Unauthorised WOPI host

Hello, I am trying to configure a Nextcloud instance with a Collabora server. Unfortunately I still get the error “Unauthorised WOPI host. Please try again later and report to your administrator if the issue persists.” Below is my configuration and network schema.

Network schema:

Nextcloud

Nginx

server {
		listen 443 ssl;
		listen [::]:443 ssl;
		http2 on;

		server_name nextcloud.example.com;

		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

		ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
		client_max_body_size 50G;

		location / {
			proxy_pass http://192.168.1.17:80;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header Host $host;
			add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;

			proxy_redirect off;
		}

		location /.well-known/carddav {
			 return 301 $scheme://$host/remote.php/dav;
		}

		location /.well-known/caldav {
			return 301 $scheme://$host/remote.php/dav;
		}

	}

#Collabora


	server {
		listen       443 ssl;
		server_name  collabora-office.example.com;
		set $collabora_server "192.168.1.17:9980";

		ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

# static files
		location ^~ /browser {
			proxy_pass http://$collabora_server;
			proxy_set_header Host $http_host;
		}


# WOPI discovery URL
		location ^~ /hosting/discovery {
			proxy_pass http://$collabora_server;
			proxy_set_header Host $http_host;
		}


# Capabilities
		location ^~ /hosting/capabilities {
			proxy_pass http://$collabora_server;
			proxy_set_header Host $http_host;
		}


# main websocket
		location ~ ^/cool/(.*)/ws$ {
			proxy_pass http://$collabora_server;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
			proxy_set_header Host $http_host;
			proxy_read_timeout 36000s;
		}


# download, presentation and image upload
		location ~ ^/(c|l)ool {
			proxy_pass http://$collabora_server;
			proxy_set_header Host $http_host;
		}


# Admin Console websocket
		location ^~ /cool/adminws {
			proxy_pass http://$collabora_server;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
			proxy_set_header Host $http_host;
			proxy_read_timeout 36000s;
		}
	}

Unfortunately Nextcloud does not show any useful logs to solve my problem.
Logs from Collabora after document opening:

Aug 12 15:41:16 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:41:16.398382 +0000 [ websrv_poll ] ERR  #33: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1102_ocfgntjao767], State::Fail| wsd/RequestVettingStation.cpp:272
Aug 12 15:41:16 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:41:16.323114 +0000 [ websrv_poll ] ERR  #34: Invalid URI or access denied to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109
Aug 12 15:41:16 nextcloud coolwsd[130]: WOPI::CheckFileInfo failed for URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]: 0 (Unknown) . Headers:         Body: []| wsd/wopi/CheckFileInfo.cpp:95
Aug 12 15:38:04 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:38:04.575084 +0000 [ websrv_poll ] ERR  #26: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1102_ocfgntjao767], State::Fail| wsd/RequestVettingStation.cpp:272
Aug 12 15:38:04 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:38:04.458067 +0000 [ websrv_poll ] ERR  #33: Invalid URI or access denied to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109
Aug 12 15:38:04 nextcloud coolwsd[130]: WOPI::CheckFileInfo failed for URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]: 0 (Unknown) . Headers:         Body: []| wsd/wopi/CheckFileInfo.cpp:95
Aug 12 15:22:33 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:22:33.202768 +0000 [ websrv_poll ] ERR  #25: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1102_ocfgntjao767], State::Fail| wsd/RequestVettingStation.cpp:272
Aug 12 15:22:33 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:22:33.168203 +0000 [ websrv_poll ] ERR  #26: Invalid URI or access denied to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109
Aug 12 15:22:33 nextcloud coolwsd[130]: WOPI::CheckFileInfo failed for URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxx&access_token_ttl=0]: 0 (Unknown) . Headers:         Body: []| wsd/wopi/CheckFileInfo.cpp:95
Aug 12 15:22:30 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:22:30.728519 +0000 [ websrv_poll ] ERR  #25: Invalid URI or access denied to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxxx&access_token_ttl=0&permission=edit]| wsd/wopi/CheckFileInfo.cpp:109
Aug 12 15:22:30 nextcloud coolwsd[130]: WOPI::CheckFileInfo failed for URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxxx&access_token_ttl=0&permission=edit]: 0 (Unknown) . Headers:         Body: []| wsd/wopi/CheckFileInfo.cpp:95
Aug 12 15:22:30 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:22:30.639203 +0000 [ websrv_poll ] ERR  #23: CheckFileInfo failed for [https%3A%2F%2Fnextcloud.example.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1102_ocfgntjao767], State::Fail| wsd/RequestVettingStation.cpp:272
Aug 12 15:22:30 nextcloud coolwsd[130]: wsd-00130-00337 2024-08-12 15:22:30.597183 +0000 [ websrv_poll ] ERR  #24: Invalid URI or access denied to [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxxxxxx&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109
Aug 12 15:22:30 nextcloud coolwsd[130]: WOPI::CheckFileInfo failed for URI [https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1102_ocfgntjao767?access_token=xxxxxxxxxxxxxxxxxxx&access_token_ttl=0]: 0 (Unknown) . Headers:         Body: []| wsd/wopi/CheckFileInfo.cpp:95

Hi @Michal123456747 ,

Read → this please ←

hth


Much and good luck,
ernolf

Thank you for your reply. To be more specific, I don’t use docker instance of Collabora - I have installed it directly inside my LXC container.
I added this block into storage.wopi.alias_groups. Unfortunately it didn’t help.

<group>
                    <host desc="hostname to allow or deny." allow="true">nextcloud.ramus.ovh</host>
</group>

Relevant settings to solve your problem may be found in the

<net desc="Network settings">
   / .. here .. /
</net>

section.

hth


ernolf

Aaaah, I think I found the reason of your issue:

You have entered the IP address of your nextcloud server in the “Allowlist for WOPI requests” which is incorrect.

  • the coolwsd server is the WOPI client
  • the nextcloud server is the WOPI host/server

You must enter the IP address of your coolwsd server (WOPI client), as this is the WOPI endpoint that makes the requests to your WOPI host (the Nextcloud server).

hth


Much and good luck,
ernolf

I will check if settings inside the net section will solve my problem. Collabora server and Nextcloud server are inside the same LXC container - these services have same IP addresses. As you can see above, I have entered both Nginx and LXC container IPs.

No it won’t if it is the default and not changed before.

Since you need an IP address in the allow list (no host name), you MUST find out under what IP address the coolwsd is seen from within the Nextcloud server.
You can find out exactly under which IP address Nextcloud sees the coolwsd with

grep COOLWSD /path/to/nextcloud/webserver/access.log

as explained in a lot of posts in this forum.


It is possible that the service talks via a loopback address, then you have to add

127.0.0.0/8

or add

192.168.1.0/24

and if that still does not work, enter

0.0.0.0/0


Much and good luck,
ernolf
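Added example (not part of any post in this thread): a Python sketch of the check described above, which pulls the source addresses of coolwsd requests out of a web-server access log and tests them against a candidate allow list. The log lines, the `COOLWSD HTTP Agent 0.0` agent string and all function names are constructed for illustration; the blank-list behaviour follows a later reply in this thread and is an assumption.

```python
import ipaddress
import re

# Constructed access-log lines in Apache "combined" format (not from the thread).
SAMPLE_ACCESS_LOG = """\
192.168.1.201 - - [12/Aug/2024:15:22:30 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [12/Aug/2024:15:22:30 +0000] "GET /index.php/apps/richdocuments/wopi/files/1 HTTP/1.1" 200 310 "-" "COOLWSD HTTP Agent 0.0"
::1 - - [12/Aug/2024:15:22:33 +0000] "GET /index.php/apps/richdocuments/wopi/files/1 HTTP/1.1" 200 310 "-" "COOLWSD HTTP Agent 0.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .* "(?P<agent>[^"]*)"$')


def coolwsd_sources(log_text, marker="COOLWSD"):
    """Source addresses of requests whose User-Agent contains the marker."""
    sources = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not (m and marker in m.group("agent")):
            continue
        try:
            sources.add(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            pass  # first field is a host name, not an address
    return sources


def parse_allow_list(value):
    """Comma-separated CIDRs; spaces around entries are tolerated."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def uncovered(sources, allow_list):
    """Observed coolwsd addresses that no allow-list entry covers."""
    nets = parse_allow_list(allow_list)
    if not nets:  # assumption: a blank list means no restriction, as the thread suggests
        return []
    return sorted(str(ip) for ip in sources
                  if not any(ip.version == n.version and ip in n for n in nets))


if __name__ == "__main__":
    seen = coolwsd_sources(SAMPLE_ACCESS_LOG)
    for candidate in ("192.168.1.0/24", "127.0.0.0/8", "0.0.0.0/0, ::/0"):
        print(candidate, "->", uncovered(seen, candidate) or "all covered")
```

If the log contains no COOLWSD lines at all, the callback never reached this web server, and the allow list is not what is rejecting it.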

Unfortunately even setting WOPI IP as 0.0.0.0/0 in Nextcloud didn’t have any effect. I think the problem may be caused by the Nginx reverse proxy, or my Nextcloud does not respect the WOPI whitelist setting. I have installed Nextcloud inside /var/www/nextcloud. Where can I find the access.log file?

Then you should add the ipv6 counterpart to it:

0.0.0.0/0, ::/0

/var/log/apache2/access.log

hth


ernolf

Sorry for my late reply. Unfortunately setting WOPI allow list to 0.0.0.0/0, ::/0 didn’t help. I have also checked this setting from command line, but everything looks right.

I’m not sure if it will help, but try it without a space after the comma:

0.0.0.0/0,::/0

If it still doesn’t work, just leave it blank, which afaik is basically the same as 0.0.0.0/0 anyway. If that still doesn’t work, then your problem is most likely not related to the WOPI allow list.


I’ve tried both without comma and leaving blank. It also didn’t help. In that case what can I do to check what causes the problem?

Not sure, as my setup is quite different from yours.

My Nextcloud is installed in a VM and served directly from that VM by Apache (no external reverse proxy), and Collabora is running as a Docker container inside the same VM, also served by the same Apache instance, so basically this setup. I’ve been running it this way for years, and except for a few minor changes in Apache when they renamed the service and a few environment variables that have been added/changed over the years, I’ve never had any issues.

Did you also read this? Maybe it is of any help: Collabora integration guide

Or maybe it’s some kind of name resolving issue (it’s always DNS, or at least related to DNS :wink: ), similar to the one discussed in this GitHub issue, that came up when I googled the error in your logs: WOPI::CheckFileInfo failed for URI - Broken PIPE · Issue #2906 · nextcloud/richdocuments · GitHub


@bb77 Finally I decided to prepare the same setup as you have and everything started working. Despite this, I still see warnings in Collabora:

frk-00027-00027 2024-08-15 15:59:51.226333 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555
frk-00027-00027 2024-08-15 15:59:51.233998 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555
frk-00027-00027 2024-08-15 15:59:59.330233 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555
frk-00027-00027 2024-08-15 16:00:03.533105 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:555
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted

I get these messages too, and I found the following explanation on GitHub:

https://github.com/CollaboraOnline/online/issues/779#issuecomment-740250110

Apparently, you can get rid of the messages by running the container in privileged mode, which, if I understand it correctly, should also result in better performance.

However, I’m not going to do that, because the performance is good enough for what I’m doing with it. I mean, documents open instantly, I can edit things without issues, and generally I don’t experience any problems with it except for these warnings in the logs, so I just ignore them.

I am not a heavy user of Collabora online though, so your mileage may vary :slight_smile:

Thank you. In my case, documents load in around 5 seconds. What can I do to decrease loading time? Load of the LXC container with Docker is near 0. When a new document is loading, load average is around 10% for a very short period of time.

Not sure to be honest. I mean I can fiddle my way through on how to get things working but I’m by no means an expert on the inner workings of Collabora, or when it comes to Docker.

Nevertheless, a few (very general) thoughts.

  • Maybe it has something to do with the fact that the Docker container is running in a Linux container, where I’m no expert either, but I know that this can bring its own challenges.

  • Otherwise, I don’t know, the general performance of your Nextcloud and the HW specs of your system can of course also have an impact.

  • …or the general performance of your storage, like whether it is running on spinning rust or solid state, or on a (slow) network storage.

Otherwise, maybe just try running it in privileged mode, although, to be honest, I doubt you’ll go from 5 seconds to one second, by just doing that… I could be wrong though.


I most likely found why my first configuration didn’t work. I named the LXC container (192.168.1.17), where Collabora and Nextcloud were started, “nextcloud”. Next, I added these DNS records:
nextcloud.example.com → 192.168.1.201 (NGINX)
collabora-office.example.com → 192.168.1.201 (NGINX)

PVE automatically added this record to /etc/hosts in LXC container.


When Nextcloud was sending requests to Collabora, everything worked properly - requests were proxied by Nginx, terminated from HTTPS to HTTP and received by Collabora. In the other direction, when Collabora was trying to send requests to Nextcloud, it was sending HTTPS requests not through Nginx, but directly to Nextcloud, which was listening for HTTP requests.
I didn’t think through the naming properly and that led to an error.

@bb77 and @ernolf Thank you so much for your help.
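Added example (not part of any post in this thread): a Python check for the failure described above, taking the WOPI callback host from a coolwsd error line and reporting when the container's hosts file pins that name to an address other than the TLS-terminating proxy. The record PVE wrote is not shown in the thread, so the hosts file below is a constructed assumption, as are the shortened log line and the function names; it also assumes the resolver consults the hosts file before DNS.

```python
import re
from urllib.parse import urlsplit

# Constructed inputs. The hosts entry is an assumed illustration of what a
# container named "nextcloud" could end up with; it is not quoted from the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.17 nextcloud.example.com nextcloud  # assumed auto-generated entry
"""
SAMPLE_LOG = (
    "[ websrv_poll ] ERR  #33: Invalid URI or access denied to "
    "[https://nextcloud.example.com/index.php/apps/richdocuments/wopi/files/1"
    "?access_token=REDACTED&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:109\n"
)


def wopi_hosts(log_text):
    """Host names coolwsd tried to call back, from 'access denied to [URL]' lines."""
    urls = re.findall(r"access denied to \[(https?://[^\]\s]+)\]", log_text)
    return sorted({urlsplit(u).hostname for u in urls})


def hosts_file_lookup(hosts_text, name):
    """First address the hosts file assigns to name, or None if it has no entry."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def callback_bypasses_proxy(hosts_text, log_text, proxy_ip):
    """Map each WOPI host to the hosts-file address that sends it past the proxy."""
    findings = {}
    for host in wopi_hosts(log_text):
        addr = hosts_file_lookup(hosts_text, host)
        if addr is not None and addr != proxy_ip:
            findings[host] = addr
    return findings


if __name__ == "__main__":
    # 192.168.1.201 is the Nginx address given in the thread.
    print(callback_bypasses_proxy(SAMPLE_HOSTS, SAMPLE_LOG, "192.168.1.201"))
```

A non-empty result means the HTTPS callback is aimed at a backend rather than the proxy that holds the certificate.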


As I said, It’s always DNS :smiley:

:smiley: .
