Yet another problem with Nextcloud Office/Collabora

Aephir · February 19, 2022, 1:48pm

Document failed loading
Failed to load Nextcloud Office - please try again later

I am running a collabora/code docker container. I can “access” it via browser (see the OK when navigating to either https:/local.ip or FQDN).

I see this issue popping up a lot when searching. I’ve of course tried numerous of the “solutions” found around the forum (e.g., this and this), as well as numerous different nginx configs I’ve found.

I’m on Nextcloud v23.0.2 (but had same issue on v.23.0.2), Nextcloud Office v 5.0.2. In my docker-compose.yaml, I have:

version: '3.7'
services:
  collabora:
    image: collabora/code:latest
    container_name: collabora
    restart: unless-stopped
    environment:
      # - extra_params=o:ssl.enable=false
      - extra_params=--o:ssl.enable=true
      - domain=${COLLABORA_DOMAIN}
      - password=${COLLABORA_PASSWORD}
      - username=${COLLABORA_USERNAME}
      - dictionaries="en_US da"
    ports:
      - "9980:9980"
    volumes:
      - ./appdata/collabora:/config

and in the .env:

COLLABORA_USERNAME=admin
COLLABORA_PASSWORD=password
COLLABORA_DOMAIN=nextcloud\\.my\\.domain

where nextcloud\\.my\\.domain is my fqdn to access nextcloud (double backlash escaped, as explained in all the examples I found).

In Nextcloud, under Admin-> Nextcloud Office, I have for the URL:

https://admin:password@collabora.my.domain

and it says Collabora Online server is reachable. (I have also tried with local IP:port instead of FQDN, which also says “online” if I check “disable certificate verification”).

However, this has never worked with any of the nginx configs I have found online (e.g. this on collaboraonline.com), only if I used a minimal nginx config:

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name collabora.my.domain;

	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass https://10.0.30.21:9980;
	}
}

with ssl.conf:

### Mozilla Recommendations
# generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;


### Linuxserver.io Defaults

# Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;

# Diffie-Hellman Parameters
ssl_dhparam /config/nginx/dhparams.pem;

# Enable TLS 1.3 early data
ssl_early_data on;

# HSTS, remove # from the line below to enable HSTS
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# Optional additional headers
#add_header Cache-Control "no-transform" always;
#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
#add_header Permissions-Policy "interest-cohort=()";
#add_header Referrer-Policy "same-origin" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-UA-Compatible "IE=Edge" always;
#add_header X-XSS-Protection "1; mode=block" always;

and proxy.conf:

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Proxy Connection Settings
proxy_buffers 32 4k;
proxy_connect_timeout 240;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect  http://  $scheme://;
proxy_send_timeout 240;

# Proxy Cache and Cookie Settings
proxy_cache_bypass $cookie_session;
#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps
proxy_no_cache $cookie_session;

# Proxy Header Settings
proxy_set_header Connection $connection_upgrade;
proxy_set_header Early-Data $ssl_early_data;
proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Real-IP $remote_addr;

After starting collabora container, if I try opening a document in Nextcloud, a docker logs collabora shows (this is everything after Ready to accept connections on port 9980.):

