Unable to open Office documents with `overwritewebroot` configured

I’ve recently set up Nextcloud on my TrueNAS Scale system, and while it’s mostly working great, I’m having an issue opening any kind of office document. I set up my install at https://server.example.com/cloud/, and when I try to open a document using the “Built in CODE” system, I get errors in the console that point to https://server.example.com/custom_apps/*, missing the /cloud prefix.

I’ve tried setting the WOPI allow list to 0.0.0.0/0, and the server’s correct IP, but neither made any difference. “URL used by browser” is reported as https://server.example.com, and “Nextcloud URL used by Collabora” is reported as https://server.example.com/cloud.

Under Administration → Overview, the only issues reported are some old error logs that were left while I was setting things up.

I’m using Apache2 for my reverse proxy, and my config file is properly configured like so:

```php
  'overwritewebroot' => '/cloud',
  'overwritehost' => 'server.example.com',
  'overwriteprotocol' => 'https',
  'overwritecondaddr' => '^256\.256\.256\.256$', // obviously replaced with my real server IP
  'trusted_proxies' => 
  array (
    0 => '256.256.256.256',  // obviously replaced with my real server IP
  ),
```

My SSL Apache is configured like so (I did strip out everything related to alternative apps, but this should be accurate to Nextcloud):

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName server.example.com
    DocumentRoot /var/www/server.example.com/public_html

    <Directory />
        AllowOverride All
    </Directory>

    <Directory /var/www/server.example.com/public_html>
        Options FollowSymLinks MultiViews
        AllowOverride all
        Require all granted
    </Directory>

    # Error and Access logging
    LogLevel error
    ErrorLog /var/log/apache2/server.example.com-error.log
    CustomLog /var/log/apache2/server.example.com-access.log combined

    # Set upgrade headers
    Header set Connection "upgrade"
    Header set Upgrade $http_upgrade

    # Security and Performance Headers
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header set X-XSS-Protection "1; mode=block"

    # Enable Proxy settings
    ProxyPreserveHost On
    ProxyRequests Off

    # Redirect partial URLs to prevent unexpected 404s
    RewriteEngine on
    RewriteRule ^/cloud$ cloud/ [R=301,L]

    # Proxy to Nextcloud instance
    <Location /cloud/>
        ProxyPass http://128.128.128.128/
        ProxyPassReverse http://128.128.128.128/

        RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/cloud/remote.php/dav/ [R=301,L]
        RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/cloud/remote.php/dav/ [R=301,L]
    </Location>

    # Certificate settings
    SSLCertificateFile /etc/letsencrypt/live/ssl-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ssl-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Handle HTTP2
    Protocols h2 http/1.1
    H2WindowSize 5242880

    # Handle SSL
    SSLEngine On

    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    SSLCipherSuite HIGH:RC4-SHA:AES128-SHA:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    # Forward requests that came from TLS connections
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Enable HSTS
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    # Forward additional data for some apps (i.e. Nextcloud)
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}e
    RequestHeader set X-Forwarded-Host %{HTTP_HOST}e

    # Configure additional security settings
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 256.256.256.256
</VirtualHost>
</IfModule>
```

Hello @JacobDB, welcome to the Nextcloud community.

We had topics related to this; please use search. As far as I remember, overwritewebroot is not supported for collabora-built-in.

PS: Great, you found the issue already. Please post once you receive an answer.

Yes, I’ve done quite a bit of searching but to no avail. I suppose I should’ve mentioned that, but everything I’ve come across in my search is included in my Apache config, so I assumed that’d speak for itself. I’ll definitely let you know if I hear back from that other thread, but I’m not expecting much, it hasn’t been active for years.

I did see that the “overwrite” features don’t work with Collabora, but in my research it seemed that the X-Forward headers should account for that, though I’ve not actually seen any evidence to support that (searching through the richdocumentscode source code, it seems to be hard coded to pull the domain and script name without any attempt to resolve the additional path).

I’ve got a few feelers out on different forums. I’ll follow up if I find anything, but additional help would be great.


Yes, this is true: CODE learns the hostname (and scheme?) from the X-Forwarded reverse proxy headers… but not the webroot… On the other side, somehow it works with collabora-built-in running very deep behind /apps/richdocuments/..proxy/ :thinking:
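
The behaviour discussed in this thread, as an added example that is not part of any post and is not Nextcloud's or Collabora's code: a simplified Python model of how a backend behind the proxy rebuilds its public URL from the `overwrite*` settings and the `X-Forwarded-*` headers. The addresses and URLs are constructed documentation-range values, and the hypothetical `honor_webroot=False` switch stands in for a component that skips `overwritewebroot`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed values: same keys as the post, documentation-range addresses.
CONFIG = {
    "overwritewebroot": "/cloud",
    "overwritehost": "server.example.com",
    "overwriteprotocol": "https",
    "overwritecondaddr": r"^192\.0\.2\.10$",
    "trusted_proxies": ["192.0.2.10"],
}

def from_trusted_proxy(remote_addr, config):
    """True when the TCP peer is one of the configured reverse proxies."""
    addr = ip_address(remote_addr)
    return any(addr in ip_network(p, strict=False)
               for p in config.get("trusted_proxies", []))

def public_base_url(remote_addr, headers, config, honor_webroot=True):
    """Rebuild the browser-facing base URL for a request seen by the backend."""
    scheme, host, root = "http", headers.get("Host", "localhost"), ""
    # Forwarded headers are honoured only when the peer is a listed proxy;
    # any other client could set them to arbitrary values.
    if from_trusted_proxy(remote_addr, config):
        scheme = headers.get("X-Forwarded-Proto", scheme)
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
    # overwrite* values apply only when the peer matches overwritecondaddr.
    cond = config.get("overwritecondaddr", "")
    if not cond or re.search(cond, remote_addr):
        scheme = config.get("overwriteprotocol") or scheme
        host = config.get("overwritehost") or host
        if honor_webroot:  # False models a component that skips the webroot
            root = config.get("overwritewebroot", "")
    return f"{scheme}://{host}{root}"

def outside_webroot(urls, config):
    """Return the URLs that do not sit under the configured public webroot."""
    base = public_base_url(config["trusted_proxies"][0], {}, config) + "/"
    return [u for u in urls if not u.startswith(base)]

if __name__ == "__main__":
    hdrs = {"Host": "backend.internal", "X-Forwarded-Proto": "https",
            "X-Forwarded-Host": "server.example.com"}
    print(public_base_url("192.0.2.10", hdrs, CONFIG))
    print(public_base_url("192.0.2.10", hdrs, CONFIG, honor_webroot=False))
    print(public_base_url("203.0.113.7", hdrs, CONFIG))  # untrusted peer
```

With the webroot skipped, the model yields the same prefix-less base that the first post reports as "URL used by browser". `outside_webroot` can be pointed at the URLs from the browser console to list the ones that bypass `/cloud`.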