Collabora office not working after updating AIO to v4.0.1 and Nextcloud Hub 3 (25.0.2).

[apoorv569]

How to use GitHub

• Please use the 👍 reaction to show that you are affected by the same issue.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

Steps to reproduce

1. Update the mastercontainer by using the web UI running at port 8080
2. Update all other containers by web UI
3. Visit your Nextcloud URL and try opening the sample document under "Documents/Welcome to Nextcloud Hub.docx"

Expected behavior

The document should open in collabora office.

Actual behavior

Document doesn't open and I get this error,

Host OS

Host OS is Ubuntu 22.04 LTS

Nextcloud AIO version

v4.0.1

Current channel

Latest

Other valuable info

[szaimen]

Hi, can you for a test delete all elements from the wopi allowlist in your office admin settings?

[apoorv569]

Hi, can you for a test delete all elements from the wopi allowlist in your office admin settings?

Hi, sorry I am not sure where this allowlist is? Can you tell me where can I find this?

[szaimen]

Yes, go to https://yourdomain.com/settings/admin/richdocuments and empty this field:

Afterwards check if opening documents works again.

[apoorv569]

Yes, go to https://yourdomain.com/settings/admin/richdocuments and empty this field:

Afterwards check if opening documents works again.

Ok, I cleared this field and its working now. Thanks.

Can you briefly tell me what WOPI is?

[szaimen]

Ok, I cleared this field and its working now. Thanks.

This will unfortunatley only work until the next restart of your containers. You will need to find out which ip-addres you need to add to the list additionally.

Do you maybe run a reverse proxy? Can you share the ip-address of your reverse proxy?

[apoorv569]

Ok, I cleared this field and its working now. Thanks.

This will unfortunatley only work until the next restart of your containers. You will need to find out which ip-addres you need to add to the list additionally.

Do you maybe run a reverse proxy? Can you share the ip-address of your reverse proxy?

Yes, I do have a reverse proxy. I am not sure about sharing the IP.

[szaimen]

Yes, I do have a reverse proxy. I am not sure about sharing the IP.

All right, can you try to add the ip-address of the reverse proxy to the wopi allowlist and check if office still works afterwards?

[szaimen]

For me most important to know is if the ip-address that you enter in the wopi allowlist field with which it works is a public or private ip-address. Can you share your findings on that? :)

[apoorv569]

For me most important to know is if the ip-address that you enter in the wopi allowlist field with which it works is a public or private ip-address. Can you share your findings on that? :)

Ok, so my setup is like this, I have rented a VPS on which I have Wireguard VPN and NPM (NginxProxyManager) installed and at home I have another instance of NPM installed in a VM on my Proxmox server and is connected to Wireguard VPN.

The NPM on VPS redirect the domains to the NPM at my home which then redirects the same domain to their respective LAN IPs.

Also I am using Cloudflare for nameserver so I have the VPS IP proxied by Cloudflare as well.

Now in Nextcloud WOPI allow list I tried entering my local IP as well as the IP of the VPS and also tried the IP of Cloudflare (which should not work, but I tried anyway) none of these helped.

[szaimen]

You could also check the collabora logs for ip-addresses and try to use that in the wopi allowlist. As I said most important for me is to find out if it is an internal ip-address or rather a public one that is needed to get entered here.

[apoorv569]

You could also check the collabora logs for ip-addresses and try to use that in the wopi allowlist. As I said most important for me is to find out if it is an internal ip-address or rather a public one that is needed to get entered here.

I am not seeing any IP in the logs, but there is this,

 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\

BTW Collabora was working fine before updating v25 and I did not add anything to the WOPI allow list. Did something changed in the new release?

[szaimen]

BTW Collabora was working fine before updating v25. Did something changed in the new release?

yes, entries into the wopi allowlist were added which means that all ip-addresses that are not in the list will not be able to connect anymore. This is due to security improvements.

[szaimen]

Can you check if 0.0.0.0/0 makes it work?

[szaimen]

Since we add all private ip-addresses to the list with https://github.com/nextcloud/all-in-one/blob/c21087d6d02ec279647b1f42402197e27a3de479/Containers/nextcloud/entrypoint.sh#L448, I highly suspect that you would need to add some public ip-address here. However I don't know which one. So one way which should solve this is adding 0.0.0.0/0. However this will allow all hosts again and is a security concern.

[apoorv569]

Can you check if 0.0.0.0/0 makes it work?

Yes this works.

[apoorv569]

Since we add all private ip-addresses to the list with

https://github.com/nextcloud/all-in-one/blob/c21087d6d02ec279647b1f42402197e27a3de479/Containers/nextcloud/entrypoint.sh#L448 , I highly suspect that you would need to add some public ip-address here. However I don't know which one. So one way which should solve this is adding 0.0.0.0/0. However this will allow all hosts again and is a security concern.

Yes, I do understand this. I would not want to use this. Not sure which IP it needs.

[szaimen]

Yes, I do understand this. I would not want to use this. Not sure which IP it needs.

yeah, sorry I cannot help you debugging this but I will at least add it to the documentation in https://github.com/nextcloud/all-in-one/discussions/1358

[apoorv569]

Yes, I do understand this. I would not want to use this. Not sure which IP it needs.

yeah, sorry I cannot help you debugging this but I will at least add it to the documentation in #1358

I see. Well at least I know where the problem is. I will check and post here if I find a solution.