wsd-00001-00049 2022-02-19 13:33:49.085671 +0000 [ websrv_poll ] ERR  Skipping the token [--co-image-logo=url('/core/img/logo/logo.png?v=0')] since it has more than one '=' pair| wsd/FileServerUtil.cpp:156
wsd-00001-00051 2022-02-19 13:33:49.645343 +0000 [ docbroker_001 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00051 2022-02-19 13:33:49.645425 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645470 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645492 +0000 [ docbroker_001 ] ERR  #29: Socket read returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1125
wsd-00001-00051 2022-02-19 13:33:49.645534 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645567 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645606 +0000 [ docbroker_001 ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1398
wsd-00001-00051 2022-02-19 13:33:49.645642 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645669 +0000 [ docbroker_001 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00051 2022-02-19 13:33:49.645692 +0000 [ docbroker_001 ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1398
wsd-00001-00051 2022-02-19 13:33:49.645761 +0000 [ docbroker_001 ] ERR  WOPI::CheckFileInfo failed for URI [https://next.aephir.net/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj?access_token=a2n6SPD8RsI35It4tLo3Q0CkNkFGKWAD&access_token_ttl=0]: 0 . Headers: 	Body: []| wsd/Storage.cpp:690
wsd-00001-00051 2022-02-19 13:33:49.645881 +0000 [ docbroker_001 ] ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:2014
wsd-00001-00051 2022-02-19 13:33:49.645931 +0000 [ docbroker_001 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj] with URI [https://next.aephir.net/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj?access_token=a2n6SPD8RsI35It4tLo3Q0CkNkFGKWAD&access_token_ttl=0]: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1976
wsd-00001-00051 2022-02-19 13:33:49.645978 +0000 [ docbroker_001 ] ERR  Storage error while starting session on /index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj for socket #24. Terminating connection. Error: WOPI::CheckFileInfo failed: | wsd/COOLWSD.cpp:3694
wsd-00001-00051 2022-02-19 13:33:49.646216 +0000 [ docbroker_001 ] WRN  Ignoring attempted read from 24| ./net/Socket.hpp:1099
wsd-00001-00051 2022-02-19 13:33:49.646246 +0000 [ docbroker_001 ] ERR  Invalid or unknown session [003] to remove.| wsd/DocumentBroker.cpp:2054
wsd-00001-00049 2022-02-19 13:33:50.062875 +0000 [ websrv_poll ] WRN  DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj] that is marked to be destroyed. Rejecting client request.| wsd/COOLWSD.cpp:2281
wsd-00001-00049 2022-02-19 13:33:50.063104 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj].| wsd/COOLWSD.cpp:3724
wsd-00001-00049 2022-02-19 13:33:50.063145 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| ./net/Socket.hpp:1398
wsd-00001-00049 2022-02-19 13:33:50.063184 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| ./net/Socket.hpp:1398
wsd-00001-00049 2022-02-19 13:33:50.063216 +0000 [ websrv_poll ] WRN  Socket #28 is shutting down but 64 bytes couldn't be flushed and still remain in the output buffer.| ./net/WebSocketHandler.hpp:795
wsd-00001-00049 2022-02-19 13:33:50.063299 +0000 [ websrv_poll ] ERR  #28: attempted to remove: 1042 which is > size: 0 clamped to 0| ./net/Socket.hpp:1214
wsd-00001-00049 2022-02-19 13:33:50.063344 +0000 [ websrv_poll ] WRN  Ignoring attempted read from 28| ./net/Socket.hpp:1099
wsd-00001-00049 2022-02-19 13:33:50.063414 +0000 [ websrv_poll ] ERR  Socket #28 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (ENOENT: No such file or directory)| ./net/SslSocket.hpp:348
wsd-00001-00049 2022-02-19 13:33:50.063495 +0000 [ websrv_poll ] ERR  Error while handling poll for socket #28 at 0 in websrv_poll: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown| net/Socket.cpp:465
wsd-00001-00049 2022-02-19 13:33:50.932260 +0000 [ websrv_poll ] WRN  DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj] that is marked to be destroyed. Rejecting client request.| wsd/COOLWSD.cpp:2281
wsd-00001-00049 2022-02-19 13:33:50.932528 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj].| wsd/COOLWSD.cpp:3724
wsd-00001-00049 2022-02-19 13:33:50.932585 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| ./net/Socket.hpp:1398
