Closed kevdogg closed 3 years ago
@kevdogg: the `extra_params` are not written to loolwsd.xml, instead it is used in the command line that invokes `loolwsd`. Command line parameters override the settings from loolwsd.xml. cf.: https://github.com/CollaboraOnline/online/blob/master/docker/from-packages/scripts/start-collabora-online.sh#L55
So I don't think it's a bug.
@timar I digress, this is definitely a bug, documentation details that you could just use this environment variable to stop SSL from propping up, and this is the expectation that it creates.
Please re-open this issue, and make this a proper priority, as it is making multiple dynamic configuration options stumble, such as that example traefik configuration up there.
Hi Jonathan, my expectation is that the command-line bits should override the loolwsd.xml if you pass them in, so they should just work; are they not working? If so, that is a bug.
They are not working, it is a bug.
I tested the extra parameter `extra_params=--o:ssl.enable=false --o:ssl.termination=true` in a regular docker container setup, and the container worked correctly. If something is not working for you, it is unrelated to those parameters.
@thebearon I run my container with `extra_params=--o:ssl.enable=false --o:ssl.termination=true` and things work with my setup.
I'm aware that an nginx proxy runs inside the container. It would be great however to know what these flags actually mean in terms of how the internal reverse proxy configures itself. I'm asking this question since I'm aware this issue has been raised numerous times in the past. I think a lot of the confusion and questions regarding this issue could be solved by better documentation. I'd even volunteer to write part of the documentation, however I need more information.
My docker-compose file is the following, and it does not work for me:
```yaml
version: "2"
services:
  app:
    image: nextcloud:20
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.tls=true"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nextcloud.entrypoints=https"
      - "traefik.http.routers.nextcloud.rule=Host(`[REDACTED]`)"
    volumes:
      - /app/data/nextcloud:/var/www/html
    networks:
      - "proxy"
  collabora:
    image: collabora/code
    restart: unless-stopped
    # ports:
    #   - "127.0.0.1:9980:9980"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.collabora.tls=true"
      - "traefik.http.routers.collabora.tls.certresolver=letsencrypt"
      - "traefik.http.routers.collabora.entrypoints=https"
      - "traefik.http.routers.collabora.rule=Host(`[REDACTED]`)"
      - "traefik.http.routers.collabora.service=collabora"
      - "traefik.http.services.collabora.loadbalancer.server.scheme=https"
      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
    networks:
      - "proxy"
    environment:
      - "domain=[REDACTED]"
      - 'dictionaries="en nl"'
      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
    cap_add:
      - MKNOD
    tty: true
networks:
  proxy:
    external: true
```
Doing `echo ${extra_params}` inside the container (`docker-compose exec collabora bash`) echoes `--o:ssl.enable=false --o:ssl.termination=true`, the logs mention none of it, the endpoint is still a https one, this does not work.
...oh, never mind, that above works, i just had to remove the part where traefik treats the endpoint like a https one, now it works nicely.
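The two points made above, that the `extra_params` overrides never touch loolwsd.xml but still win at runtime, and that the proxy's upstream scheme must match what loolwsd actually listens with, can be checked mechanically. The script below is an added example, not Collabora's code and not something from this thread. It assumes that loolwsd loads loolwsd.xml and then applies every `--o:dotted.key=value` argument on top of it, with the key being the element path in the XML (repeated siblings indexed Poco-style as `host`, `host[1]`), and that the start script passes `${extra_params}` through the shell unchanged. The XML fragment and the `/proc/<pid>/cmdline` bytes are constructed for the example.

```python
"""
Added example (not Collabora's code): resolve the configuration loolwsd
effectively runs with when extra_params is set, and derive which scheme a
reverse proxy (traefik, nginx) must use towards port 9980.

Assumptions, not taken from the project: loolwsd reads loolwsd.xml and then
applies each --o:dotted.key=value argument on top; the start script passes
${extra_params} through the shell unchanged.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of loolwsd.xml (the real file is longer).
SAMPLE_LOOLWSD_XML = """<config>
  <server_name></server_name>
  <ssl desc="SSL settings">
    <enable type="bool" default="true">true</enable>
    <termination type="bool" default="true">false</termination>
    <cert_file_path>/etc/loolwsd/cert.pem</cert_file_path>
  </ssl>
  <storage>
    <wopi allow="true">
      <host allow="true">localhost</host>
      <host allow="true">nextcloud</host>
    </wopi>
  </storage>
</config>"""


def xml_to_flat(xml_text):
    """Flatten the XML into {'ssl.enable': 'true', ...}. Repeated siblings get
    indexes the way Poco's XMLConfiguration names them (assumed): the first
    <host> is storage.wopi.host, the second storage.wopi.host[1]."""
    flat = {}

    def walk(elem, prefix):
        seen = {}
        for child in elem:
            n = seen.get(child.tag, 0)
            seen[child.tag] = n + 1
            name = child.tag if n == 0 else f"{child.tag}[{n}]"
            key = f"{prefix}.{name}" if prefix else name
            if len(child):
                walk(child, key)
            else:
                flat[key] = (child.text or "").strip()

    walk(ET.fromstring(xml_text), "")
    return flat


def parse_overrides(argv):
    """Keep only the --o:key=value overrides from an argument vector."""
    overrides = {}
    for tok in argv:
        if tok.startswith("--o:") and "=" in tok:
            key, value = tok[len("--o:"):].split("=", 1)
            overrides[key] = value
    return overrides


def parse_extra_params(extra_params):
    """Split extra_params the way the start script's shell does, so a quoted
    value such as --o:storage.wopi.host="a b" survives as one argument."""
    return parse_overrides(shlex.split(extra_params))


def parse_proc_cmdline(raw):
    """Parse /proc/<pid>/cmdline (NUL separated). This is the check to run
    when loolwsd.xml on disk looks untouched: the overrides live here."""
    return parse_overrides([a.decode() for a in raw.split(b"\0") if a])


def effective_config(xml_text, extra_params):
    """What loolwsd runs with: XML values with the CLI overrides on top."""
    cfg = xml_to_flat(xml_text)
    cfg.update(parse_extra_params(extra_params))
    return cfg


def _truthy(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def ssl_mode(cfg):
    """Classify the listener on 9980 from the effective ssl.* settings."""
    if _truthy(cfg.get("ssl.enable", "true")):
        return "tls"                     # loolwsd terminates TLS itself
    if _truthy(cfg.get("ssl.termination", "false")):
        return "plain-behind-tls-proxy"  # plain HTTP, the proxy holds the cert
    return "plain"                       # plain HTTP, no TLS anywhere


def expected_proxy_scheme(cfg):
    """Upstream scheme the proxy must use; a mismatch gives the 'endpoint is
    still https' / bad gateway symptom described in this thread."""
    return "https" if ssl_mode(cfg) == "tls" else "http"


def proxy_scheme_matches(cfg, configured_scheme):
    return configured_scheme.lower() == expected_proxy_scheme(cfg)


if __name__ == "__main__":
    cfg = effective_config(SAMPLE_LOOLWSD_XML,
                           "--o:ssl.enable=false --o:ssl.termination=true")
    print("ssl mode:", ssl_mode(cfg), "-> proxy scheme:", expected_proxy_scheme(cfg))
    # Constructed cmdline, shaped like what the container's start script produces.
    cmdline = (b"/usr/bin/loolwsd\0--version\0--o:sys_template_path=/opt/lool/systemplate"
               b"\0--o:ssl.enable=false\0--o:ssl.termination=true\0")
    print("overrides on the running process:", parse_proc_cmdline(cmdline))
```

With `ssl.enable=false` the result is `plain-behind-tls-proxy`, so the traefik label `loadbalancer.server.scheme=https` in the compose file above is exactly the mismatch `proxy_scheme_matches` flags; dropping it (or setting `http`) is the fix that worked here. The same mode also means port 9980 speaks plaintext, so it should stay on the proxy network rather than being published on all host interfaces.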
@ShadowJonathan Thanks for pointing out the ssl.termination option, that got mine working. As I am running the Linuxserver.io Nextcloud docker, I simply disabled all SSL in the default nginx site-conf file as below originally to just get Nextcloud working:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name _;
#    return 301 https://$host$request_uri;
#}
#server {
#    listen 443 ssl http2;
#    listen [::]:443 ssl http2;
#    server_name _;
#    ssl_certificate /config/keys/cert.crt;
#    ssl_certificate_key /config/keys/cert.key;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";
    # add_header X-Robots-Tag none;
    # add_header X-Download-Options noopen;
    # add_header X-Frame-Options "SAMEORIGIN";
    # add_header X-Permitted-Cross-Domain-Policies none;
    # add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;
```
After some back and forth testing with further modifying the nginx and traefik options for Nextcloud, and Collabora, I got the following working in concert:
```yaml
nextcloud:
  image: linuxserver/nextcloud
  container_name: nextcloud
  restart: always
  networks:
    - $TRAEFIK_NETWORK
  depends_on:
    - redis
    - mariadb
  security_opt:
    - no-new-privileges
  volumes:
    - ${DOCKERDIR}/nextcloud:/config
    - /mnt/zfs/data/nextcloud:/data
  environment:
    - TZ
    - PUID
    - PGID
    # linuxserver FILE__ convention: the variable holds the path of a file
    # containing the value, so these need "=" rather than ":"
    - FILE__NEXTCLOUD_DB_NAME=/run/secrets/nextcloud_db_name
    - FILE__NEXTCLOUD_MYSQL_USER=/run/secrets/nextcloud_mysql_user
    - FILE__NEXTCLOUD_MYSQL_PASSWORD=/run/secrets/nextcloud_mysql_password
  secrets:
    - nextcloud_db_name
    - nextcloud_mysql_user
    - nextcloud_mysql_password
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.nextcloud-rtr.entrypoints=https"
    - "traefik.http.routers.nextcloud-rtr.rule=Host(`cloud.$DOMAINNAME`)"
    - "traefik.http.routers.nextcloud-rtr.tls=true"
    ## Middlewares
    - "traefik.http.routers.nextcloud-rtr.middlewares=nextcloud-caldav@docker,chain-no-auth@file"
    ## Middlewares - Redirect caldav/carddav requests
    - "traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent=true"
    - "traefik.http.middlewares.nextcloud-caldav.redirectregex.regex=^https://(.*)/.well-known/(card|cal)dav"
    - "traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement=https://$${1}/remote.php/dav/"
    ## HTTP Services
    - "traefik.http.routers.nextcloud-rtr.service=nextcloud-svc"
    - "traefik.http.services.nextcloud-svc.loadbalancer.server.port=80"
collabora:
  image: collabora/code
  container_name: collabora
  restart: unless-stopped
  networks:
    - $TRAEFIK_NETWORK
  security_opt:
    - seccomp:unconfined
  cap_add:
    - MKNOD
    - SYS_CHROOT
    - FOWNER
  ports:
    - 9980:9980
  volumes:
    - /etc/timezone:/etc/timezone:ro
    - /etc/localtime:/etc/localtime:ro
  environment:
    - domain=cloud.${DOMAINNAME}
    - server_name=office.${DOMAINNAME}
    - extra_params=--o:ssl.enable=false --o:ssl.termination=true
  labels:
    - "traefik.enable=true"
    ## HTTP Routers
    - "traefik.http.routers.collabora-rtr.entrypoints=https"
    - "traefik.http.routers.collabora-rtr.rule=Host(`office.$DOMAINNAME`)"
    ## Middlewares
    - "traefik.http.routers.collabora-rtr.middlewares=chain-no-auth@file"
    ## HTTP Services
    - "traefik.http.routers.collabora-rtr.service=collabora-svc"
    - "traefik.http.services.collabora-svc.loadbalancer.server.port=9980"
```
I am also pointing Nextcloud to Collabora CODE at http://collabora:9980, and allowing insecure due to not generating a certificate. This appears to be completely working. Traefik does think both endpoints are SSL, and in fact office.${DOMAINNAME} doesn't load for me in a browser, but I'm not sure if that matters.
I'm also seeing 'invoked from foreign thread' errors in the logs for Collabora. Still need to look into that.
I've seen this bug reported on some other forums (i.e. Nextcloud, https://help.nextcloud.com/t/bad-gateway-for-collabora-with-nextcloud-deployed-via-docker-compose/67781/17), however I was hoping for some clarification.
I'm working with docker version 19.03.14, build 5eb3275d40 and the collabora/code:latest image. Here is my docker-compose.yml for full reference; however, I would direct attention to the line that states:
If I shell into the container and examine loolwsd.xml I see the following which isn't in accordance with the env variables that were set.
Is there a way to change the settings within loolwsd.xml through command line arguments or env variables, or do I need to mount this file as a host volume and do it that way (which gets a little messy since the lool UIDs and GIDs inside the container can change, as with a recent commit)?