WOPI requests - nextcloud office

I'm running NC 27.0.1 and have configured NCoffice as a docker container.
If I specify an allow list for WOPI requests I can create but not edit a file. Without the allow list I can open and edit the file.

My allow list is 172.17.0.1/16
Based on the docker container's ip:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:fc:37:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.85/24 brd 192.168.2.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefc:3766/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:57:02:86:1f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever

I think I must be missing something simple here? :crazy_face:

it's not very clear how your system is configured, please add more details.

I understand you are running a separate CODE container. In this case you can see where the request comes from and review if your allow list matches. It could happen that the request goes through the internet and the incoming request seems to come from your public internet IP.

Sorry for the delayed response

in this case you can see where the request comes from and review if your allow list matches.

Isn't this what I'm doing above (i.e., using the docker container IP)?
If I input the docker IP as 172.17.0.1/16
Then it shows the server as reachable:

image

However, when I go to create a document I can name it (it is saved), but then it will not open and shows the following error:

image

How should I find the correct link to input?

No, this is just a container IP config - the request does not necessarily come from an internal IP, it could even go out into the internet and return back showing the public IP as origin. You should check the (detailed) logs from your reverse proxy and look at the request. Please review Nextcloud Collabora integration
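The check suggested in the reply above, as an added example that is not part of the original thread: it pulls the client addresses of WOPI requests out of an access log and tests each against the allow list. The log lines are constructed, and the common log format, the comma-separated allow-list syntax and the `/apps/richdocuments/wopi/` path filter are assumptions about the setup.

```python
import ipaddress
import re

# Path fragment used here to recognise WOPI requests to Nextcloud Office (assumption).
WOPI_PATH = "/apps/richdocuments/wopi/"

# Constructed access-log lines in common log format (not taken from the thread).
SAMPLE_LOG = """\
172.17.0.3 - - [01/Aug/2023:10:00:01 +0000] "GET /index.php/apps/richdocuments/wopi/files/42_abc?access_token=REDACTED HTTP/1.1" 200 512
203.0.113.25 - - [01/Aug/2023:10:00:02 +0000] "GET /index.php/apps/richdocuments/wopi/files/42_abc/contents?access_token=REDACTED HTTP/1.1" 403 0
192.168.2.40 - - [01/Aug/2023:10:00:03 +0000] "GET /status.php HTTP/1.1" 200 150
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')


def parse_allow_list(text):
    """Parse a comma-separated list of addresses or CIDR ranges.

    strict=False accepts entries with host bits set, so "172.17.0.1/16"
    is read as the network 172.17.0.0/16.
    """
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def wopi_sources(log_text):
    """Return the distinct client addresses that requested a WOPI path."""
    seen = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and WOPI_PATH in m.group("path"):
            ip = ipaddress.ip_address(m.group("ip"))
            if ip not in seen:
                seen.append(ip)
    return seen


def check(log_text, allow_text):
    """Map each WOPI source address to True if the allow list covers it."""
    nets = parse_allow_list(allow_text)
    return {str(ip): any(ip in n for n in nets) for ip in wopi_sources(log_text)}


if __name__ == "__main__":
    for ip, ok in check(SAMPLE_LOG, "172.17.0.1/16").items():
        print(f"{ip:15} {'allowed' if ok else 'NOT in allow list'}")
```

Any address reported as not covered is a candidate for the allow list, provided it really is the office server's address as seen from the Nextcloud side.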

Thanks. Sorry I missed your helpful Wiki before :sweat_smile:

Following the troubleshooting first steps I see:
(1) Client side browser URL https://[my-family-name].cloud/status.php

|installed|true|
|---|---|
|maintenance|false|
|needsDbUpgrade|false|
|version|"27.0.1.2"|
|versionstring|"27.0.1"|
|edition|""|
|productname|"Nextcloud"|
|extendedSupport|false|

(2) https://[my family name].cloud/hosting/discovery - note if I input as https://office. ... I get a did not connect potential security access error from Firefox

Otherwise I see an XML document, a sample of which is:

The error for (2) is a potential problem?

Turning to the server side there are also problems:

(3). running curl shows

curl https://office.[family-name].cloud/hosting/discovery
curl: (60) SSL: no alternative certificate subject name matches target host name 'office.[family-name].cloud'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

without the leading office. I get a long list of file types

(4) Similarly:

curl https://cloud.[family-name].cloud/status.php
curl: (60) SSL: no alternative certificate subject name matches target host name 'cloud.[family-name].cloud'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Sorry - but I'm not clear from your Wiki whether this is the output I can expect? Do the next steps correct, what I assume to be, certificate / SSL errors? Alternatively, is there something to fix before I move on?

Thanks!

This means you didn't provide a valid TLS certificate for your Collabora system. Both NC and Collabora must use the same protocol, which means https:// in real life.

successful connections without warnings for each mentioned direction.

I would start there...

Since I use Let's Encrypt certs then I think my problem is the same as Using self-signed certs.

Am I on the right track here? If so, I need to figure out what needs customizing.

nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    hostname: nextcloud
    environment:
        - PUID=$PUID8
        - PGID=$PGID
        - TZ=${TZ}
    volumes:
        - $USERDIR/nextcloud/config:/config
        - $USERDIR/nextcloud/data:/data
        - $USERDIR/Docs:/var/hda/files/Docs
        - $USERDIR/Pictures:/var/hda/files/Pictures
        - $USERDIR/Music:/var/hda/files/Music
    networks:
        - default
        - t2_proxy
    ports:
        - $NEXTCLOUD_PORTS:443 #for LAN use only            
    depends_on:
        - "mariadb"
    labels:
        - "traefik.enable=true"
        ## TCP Routers
        - "traefik.tcp.routers.nextcloud-tcp.entrypoints=https"
        - "traefik.tcp.routers.nextcloud-tcp.rule=HostSNI(`nextcloud.$DOMAINNAME`)"
        - "traefik.tcp.routers.nextcloud-tcp.tls=true"
        - "traefik.tcp.routers.nextcloud-tcp.tls.passthrough=true"
        ## TCP Services
        - "traefik.tcp.routers.nextcloud-tcp.service=nextcloud-tcp-svc"
        - "traefik.tcp.services.nextcloud-tcp-svc.loadbalancer.server.port=443"
    restart: unless-stopped

   .....


  onlyoffice-documentserver:
    container_name: onlyoffice-documentserver
    image: onlyoffice/documentserver
    environment:
      - TZ=${TZ}
      - FORCE_SSL=true
      - CERT_FOLDER=/certs/
      - /app/onlyoffice/DocumentServer/data/certs/onlyoffice.pem:/certs/cert1.pem
      # Comment strings below to disable the JSON Web Token validation.
      - JWT_ENABLED=true
      - JWT_SECRET=${PW3}
      - JWT_HEADER=Authorization
      - JWT_IN_BODY=true
    stdin_open: true 
    tty: true
    networks:
        - default
        - t2_proxy
    restart: always
    volumes:
       - $USERDIR/onlyoffice/data:/var/www/onlyoffice/Data/
       - $USERDIR/onlyoffice/data/certs:/var/www/onlyoffice/Data/onlyoffice/documentserver
       - $USERDIR/onlyoffice/log:/var/log/onlyoffice
       - $USERDIR/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
       - $USERDIR/onlyoffice/example:/var/www/onlyoffice/documentserver-example/public/files
       - $USERDIR/onlyoffice/fonts:/usr/share/fonts
    labels:
       - "traefik.enable=true"
       ## TCP Routers
       - "traefik.tcp.routers.onlyoffice-tcp.entrypoints=https"
       - "traefik.tcp.routers.onlyoffice-tcp.rule=HostSNI(`onlyoffice.$DOMAINNAME`)"
       - "traefik.tcp.routers.onlyoffice-tcp.tls=true"
       - "traefik.tcp.routers.onlyoffice-tcp.tls.passthrough=true"
       ## TCP Services
       - "traefik.tcp.routers.onlyoffice-tcp.service=onlyoffice-tcp-svc"
       - "traefik.tcp.services.onlyoffice-tcp-svc.loadbalancer.server.port=443"

I can't say if there is something special with linuxserver image - please reach out to their support.

for ā€œofficialā€ docker images take a look at this post Docker - nextcloud oder linuxserver/nextcloud - #6 by wwe

from your post I'm wondering why do you use :443 as .loadbalancer.server.port - I would expect plain http behind Traefik reverse proxy.