0
        ProxyPassReverse    /loleaflet https://192.168.1.45:9980/loleaflet

        # WOPI discovery URL
        ProxyPass           /hosting/discovery https://192.168.1.45:9980/hosting/discovery retry=0
        ProxyPassReverse    /hosting/discovery https://192.168.1.45:9980/hosting/discovery

        # Main websocket
        ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.45:9980/lool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass   /lool/adminws wss://mlydesk.hopto.org:9980/lool/adminws

        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass           /lool https://192.168.1.45:9980/lool
        ProxyPassReverse    /lool https://192.168.1.45:9980/lool
    </VirtualHost>

Hmm, besides, the proxy seems to have a bad influence on nextcloud… which was temporarily inaccessible. An apache restart succeeded once, but after a new problem (white page), it failed to restart (timeout for response) and I had to reboot the pi. I temporarily removed libreoffice.conf.

you are asking for a cert for dom2 only here

Letsencrypt is modifying the configuration file but fails to pass the validation tests both with the new one and the saved one.
Which makes me assume your Dom2 virtual host may not have been loaded by apache2…
You can try apachectl configtest to check the config.
Reading the error you have:

  • You need to check you have activated the proper apache2 modules:
    a2enmod proxy
    a2enmod proxy_wstunnel
    a2enmod proxy_http
    a2enmod ssl

There is also this entire block that is present twice in the configuration file:

    # keep the host
    ProxyPreserveHost On

    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass           /loleaflet https://192.168.1.45:9980/loleaflet retry=0
    ProxyPassReverse    /loleaflet https://192.168.1.45:9980/loleaflet

    # WOPI discovery URL
    ProxyPass           /hosting/discovery https://192.168.1.45:9980/hosting/discovery retry=0
    ProxyPassReverse    /hosting/discovery https://192.168.1.45:9980/hosting/discovery

    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.45:9980/lool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass   /lool/adminws wss://mlydesk.hopto.org:9980/lool/adminws

just after the first ProxyPass /lool/adminws ...
I recommend you remove it unless it is a copy/paste typo here :wink:
And be sure apache2 enabled the virtualhost: a2ensite '*' (that should be the case),
then reload apache2: service apache2 restart or systemctl restart apache2.service
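The points raised in this reply (modules that must be enabled, the block pasted twice, the port in ServerName, and ProxyPass targets that do not point at the box running the container) can be checked before running apachectl configtest. This is an added example, not code from the thread or from Collabora: SAMPLE_VHOST is a constructed config that reproduces those mistakes, and 192.168.1.55 is taken from the thread as the container host.

```python
from urllib.parse import urlsplit

# Apache module each directive needs; wss:// targets additionally need proxy_wstunnel.
DIRECTIVE_MODULE = {
    "ProxyPass": "proxy_http", "ProxyPassMatch": "proxy_http",
    "ProxyPassReverse": "proxy_http", "ProxyPreserveHost": "proxy",
    "SSLEngine": "ssl", "SSLProxyEngine": "ssl",
}
PROXY_DIRECTIVES = ("ProxyPass", "ProxyPassMatch", "ProxyPassReverse")


def parse_vhost(text):
    """Yield (directive, [args]) for every non-comment, non-tag line of a vhost block."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_vhost(text, backend_host):
    """Return (findings, modules): readable findings for the mistakes discussed in
    the thread, and the sorted list of modules to enable with a2enmod."""
    findings, modules, seen = [], set(), {}
    for name, args in parse_vhost(text):
        if name in DIRECTIVE_MODULE:
            modules.add(DIRECTIVE_MODULE[name])
            if name.startswith("Proxy"):      # proxy_http sits on top of mod_proxy
                modules.add("proxy")
        if name == "ServerName" and args and ":" in args[0]:
            findings.append("ServerName %s carries a port; <VirtualHost *:443> already sets it" % args[0])
        if name in PROXY_DIRECTIVES and len(args) >= 2:
            path, url = args[0].strip('"'), urlsplit(args[1])
            seen[(name, path)] = seen.get((name, path), 0) + 1
            if url.scheme == "wss":
                modules.add("proxy_wstunnel")
            if url.hostname and url.hostname != backend_host:
                findings.append("%s %s points at %s, not the container host %s"
                                % (name, path, url.hostname, backend_host))
    for (name, path), count in seen.items():
        if count > 1:
            findings.append("%s %s appears %d times; the block was pasted twice" % (name, path, count))
    return findings, sorted(modules)


# Constructed vhost reproducing the thread's mistakes (port in ServerName, admin
# websocket aimed at the public name, one mapping pasted twice).
SAMPLE_VHOST = """<VirtualHost *:443>
    ServerName mlydesk.hopto.org:443
    SSLEngine on
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass        /loleaflet https://192.168.1.55:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://192.168.1.55:9980/loleaflet
    ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.55:9980/lool/$1/ws nocanon
    ProxyPass        /lool/adminws wss://mlydesk.hopto.org:9980/lool/adminws
    ProxyPass        /loleaflet https://192.168.1.55:9980/loleaflet retry=0
</VirtualHost>
"""
```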

What I have to do, in the right order (tell me please if correct):

  • check the activation of the modules proxy, proxy_wstunnel, proxy_http & ssl;
  • modify the reverse proxy config file by removing the block you mentioned;
  • get a new certificate for both dom1 & 2 (but I’m not sure it’ll work because it’s for the same IP);
  • check that the vhost is enabled by a2ensite ‘*’;
  • reload apache2;

Note: the apachectl configtest command returns this:

“AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/mlynuage.hopto.org/fullchain.pem’ does not exist or is empty
Action ‘configtest’ failed.”

Nothing about dom2, but that’s normal because I removed it temporarily as explained in my last post. But there is an error concerning my nextcloud domain… why?

This is becoming very specific support.
Can you send me, via private message (in French if you want):

  • all the apache2 conf files in /etc/apache2/sites-enabled/ and /etc/apache2/sites-available/
  • the list of files in /etc/letsencrypt (apt-get install tree -y && tree /etc/letsencrypt)
  • your apache2 logs: journalctl -u apache2.service & the files /var/log/apache2/access.log & error.log
  • the result of the following cmd: find /etc/letsencrypt -type f -exec ls -l {} \;
    thanks :slight_smile:

yes, please do :slight_smile:

It works great!!! Thanks aalaesar!

You’re welcome :smile:.
For info: we had to rewrite part of the apache2 configuration for the certificate to be used correctly, enable some apache2 modules and recreate a collabora container linked to the LAN and not only to localhost.


Hi everyone! I may be too late in this discussion but I have nearly the same installation setup as arbras: I have a nextcloud server running perfectly and I want to install collabora online on another server (Debian 8.6). My question might be stupid, but I would like to know where you put the configuration of the reverse proxy. Did you just add another virtual host in /Apache2/sites-available/“your apache config of nextcloud” or did you create another file?

Thanks a lot

That’s it, I put a “collabora.conf” file in /Apache2/sites-available/. I was helped by @aalaesar in finding the solution. I can send you my “collabora.conf” file if you want.

ok! Yes, it would be really kind, as I’ve been struggling for days to find a way out…