Split DNS setup broken with Docker / Collabora / Reverse Proxy

ℹ️ Support 📄 Office
, , , , ,
1

Hi,
i’ve been using a setup like this one for quite a while. Now it is broken: Collabora CODE has recently (from version 24.04 upwards) started to integrate the IP of the browser into WOPI requests from the server.
When I curl my Nextcloud from the Collabora container, I see the internal IP in the Nextcloud access logs (as it should be). When I open a document via the browser, I see the public (dynamic) IP. This leads to a block, as long as that dynamic public IP isn’t in the WOPI allow list.

I don’t know if it’s a bug or a feature on Collabora’s part to put the browser IP in the WOPI request; I haven’t figured out how to disable this behavior yet.

I use Traefik as a reverse proxy. The only workaround I have found so far is to define a special router for Nextcloud that catches requests to the WOPI endpoint and resets the X-Forwarded-For header. But this is tinkering and I’m not convinced myself. Does anyone else have this problem and probably found a solid solution?

It occurs with a dockerized setup and Traefik as a reverse proxy.

  • Nextcloud 31.0.4 (I use the linuxserver image with builtin Nginx)
  • Collabora 24.04.13.3.1
2

The allowed wopi list would be the proxy ip or the nextcloud server ip. Depending on how the setup is done. The browser ip should not be needed inthe allowed wopi list.

3

I aggree. My probelm is: On openng a document the browser sends a request to the Collabra server, next the Collabora server sends a request to the Nextcloud.

In order for Collabora to connect to my Nextcloud with an internal IP (from within the Docker network) I have a split DNS setup (simply by adding extra_hosts to my containers). This isn’t working any more. For some reason Collabora includes the browser IP into the WOPI request (at least: thats what I am seeing…)

4

It goes through external hostname through the proxy most likely. Same as the browser.

5

the setup still works like a charm for me using NC 31.0.4 and Collabora CODE 24.04.13.3.1 (and 24.04.12.4.1 before)

I still have same wopi_allowlist

> docker compose exec app php occ config:app:get richdocuments wopi_allowlist
172.16.0.0/12,fd00:feed:beef::/48
  • local LAN is not listed as in allowlist
  • reverseproxy is traefik v3.3 and forwards x-forwarded-for to NC and CODE
  • office docs load from my client without issues

NC logs look like this

app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:12 +0000] "POST /apps/text/session/5291/sync HTTP/1.1" 200 1075 "https://dev-nc.mydomain.tld/apps/files/files" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:17 +0000] "POST /apps/text/session/5291/sync HTTP/1.1" 200 1075 "https://dev-nc.mydomain.tld/apps/files/files" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:19 +0000] "GET /apps/files/api/v1/views HTTP/1.1" 200 842 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:19 +0000] "PROPFIND /remote.php/dav/files/myuser/directly_shared.ods HTTP/1.1" 207 1517 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:20 +0000] "GET /apps/files/api/v1/views HTTP/1.1" 200 842 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:20 +0000] "PROPFIND /remote.php/dav/files/myuser/directly_shared.ods/ HTTP/1.1" 207 1511 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:20 +0000] "POST /apps/richdocuments/token HTTP/1.1" 200 1025 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/richdocuments/wopi/files/6706_oc52dthqts8g?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0 HTTP/1.1" 200 2764 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/richdocuments/wopi/settings?type=systemconfig&access_token=FDillUwbXZSn2vEjn50IViEa7BLJN1NN&fileId=-1 HTTP/1.1" 200 1522 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/richdocuments/wopi/files/6706_oc52dthqts8g/contents?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0 HTTP/1.1" 200 19222 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/richdocuments/wopi/settings?type=userconfig&access_token=FDillUwbXZSn2vEjn50IViEa7BLJN1NN&fileId=-1 HTTP/1.1" 200 1681 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /apps/richdocuments/settings/userconfig/KAqtliX2mtCJDcggO7j6C5cKBmErtqxN/browsersetting/browsersetting.json HTTP/1.1" 200 1879 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/richdocuments/wopi/settings?type=userconfig&access_token=FDillUwbXZSn2vEjn50IViEa7BLJN1NN&fileId=-1 HTTP/1.1" 200 1683 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:20 +0000] "GET /apps/richdocuments/settings/userconfig/yTCpn21pIlL2e4HghXDbn2NuIEol9F9n/browsersetting/browsersetting.json HTTP/1.1" 200 1873 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:20 +0000] "GET /index.php/apps/files/preview-service-worker.js HTTP/1.1" 200 6807 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:21 +0000] "POST /index.php/apps/richdocuments/wopi/settings/upload?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0&fileId=%2Fsettings%2Fuserconfig%2Fbrowsersetting%2Fbrowsersetting.json HTTP/1.1" 200 2321 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:21 +0000] "POST /index.php/apps/richdocuments/wopi/settings/upload?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0&fileId=%2Fsettings%2Fuserconfig%2Fbrowsersetting%2Fbrowsersetting.json HTTP/1.1" 200 2323 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:21 +0000] "POST /index.php/apps/richdocuments/wopi/settings/upload?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0&fileId=%2Fsettings%2Fuserconfig%2Fbrowsersetting%2Fbrowsersetting.json HTTP/1.1" 200 2320 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:21 +0000] "POST /index.php/apps/richdocuments/wopi/settings/upload?access_token=lXIGbsUT2yiUH0U4WPG7X18xWyUnAAVb&access_token_ttl=0&fileId=%2Fsettings%2Fuserconfig%2Fbrowsersetting%2Fbrowsersetting.json HTTP/1.1" 200 2320 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
app-1  | 192.168.11.203 - - [22/Apr/2025:19:19:22 +0000] "POST /apps/text/session/5291/sync HTTP/1.1" 200 1075 "https://dev-nc.mydomain.tld/apps/files/files/6706?dir=/&openfile=true" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0" [XFF: 192.168.11.203] [realIP: -]
app-1  | fd00:feed:beef:1::2 - - [22/Apr/2025:19:19:24 +0000] "GET /apps/richdocuments/settings/fonts.json HTTP/1.1" 304 1394 "-" "COOLWSD HTTP Agent 24.04.13.3" [XFF: fd00:feed:beef:1::2] [realIP: -]
  • 192.168.11.203 is accessing client
  • fd00:feed:beef:1::2 is CODE container
  • [XFF] and [real-ip] fields are custom-made contents of the respective http headers
6

Thank you, that’s a help! It has saved me from my own blindness… :man_facepalming:

As I said, I’m using the Linuxserver image. There I edited the site-conf/default (about two years ago) to match the container to the reverse proxy and have the correct IP in the Nextcloud logs (as described here). With one of the last updates I deleted the old file because there was a new default. Since I suspected Collabora to be the cause, I looked thoroughly in the wrong place.

1 Like
7

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.