wsd-00001-00049 2022-02-19 13:33:50.932636 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| ./net/Socket.hpp:1398
wsd-00001-00049 2022-02-19 13:33:50.932687 +0000 [ websrv_poll ] WRN  Socket #28 is shutting down but 64 bytes couldn't be flushed and still remain in the output buffer.| ./net/WebSocketHandler.hpp:795
wsd-00001-00049 2022-02-19 13:33:50.932735 +0000 [ websrv_poll ] ERR  #28: attempted to remove: 1042 which is > size: 0 clamped to 0| ./net/Socket.hpp:1214
wsd-00001-00049 2022-02-19 13:33:50.932781 +0000 [ websrv_poll ] WRN  Ignoring attempted read from 28| ./net/Socket.hpp:1099
wsd-00001-00049 2022-02-19 13:33:50.932833 +0000 [ websrv_poll ] ERR  Socket #28 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (ENOENT: No such file or directory)| ./net/SslSocket.hpp:348
wsd-00001-00049 2022-02-19 13:33:50.932892 +0000 [ websrv_poll ] ERR  Error while handling poll for socket #28 at 0 in websrv_poll: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown| net/Socket.cpp:465
wsd-00001-00044 2022-02-19 13:33:51.646688 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:2368
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:52.664936 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/AxyNjf9de8Z3w9Lu/tmp]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:52.681502 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/AxyNjf9de8Z3w9Lu/lo]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:52.696575 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/AxyNjf9de8Z3w9Lu]| common/JailUtil.cpp:70
wsd-00001-00059 2022-02-19 13:33:53.943662 +0000 [ docbroker_002 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00059 2022-02-19 13:33:53.943769 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.943819 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.943848 +0000 [ docbroker_002 ] ERR  #29: Socket read returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1125
wsd-00001-00059 2022-02-19 13:33:53.943888 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.943922 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.943949 +0000 [ docbroker_002 ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1398
wsd-00001-00059 2022-02-19 13:33:53.943981 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.944015 +0000 [ docbroker_002 ] ERR  Socket #29 SSL error: SYSCALL (5) (EPIPE: Broken pipe)| ./net/SslSocket.hpp:279
wsd-00001-00059 2022-02-19 13:33:53.944045 +0000 [ docbroker_002 ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1398
wsd-00001-00059 2022-02-19 13:33:53.944132 +0000 [ docbroker_002 ] ERR  WOPI::CheckFileInfo failed for URI [https://next.aephir.net/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj?access_token=a2n6SPD8RsI35It4tLo3Q0CkNkFGKWAD&access_token_ttl=0&permission=edit]: 0 . Headers: 	Body: []| wsd/Storage.cpp:690
wsd-00001-00059 2022-02-19 13:33:53.944252 +0000 [ docbroker_002 ] ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:2014
wsd-00001-00059 2022-02-19 13:33:53.944304 +0000 [ docbroker_002 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj] with URI [https://next.aephir.net/index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj?access_token=a2n6SPD8RsI35It4tLo3Q0CkNkFGKWAD&access_token_ttl=0&permission=edit]: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1976
wsd-00001-00059 2022-02-19 13:33:53.944356 +0000 [ docbroker_002 ] ERR  Storage error while starting session on /index.php/apps/richdocuments/wopi/files/82229_oc3z0uht4lmj for socket #20. Terminating connection. Error: WOPI::CheckFileInfo failed: | wsd/COOLWSD.cpp:3694
wsd-00001-00059 2022-02-19 13:33:53.944614 +0000 [ docbroker_002 ] WRN  Ignoring attempted read from 20| ./net/Socket.hpp:1099
wsd-00001-00059 2022-02-19 13:33:53.944652 +0000 [ docbroker_002 ] ERR  Invalid or unknown session [007] to remove.| wsd/DocumentBroker.cpp:2054
wsd-00001-00044 2022-02-19 13:33:55.945066 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:2368
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:56.960611 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/46wnvuGrG4FB9Gut/tmp]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:56.976126 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/46wnvuGrG4FB9Gut/lo]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00045-00045 2022-02-19 13:33:56.989634 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/46wnvuGrG4FB9Gut]| common/JailUtil.cpp:70

