Unauthorized WOPI Host with Nextcloud 16 on custom port

Hi there, I'm running Nextcloud 16.0.1.1 on an Ubuntu Server 18.04.2 with Apache 2.4.29 and PHP 7.2.19.
Nextcloud has been installed with the zip file (everything manual) and to install Collabora I followed the official guide (with docker).

My Nextcloud is published on https://nextcloud.mydomain.it:4433 while Collabora is published on https://office.mydomain.it:4343. Both with valid SSL certs.

When I set up Collabora, following the guide, I used the following command:
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=office\\.mydomain\\.it\\:4433' --restart always --cap-add MKNOD collabora/code

I don't know if it's right, if not please correct me.

The following is the Apache virtualhost:

<VirtualHost *:4343>
ServerName office.mydomain.it:4343

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /etc/ssl/office/certificate.crt
SSLCertificateChainFile /etc/ssl/office/ca_bundle.crt
SSLCertificateKeyFile /etc/ssl/private/office/private.key

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool

# Endpoint with information about availability of various features
ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
</VirtualHost>

Obviously I allowed port 4343 in both the firewall and ports.conf.

This is my problem:
when I try to open any OpenOffice document, Nextcloud loads for 10 seconds and then returns this error:

Whereas, when I create an empty document, I get an error about Unauthorized WOPI Host.

I also tried to browse the log files, but there isn't much to see.
Also, if I browse to https://office.mydomain.it:4343 I get this page
and if I browse to https://office.mydomain.it:4343/lool/adminws in the log file I can see the following error:

[Thu Jun 13 19:52:47.584092 2019] [proxy:warn] [pid 32203] [client 93.66.196.110:50565] AH01144: No protocol handler was valid for the URL /lool/adminws (scheme 'wss'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

PS: these are the modules activated in Apache:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 dav_module (shared)
 dav_svn_module (shared)
 authz_svn_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)

Hi mlazzarotto,

the ProxyPassMatch definition for the main websocket should be set to ws://127.0.0.1:9980/… and NOT to wss://127.0.0.1:9980/…

Please post a little bit of the results from the request https://office…:4343/hosting/discovery

You should start your collabora container with the --o:ssl.enable=false string if you have for example a proper letsencrypt cert for your apache vhost domain.

Last but not least you have to modify the sections "Network Settings" and "Backend storage" in your collabora loolwsd.xml file. Please also set the SSL encryption to disabled in the SSL settings if you start with "--o:ssl.enable=false".

First of all set the debug level to 3 in your nextcloud config.php AND the log level to "debug" and file "enable=true" in your collabora loolwsd.xml config. Please be sure that you have a custom volume for your config file before doing this, for example start your collabora docker image with "-v /etc/loolwsd/loolwsd.xml:/etc/loolwsd/loolwsd.xml"

the ProxyPassMatch definition for the main websocket should be set to ws://127.0.0.1:9980/… and NOT to wss://127.0.0.1:9980/…

Ok, done.

Please post a little bit of the results from the request https://office…:4343/hosting/discovery

https://pastebin.com/eEUBwPPQ

You should start your collabora container with the --o:ssl.enable=false

but, how? I typed

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=office\\.mydomain\\.it\\:4433' --o:ssl.enable=false --restart always --cap-add MKNOD collabora/code

but it returns an error as it doesn't like --o

you have to modify sections ā€œNetwork Settingsā€ and ā€œBackend storageā€

I'm sorry, but I don't know where to start:


First of all set the debug level to 3 in your nextcloud config.php AND the log level to "debug" and file "enable=true"

Done that, still Collabora's not logging to file. However, when I try to edit a document I get these errors:
this with ssl enabled

and this with ssl disabled

for example start your collabora docker image with "-v /etc/loolwsd/loolwsd.xml:/etc/loolwsd/loolwsd.xml"

ok, done

Hi Marco,

I think we are only a few steps away from success… :wink:

First of all, the setting to disable SSL as a start ENV in your office docker image is
-e "extra_params=--o:ssl.enable=false". Don't forget to disable ssl in loolwsd.xml

The "domain" string means NOT your collabora (your office…) docker container but rather your nextcloud container. This parameter - and also the string in your loolwsd.xml - allows your nextcloud instance to communicate with your collabora container as wopi backend / frontend. You should set your nextcloud docker container in your start syntax or modify the line in your loolwsd.xml

As you can see in the net section of your loolwsd.xml there are a few netmask settings to allow connections. Your first screenshot tells you that your connection comes from ::ffff:172.17.0.1, which is not in the list of the allowed addresses. Please add this address.

Finally you have to set these strings in your nextcloud config.php

'trusted_proxies' => ['172.17.0.1'],
'overwritehost' => 'https://nextcloud.FQDN',
'overwriteprotocol' => 'https',

And I think you must restart your collabora docker container; nextcloud should only need a browser reload. FYI tomorrow morning I go on vacation for a few days and will look here again in two weeks.

Ralfi

Hi there @mlazzarotto
from what I see on your docker command…

… the issue here is: the domain environment variable is not explicit enough.
What it seems to mean: run collabora as this domain.
What it means for the container: this domain is allowed to use collabora (white list type).
Hence the wopi client not allowed error: nextcloud.mydomain.it is not in the "white list".

=> you need to put here the domain of the "client website" (in your case nextcloud) :slight_smile:

so it's more like: docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.mydomain\\.it' --restart always --cap-add MKNOD collabora/code

and you should be good :+1: (I'm not sure if the TCP port is needed though :thinking:)

Hope this helps! :laughing:

Regards.

N.B.: in fact domain is just a Perl regex, so you can allow a lot of domains to use the same collabora instance (like 'domain=.*\\.mydomain\\.it|.*\\.mydomain\\.com' to allow all clients under mydomain.it and mydomain.com)
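As an added example (not code from the thread or from Collabora), this Python models the allow-list check the replies describe: the `domain` value is a regex, the doubled backslashes collapse once on the way into loolwsd.xml, and the hostname of the WOPI request must match it end to end. The hostname-only comparison (no scheme, no port) and the one-level unescaping are assumptions; the pattern and host values are constructed from the thread.

```python
import re

# Constructed from the thread: the OP's -e 'domain=...' value, the suggested
# replacement, and the multi-domain alternation from the N.B.
OP_DOMAIN = r"office\\.mydomain\\.it\\:4433"
SUGGESTED_DOMAIN = r"nextcloud\\.mydomain\\.it"
MULTI_DOMAIN = r".*\\.mydomain\\.it|.*\\.mydomain\\.com"


def unescape_env(value: str) -> str:
    """Collapse each doubled backslash to a single one.

    Assumption: the image's start script consumes one level of escaping
    before the pattern reaches loolwsd.xml, which is why the docker command
    line wants '\\\\.' where the regex needs '\\.'.
    """
    return value.replace("\\\\", "\\")


def wopi_host_allowed(domain_env: str, wopi_host: str) -> bool:
    """Model of the 'Unauthorized WOPI host' check (not loolwsd's own code).

    Assumption: the hostname of the WOPI request, without scheme or port,
    must match the whole pattern; with '|' any alternative is enough.
    """
    return re.fullmatch(unescape_env(domain_env), wopi_host) is not None


def explain(domain_env: str, wopi_host: str) -> str:
    """One-line verdict for a (pattern, host) pair, for the demo below."""
    ok = wopi_host_allowed(domain_env, wopi_host)
    return f"{wopi_host!r} vs {domain_env!r}: {'allowed' if ok else 'Unauthorized WOPI host'}"


def unescaped_dots_overmatch(domain_env: str) -> bool:
    """Config check: a pattern whose dots are not escaped also matches a host
    with every dot swapped for another character, i.e. the allow list is
    wider than the operator intended."""
    pattern = unescape_env(domain_env)
    probe = pattern.replace("\\.", ".").replace(".", "x")
    return re.fullmatch(pattern, probe) is not None


if __name__ == "__main__":
    # The OP's value: the Nextcloud host never matches, and even the office
    # host fails because the pattern carries the port.
    print(explain(OP_DOMAIN, "nextcloud.mydomain.it"))
    print(explain(OP_DOMAIN, "office.mydomain.it"))
    print(explain(SUGGESTED_DOMAIN, "nextcloud.mydomain.it"))
    print(explain(MULTI_DOMAIN, "cloud.mydomain.com"))
    print("dots escaped:", not unescaped_dots_overmatch(SUGGESTED_DOMAIN))
    print("dots escaped:", not unescaped_dots_overmatch("nextcloud.mydomain.it"))
```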

Run without the port,
simply

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=office\\.mydomain\\.it' --restart always --cap-add MKNOD collabora/code

After that

<VirtualHost *:4343>
ServerName office.mydomain.it:4343
......

The domain is needed for the certificate check, in my opinion.
The domain is one, the ports are different.
Only the domain name is important.