nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

Latest Nextcloud/Collabora cannot open documents. #21

Closed CodeMouse92 closed 5 years ago

CodeMouse92 commented 7 years ago

I just upgraded my Nextcloud server from 10.3 to 11.0.1, by way of 11.0. All went well, and then I updated the Collabora Office app and pulled down the latest Collabora docker...all following Nextcloud's official instructions.

Now I can't open files in Collabora Office.

Steps to reproduce

  1. Ensure Collabora, Nextcloud, and the Collabora app are up to date. Also ensure Documents is NOT enabled.
  2. Try to open an .odt file via the web interface.

Expected behaviour

The document should open.

Actual behaviour

On Nextcloud, I get "Well, this is embarrassing, we cannot connect to your document. Please try again." This is true of any file I open, even a newly created one.

On the docker logs for Collabora (sudo docker logs th3d0ck3rpr0c3ssid), I see multiple copies of the following (with an actual token instead of [SCRUBBED], of course):

wsd-00026-0029 01:21:19.366410 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00026-0030 01:21:20.182984 [ client_ws_0019 ] ERR  Unknown resource: /lool/https://nextcloud.mousepawmedia.net/index.php/apps/richdocuments/wopi/files/1694_ock4jvyh706l%3Faccess_token=[SCRUBBED]&access_token_ttl=0&permission=edit/ws| wsd/LOOLWSD.cpp:1223

Server configuration

Operating system: Ubuntu 16.04 LTS 64-bit Server

Web server: LAMP

Database: mysql Ver 14.14 Distrib 5.7.17, for Linux (x86_64)

PHP version: PHP 5.6.30-1+deb.sury.org~xenial+1 (cli)

Nextcloud version: 11.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated from 11.0, which itself was a manual update from 10.3.

Where did you install Nextcloud from: Manual install from .ZIP originally, automatic updates to 10.3. (Everything worked to this point.) Manual upgrade from .zip for 10.3 -> 11.0.0. Automatic upgrade tool for 11.0.0 -> 11.0.1.

Signing status:

```
No errors have been found.
```

List of activated apps:

```
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - apporder: 0.3.3
  - comments: 1.1.0
  - dav: 1.1.1
  - federatedfilesharing: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - richdocuments: 1.1.25
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_ldap: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - bookmarks
  - encryption
  - external
  - federation
  - files_automatedtagging
  - files_external
  - files_retention
  - templateeditor
  - user_external
  - user_saml
```

The content of config/config.php:

```
{
    "system": {
        "instanceid": "ock4jvyh706l",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mousepawmedia.net"
        ],
        "datadirectory": "\/opt\/nextcloud\/data",
        "overwrite.cli.url": "https:\/\/nextcloud.mousepawmedia.net",
        "dbtype": "mysql",
        "version": "11.0.1.2",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "hawksnest",
        "mail_smtpmode": "smtp",
        "mail_domain": "mousepawgames.com",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "gator3102.hostgator.com",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "mail_smtpsecure": "ssl",
        "appstore.experimental.enabled": true,
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}
```

Are you using external storage, if yes which one: NO

Are you using encryption: NO

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

```
+-------------------------------+--------------------------------------------------------------------------------------+
| Configuration                 |                                                                                      |
+-------------------------------+--------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                                      |
| hasPagedResultSupport         |                                                                                      |
| homeFolderNamingRule          |                                                                                      |
| lastJpegPhotoLookup           | 0                                                                                    |
| ldapAgentName                 |                                                                                      |
| ldapAgentPassword             | ***                                                                                  |
| ldapAttributesForGroupSearch  |                                                                                      |
| ldapAttributesForUserSearch   |                                                                                      |
| ldapBackupHost                |                                                                                      |
| ldapBackupPort                |                                                                                      |
| ldapBase                      | ou=Users, dc=ldap, dc=mousepawmedia, dc=net                                          |
| ldapBaseGroups                | ou=Groups, dc=ldap, dc=mousepawmedia, dc=net                                         |
| ldapBaseUsers                 | ou=Users, dc=ldap, dc=mousepawmedia, dc=net                                          |
| ldapCacheTTL                  | 600                                                                                  |
| ldapConfigurationActive       | 1                                                                                    |
| ldapDynamicGroupMemberURL     |                                                                                      |
| ldapEmailAttribute            | mail                                                                                 |
| ldapExperiencedAdmin          | 0                                                                                    |
| ldapExpertUUIDGroupAttr       |                                                                                      |
| ldapExpertUUIDUserAttr        |                                                                                      |
| ldapExpertUsernameAttr        |                                                                                      |
| ldapGroupDisplayName          | cn                                                                                   |
| ldapGroupFilter               |                                                                                      |
| ldapGroupFilterGroups         |                                                                                      |
| ldapGroupFilterMode           | 0                                                                                    |
| ldapGroupFilterObjectclass    |                                                                                      |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                         |
| ldapHost                      | localhost                                                                            |
| ldapIgnoreNamingRules         |                                                                                      |
| ldapLoginFilter               | (&(|(objectclass=posixAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                                                      |
| ldapLoginFilterEmail          | 1                                                                                    |
| ldapLoginFilterMode           | 0                                                                                    |
| ldapLoginFilterUsername       | 1                                                                                    |
| ldapNestedGroups              | 0                                                                                    |
| ldapOverrideMainServer        |                                                                                      |
| ldapPagingSize                | 500                                                                                  |
| ldapPort                      | 389                                                                                  |
| ldapQuotaAttribute            |                                                                                      |
| ldapQuotaDefault              |                                                                                      |
| ldapTLS                       | 0                                                                                    |
| ldapUserDisplayName           | cn                                                                                   |
| ldapUserDisplayName2          | sn                                                                                   |
| ldapUserFilter                | (|(objectclass=posixAccount))                                                        |
| ldapUserFilterGroups          |                                                                                      |
| ldapUserFilterMode            | 0                                                                                    |
| ldapUserFilterObjectclass     | posixAccount                                                                         |
| ldapUuidGroupAttribute        | auto                                                                                 |
| ldapUuidUserAttribute         | auto                                                                                 |
| turnOffCertCheck              | 0                                                                                    |
| turnOnPasswordChange          | 0                                                                                    |
| useMemberOfToDetectMembership | 1                                                                                    |
+-------------------------------+--------------------------------------------------------------------------------------+
```

Client configuration

Browser: Vivaldi

Operating system: Ubuntu 16.04 LTS 64-bit

Logs

Web server error log

```
[Wed Feb 01 17:02:02.195599 2017] [authz_core:error] [pid 2326] [client 192.168.254.15:40636] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:02:09.377073 2017] [authz_core:error] [pid 3984] [client 192.168.254.15:40642] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:07:58.118941 2017] [authz_core:error] [pid 4055] [client 192.168.254.15:40858] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:08:15.404360 2017] [authz_core:error] [pid 2328] [client 192.168.254.15:40872] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:14:04.886810 2017] [proxy:warn] [pid 4013] [client 192.168.254.15:41004] AH01144: No protocol handler was valid for the URL /lool/adminws. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 01 17:14:52.350296 2017] [authz_core:error] [pid 4013] [client 192.168.254.15:41036] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:14:56.437057 2017] [authz_core:error] [pid 2329] [client 192.168.254.15:41030] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:20:35.390297 2017] [authz_core:error] [pid 2330] [client 192.168.254.15:41166] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:20:39.853842 2017] [authz_core:error] [pid 2326] [client 192.168.254.15:41168] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
```

Nextcloud log (data/nextcloud.log)

```
{"reqId":"WJJs6H8AAQEAAHAN2LAAAAAF","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:04+00:00","method":"GET","url":"\/ocs\/v2.php\/apps\/notifications\/api\/v2\/notifications","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtA38AAQEAAHAyPKUAAAAK","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:31+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=organization","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtE38AAQEAAHAzOwYAAAAL","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:47+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=social","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtFX8AAQEAAHDCcyIAAAAI","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:50+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=enabled","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtGn8AAQEAAHALfPQAAAAB","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:55+00:00","method":"GET","url":"\/index.php","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtHX8AAQEAAHAO39gAAAAH","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:57+00:00","method":"GET","url":"\/index.php","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJKCqX8AAQEAABZfU8EAAAAE","remoteAddr":"192.168.254.15","app":"core","message":"Login failed: 'b99b5cd8-35af-1036-9f7c-e1f2a57c2622' (Remote IP: '192.168.254.15')","level":2,"time":"2017-02-02T00:51:54+00:00","method":"POST","url":"\/index.php\/login\/confirm","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJKGJn8AAQEAAA@up48AAAAL","remoteAddr":"192.168.254.15","app":"core","message":"Login failed: 'b99b5cd8-35af-1036-9f7c-e1f2a57c2622' (Remote IP: '192.168.254.15')","level":2,"time":"2017-02-02T01:06:49+00:00","method":"POST","url":"\/index.php\/login\/confirm","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
```
CodeMouse92 commented 7 years ago

FIXED! There were changes in Collabora CODE 2.0 updates 2. The following changes have to be made in the Apache proxy configuration for Collabora.

  1. Change `AllowEncodedSlashes On` to `AllowEncodedSlashes NoDecode`

  2. Change `ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws` to `ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon`

This information needs to be updated on Nextcloud's instructions.

nephilim75 commented 7 years ago

Hello

great news. But do you know how to get it fixed for nginx users?

    ### Collabora
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # websockets, download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

Kind regards //neph

CodeMouse92 commented 7 years ago

I don't know, directly. I've never used nginx.

However, I do know the breakdown of the changes to Apache2's configuration. If you can figure out the equivalents, you can solve the rest.

  1. The websocket proxy now must have the nocanon option turned on for Apache2 mod_proxy. From the docs...

Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this and passes the URL path "raw" to the backend. Note that this keyword may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

You would need to find the nginx equivalent of this behavior for your websocket proxy.

  2. On Apache2, we need to use the AllowEncodedSlashes NoDecode option. For info on the nginx equivalent behavior, see this StackOverflow question.

I hope that helps, and all the best! Please post the solution here if you find it.

dwaynehulsman commented 7 years ago

I have the same issue on Caddy but haven't been able to figure out how to resolve this issue yet.

    proxy /loleaflet https://127.0.0.1:9980 {
        proxy_header Host $http_host
        transparent
        websocket
    }

    proxy /hosting/discovery https://127.0.0.1:9980 {
        proxy_header Host $http_host
        transparent
        websocket
    }

    proxy /lool https://127.0.0.1:9980 {
        proxy_header Upgrade $http_upgrade
        proxy_header Connection "upgrade"
        proxy_header Host $http_host
        transparent
        websocket
    }

CodeMouse92 commented 7 years ago

I did a bit of research, and both Apache2 changes relate to the same principle - the new version of Collabora requires slashes to NOT be encoded. Take a look at this nginx bug report. Still doing some digging.

CodeMouse92 commented 7 years ago

Collabora just posted the updated nginx configuration instructions. These should work, so cross check them with yours.

server {
    listen       443 ssl;
    server_name  collabora.example.com;

    ssl_certificate /path/to/ssl_certificate;
    ssl_certificate_key /path/to/ssl_certificate_key;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }
}
nephilim75 commented 7 years ago

I found this as well, but it is not working either.

CodeMouse92 commented 7 years ago

@nephilim75, what's your new configuration file look like?

pezi commented 7 years ago

I have the same problem - this is the nginx configuration file of my VM with a public IP. The reverse proxy points to the docker container running inside another VM via private IP.

server {
    listen myip:443;

    server_name  office.my.domain;

    ssl_certificate /etc/letsencrypt/live/office.my.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.my.domain/privkey.pem;

    location ^~ /loleaflet {
        proxy_pass https://192.168.123.200:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://192.168.123.200:9980;
        proxy_set_header Host $http_host;

    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://192.168.123.200:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://192.168.123.200:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://192.168.123.200:9980;
        proxy_set_header Host $http_host;
    }

}
nephilim75 commented 7 years ago

Here is mine:

```
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name sub.domain.com;

    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/sub.domain.com/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    location /.well-known/acme-challenge { }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }

    # Spreed WebRTC
    location ^~ /webrtc {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_buffering on;
        proxy_ignore_client_abort off;
        proxy_redirect off;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
    }

    # Collabora Online
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }
}
```


Kind regards //neph

milan475 commented 7 years ago

I'm having the same issue using the above nginx configuration:

screen shot 2017-02-13 at 18 56 24

screen shot 2017-02-13 at 18 57 07

ttr commented 7 years ago

@milan475 You are probably using aufs (and/or an old kernel) in docker, which possibly will not work - it's failing to set up privileged caps. I got rid of this issue by updating the kernel to 4.7 and the storage driver to overlay.

methuselah-0 commented 7 years ago

I'm having the same issues with the updated nginx configuration: "Well, this is embarrassing, we cannot connect to your document." I'm using the overlay2 storage driver for docker on Debian Testing, php7. The docker logs are:

wsd-00027-0028 13:26:16.769784 [ client_req_hdl ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00027-0029 13:26:21.269433 [ client_ws_0005 ] ERR ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1240

There was a supposed temporary "solution" here but it didn't work for me.

Alright, I seem to have figured out some voodoo that works on my end.

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud...
  3. Click "OK" on "Well, this is embarrassing, we cannot connect to your document. Please try again."
  4. Click "OK" on "Service is unavailable. Please try again later and report to your administrator if the issue persists."
  5. Keeping going back to step 3 until you finally get "Failed to load the document. Please ensure the file type is supported and not corrupted, and try again."
  6. Click "OK" and exit to Files.
  7. Restart Docker itself (the service, not just the image).
  8. Profit.

Why this works, I have no idea but it has worked three times in a row for me. I hope it'll help someone else and, ultimately, I hope it provides a clue needed to address the problem.

It's not a real "Solution" but I'll mark this as solved for now.

I also tried asking about setting the nginx equivalents of the nocanon and AllowEncodedSlashes options on #nginx freenode but to no avail.

kuchlbauer1 commented 7 years ago

Hi! I'm encountering an "Access denied" error when trying to exit a shared document (NC 11.0.2 on Ubuntu 16.04 LTS). Where can I find the "Apache proxy configuration for Collabora" mentioned by TO to change the setting there? Sorry, I'm quite new to Linux... Any help appreciated, thanks!! Ben

methuselah-0 commented 7 years ago

kuchlbauer1 You mean this? https://www.collaboraoffice.com/code/ https://www.collaboraoffice.com/community-en/code-2-0-updates-2/

kuchlbauer1 commented 7 years ago

Thanks, methuselah-0,

I added the proxy as explained in your links, but to no avail. I'm not using docker though, just a plain Ubuntu 16.04 LTS with NextCloud installed and Collabora AddOn enabled. When I try to edit a document in NC, it still says "Access denied". :-/ Would I have to use docker to make it work? Thanks!

methuselah-0 commented 7 years ago

kuchlbauer1 yes, either Docker or install from source. You can check out linuxbabe's tutorial for it, it's pretty neat and for Ubuntu and apache. https://www.linuxbabe.com/cloud-storage/integrate-collabora-online-server-nextcloud-ubuntu-16-04

kuchlbauer1 commented 7 years ago

Dear methuselah-0, thanks for the link, that seems to be a feasible way to do it. I will try that, the instructions seem to be very detailed :-) Thanks!

joekerna commented 7 years ago

I tried linuxbabe's instructions and still get the error mentioned above. I'm using Nginx. Has anyone had success using their Apache setup?

methuselah-0 commented 7 years ago

joekerna I'm using nginx and it works for me. In a separate subdomain.conf file in the server block I have location statements like this which work. Then in the Collabora Online App page in the admin section of the cloud I have in the url bar: https://subdomain.mydomain.tld:9980 which works for me. You could perhaps also check that you have added your collabora domain in loolwsd.xml for allowed domains.

joekerna commented 7 years ago

I forgot the port in my url in the admin section. Now I get

Access forbidden

That's a new error I can search for...

joekerna commented 7 years ago

@methuselah-0 I've added my domain to loolwsd.xml inside my docker. Sadly the problem persists

methuselah-0 commented 7 years ago

joekerna: sorry, I got confused with your post and kuchlbauer1, who isn't using the docker version. I couldn't make it work with nginx for docker so I switched to installing lool from source instead, which has the added benefit of not being limited to 10 documents. However, if you want to try and fix your config I think CodeMouse92's post earlier on this page gave the correct hints about solving it. The second modification to the conf-file was about using apache's NoDecode option in nginx and my attempt at it looked something like below but it didn't work for me, possibly because of not setting the nocanon option:

    location ^~ /loleaflet {
        if ($request_uri ~ "/path/(.)") {
            proxy_pass http://localhost:9980/$1;
            proxy_set_header Host $http_host;
        }
    }

It really might be better to just switch to apache or building from source (which I did) instead of sinking a lot of time into this docker version.

joekerna commented 7 years ago

I've switched to Apache and built it from source... I still can't open documents. I think I'll have to give up...

methuselah-0 commented 7 years ago

joekerna, did you build libreoffice online, or the docker collabora image? You might wanna see the full guide provided here: https://help.nextcloud.com/t/howto-install-onlineoffice-on-ubuntu-debian-no-docker-no-limitation/8958 Or I made my own install script that works with nginx, here: https://github.com/methuselah-0/nextcloud-suite.sh

gabor-udvari commented 7 years ago

@joekerna, if you get an Access Forbidden page, there is most probably an unhandled exception in the background. You can get it displayed like in #37. For me the exception was the following:

Message: cURL error 60: SSL certificate problem: unable to get local issuer certificate

I am using Let's Encrypt certs, so I needed to download the root certs and update my store. Richard Bairwells's blogpost has the commands. The Access Forbidden error with Apache is now solved for me.

felixhummel commented 7 years ago

@nephilim75

Here is what worked for me (based on https://stackoverflow.com/a/20514632):

  location / {
    include proxy.conf;
    proxy_pass http://127.0.0.1:9980/;
  }
  location ^~ /lool {
    proxy_pass http://127.0.0.1:9980$request_uri;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
  }

Note the http://127.0.0.1:9980$request_uri for /lool.
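
Added example (not part of the thread, and not Collabora or Nextcloud code): a simplified Python model of why the `AllowEncodedSlashes NoDecode` / `nocanon` change and the `$request_uri` form above matter for the `/lool/<encoded WOPI URL>/ws` path. The host name, token, the two proxy models and the `parse_ws_request` backend model are constructed assumptions; the allow-list regex stands in for the container's `domain=` setting mentioned in this thread.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values (not from the thread): the client percent-encodes
# the whole WOPI source URL into ONE path segment between /lool/ and /ws.
WOPI_SRC = ("https://nextcloud.example.com/index.php/apps/richdocuments"
            "/wopi/files/1694_abc?access_token=TOKEN&permission=edit")
RAW_PATH = "/lool/" + quote(WOPI_SRC, safe="") + "/ws"

# Assumption: stands in for the allowed-host regex handed to the container
# (env "domain=your\\.nextcloud\\.domain" in the thread).
ALLOWED_HOST = re.compile(r"nextcloud\.example\.com")


def forward_raw(request_path):
    """Proxy model that passes the request path through untouched (the effect
    aimed at with NoDecode + nocanon, or with nginx's $request_uri)."""
    return request_path


def forward_decoded(request_path):
    """Proxy model that decodes the path, %2F included, then re-encodes only
    the characters it considers unsafe. Slashes come out literal and '?' as
    %3F, the shape of the 'Unknown resource' line in the docker log above."""
    return quote(unquote(request_path), safe="/:&=")


def parse_ws_request(path):
    """Hypothetical backend model: accept only /lool/<encoded WOPI src>/ws,
    and only for an allowed WOPI host. Returns the parsed WOPI source URL."""
    segments = path.split("/")
    if len(segments) != 4 or segments[1] != "lool" or segments[3] != "ws":
        raise ValueError("Unknown resource: " + path)
    src = urlsplit(unquote(segments[2]))
    host = src.hostname or ""
    # Once the proxy stops normalising the URL, this check is the backend's
    # own line of defence, so it matches the whole host name (fullmatch).
    if src.scheme != "https" or not ALLOWED_HOST.fullmatch(host):
        raise ValueError("WOPI host not allowed: " + host)
    return src


def outcome(proxy, request_path):
    """Return 'ok: <host>' or the rejection message for one proxy model."""
    try:
        return "ok: " + parse_ws_request(proxy(request_path)).hostname
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for proxy in (forward_raw, forward_decoded):
        print(proxy.__name__, "->", outcome(proxy, RAW_PATH))
```
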

ferdiga commented 6 years ago

I just upgraded the nextcloud collabora app to 2.0.13 and nextcloud couldn't open any files in collabora. restart of nextcloud and collabora server didn't solve the problem.

I found this "crazy" solution here - may be completely irrelevant too.

https://help.nextcloud.com/t/failure-please-ensure-the-file-type-is-supported-and-not-corrupted/8031/3

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud…
  3. Click “OK” on “Well, this is embarrassing, we cannot connect to your document. Please try again.”
  4. Click “OK” on “Service is unavailable. Please try again later and report to your administrator if the issue persists.”
  5. Keeping going back to step 3 until you finally get “Failed to load the document. Please ensure the file type is supported and not corrupted, and try again.”
  6. Click “OK” and exit to Files.
  7. Restart Docker itself (the service, not just the image).
daylicron commented 5 years ago

I just upgraded the nextcloud collabora app to 2.0.13 and nextcloud couldn't open any files in collabora. restart of nextcloud and collabora server didn't solve the problem.

I found this "crazy" solution here - may be completely irrelevant too.

https://help.nextcloud.com/t/failure-please-ensure-the-file-type-is-supported-and-not-corrupted/8031/3

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud…
  3. Click “OK” on “Well, this is embarrassing, we cannot connect to your document. Please try again.”
  4. Click “OK” on “Service is unavailable. Please try again later and report to your administrator if the issue persists.”
  5. Keeping going back to step 3 until you finally get “Failed to load the document. Please ensure the file type is supported and not corrupted, and try again.”
  6. Click “OK” and exit to Files.
  7. Restart Docker itself (the service, not just the image).

OMG, thank you so much. I wasted one and a half hours on this. Restarting the docker service did the trick!

juliusknorr commented 5 years ago

All issues discussed in here seem to be either related to the server setup or caused by a non-functional docker container. Please head over to the forum for further setup questions, as this is just the issue tracker for the Nextcloud integration of Collabora Online.

hifihedgehog commented 5 years ago

If you check out the forums, many users have been having this issue ongoing for months now. This issue is not resolved and it leaves a bad taste in everyone's mouths. No one has been able to get an answer for this so I am suggesting this remain opened until which time this is resolved.

dagli commented 5 years ago

any progress in this issue?

ttr commented 5 years ago

Is this still an issue? I had this issue close to 2y ago, and a wipe of the docker container and re-checking the config did help. It might help someone, so I will leave how it's set up for me:

Docker: collabora/code:latest, with

env "domain=your\\.nextcloud\\.domain"

port mapping of 127.0.0.1:9980:9980, and capacity added MKNOD

Nginx config (taken from the nextcloud website, and I found out that I did miss some things; only configs related to collabora, but have a look into the docs to see the rest of it):

    # static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

   # main websocket
   location ~ ^/lool/(.*)/ws$ {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

   # download, presentation and image upload
   location ~ ^/lool {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Host $http_host;
   }

   # Admin Console websocket
   location ^~ /lool/adminws {
       proxy_pass https://127.0.0.1:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

and in nextcloud URL is protocol://your.nextcloud.domain (no trailing slash).

Now, if your website is in mixed content (http and https) this will possibly cause issues, so please set up https all the way.

Hope this will help someone.

fabian727 commented 3 years ago

I had similar problems: I could see the icons of "File" ... but not click them. The document wasn't opened and I hung in a loop of connecting to collabora... This link: https://www.linuxbabe.com/cloud-storage/integrate-collabora-online-server-nextcloud-ubuntu helped me. It is needed to modify /etc/hosts with your.domain.com to the external ip addr of the server (not 127.0.0.1). I think it's worth mentioning in the tutorials...

And yes I know this issue is old

borgue95 commented 1 year ago

I know it's late, but I've encountered the same problem. I've enabled WebSockets in the NGiNX proxy configuration and it works like a charm.

I found this tip in this other thread.