WOPI requests - nextcloud office

šŸ± Features & apps
, ,
1

Iā€™m running NC 27.0.1 and have configured NCoffice as a docker container.
If I specify an allow list for WOPI requests I can create but not edit a file. Without the allow list I can open and edit the file.

My allow list is 172.17.0.1/16
Based on the docker containerā€™s ip:

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:fc:37:66 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.85/24 brd 192.168.2.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fefc:3766/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:57:02:86:1f brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever

I think I must be missing something simple here? :crazy_face:

2

itā€™s not very clear how your system is configured, please add more details.

I understand you are running separated CODE container. in this case you can see where the request comes from and review if your allow list match. it could happen the request goes through the internet and incoming request seems to come from your internet public IP.

3

Sorry for the delayed response

in this case you can see where the request comes from and review if your allow list match.

Isnā€™t this what Iā€™m doing above (i.e., using the docker container IP)?
If In input the docker IP as 172.17.0.1/16
Then it shows the server as reachable:

image

However, when I go to create a document I can name it (it is saved), but then it will not open and shows the following error:

image

How should I find the correct link to input?

4

no this just a container ip config - the request does not necessarily comes from internal IP, it could even go out into the internet and return back showing public IP as origin. you should check (detailed) logs from your reverse proxy and look at the request. please review Nextcloud Collabora integration

5

Thanks. Sorry I missed your helpful Wiki before :sweat_smile:

Following the troubleshooting first steps I see:
(1) Client side browser URL https://[my-family-name].cloud/status.php

|installed|true|
| ā€” | ā€” |
|maintenance|false|
|needsDbUpgrade|false|
|version|ā€œ27.0.1.2ā€|
|versionstring|ā€œ27.0.1ā€|
|edition|ā€œā€|
|productname|ā€œNextcloudā€|
|extendedSupport|false|

(2) https://[my family name].cloud/hosting/discovery ā€“ note if I input as https://office. ā€¦ I get a did not connect potential security acccess error from Firefox

Otherwise I see an XML document as sample of which is:

The error for (2) is a potential problem?

Turning to the server side there also problems:

(3). running curl shows

curl https://office.[family-name].cloud/hosting/discovery
curl: (60) SSL: no alternative certificate subject name matches target host name ā€˜office.[family-name].cloudā€™
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

without the leading office. I get a long list of file types

(4) Similarly:

curl https://cloud.[family-name].cloud/status.php
curl: (60) SSL: no alternative certificate subject name matches target host name ā€˜cloud.[family-name].cloudā€™
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Sorry - but Iā€™m not clear from your Wiki whether this is the output I can expect? Do the next steps correct, what I assume to be, certificate / SSL errors? Alternatively, is there something to fix before I move on?

Thanks!

6

this means you didnā€™t provide valid TLS certificate for your Collabora system. Both NC and Collabora must use same protocol which means https:// in real life.

successful connections without warnings for each mentioned direction.

I would start thereā€¦