CollaboraOnline / online

Collabora Online is a collaborative online office suite based on LibreOffice technology. This is also the source for the Collabora Office apps for iOS and Android.
https://collaboraonline.com

Collabora Code is not opening files in Nextcloud. #3271

Closed w202mg closed 2 years ago

w202mg commented 2 years ago

Hey guys, I was waiting for the release of 6.4.11 because a very similar bug was reported in #3199 (the only difference was that I'm using nginx instead of HAProxy), but after updating today I still see the same behavior. Collabora online is accepting my CODE server incl. certificate check.

Describe the bug Collabora Code is not opening the files in the Nextcloud instance. After trying to open a file, errors appear in the loolwsd status.

To Reproduce Open a file in NC

Expected behavior File is opening in NC.

Actual behavior Files are not opening.

Screenshots image image

Desktop

Nextcloud 22.1.1
Nginx 1.18.0-0
Linux Mint 20.1
Collabora Online 4.2.3
Collabora Code 6.4.11-3
PHP 7.4
No docker in use

Additional context loolwsd status:

WRN  Failed to verify the certificate of [cloud.XXX.net]| ./net/SslSocket.hpp:196
ERR  Socket #27 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (0: Success)| ./net/SslSocket.hpp:330
ERR  Error while handling poll for socket #27 in HttpSynReqPoll: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown| net/Socket.cpp:423
ERR  WOPI::CheckFileInfo failed for URI [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files/1351_ocfhv9kwyxj6?access_token=NXcBvZ1wTIdAdcTSmg9xLHXAwk9S>
ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1926
ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/1351_ocfhv9kwyxj6] with URI [https://cloud.XXX.net/index.php/apps/richdocuments/wopi/files>
ERR  Storage error while starting session on /index.php/apps/richdocuments/wopi/files/1351_ocfhv9kwyxj6 for socket #24. Terminating connection. Error: WOPI::CheckFileI>
WRN  Ignoring attempted read from 24| ./net/Socket.hpp:1021
ERR  Invalid or unknown session [008] to remove.| wsd/DocumentBroker.cpp:1969
WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:2248

Nextcloud log: Warning Host 127.0.0.1 was not connected to because it violates local access rules

Nginx conf:

server {
    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;

    # modify these three lines with your own domain:
    server_name office.XXX.net;
    ssl_certificate /etc/letsencrypt/live/office.XXX.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.XXX.net/privkey.pem;
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

Here is the WOPI part of nano /etc/loolwsd/loolwsd.xml

<wopi allow="true" desc="Allow/deny wopi storage. Mutually exclusive with webdav.">
    <host allow="true">office.XXX.net</host>
    <host allow="true">cloud.XXX.net</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="true" desc="Regex pattern of hostname to allow or deny.">[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host allow="false" desc="Regex pattern of hostname to allow or deny.">192\.168\.1\.1</host>
    <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    <reuse_cookies default="false" desc="When enabled, cookies from the browser will be captured and set on WOPI requests." type="bool">false</reuse_cookies>
    <locking desc="Locking settings">
        <refresh default="900" desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int">900</refresh>
    </locking>
</wopi>

…and the SSL part:

<ssl desc="SSL settings">
    <enable default="true" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." type="bool">true</enable>
    <termination default="true" desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool">false</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/fullchain.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/privkey.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/cert.pem</ca_file_path>
    <cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" desc="List of OpenSSL ciphers to accept"/>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"/>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin/>
        </pins>
    </hpkp>
</ssl>

/etc/hosts

127.0.0.1       localhost
127.0.1.1       XXX
127.0.0.1       meet.XXX.net
127.0.0.1       office.XXX.net

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


w202mg commented 2 years ago

Just fixed it... had to add the Nextcloud domain cloud.XXX.net to /etc/hosts:

127.0.0.1       cloud.XXX.net
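
A triage pass over loolwsd status output of the kind quoted in the report, as an added example that is not part of the original thread or of the Collabora code base: it groups certificate-verification and WOPI::CheckFileInfo failures by host, and masks `access_token` values before a log excerpt is shared. The sample lines, the host name `cloud.example.net` and the token are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the loolwsd status output quoted in the issue.
# Host name and token are placeholders; ">" marks a line cut off by the pager.
SAMPLE_LOG = """\
WRN  Failed to verify the certificate of [cloud.example.net]| ./net/SslSocket.hpp:196
ERR  Socket #27 SSL BIO error: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown (0: Success)| ./net/SslSocket.hpp:330
ERR  WOPI::CheckFileInfo failed for URI [https://cloud.example.net/index.php/apps/richdocuments/wopi/files/1_abc?access_token=PLACEHOLDERTOK>
ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1926
WRN  Ignoring attempted read from 24| ./net/Socket.hpp:1021
"""

CERT_RE = re.compile(r"Failed to verify the certificate of \[([^\]]+)\]")
WOPI_RE = re.compile(r"WOPI::CheckFileInfo failed for URI \[(\S+?)[\]>]")
TOKEN_RE = re.compile(r"(access_token=)[^&\s\]>]+")

def redact(text):
    """Mask WOPI access tokens so log excerpts can be shared safely."""
    return TOKEN_RE.sub(r"\1<redacted>", text)

def triage(log_text):
    """Return {host: {"cert_failures": n, "checkfileinfo_failures": n}}."""
    hosts = {}
    def bump(host, key):
        entry = hosts.setdefault(host, {"cert_failures": 0, "checkfileinfo_failures": 0})
        entry[key] += 1
    for line in log_text.splitlines():
        m = CERT_RE.search(line)
        if m:
            bump(m.group(1).lower(), "cert_failures")
            continue
        m = WOPI_RE.search(line)
        if m:
            host = urlsplit(m.group(1)).hostname  # lower-cased by urlsplit
            if host:
                bump(host, "checkfileinfo_failures")
    return hosts

def tls_suspects(log_text):
    """Hosts whose CheckFileInfo failures coincide with certificate verification failures."""
    return sorted(h for h, c in triage(log_text).items()
                  if c["cert_failures"] and c["checkfileinfo_failures"])

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
    print(tls_suspects(SAMPLE_LOG))
```
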