BTW the IP_RANGES you posted seems wrong,

127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1' 

should be,

127.0.0.1/8,192.168.0.0/16,172.16.0.0/16,10.0.0.0/24,fd00::/8,::1' 

Not sure about the IPv6 address though..

[szaimen]

I just looked at https://en.wikipedia.org/wiki/Private_network and our ip-rages are correct IIRC.

[frenicohansen]

I had the same problem. I just upgraded AIO to v4.0.1 and Collabora suddenly was not working. I have almost the same setup, using nginx reverse proxy and clouflare for dns. When I cleared the WOPI list, Collabora is accessible again, but then in the logs, I got something like this.

2022-12-30T14:34:20.018201104Z wsd-00001-00039 2022-12-30 14:34:20.018103 +0000 [ websrv_poll ] ERR  Poco::Net::DNS::resolve("<my-public-ip>") failed: Host not found: <my-public-ip>| wsd/COOLWSD.cpp:3534
2022-12-30T14:34:20.018264504Z wsd-00001-00039 2022-12-30 14:34:20.018137 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: <my-public-ip>| wsd/COOLWSD.cpp:3540

I then add my public ip, behind the original wopi list. And I am not getting those errors any more, and Collabora still functional. 127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1,<my-public-ip>/32

Hope it helps.

[SubhashBose]

My nextcloud server has public ip, but behind standard Cloudflare reverse proxy (not Cloudflare tunnel). After the upgrade office is not working and then figured out this issue.

I added the server's public IP to WOIP whitelist, but still it didn't work. It only works if I whitelist the full list of Cloudflare IPs (https://www.cloudflare.com/ips/).

This is a bit cumbersome, and also I won't remember to update the list later when Cloudflare updates its IP list. Is there a better way to do this?

Also, I don't fully understand how Nextcloud is connecting to Collabora server, I am heavily confused here:

• why it would require Cloudflare's IP, why not it can connect through some internal IP of the server?
• Isn't whitelisting all Cloudflare IPs or my public IP (in case of no reverse proxy) defeating the security purpose WOIP whitelist? as these IPs are reachable by anyone
• If Cloudflare IPs or my public IP (in case of no reverse proxy) has to be added in the WOIP whitelist, isn't it equivalent to keeping the whitelist empty (i.e. allow all IP) ? because anyone connecting to my server will be connecting through those IPs only, all of which are now whitelisted.

Sorry if my above three questions don't make much sense, but I couldn't find enough documentation to understand how the connection between Nextcloud and hosted Collabora server works, especially for AIO. At least if someone who understands this can answer in Yes/No would also suffice. I am concerned that I am compromising security by adding all public/reverse proxy IPs.

[szaimen]

Hi, please ask for some more documentation on this here: https://github.com/nextcloud/richdocuments/issues since I am not that good informed about this setting and further documentation is missing.

[apoorv569]

I just looked at https://en.wikipedia.org/wiki/Private_network and our ip-rages are correct IIRC.

Yes, my bad.

[Kirk1984]

I have a similar issue.

I run AiO behind a caddy reverse proxy. Wopi added my ip adress (dynamic dns) after the inital setup of AiO and everything was working fine. After a router reconnect i got a new ip adress, but the wopi config still has the old adress. Now the collabora container isn't accepting connections because of the new ip adress and collabora expecting the old one.

A reboot also did not resolve the issue.

Do i have to add the ip adress to the wopi config after getting a new ip?

I remember that when i setup collabora manually i added the domain name to loowsd (now coolwsd it seems). That was also running behind a reverse proxy and never had that issue.

[szaimen]

Hi, see https://github.com/nextcloud/all-in-one/discussions/1358

[SubhashBose]

Update: to my previous query https://github.com/nextcloud/all-in-one/issues/1629#issuecomment-1368123915 related to an issue related to Cloudflare proxy or any reverse proxy or dynamic IPs (as another comment above).

I really think that in AIO setup Collabora container should talk to NextCloud container using internal IPs, instead of going through external IP (this is the reason we are required to add reverse proxy IPs and external IPs to the WOIP list). Whitelisting reverse proxy public IP is a security issue.

I guess much of the confusion is arising because of lack of enough documentation for Nextcloud Office WOIP whitelisting. After some hit and try, I found this works best for me.

Run these two commands

sudo docker exec --user root -it nextcloud-aio-collabora bash -c "echo '172.19.0.7 YOUR_DOMAIN.tld' >> /etc/hosts"
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set richdocuments wopi_allowlist --value "172.19.0.1/24"

The first line makes the Collabora container resolve your domain to the internal IP of the nextcloud container. So that Collabora can now talk directly to NextCloud without going through external IP or reverse proxy. I guess this will also reduce the latency in communication as well.

The second line, simply clears the long list of WOIP, and only enters 172.19.0.1/24 (internal docker IP network). I think this is perfect from the security point of view, because no public-facing IPs are allowed to access the document server, only AIO docker network can access.

I have been using with this configuration for some time, and haven't found any issue so far. The only thing is, I have to run these commands after every docker restart. If AIO maintainers think this has no adverse effect (if any, I would really like to know), then it will be great if this can be added permanently to AIO setup.

However, I thought many like me, who are having trouble with Cloudflare or dynamic IPs, may find this solution useful without compromising security.

[szaimen]

Hi, i am not sure if that really solves the security problem. Maybe you can create an issue here: https://github.com/nextcloud/richdocuments/issues and ask for better doumentation since the one on wopi-allowlist is really lacking. i am locking this issue now.since I dont want to discuss this further.