CODE yields http ressources although using ssl.termination=true

[nursoda]

Describe the bug

Due to resource URLs delivered with http:// proto, I cannot use CODE without TLS in the backend (behind a terminating reverse-proxy).

To Reproduce

Server setup

• Minimal setup on one single Arch Linux machine: NGINX, PHP-FPM, Nextcloud and CODE (as Docker collabora/code latest).
• HSTS Preload is activated for my domain.
• I access the document server via reverse-proxy using its cloud server domain:
  • Nextcloud: https://MYDOMAIN/apps/files etc
  • CODE: https://MYDOMAIN/lool/(.*)/ws etc.
• This setup works 100% fine as long as I stick to Docker image defaults concerning SSL and use "1. SSL on both ends" in the proposed NGINX reverse proxy config.

Collabora Configuration

• To minimize computation, I want to use "2. SSL terminates at the proxy" instead and changed my NGINX config accordingly.
• I stop and rm the CODE container and re-run it with -e 'extra_params=--o:ssl.enable=false ssl.termination=true"'.

Expected behavior

• CODE should work just as it did using SSL on both ends. The assumption for that is ssl.termination=true does make sure that URLs in ressources are written as https:// although the server itself runs without SSL. I deduct that from the comment within /etc/loolwsd/loolwsd.xml (from the container):

Connection via proxy where loolwsd acts as working via https, but actually uses http

Actual behavior

• Issuing ps ax I see the proper extra_params:

  /usr/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:child_root_path=/opt/lool/child-roots --o:file_server_root_path=/usr/share/loolwsd --o:logging.color=false --o:user_interface.mode=notebookbar --o:ssl.enable=false ssl.termination=true

• I also get "OK" for curl http://localhost:9980 within the container and on the host, and a green check mark within my Nextcloud page /settings/admin/richdocuments – so that part works as expected.
• But opening any document in Nextcloud yields a "white screen" (except for the Nextcloud menu bar) in Firefox and Chrome.

Additional context / Possible cause

• The browser's JS console (here: Chrome) shows

Mixed Content: The page at 'https://MYSERVER/apps/files/?dir=/&fileid=6' was loaded over HTTPS, but requested an insecure form action 'http://MYSERVER/loleaflet/…/loleaflet.html? WOPISrc=https%3A%2F%MYSERVER%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F… &title=test.odt&lang=de&closebutton=1&revisionhistory=1'. This request has been blocked; the content must be served over HTTPS.

• The cause seems to be, that /hosting/discovery yields http://…-URLs that due to the ssl.termination=true parameter really should be https://…-URLs like http://MYSERVER/loleaflet/…

Complete listing of https://MYSERVER/hosting/discovery

• As far as I can see this is NOT Docker specific as the only thing the container does in that respect is to pass the extra_params to loolwsd.

[nursoda]

I found the solution myself as I re-read the SSL configuration documentation again. It would have been helpful to have an example there… So the solution is:

• wrong: -e 'extra_params=--o:ssl.enable=false' -e 'extra_params=--o:ssl.termination=true"'
• wrong: -e 'extra_params=--o:ssl.enable=false ssl.termination=true"'
• correct: -e 'extra_params=--o:ssl.enable=false --o:ssl.termination=true"'

In case anyone else stumbles upon this, I leave the description as it was.

[wethinkagile]

Would be great having someone proof-reading this and put into README. E.g. in above example I spotted a couple of extra ", which are probably not necessary.

[mike-lloyd03]

I'm having this same problem and I have my environment variables set up the same as yours. I've confirmed these are being passed to the web server with ps. But I still get the "mixed active content" error and Collabora fails to load. I might just set up TLS between code and Nextcloud just to get this working but that seems like a pain. Is there a quick way to do that?

ps aux output:

UID          PID    PPID  C STIME TTY          TIME CMD
cool           1       0  0 22:29 ?        00:00:05 /usr/bin/coolwsd --version --o:sys_template_path=/opt/cool/systemplate --o:child_root_path=/opt/cool/child-roots --o:file_server_root_path=/usr/share/coolwsd --o:logging.color=false --o:ssl.termination=true --o:ssl.enable=false

Relevant sections of docker compose file:

app:                                        
  image: nextcloud:22-apache                
  hostname: HOSTNAME               
  restart: unless-stopped                   
  ports:                                    
    - 8082:80                               
  volumes:                                  
    - /etc/localtime:/etc/localtime:ro      
    - /mnt/data/nextcloud/data:/var/www/html
  environment:                              
    - POSTGRES_HOST=db                      
    - REDIS_HOST=redis                      
  env_file:                                 
    - .env                                  
  depends_on:                               
    - db                                    
    - redis                                 
  networks:                                 
    - proxy-tier                            
    - default                               
    - code                                  

code:                                                             
  image: collabora/code:21.11.1.4.1                               
  restart: unless-stopped                                         
  networks:                                                       
    - default                                                     
    - code                                                        
  env_file:                                                       
    - .env                                                        
  ports:                                                          
    - 9980:9980                                                   
  volumes:                                                        
    - /etc/localtime:/etc/localtime:ro                            
  depends_on:                                                     
    - app                                                         
  cap_add:                                                        
    - MKNOD                                                       
  environment:                                                    
    - "extra_params=--o:ssl.termination=true --o:ssl.enable=false"

[wethinkagile]

I came to the same conclusion, disliked the error handling of the setup the most.