Since I have tried pretty much everything a I could find with a search engine (or on these forums), I’d really appreciate if anyone has any pointers. Preferably, I’d just want to use local IP instead of FQDN, but mostly, I’d just want to find a working config.

kevdog · February 19, 2022, 5:09pm

Ok – can you explain your setup more just to make sure I have a handle on your situation

Here is what I’m surmising based on your post:

You have one host running your nextcloud installation.
You have a second host running nginx and a docker version of collabora. I’m surmising on this host there is no firewall blocking access to either port 80/443 and 9980.

Does the URL collabora.my.domain have the assigned IP address of 10.0.30.21?

Your running collabora with the ssl.enable=true parameter.

So I think what is happening is probably a conflict → You have TLS connection from the client to your nextcloud. Nextcloud is attempting to establish a TLS connection between itself and your nginx reverse proxy, and then nginx is trying to establish an encrypted connection to collabora. You’ll need 3 sets of certs here I believe (one for nextcloud, one for nginx, and one for collabora container).

To dumb things down a bit I would start easy and build up as you go.
Order I might try things:

Nextcloud which then connects directly to collabora docker instance over http to port 9980. (I’ve totally removed the reverse proxy in this situation).
Add reverse proxy. Nextcloud to nginx over port 80 and then proxy_pass http to collabora docker
Add SSL certificates to nginx reverse proxy → Nextcloud to nginx over port 433 then proxy_pass http to collabora docker.

I thing I really had a hard time with was making the actual collabora container use a TLS connection – I think I may have had it at one time, however the TLS connection between the reverse proxy and collabora seemed to always break. I ended up terminating the TLS connection at the reverse proxy and just did a plain unencrypted connection to the collabora container.

Snippets of my docker-compose file for collabora have this:

services:
  collabora:
    image: collabora/code:21.11.1.4.1

    expose:
      - 9980
    cap_add:
      - MKNOD
    environment:
      - username=admin
      - password=dockercol
      - domain=nextcloud\.domain\.com|test\.domain\.com|nc\.domain\.com
      - DONT_GEN_SSL_CERT=1
      - server_name=loolwsd.domain.com
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"

Hopefully that will help
Alternative to expose would be ports: 9980:9980 as you have in your config
The username/password is not needed – I believe its just to log into the collabora admin console which is located at <collabora_URL_OR_IP_address>:9980/hosting/discovery

Domain refers to the domains which the collabora will accept connections from. So in most circumstances its going to be the nextcloud URL which in your situation will be nextcloud\.my\.domain.

wwe · February 19, 2022, 8:50pm

I’m pretty confident you need need only one backslash (or maybe not at all). I inject the variable using .env file so I can’t for sure what is the right format using plain docker-compose file. Most likely you pick up the recommendation to escape dots form docker (without compose) tutorials… maybe you can double check using docker inspect `. I see following block in my working installation (at least with NC22.2+collabora/code:21.11.1.4.1)

            "Env": [
                "domain=nc.<mydomain>|dev-nc.<mydomain>",
                "dictionaries=de_DE en_US es_ES ru",
                "VIRTUAL_PROTO=http",
                "VIRTUAL_PORT=9980",
                "VIRTUAL_HOST=collabora.<mydomain>",
                "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:user_interface.mode=classic --o:logging.level=warning --o:net.proto=IPv4",
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "LC_CTYPE=C.UTF-8"
            ],

sounds weird for me as well - you don’t need to pass any credencials… take a look at this post, there is pretty good description f my setup: Docker Compose for Nextcloud + Collabora + Traefik? - #2 by wwe

Aephir · February 27, 2022, 4:26pm

Hi, sorry for the delay, we took a spontaneous “going-crazy-from-covid-lockdown” trip.

@kevdog, correct:

Machine 1: TrueNAS (FreeBSD) with nextcloud running in jail with own IP.
Machine 2: Ubuntu server w. Docker; linuxserver/swag (nginx + let’s encrypt)) and collabora/code containers.

collabora.my.domain directs via nginx to 10.0.30.21:9980 (collabora container).
next.my.domaindirects vi nginx to 10.0.30.67:80 (nextcloud jail)

I had to add ports to your example to see anything at 10.0.30.21:9980 (expose alone didn’t do this). But if then adding http://10.0.30.21:9980 in “Nextcloud Office” settings (circumventing nginx), the result is the same: "Document loading failed … " With the "extra_params=--o:ssl.enable=false --o:ssl.termination=true" line under environment.

I’m not sure I understand the - server_name=loolwsd.domain.com. Shouldn’t this be - server_name=collabora.my.domain? Or should this be local IP to try without nginx?

@wwe I tried stitching something together from the post you linked to (see details) but the result is exactly the same as initially described (using https://collabora.my.domain in “Nextcloud Office” settings, where I see the OK when navigating to https://collabora.my.domain)

  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    ports:
      - 9980:9980
    expose:
      - "9980"
    environment:
      - domain=${COLLABORA_DOMAIN}
      - 'dictionaries=en_US, da'
      - VIRTUAL_PROTO=http
      - VIRTUAL_PORT=9980
      - VIRTUAL_HOST=${COLLABORA_FQDN}
      - "extra_params=--o:ssl.enable=false  --o:ssl.termination=true"
    cap_add:
      - MKNOD
    tty: true

with no more backlash escaped periods in the .env file, otherwise as shown in the first post (you were right, it doesn’t seem to matter).

