CollaboraOnline / Docker-CODE

Dockerfile and scripts to generate CODE Docker image

Requesting address is denied #49

Open pwFoo opened 5 years ago

pwFoo commented 5 years ago

I have Collabora running with Nextcloud, but when I load the file list I get the following error message for each Word / Excel document in the list.

wsd-00029-00040 2018-12-13 14:45:46.879437 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.17.0.8| wsd/LOOLWSD.cpp:1851
wsd-00029-00040 2018-12-13 14:45:46.903576 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.17.0.8| wsd/LOOLWSD.cpp:1851

172.17.0.8 is the current nextcloud container ip address which should be allowed. So how can I allow it?

    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
        </wopi>
        <webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false">
            <host desc="Hostname to allow" allow="false">office</host>
        </webdav>
    </storage>

Connecting from the nextcloud container to the collabora container looks good.

$ docker exec -ti nextcloud_app_1 curl http://office:9980
OK

So I think I need to allow the nextcloud container by hostname or ip (subnet)? How to do with docker compose environment?

funkypenguin commented 5 years ago

I note the same issue when accessing collabora from a nextcloud container in Docker swarm. I updated storage.wopi.host to include the following (for ipv6-enabled hosts):

<host desc="Regex pattern of hostname to allow or deny." allow="true">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
<host desc="Regex pattern of hostname to allow or deny." allow="true">::ffff:172\.3[01\.[0-9]{1,3}\.[0-9]{1,3}</host>

... but I still get requesting address denied. What's the right way to fix this?

Thanks! D

timar commented 5 years ago

It's not about the WOPI host. There is another setting, net.post_allow.host. Basically it is for the thumbnail generation.

pwFoo commented 5 years ago

@timar Could you give an example how to allow it? I'm new with collabora and don't know how to set that / multiple options by env variable to the docker container. At the moment I set ssl.enable to false because of a container to container connection without encryption.

pwFoo commented 5 years ago

Tried for example that extra_params:

extra_params: '--o:ssl.enable=false --o:net.post_allow.host=172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} --o:net.post_allow.host=172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} --o:net.post_allow.host=172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}'

The ssl.enable=false should work, because without the connection fails earlier...

timar commented 5 years ago

I did not try, but probably you can pass only one --o:net.post_allow.host. Edit your regex carefully, and you can also use | character to separate your regexes.

gtinjr commented 5 years ago

I am getting the same error when proxying the requests through traefik and disabling ssl on the docker image. I read through the issues and tried the parameters suggested here but I haven't been successful. Here is the error: wsd-00031-00041 2018-12-27 20:21:25.091316 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.16.253.40| wsd/LOOLWSD.cpp:1971

The docker parameters command line: sudo docker run -t -d -p 9980:9980 -e extra_params='--o:ssl.enable=false --o:net.post_allow.host=172\.16\.[0-9]{1,3}\.[0-9]{1,3} --o:storage.wopi.host=172\.16\.[0-9]{1,3}\.[0-9]{1,3} --o:ssl.termination=true' --cap-add MKNOD --restart always collabora/code

loolwsd.xml has the ip pattern allowed: <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>

I am using the latest docker image from hub.docker.com. It should be 4.0.0.2

timar commented 5 years ago

::ffff:172.16.253.40 is an IPv6 address, and you allowed IPv4 addresses. The 172.16.[0-9]{1,3}.[0-9]{1,3} regex won't match ::ffff:172.16.253.40.

gtinjr commented 5 years ago

Thx, I got it working by changing the pattern to an ipv4 mapped ipv6 address pattern. I also had to add the domain parameter. Even though it is working I still get the error message in the logs. I am not sure why.

new docker command: sudo docker run -t -d -p 9980:9980 -e 'domain=cloud\\.example\\.com' -e extra_params='--o:ssl.enable=false --o:net.post_allow.host=\:\:ffff\:172\.16\.[0-9]{1,3}\.[0-9]{1,3} --o:storage.wopi.host=\:\:ffff\:172\.16\.[0-9]{1,3}\.[0-9]{1,3} --o:ssl.termination=true' --cap-add MKNOD --restart always collabora/code

Error:

wsd-00031-00031 2018-12-28 00:46:51.201584 [ loolwsd ] INF WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:3179
wsd-00031-00041 2018-12-28 00:50:16.790039 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.16.253.40| wsd/LOOLWSD.cpp:1971
wsd-00031-00041 2018-12-28 00:50:18.765730 [ websrv_poll ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:610

pwFoo commented 5 years ago

Files not opened. Have to check why... Only see... image

Could anyone share a working compose / stack nextcloud with collabora?

funkypenguin commented 5 years ago

Here’s how I ended up setting mine up:

https://geek-cookbook.funkypenguin.co.nz/recipes/collabora-online/

D


mhow2 commented 5 years ago

Today, I installed the official collabora/code container and an apache reverse proxy with a valid certificate. I got the same issue. What is the official fix for it ?

Hubhubhurra commented 5 years ago

The problem with ::ffff:172 comes from merging IPv6 and IPv4. Disable IPv6 with echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 and for future echo net.ipv6.conf.all.disable_ipv6 = 1 > /etc/sysctl.d/01-disable-ipv6.conf then restart the Docker container and all works fine.

with regards

kevdogg commented 5 years ago

wsd-00028-00039 2019-02-14 06:34:49.520306 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:197

I did the IPv6 trick however honestly didn't know where I should use these commands --- I have freebsd install of nextcloud in a jail and a vm running ubuntu which is running docker and the container. I tried the IPv6 command on the Ubuntu VM and same thing occurred.

I even tried with following config: sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\.domain\.com' -e "username=admin" -e "password=dockercol" -e extra_params='--o:net.proto=IPv4' --restart always --cap-add MKNOD collabora/code

I received this error: wsd-00028-00039 2019-02-14 06:34:49.520306 [ websrv_poll ] ERR Requesting address is denied: 172.17.0.1| wsd/LOOLWSD.cpp:197

I also tried adding both the ipv6 and ipv4 variant of the 172.17.0.1 and got a similar error.

I modified the config file and basically added the following: storage.filesystem.wopi section

::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}

net.post_allow section

::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3} ::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}

Note nothing ever worked!!! Similar post here: https://help.nextcloud.com/t/requesting-address-is-denied-172-17-0-1-wsd-loolwsd-cpp-1971/44179/15

HELP!!

kevdogg commented 5 years ago

> The problem with ::ffff:172 comes from merging IPv6 and IPv4. Disable IPv6 with echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 and for future echo net.ipv6.conf.all.disable_ipv6 = 1 > /etc/sysctl.d/01-disable-ipv6.conf then restart the Docker container and all works fine.
>
> with regards

I made these changes within the container itself by passing a statement like this:

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.domainname\\.com' --name="jax" -e "username=admin" -e "password=dockercol" --restart always --cap-add MKNOD collabora/code

Still received following error: wsd-00028-00039 2019-02-14 13:31:10.619489 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1971

janLo commented 5 years ago

The --o: override method here is a bit strange. I had only success by providing an explicit index to the option:

--o:net.post_allow.host[0]=::ffff:172.18.[0-9]+.[0-9]+

I couldn't find out though if this overrides the first entry of the xml config file or prepends one. The code there is quite messy.

melroy89 commented 5 years ago

> The problem with ::ffff:172 comes from merging IPv6 and IPv4. Disable IPv6 with echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6 and for future echo net.ipv6.conf.all.disable_ipv6 = 1 > /etc/sysctl.d/01-disable-ipv6.conf then restart the Docker container and all works fine.
>
> with regards

More info: https://askubuntu.com/questions/41543/how-to-dynamically-enable-and-disable-ipv6-on-an-interface

Although I still think, this is a workaround!

melroy89 commented 5 years ago

> --o:net.post_allow.host[0]=::ffff:172.18.[0-9]+.[0-9]+

In my case it was: Requesting address is denied: ::ffff:172.17.0.1. So notice the 172.17 instead of 172.18 ><

Edit: Still I can't open files. This Collabora Online really drives me nuts. Now I'm getting:

wsd-00029-00044 2019-02-22 23:01:50.128503 [ docbroker_001 ] WRN  Client session [0002] not found to forward message: o281 statusindicatorstart:| wsd/DocumentBroker.cpp:1778
wsd-00029-00044 2019-02-22 23:01:50.128552 [ docbroker_001 ] WRN  Client session [0002] not found to forward message: o282 statusindicatorfinish:| wsd/DocumentBroker.cpp:1778
wsd-00029-00044 2019-02-22 23:01:50.128572 [ docbroker_001 ] WRN  Client session [0002] not found to forward message: o283 signaturestatus: 0| wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.257571 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o286 statusindicatorstart:| wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.257696 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o287 statusindicatorfinish:| wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.257793 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o288 signaturestatus: 0| wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.257892 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o289 cellformula: Human League* ‎– (Keep Feeling) Fascination | wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.257962 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o290 celladdress: D11| wsd/DocumentBroker.cpp:1778
wsd-00029-00045 2019-02-22 23:01:50.258063 [ docbroker_002 ] WRN  Client session [0003] not found to forward message: o291 cellcursor: 7590, 2550, 8999, 254, 3, 10| wsd/DocumentBroker.cpp:1778
pwFoo commented 5 years ago

The snippet fixes the error message, but still can't open a document?

--o:net.post_allow.host[0]=::ffff:172.[0-9]+.[0-9]+.[0-9]+

Loading icon forever, no error message with collabora or nextcloud container logs and reverse proxy too. Any idea?

melroy89 commented 5 years ago

I also tried different Nginx reverse proxy configs like: https://raw.githubusercontent.com/LibreOffice/online/master/etc/nginx/loolwsd.conf

Getting:

wsd-00015-00023 2019-02-25 17:03:15.610821 [ websrv_poll ] WRN  client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279                                                         
wsd-00015-00023 2019-02-25 17:03:15.750901 [ websrv_poll ] WRN  FileServerRequestHandler: File not found: Invalid URI request: [/loleaflet/8a61a5302/branding.js].| wsd/FileServer.cpp:425                 
wsd-00015-00023 2019-02-25 17:03:15.949821 [ websrv_poll ] WRN  FileServerRequestHandler: File not found: Invalid URI request: [/loleaflet/8a61a5302/branding.js].| wsd/FileServer.cpp:425                 
wsd-00015-00023 2019-02-25 17:03:16.676578 [ websrv_poll ] WRN  client - server version mismatch, disabling browser cache.| wsd/FileServer.cpp:279                                                         
wsd-00015-00023 2019-02-25 17:03:16.800043 [ websrv_poll ] WRN  FileServerRequestHandler: File not found: Invalid URI request: [/loleaflet/8a61a5302/branding.js].| wsd/FileServer.cpp:425                 
wsd-00015-00023 2019-02-25 17:03:16.982456 [ websrv_poll ] WRN  FileServerRequestHandler: File not found: Invalid URI request: [/loleaflet/8a61a5302/branding.js].| wsd/FileServer.cpp:425                 
wsd-00015-00023 2019-02-25 17:05:59.125728 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.20.0.1| wsd/LOOLWSD.cpp:1966                                                                      
wsd-00015-00023 2019-02-25 17:06:02.130269 [ websrv_poll ] ERR  Requesting address is denied: ::ffff:172.20.0.1| wsd/LOOLWSD.cpp:1966                                                                      

Really there is no good install guide.

PipeItToDevNull commented 5 years ago

I too am awaiting a proper fix or instruction on this issue. The ipv6 trick did not work for me.

melroy89 commented 5 years ago

In my case I even suspect the Nextcloud Content Security Policy (CSP), but I have no clue anymore... I gave up.

kevdogg commented 5 years ago

> In my case I even suspect the Nextcloud Content Security Policy (CSP), but I have no clue anymore... I gave up.

I think you didn't configure your loolwsd.xml file properly for the WOPI host. Why don't you open a help request here: https://help.nextcloud.com/c/support/collabora. I'm pretty sure your problem is fixable.

pwFoo commented 5 years ago

Here is my actual compose file, but documents not open. Just loading spinner and no failed calls.

version: '3.2'

services:
  db:
    image: mariadb:latest
    network_mode: bridge
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_DATABASE=<DB>
      - MYSQL_ROOT_PASSWORD=<ROOT-PW>
      - MYSQL_USER=<USER>
      - MYSQL_PASSWORD=<PW>

  app:
    image: nextcloud:stable-apache
    network_mode: bridge
    volumes:
      - nextcloud:/var/www/html
    environment:
      - MYSQL_HOST=db
      - MYSQL_DB=<DB>
      - MYSQL_USER=<USER>
      - MYSQL_PASSWORD=<PW>
      - VIRTUAL_HOST=<DOMAIN> # custom reverse proxy
      - VIRTUAL_PORT=80 # custom reverse proxy
      - CADDY_PROXY_OPTS=websocket # custom reverse proxy
    depends_on:
      - db
      - collabora
    links:
      - db:db
      - collabora:office

  cron:
    image: nextcloud:stable-apache
    volumes:
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
    links:
      - db:db

  collabora:
    image: collabora/code
    network_mode: bridge
    cap_add:
      - MKNOD
    environment:
      domain: office
      server_name: office
#      extra_params: '--o:ssl.enable=false --o:net.post_allow.host=\:\:ffff\:172\.1[6-7]\.[0-9]{1,3}\.[0-9]{1,3} --o:storage.wopi.host=\:\:ffff\:172\.1[6-7]\.[0-9]{1,3}\.[0-9]{1,3} --o:ssl.termination=true'
      extra_params: '--o:ssl.enable=false --o:net.post_allow.host= --o:net.post_allow.host[0]=::ffff:172.[0-9]+.[0-9]+.[0-9]+' 

volumes:
  db:
  nextcloud:
dmytrobazeliuk-devops commented 5 years ago

same problem

dmytrobazeliuk-devops commented 5 years ago

wsd-00029-00039 2019-03-16 13:53:29.587683 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:29.627371 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:29.658028 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:29.718302 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:31.450725 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:31.477725 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:31.513833 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978
wsd-00029-00039 2019-03-16 13:53:31.715323 [ websrv_poll ] ERR Requesting address is denied: ::ffff:172.17.0.1| wsd/LOOLWSD.cpp:1978

Brakelmann commented 5 years ago

Same issue here! After my latest Collabora update, document editing stopped working. I rely on IPv6 as my provider does carrier grade NAT so disabling IPv6 is no option. I spent a whole weekend to get this solved without success.

Hopefully there will be a solution soon.

ghost commented 5 years ago

Same issue.

https://github.com/nextcloud/richdocuments/issues/450

kousu commented 5 years ago

@mhow2 , would you share your configs? I set up Collabora behind an nginx reverse proxy, so that it's connecting over IPv4 over 127.0.0.1 -- and I know I did it right because it was working before I upgraded Collabora just today. I'm not seeing "Requesting address is denied:" but the other symptoms are all the same.

I'm seeing (https://github.com/nextcloud/richdocuments/issues/450#issuecomment-475748347) /hosting/discovery get downloaded, but my browser not try to make any websocket connections as followups. Is /hosting/discovery supposed to provide a websocket endpoint maybe?

FatCyclone commented 5 years ago

I finally got it working (Partially)

Context : I'm behind my reverse proxy, jwilder's container and the let's encrypt companion. I'm using these parameters : --o:ssl.enable=false --o:ssl.termination=true --o:storage.wopi.host=\:\:ffff\:172\.17\.[0-9]{1,3}\.[0-9]{1,3} --o:net.post_allow.host=\:\:ffff\:172\.17\.[0-9]{1,3}\.[0-9]{1,3}

Hope it helps. Good luck.

EDIT : Don't forget to restart collabora/code container once it's built.

EDIT 2: I tried only with this --o:ssl.enable=false --o:ssl.termination=true and some files work, and other files gave me the same error.

EDIT 3 : When I enable the regex again and trying to load the same file, it never loads.

victor-0807 commented 5 years ago

docker run -d --name collabora --restart unless-stopped \
  -p 9980:9980 \
  -e extra_params='--o:ssl.enable=false --o:net.post_allow.host[0]=::ffff:10.20.30.[0-9]+' \
  -e username=admin \
  -e password=your_password \
  --cap-add MKNOD \
  collabora/code:4.0.3.1

ooshkamils515 commented 5 years ago

I had a similar issue with onlyoffice, I was able to fix by doing the following:

sudo docker network create --ipv6 --subnet=2001:db8:85a3::8a2e:370:7334/80 office (pick anything for subnet)

sudo docker run -t -d -p 127.0.0.1:9980:9980 --network=office -e 'domain=site\.nextcloud\.com' --restart always --cap-add MKNOD collabora/code

This way you can leave the host system ipv6 enabled.

pwFoo commented 5 years ago

I have still problems to use collabora with nextcloud. Open documents fails.

ilyesAj commented 5 years ago

I solved the problem:

  1. download loolwsd.xml from the container : docker cp container_name:/etc/loolwsd/loolwsd.xml loolwsd.xml
  2. add this line : <host desc="Ditto,as IPv4-mapped IPv6 address">::ffff:172\.17\.0\.1</host> in : <net desc="Network settings"> like this : image

     in my case the error was on this address : ::ffff:172\.17\.0\.1 it can be another one. Refer to your error on collabora.

  3. grant access to loolwsd with : chmod 777 loolwsd.xml
  4. upload the file into the container again : docker cp loolwsd.xml container_name:/etc/loolwsd/loolwsd.xml

The container will restart automatically. That's it, hope it helps.

pwFoo commented 5 years ago

I don't think we should manipulate the running docker container to "fix" it. We need a solution without that like environment variable configuration or working default values inside of the docker image (changes to the dockerfile it's based on).

pwFoo commented 5 years ago

Should be possible with environment variables, but looks like it's ignored.

Tried different syntax to add net.host_allow.host, but loolwsd.xml isn't updated with any entry for that... Bug with the docker image?!

pwFoo commented 5 years ago

Documentation looks bad, because there is no working example how to pass extra_params?

timar commented 5 years ago

How to pass extra_params is documented here: https://www.collaboraoffice.com/code/docker/ net.host_allow.host is tricky, because there can be multiple host nodes in loolwsd.xml, but you can pass only one in the command line. You need to construct a regex that matches all addresses you want to allow (use | character to separate addresses, for example).

ghost commented 5 years ago

@timar @pwFoo Should we be required to pass extra parameters, or is this something that should "just work"?

timar commented 5 years ago

> @timar @pwFoo Should we be required to pass extra parameters, or is this something that should "just work"?

The WOPI host is allowed by default. It depends on the configuration, whether you need to pass extra parameters, or not.

ilyesAj commented 5 years ago

@timar can you give us an example of how we pass a parameter for net.host_allow.host? Because in the documentation it said that we have to manipulate the loolwsd.xml in the container and that's obviously not a good thing. Every time I restart the docker I have to copy that file. @pwFoo you're right it's not really a fix but it defined where the problem is.

pwFoo commented 5 years ago

@ilyesAj @timar But if I try a simple example (ip address) as net.host_allow.host or net.host_allow.host[0] it is ignored? A working example would be nice.

ilyesAj commented 5 years ago

@pwFoo for me it is ignored when i run it in docker run with extra option --o:storage.wopi.host=\:\:ffff\:172\.17\.[0-9]{1,3}\.[0-9]{1,3} --o:net.post_allow.host=\:\:ffff\:172\.17\.[0-9]{1,3}\.[0-9]{1,3}

timar commented 5 years ago

AFAIK you don't have to escape :. Shell eats \ so you have to escape it, too. Here is my recent command line, it worked for me. docker run -t -d -p 9980:9980 -e "extra_params=--o:ssl.enable=false --o:net.post_allow.host[0]=::ffff:172\\\.17\\\.0\\\.1 --o:logging.level=information" collabora/code:4.1-snapshot

kevdogg commented 4 years ago

Hasn't this issue been fixed with new rich documents release?

pwFoo commented 4 years ago

I don't know... Short time ago I moved to onlyoffice which works without any trouble. Haven't compared both, but onlyoffice works without problems and doesn't need the cap_add mknod inside of a docker container. So it also works with docker swarm.

FatCyclone commented 4 years ago

Working like a charm with traefik and those parameters :

kevdogg commented 4 years ago

Just a heads up. With the option ssl.enable=false — you are basically turning off any ssl capabilities of the docker host — which is fine if you are letting the reverse proxy in front of the docker image terminate the ssl connection. Once ssl.enable=false, I don’t think the value of ssl.termination matters. It could be true or false since ssl isn’t enabled at all. I encourage you to try and see if the results change with ssl.enable=false and ssl.termination=true/false.

> On Dec 9, 2019, at 9:36 AM, FatCyclone notifications@github.com wrote:
>
> Working like a charm with traefik and those parameters :
>
> Traefik label : traefik.passHostHeader = true
> Env variables : --o:ssl.enable=false --o:ssl.termination=true

FatCyclone commented 4 years ago

For SSL Termination setting, it's written in loolwsd.xml :

<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>

And you can see an example of config here: https://www.collaboraoffice.com/code/apache-reverse-proxy/

kevdogg commented 4 years ago

You are correct — the default setting is http. However I believe the loolwsd.xml is also nested with the statement appearing under the ssl.enable directive.

The reference you posted is correct. It says use apache as a reverse proxy. This means the encrypted connection terminates at the reverse proxy. Any further communication between the reverse proxy and the docker image is unencrypted and sent in plain text. I don’t believe this is a problem if for example the reverse proxy and docker image is run on the same machine. If the reverse proxy communicates with another computer on the LAN running the docker image, then communication across the LAN is unencrypted.

I played around a lot with the setting on this one. I was able to use the setting ssl.enable=true and ssl.termination false. The actual communication between the reverse proxy and docker image was encrypted, however this wasn’t a true SSL connection since during the handshake the identity of the docker image was not verified.

I was never able to make ssl.enable = true and ssl.termination = true actually work when the docker image set behind a reverse proxy. I believe this didn’t work because the reverse proxy acted as a MITM where the first SSL connection terminated at the reverse proxy and the second SSL connection terminated at the docker image. This required the reverse proxy to decrypt then re-encrypt the packets during the communication process — the very definition of a reverse proxy. I believe I could serve simple html files with this approach, however I wasn’t sure how to re-encrypt the communication using web sockets which is what nextcloud actually uses mostly for communication between the reverse proxy and docker image. I’m sure there probably is a method how to do this which someone far smarter than me could figure out.

So in a nutshell the only two settings I was able to make work were:

ssl.enable = true with ssl.termination= false
ssl.enable = false with ssl.termination= true or false.

I’ve only verified these settings on my own machine, so it would be nice if another party could support or refute these findings. I’m reporting my findings after hours of trying to tweak the settings both in the docker image and with the apache virtual host file and with trying to install my LE certs within the docker host or by attempting to use their default certs that were created when ssl.enable=true was turned on.


DavidPerezIngeniero commented 4 years ago

I'm studying the source code, in order to know how to configure correctly.

https://github.com/LibreOffice/online/blob/master/wsd/LOOLWSD.cpp

    bool allowPostFrom(const std::string &address)
    {
        static bool init = false;
        static Util::RegexListMatcher hosts;
        if (!init)
        {
            const auto& app = Poco::Util::Application::instance();
            // Parse the host allow settings.
            for (size_t i = 0; ; ++i)
            {
                const std::string path = "net.post_allow.host[" + std::to_string(i) + "]";
                const auto host = app.config().getString(path, "");
                if (!host.empty())
                {
                    LOG_INF("Adding trusted POST_ALLOW host: [" << host << "].");
                    hosts.allow(host);
                }
                else if (!app.config().has(path))
                {
                    break;
                }
            }

            init = true;
        }
        return hosts.match(address);
    }

I'm using this:

extra_params: '--o:ssl.enable=false --o:--o:net.post_allow.host[0]=[0-9.]+'

or:

extra_params: '--o:ssl.enable=false --o:--o:net.post_allow.host[0]=::ffff:[0-9.]+'

unsuccessfully, and many other variants.
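
An added example, not part of the thread and not code from LOOLWSD.cpp: it models the lookup loop of the allowPostFrom() function quoted above and checks patterns posted in this issue against the address forms seen in the logs. Assumptions: a flat key/value map stands in for the server configuration, whole-string std::regex matching stands in for Util::RegexListMatcher, and kTight and the test addresses are constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <regex>
#include <string>
#include <vector>

// Assumption: a flat key/value map stands in for the server's configuration.
using Config = std::map<std::string, std::string>;

// Same walk as the quoted allowPostFrom(): read net.post_allow.host[0], [1], ...
// and stop at the first index that does not exist. In this model a key written
// without an index is a different key and is never read.
std::vector<std::string> loadPostAllow(const Config& cfg)
{
    std::vector<std::string> patterns;
    for (std::size_t i = 0; ; ++i)
    {
        const std::string path = "net.post_allow.host[" + std::to_string(i) + "]";
        const auto it = cfg.find(path);
        if (it == cfg.end())
            break;                          // no such index: end of list
        if (!it->second.empty())
            patterns.push_back(it->second); // empty entries are skipped
    }
    return patterns;
}

// Assumption: a pattern has to match the whole address, which is why an
// IPv4-only pattern does not cover the ::ffff: (IPv4-mapped IPv6) form.
bool isAllowed(const std::vector<std::string>& patterns, const std::string& address)
{
    for (const auto& p : patterns)
    {
        try
        {
            const std::regex re(p, std::regex::ECMAScript | std::regex::icase);
            if (std::regex_match(address, re))
                return true;
        }
        catch (const std::regex_error&)
        {
            // An invalid pattern allows nothing.
        }
    }
    return false;
}

// Patterns taken from the thread.
const std::string kIPv4Only = R"(172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3})";
const std::string kLoose    = "::ffff:172.[0-9]+.[0-9]+.[0-9]+";
const std::string kAnyV4    = "[0-9.]+";
// Constructed: one pattern for 172.16.0.0/12 in both address forms, dots escaped.
const std::string kTight =
    R"((::ffff:)?172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3})";

// Load a one-entry configuration and test one address against it.
bool check(const std::string& key, const std::string& pattern, const std::string& address)
{
    return isAllowed(loadPostAllow(Config{{key, pattern}}), address);
}

int main()
{
    const std::string indexed = "net.post_allow.host[0]";
    const std::string bare    = "net.post_allow.host";
    struct Case { std::string note, key, pattern, address; };
    const std::vector<Case> cases = {
        {"key without index",          bare,    kTight,    "::ffff:172.17.0.8"},
        {"IPv4 pattern, mapped form",  indexed, kIPv4Only, "::ffff:172.17.0.8"},
        {"IPv4 pattern, plain form",   indexed, kIPv4Only, "172.17.0.8"},
        {"tight pattern, mapped form", indexed, kTight,    "::ffff:172.17.0.8"},
        {"tight pattern, outside /12", indexed, kTight,    "::ffff:172.32.0.1"},
        {"loose pattern, outside /12", indexed, kLoose,    "::ffff:172.32.0.1"},
        {"[0-9.]+, unrelated address", indexed, kAnyV4,    "203.0.113.5"},
    };
    for (const auto& c : cases)
        std::cout << (check(c.key, c.pattern, c.address) ? "ALLOW " : "DENY  ")
                  << c.address << "  (" << c.note << ")\n";
    return 0;
}
```

The last two rows show the cost of the broad patterns: they stop the log error, but they also accept addresses outside the Docker bridge ranges.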