CollaboraOnline / online

Collabora Online is a collaborative online office suite based on LibreOffice technology. This is also the source for the Collabora Office apps for iOS and Android.
https://collaboraonline.com

Collabora Docker doesn't open documents (no error logs) #7063

Open warioishere opened 1 year ago

warioishere commented 1 year ago

Hi there, I want to set up a standalone Collabora CODE server via Docker deployment. Although I am trying to follow the documentation as well as possible, I don't get it to work. I've almost spent a week now on this, trying different settings all around coolwsd.xml, but some info first:

I have two nextcloud Servers

One has its own IP and NAT (cloud.mydomain.com). One is running behind an Nginx Proxy Manager (privatecloud.mydomain.com).

Both run with NC27.0.2.

All machines are full VMs, no LXC containers.

Both Nextclouds, apart from this problem, are working fine. Both work with the integrated CODE server app without problems.

Now I have another server running the latest Docker version of Collabora Online Server to be my office server; this one is also behind an Nginx Proxy Manager.

Nginx Proxy Manager is set with http://internalip:9980/. NPM does the SSL termination, websocket support is activated, cert from Let's Encrypt.

Nginx advanced settings according to the newest documentation are:

# static files
location ^~ /browser {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $http_host;
}

# Capabilities
location ^~ /hosting/capabilities {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $http_host;
}

# main websocket
location ~ ^/cool/(.*)/ws$ {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}

# download, presentation and image upload
location ~ ^/(c|l)ool {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Host $http_host;
}

# Admin Console websocket
location ^~ /cool/adminws {
    proxy_pass $forward_scheme://$server:$port;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}

I installed docker.io and ran:

docker run -t -d -p 9980:9980 -e "aliasgroup1=https://cloud\.mydomain\.com:443" -e "aliasgroup2=https://privatecloud\.mydomain\.com:443" -e "server_name=office.mydomain.com:8890" --name=COLLABORAOFFICE --restart always --privileged collabora/code

I changed everything, tried all combinations, also tried no backslashes, different ports of the office server with 443, without any port, etc.

office.mydomain.com states OK internally from LAN and also externally from WAN. Both Nextclouds are giving a green check mark saying the server is reachable.

docker logs officeserver says absolutely nothing:

frk-00033-00033 2023-08-10 12:20:07.283533 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
frk-00033-00033 2023-08-10 12:20:07.828614 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
frk-00033-00033 2023-08-10 12:20:08.571945 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
wsd-00001-00038 2023-08-10 12:26:46.654639 +0000 [ websrv_poll ] ERR  unknown UI default's component UITheme| wsd/FileServerUtil.cpp:99
frk-00033-00033 2023-08-10 12:26:46.950289 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
frk-00033-00033 2023-08-10 12:26:47.379342 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
frk-00033-00033 2023-08-10 12:26:47.915089 +0000 [ forkit ] WRN  The systemplate directory [/opt/cool/systemplate] is read-only, and at least [/opt/cool/systemplate//etc/hosts] is out-of-date. Will have to copy sysTemplate to jails. To restore optimal performance, make sure the files in [/opt/cool/systemplate/etc] are up-to-date.| common/JailUtil.cpp:524
root@office:~# 

As far as I read, those template problems are to be ignored.

Nextcloud logs also say nothing that points me to the problem; the Nextcloud logs are absolutely empty, also on the highest log level, on both machines.

My firewall logs all traffic. I don't see anything that blocks anything. Every machine can connect to each other properly.

When trying to open a document, the browser network analysis also doesn't give me a clue, see the attached picture:

[attached screenshot: netzwerkanalyse (browser network analysis)]

I don't have any clue anymore where to look or what to do. I installed multiple times and always run into the same problem. Always "Nextcloud Office cannot be opened, please try again later."

I added the office server host:

<server_name desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string" default="">office.yourdevice.ch:9980</server_name>

I tried to add the Nextcloud server IPs and hostnames to the relevant parts of the XML:

<post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
        <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="The IPv4 private 172.16 block as plain IPv4 dotted decimal addresses.">172\.16\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Domain cloud.yourdevice.ch">^cloud\.mydomain\.ch$</host>
        <host desc="IP for cloud.yourdevice.ch">^172\.16\.1\.18$</host>
        <host desc="Domain privatecloud.yourdevice.ch">^privatecloud\.mydomain\.com$</host>
        <host desc="IP for privatecloud.yourdevice.ch">^172\.16\.1\.14$</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
        <host desc="The IPv6 loopback (localhost) address.">::1</host>
        <host desc="The IPv4 private 172.16.0.0/12 subnet part 1.">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="The IPv4 private 172.16.0.0/12 subnet part 2.">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="The IPv4 private 172.16.0.0/12 subnet part 3.">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="The IPv4 private 10.0.0.0/8 subnet (Podman).">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
</post_allow>

I disabled SSL in the ssl section:

    <ssl desc="SSL settings">
        <!-- switches from https:// + wss:// to http:// + ws:// -->
        <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
        <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="false">true</termination>
        <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
        <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
        <ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
            <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
            <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
            </pins>
        </hpkp>
        <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
            <enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
            <max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
        </sts>
    </ssl>

I set up the hosts in regex and non-regex format:

    <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
        <group>
            <host desc="hostname to allow or deny." allow="true">^https://cloud\.mydomain\.com:443$</host>
            <host desc="IP for cloud.mydomain.com" allow="true">^172\.16\.1\.18$</host>
        </group>
        <group>
            <host desc="hostname to allow or deny." allow="true">^https://privatecloud\.mydomain\.com:443$</host>
            <host desc="IP for privatecloud.mydomain.com" allow="true">^172\.16\.1\.14$</host>
        </group>
    </alias_groups>

I disabled SSL on storage because Nginx does it for me:

<ssl desc="SSL settings">
          <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">false</as_scheme>
          <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting">false</enable>
          <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
          <key_file_path desc="Path to the key file" relative="false"></key_file_path>
          <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
          <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
</ssl>

This block I left on default as well, and also changed it to the current setting.

It doesn't matter what I do, I can't load a single document on Nextcloud; I really spent a long time trying different kinds of configs.

Also with Nginx Proxy Manager forwarding https and SSL enabled on Collabora.

I always get the same problem.

My admin console can be opened, but it says the server has restarted. I cannot really enter because it closes after a short time telling me the server has restarted, which it didn't.

More info:

From the office machine: curl https://nextcloud.example.com/status.php works.

From the Nextcloud machines, curl https://office.example.com/hosting/capabilities and curl https://office.example.com/hosting/discovery work on both machines too.

WOPI access in the Nextcloud GUI is currently set to 0.0.0.0/0 for debugging. Both Nextclouds show a green mark: server is reachable.

Maybe some of you experts have a hint for me? I am almost giving up.
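The post_allow and alias_groups sections above are lists of regular expressions, and a pattern that is one character off fails silently: coolwsd simply never matches the host, and nothing is logged. The following is an added check, not the issue author's code and not part of Collabora Online; it parses a coolwsd.xml-shaped fragment, reports patterns the regex engine rejects outright, and, more usefully, tests each section against the addresses and origins it is supposed to accept. It assumes coolwsd requires the whole string to match (hence re.fullmatch); the fragment is constructed for the example, with two patterns deliberately wrong.

```python
# Added check (not the issue author's code, not part of Collabora Online): lint the
# <host> regex patterns of post_allow / alias_groups in a coolwsd.xml fragment and
# test them positively against the values they are meant to accept.
# Assumption: coolwsd matches the whole string (re.fullmatch); verify for your version.
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the sections quoted above. Two patterns are
# deliberately wrong: one unterminated character class, one missing closing brace.
SAMPLE_CONFIG = r"""<config>
  <post_allow allow="true">
    <host desc="192.168 block">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="172.16 block, missing brace">172\.16\.[0-9]{1,3}\.[0-9]{1,3</host>
    <host desc="loopback, unterminated class">127\.0\.0\.[0-9</host>
    <host desc="nextcloud host">^cloud\.mydomain\.com$</host>
  </post_allow>
  <alias_groups mode="groups">
    <group>
      <host allow="true">^https://cloud\.mydomain\.com:443$</host>
      <host allow="true">^172\.16\.1\.18$</host>
    </group>
  </alias_groups>
</config>"""


def host_patterns(xml_text, section):
    """Yield (desc, pattern) for every <host> inside the named section."""
    node = ET.fromstring(xml_text).find(section)
    if node is None:
        return
    for host in node.iter("host"):
        yield host.get("desc", ""), (host.text or "").strip()


def lint_patterns(xml_text, section):
    """[(desc, pattern, error)] for patterns the regex engine refuses to compile."""
    problems = []
    for desc, pattern in host_patterns(xml_text, section):
        try:
            re.compile(pattern)
        except re.error as exc:
            problems.append((desc, pattern, str(exc)))
    return problems


def matching_pattern(xml_text, section, candidate):
    """First compilable pattern that fully matches candidate, else None.
    A stray '{1,3' compiles fine (Python's re and PCRE both take it as literal
    text) and simply never matches; only a positive test like this reveals it."""
    for _desc, pattern in host_patterns(xml_text, section):
        try:
            if re.fullmatch(pattern, candidate):
                return pattern
        except re.error:
            continue
    return None


def allowed(xml_text, section, candidate):
    """True if the section accepts the candidate address or origin."""
    return matching_pattern(xml_text, section, candidate) is not None


if __name__ == "__main__":
    for section in ("post_allow", "alias_groups"):
        for desc, pattern, err in lint_patterns(SAMPLE_CONFIG, section):
            print(f"{section}: '{desc}' does not compile: {err}")
    for section, candidate in [("post_allow", "192.168.1.5"),
                               ("post_allow", "172.16.1.14"),
                               ("alias_groups", "https://cloud.mydomain.com:443"),
                               ("alias_groups", "https://cloud.mydomain.com")]:
        print(f"{section}: {candidate} -> {matching_pattern(SAMPLE_CONFIG, section, candidate)}")
```

Run it against your real coolwsd.xml by replacing SAMPLE_CONFIG with the file's contents (the root element there is `<config>` too) and feeding it the exact strings your WOPI host presents: the last candidate above shows why the anchored `:443$` form only matches when the port is part of the compared value.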

warioishere commented 1 year ago

I believe it's a websocket problem. As soon as the websocket is loaded in the network analysis, the error in the admin console appears where it says server restarted, please reload the page.

But I am too much of a noob to identify what's wrong or what's going on exactly.
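Two things are worth measuring directly in a setup like the one in the first post, rather than relying on Nextcloud's green mark (which only proves that /hosting/discovery answered): which public origin the discovery XML actually advertises (coolwsd derives the urlsrc values from server_name, so a port or scheme that the proxy does not serve sends the browser's /cool/.../ws WebSocket somewhere the proxy never sees), and whether an HTTP Upgrade request survives the proxy as a 101 with a correct Sec-WebSocket-Accept. The following is an added diagnostic, not the issue author's code and not part of Collabora Online or Nextcloud; the discovery sample is constructed, https://office.mydomain.com is the assumed public origin from the issue, and /cool/adminws is an assumed probe path (the one from the nginx block above).

```python
# Added diagnostic, not the issue author's code and not part of Collabora Online/Nextcloud.
# (1) check the origin advertised in /hosting/discovery against what the proxy serves;
# (2) send a raw WebSocket upgrade through the proxy and verify the 101 handshake.
import base64
import hashlib
import os
import socket
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID, RFC 6455

# Constructed sample in the shape of a /hosting/discovery answer (not from a real server).
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="application/vnd.oasis.opendocument.text">
      <action ext="odt" name="edit" urlsrc="https://office.mydomain.com/browser/abc123/cool.html?"/>
    </app>
    <app name="application/pdf">
      <action ext="pdf" name="view" urlsrc="https://office.mydomain.com/browser/abc123/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def discovery_origins(xml_text):
    """Set of scheme://host[:port] origins named in the urlsrc of every <action>."""
    origins = set()
    for action in ET.fromstring(xml_text).iter("action"):
        parts = urllib.parse.urlsplit(action.get("urlsrc", ""))
        if parts.scheme and parts.netloc:
            origins.add(f"{parts.scheme}://{parts.netloc}")
    return origins


def discovery_matches(xml_text, public_origin):
    """True when every urlsrc points at the origin the proxy really serves; a stray
    port (e.g. :8890) or http:// here breaks the browser's WebSocket, not discovery."""
    return discovery_origins(xml_text) == {public_origin.rstrip("/")}


def fetch_discovery(public_origin, timeout=10):
    """Download /hosting/discovery from the public origin (network call)."""
    with urllib.request.urlopen(f"{public_origin}/hosting/discovery", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def ws_accept_for(key):
    """Sec-WebSocket-Accept a real WebSocket endpoint must return for the given key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


def build_upgrade_request(host, path, key):
    """Minimal upgrade request; Upgrade/Connection are the headers the proxy must forward."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
            f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n\r\n").encode("ascii")


def parse_upgrade_response(raw):
    """(status_code, {lower-case header: value}) from the response head; (0, {}) if empty."""
    if not raw:
        return 0, {}
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split(" ", 2)[1]), headers


def upgrade_succeeded(raw, key):
    """True only for a 101 whose accept header proves the upgrade reached a WebSocket endpoint."""
    status, headers = parse_upgrade_response(raw)
    return status == 101 and headers.get("sec-websocket-accept") == ws_accept_for(key)


def probe_websocket(host, path, port=443, use_tls=True, timeout=10):
    """Send one upgrade through the proxy; return (succeeded, status, headers) (network call)."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(build_upgrade_request(host, path, key))
        raw = sock.recv(4096)
    finally:
        sock.close()
    status, headers = parse_upgrade_response(raw)
    return upgrade_succeeded(raw, key), status, headers


if __name__ == "__main__":
    origin = "https://office.mydomain.com"  # assumed public origin, as in the issue
    print("discovery advertises:", discovery_origins(fetch_discovery(origin)))
    # assumed probe path; anything but 101 means reading the returned status and headers
    print("websocket upgrade:", probe_websocket("office.mydomain.com", "/cool/adminws"))
```

If discovery_origins shows anything other than the origin the browser uses (for instance the :8890 passed as server_name in the docker run above while the proxy listens on 443), that is the first thing to fix; if the upgrade probe returns a non-101 status with no upgrade header at all, the proxy is answering as plain HTTP and the websocket location blocks are not being hit.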