If trying https://collabora.my.domain/hosting/discovery, it just displays a blank page (I briefly see the xml flashing when reloading the page, but only for a fraction of a second). Unless I set the server_name to something that is different from collabora.my.domain or 10.0.30.21:9980, in which case I can see the xml just fine.

It could also be because I don’t really know Traefik, and my nginx setup is wrong (not sure how to translate the Traefik config to nginx)?

wwe · February 27, 2022, 9:58pm

maybe you are confused with

      - domain=${COLLABORA_DOMAINS}
      - VIRTUAL_HOST=${COLLABORA_FQDN}

VIRTUAL_HOST - this the domain where you host Collabora (must be public FQDN to make it work from outside of the LAN, and issue correct LE certificate)
domain - is the host authorized to use this Collabora service (your Nextcloud FQDN), can be pipe(|) -separated list of valid URLs

# fqdn of Collaboa conatainer
COLLABORA_FQDN=collabora.<mydomain>
COLLABORA_DOMAINS=nc.<mydomain>|dev-nc.<mydomain>|nc23.<mydomain>

your need to add this variables to Docker .env file!

Aephir · February 28, 2022, 8:48am

Oops, forgot to mention, but I did add that to the .env file. It looks like this:

COLLABORA_USERNAME=admin
COLLABORA_PASSWORD=password
COLLABORA_DOMAIN=next.my.domain
COLLABORA_FQDN=collabora.my.domain

where next.my.domain is where I access my Nextcloud instance, and collabora.my.domain is where I can access collabora (just a page showing the OK if I navigate to it, the same as navigating to the internal IP of the container).

wwe · February 28, 2022, 9:16am

maybe you address it right, I noticed a difference in your examples:

I’m using ${COLLABORA_DOMAINS} (with trailing “S”). Maybe you can verify the variables inside of the docker container with docker inspect…

this is bad… you must see the XML all the time using you production FQDN (you add to NC config and your client can access). maybe you find a hint using browser developer tools (F12) - I feel “network tab” is most useful.

kevdog · March 2, 2022, 2:01am

Hey – seems like you would be close but alas things not working.

Can I ask you about your environmental variables? In my working docker container, I don’t have some of the env variables.

Mine looks like this:

 collabora:
    restart: unless-stopped
    image: collabora/code:21.11.1.4.1
    container_name: collabora
    networks:
      - net
    expose:
      - 9980
    cap_add:
      - MKNOD
    environment:
      - TZ=America/Chicago
      - username=admin
      - password=****
      - domain=nextcloud\.domain\.com|nc\.domain\.com
      - DONT_GEN_SSL_CERT=1
      - server_name= loolwsd.domain.com
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"

I don’t really care if you include ports or expose – Just only include one or the other - not the other. Ports exposes the container to the host, where as expose only exposes the container to other containers on the same docker network.

You said you’re using SWAG/Nginx for your reverse proxy. Nice combination. I use it for another project – just not this project as I’m using traefik. Either nginx or traefik should work, so honestly it’s not a question of one being better than the other.

You haven’t posted any logs from nginx so I’m wondering if that’s configured correctly. Anyway you could post logs from the SWAG container?

wwe · March 2, 2022, 8:39pm

often there is no big difference between include and expose e.g. for backend database, but in case of Collabora (WOPI) there is fundamental difference - each involved endpoint system needs to talk to others: client to both Collabora and Nextcloud, Collabora to Nextcloud and Nextcloud to Collabora.

every resource in this simplified drawing must be accessible as is (internal/external; hostname/IP)

kevdog · March 3, 2022, 12:14am

You’re drawning although informative doesn’t have the reverse proxy or docker network. Assuming collabora and the reverse proxy are on the same docker network, you really only need the expose line (well actually you don’t since expose is the default value). Whether you need expose or ports…it’s really going to depend on the setup

KH

wwe · March 3, 2022, 9:14pm

I agree, given the fact item within “srv” are containers sharing the same docker network expose is good choice. In this sample you only need to include ports on reverse proxy and hide both applications within docker.

Collabora_SplitBrain