nextcloud / all-in-one

📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance.
https://hub.docker.com/r/nextcloud/all-in-one
GNU Affero General Public License v3.0

Collabora office not working after updating AIO to v4.0.1 and Nextcloud Hub 3 (25.0.2). #1629

Closed apoorv569 closed 1 year ago

apoorv569 commented 1 year ago


Steps to reproduce

  1. Update the mastercontainer by using the web UI running at port 8080
  2. Update all other containers by web UI
  3. Visit your Nextcloud URL and try opening the sample document under "Documents/Welcome to Nextcloud Hub.docx"

Expected behavior

The document should open in collabora office.

Actual behavior

Document doesn't open and I get this error,

(screenshot of the error message; image not included)

Host OS

Host OS is Ubuntu 22.04 LTS

Nextcloud AIO version

v4.0.1

Current channel

Latest

Other valuable info

szaimen commented 1 year ago

Hi, can you for a test delete all elements from the wopi allowlist in your office admin settings?

apoorv569 commented 1 year ago

> Hi, can you for a test delete all elements from the wopi allowlist in your office admin settings?

Hi, sorry I am not sure where this allowlist is? Can you tell me where can I find this?

szaimen commented 1 year ago

Yes, go to https://yourdomain.com/settings/admin/richdocuments and empty this field: (screenshot; image not included)

Afterwards check if opening documents works again.

apoorv569 commented 1 year ago

> Yes, go to https://yourdomain.com/settings/admin/richdocuments and empty this field: (screenshot; image not included)
>
> Afterwards check if opening documents works again.

Ok, I cleared this field and it's working now. Thanks.

Can you briefly tell me what WOPI is?

szaimen commented 1 year ago

> Ok, I cleared this field and it's working now. Thanks.

This will unfortunately only work until the next restart of your containers. You will need to find out which ip-address you need to add to the list additionally.

Do you maybe run a reverse proxy? Can you share the ip-address of your reverse proxy?

apoorv569 commented 1 year ago

> Ok, I cleared this field and it's working now. Thanks.
>
> This will unfortunately only work until the next restart of your containers. You will need to find out which ip-address you need to add to the list additionally.
>
> Do you maybe run a reverse proxy? Can you share the ip-address of your reverse proxy?

Yes, I do have a reverse proxy. I am not sure about sharing the IP.

szaimen commented 1 year ago

> Yes, I do have a reverse proxy. I am not sure about sharing the IP.

All right, can you try to add the ip-address of the reverse proxy to the wopi allowlist and check if office still works afterwards?

szaimen commented 1 year ago

For me most important to know is if the ip-address that you enter in the wopi allowlist field with which it works is a public or private ip-address. Can you share your findings on that? :)

apoorv569 commented 1 year ago

> For me most important to know is if the ip-address that you enter in the wopi allowlist field with which it works is a public or private ip-address. Can you share your findings on that? :)

Ok, so my setup is like this, I have rented a VPS on which I have Wireguard VPN and NPM (NginxProxyManager) installed and at home I have another instance of NPM installed in a VM on my Proxmox server and is connected to Wireguard VPN.

The NPM on the VPS redirects the domains to the NPM at my home, which then redirects the same domains to their respective LAN IPs.

Also I am using Cloudflare for nameserver so I have the VPS IP proxied by Cloudflare as well.

Now in Nextcloud WOPI allow list I tried entering my local IP as well as the IP of the VPS and also tried the IP of Cloudflare (which should not work, but I tried anyway) none of these helped.

szaimen commented 1 year ago

You could also check the collabora logs for ip-addresses and try to use that in the wopi allowlist. As I said most important for me is to find out if it is an internal ip-address or rather a public one that is needed to get entered here.

apoorv569 commented 1 year ago

> You could also check the collabora logs for ip-addresses and try to use that in the wopi allowlist. As I said most important for me is to find out if it is an internal ip-address or rather a public one that is needed to get entered here.

I am not seeing any IP in the logs, but there is this,

 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\

BTW Collabora was working fine before updating to v25 and I did not add anything to the WOPI allow list. Did something change in the new release?

szaimen commented 1 year ago

> BTW Collabora was working fine before updating to v25. Did something change in the new release?

Yes, entries into the wopi allowlist were added, which means that all ip-addresses that are not in the list will not be able to connect anymore. This is due to security improvements.

szaimen commented 1 year ago

Can you check if 0.0.0.0/0 makes it work?

szaimen commented 1 year ago

Since we add all private ip-addresses to the list with https://github.com/nextcloud/all-in-one/blob/c21087d6d02ec279647b1f42402197e27a3de479/Containers/nextcloud/entrypoint.sh#L448, I highly suspect that you would need to add some public ip-address here. However I don't know which one. So one way which should solve this is adding 0.0.0.0/0. However this will allow all hosts again and is a security concern.

apoorv569 commented 1 year ago

> Can you check if 0.0.0.0/0 makes it work?

Yes this works.

apoorv569 commented 1 year ago

> Since we add all private ip-addresses to the list with https://github.com/nextcloud/all-in-one/blob/c21087d6d02ec279647b1f42402197e27a3de479/Containers/nextcloud/entrypoint.sh#L448, I highly suspect that you would need to add some public ip-address here. However I don't know which one. So one way which should solve this is adding 0.0.0.0/0. However this will allow all hosts again and is a security concern.

Yes, I do understand this. I would not want to use this. Not sure which IP it needs.

szaimen commented 1 year ago

> Yes, I do understand this. I would not want to use this. Not sure which IP it needs.

yeah, sorry I cannot help you debugging this but I will at least add it to the documentation in https://github.com/nextcloud/all-in-one/discussions/1358

apoorv569 commented 1 year ago

> Yes, I do understand this. I would not want to use this. Not sure which IP it needs.
>
> yeah, sorry I cannot help you debugging this but I will at least add it to the documentation in #1358

I see. Well at least I know where the problem is. I will check and post here if I find a solution.

BTW the IP_RANGES you posted seems wrong,

127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1' 

should be,

127.0.0.1/8,192.168.0.0/16,172.16.0.0/16,10.0.0.0/24,fd00::/8,::1' 

Not sure about the IPv6 address though..

szaimen commented 1 year ago

I just looked at https://en.wikipedia.org/wiki/Private_network and our ip-ranges are correct IIRC.

frenicohansen commented 1 year ago

I had the same problem. I just upgraded AIO to v4.0.1 and Collabora suddenly was not working. I have almost the same setup, using an nginx reverse proxy and Cloudflare for DNS. When I cleared the WOPI list, Collabora was accessible again, but then in the logs I got something like this.

2022-12-30T14:34:20.018201104Z wsd-00001-00039 2022-12-30 14:34:20.018103 +0000 [ websrv_poll ] ERR  Poco::Net::DNS::resolve("<my-public-ip>") failed: Host not found: <my-public-ip>| wsd/COOLWSD.cpp:3534
2022-12-30T14:34:20.018264504Z wsd-00001-00039 2022-12-30 14:34:20.018137 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: <my-public-ip>| wsd/COOLWSD.cpp:3540

I then added my public IP after the original WOPI list. I am not getting those errors any more, and Collabora is still functional. 127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1,<my-public-ip>/32

Hope it helps.
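The two things this thread keeps circling are (a) which addresses the AIO default allowlist actually covers (the 172.16.0.0/12 versus /16 and 10.0.0.0/8 versus /24 question above) and (b) which address coolwsd is rejecting, which is visible only in the "Requesting address is denied" log line. The script below is an added example, not code from the AIO project or from anyone in this thread: it parses coolwsd log lines of the shape quoted above, checks each rejected address against an allowlist string in the same format as AIO's `wopi_allowlist`, and prints the narrowest entry (/32 or /128) that would admit it, while flagging any 0.0.0.0/0 or ::/0 entry as allow-all. The sample log lines and the addresses in them (203.0.113.45, 2001:db8::10) are constructed from documentation ranges; `ipaddress.ip_network(..., strict=False)` is used because the list's `127.0.0.1/8` has host bits set and would otherwise be rejected.

```python
import ipaddress
import re

# AIO's default list as quoted in this thread (entrypoint.sh); copy your live value
# from `occ config:app:get richdocuments wopi_allowlist` to check the real thing.
AIO_DEFAULT_ALLOWLIST = "127.0.0.1/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8,fd00::/8,::1"

# Constructed sample coolwsd log lines (timestamps/addresses are made up, format as in the thread).
SAMPLE_LOG = """\
2022-12-30T14:34:20.018201104Z wsd-00001-00039 2022-12-30 14:34:20.018103 +0000 [ websrv_poll ] ERR  Poco::Net::DNS::resolve("203.0.113.45") failed: Host not found: 203.0.113.45| wsd/COOLWSD.cpp:3534
2022-12-30T14:34:20.018264504Z wsd-00001-00039 2022-12-30 14:34:20.018137 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: 203.0.113.45| wsd/COOLWSD.cpp:3540
2022-12-30T14:34:25.000000000Z wsd-00001-00039 2022-12-30 14:34:25.000000 +0000 [ websrv_poll ] WRN  convert-to: Requesting address is denied: 2001:db8::10| wsd/COOLWSD.cpp:3540
"""

# The rejected address sits between "denied: " and the "|" that precedes the source location.
DENIED_RE = re.compile(r"Requesting address is denied: ([0-9A-Fa-f:.]+)\|")


def parse_allowlist(value):
    """Turn the comma-separated wopi_allowlist string into ip_network objects."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=False: "127.0.0.1/8" has host bits set and is normalised to 127.0.0.0/8
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_allowed(addr, nets):
    """True if addr falls inside any allowlist network (IPv4/IPv6 mismatches are simply False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def denied_addresses(log_text):
    """Unique requesting addresses that coolwsd reported as denied, in order of first appearance."""
    seen = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def suggested_entries(log_text, allowlist):
    """Narrowest entries (/32 or /128) that would admit each denied address not already covered."""
    nets = parse_allowlist(allowlist)
    out = []
    for a in denied_addresses(log_text):
        if not is_allowed(a, nets):
            out.append(f"{a}/{ipaddress.ip_address(a).max_prefixlen}")
    return out


def allow_all_entries(allowlist):
    """Entries with prefix length 0 (0.0.0.0/0 or ::/0), i.e. the list no longer restricts anything."""
    return [str(n) for n in parse_allowlist(allowlist) if n.prefixlen == 0]


if __name__ == "__main__":
    nets = parse_allowlist(AIO_DEFAULT_ALLOWLIST)
    for probe in ("172.31.255.255", "172.32.0.1", "10.200.1.1", "203.0.113.45"):
        print(f"{probe:>16}  allowed={is_allowed(probe, nets)}")
    print("denied in log:", denied_addresses(SAMPLE_LOG))
    print("entries to append:", suggested_entries(SAMPLE_LOG, AIO_DEFAULT_ALLOWLIST))
    print("allow-all entries:", allow_all_entries("0.0.0.0/0," + AIO_DEFAULT_ALLOWLIST))
```

Run it against `docker logs nextcloud-aio-collabora` output instead of `SAMPLE_LOG` to see which single address to append, rather than widening the list to 0.0.0.0/0. Note that a Docker-internal address such as 172.19.0.7 is already inside 172.16.0.0/12, so an entry like the 172.19.0.0/24 suggested later in the thread narrows the default rather than adding to it.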

SubhashBose commented 1 year ago

My nextcloud server has public ip, but behind standard Cloudflare reverse proxy (not Cloudflare tunnel). After the upgrade office is not working and then figured out this issue.

I added the server's public IP to the WOPI whitelist, but still it didn't work. It only works if I whitelist the full list of Cloudflare IPs (https://www.cloudflare.com/ips/).

This is a bit cumbersome, and also I won't remember to update the list later when Cloudflare updates its IP list. Is there a better way to do this?

Also, I don't fully understand how Nextcloud is connecting to Collabora server, I am heavily confused here:

Sorry if my above three questions don't make much sense, but I couldn't find enough documentation to understand how the connection between Nextcloud and hosted Collabora server works, especially for AIO. At least if someone who understands this can answer in Yes/No would also suffice. I am concerned that I am compromising security by adding all public/reverse proxy IPs.

szaimen commented 1 year ago

Hi, please ask for some more documentation on this here: https://github.com/nextcloud/richdocuments/issues since I am not that well informed about this setting and further documentation is missing.

apoorv569 commented 1 year ago

> I just looked at https://en.wikipedia.org/wiki/Private_network and our ip-ranges are correct IIRC.

Yes, my bad.

Kirk1984 commented 1 year ago

I have a similar issue.

I run AiO behind a caddy reverse proxy. Wopi added my ip address (dynamic dns) after the initial setup of AiO and everything was working fine. After a router reconnect I got a new ip address, but the wopi config still has the old address. Now the collabora container isn't accepting connections because of the new ip address and collabora expecting the old one.

A reboot also did not resolve the issue.

Do I have to add the ip address to the wopi config after getting a new ip?

I remember that when I set up collabora manually I added the domain name to loolwsd (now coolwsd it seems). That was also running behind a reverse proxy and never had that issue.

szaimen commented 1 year ago

Hi, see https://github.com/nextcloud/all-in-one/discussions/1358

SubhashBose commented 1 year ago

Update: to my previous query https://github.com/nextcloud/all-in-one/issues/1629#issuecomment-1368123915 related to an issue related to Cloudflare proxy or any reverse proxy or dynamic IPs (as another comment above).

I really think that in the AIO setup the Collabora container should talk to the Nextcloud container using internal IPs, instead of going through the external IP (this is the reason we are required to add reverse proxy IPs and external IPs to the WOPI list). Whitelisting the reverse proxy's public IP is a security issue.

I guess much of the confusion is arising because of the lack of documentation for Nextcloud Office WOPI whitelisting. After some trial and error, I found this works best for me.

Run these two commands

sudo docker exec --user root -it nextcloud-aio-collabora bash -c "echo '172.19.0.7 YOUR_DOMAIN.tld' >> /etc/hosts"
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set richdocuments wopi_allowlist --value "172.19.0.1/24"

The first line makes the Collabora container resolve your domain to the internal IP of the nextcloud container. So that Collabora can now talk directly to NextCloud without going through external IP or reverse proxy. I guess this will also reduce the latency in communication as well.

The second line simply clears the long WOPI list and only enters 172.19.0.1/24 (internal docker IP network). I think this is perfect from the security point of view, because no public-facing IPs are allowed to access the document server; only the AIO docker network can access it.

I have been using with this configuration for some time, and haven't found any issue so far. The only thing is, I have to run these commands after every docker restart. If AIO maintainers think this has no adverse effect (if any, I would really like to know), then it will be great if this can be added permanently to AIO setup.

However, I thought many like me, who are having trouble with Cloudflare or dynamic IPs, may find this solution useful without compromising security.

szaimen commented 1 year ago

Hi, I am not sure if that really solves the security problem. Maybe you can create an issue here: https://github.com/nextcloud/richdocuments/issues and ask for better documentation since the one on wopi-allowlist is really lacking. I am locking this issue now, since I don't want to discuss this further.