nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

Unable to open documents when shared from another Nextcloud server #2471

Closed DaijoubuKun closed 1 year ago

DaijoubuKun commented 1 year ago

I have 2 nextcloud servers, one at my brother's house and one at mine. I have a folder with several documents shared to my brother's NC. Trying to open things like images and PDF files works fine, but not when opening with Collabora Office.

To clarify, whether I use my docker image, the built-in CODE server, or even the demo server, this process always fails. After much searching and testing, I have found 2 things. First, there is no way to start the docker image with "frame_ancestors" set to anything. Which is fine, I can edit the config and put it back in docker and it reloads. The second is that I'm getting an error on my brother's side (when he tries to open a document) saying:

Exception: Unable to determine collabora URL of remote server https://nextcloud.myServer.net - Remote is not a trusted server

I made sure both servers are there in NC Settings -> Sharing and they both show green icons next to them. I also added both to the trusted_domains in config.php

To Reproduce Steps to reproduce the behavior:

  1. Share a folder or document to a user on another nextcloud instance
  2. Open the document for editing on the second instance
  3. Receive error that the document was unable to load
  4. Look in Settings -> Logging to see the error message.

Expected behavior I expect to be able to edit the document since it is shared and does have the correct permissions to be edited.

Client details:

Server details

Operating system: Debian 11 Bullseye
Web server: Apache 2.4.X
Database: MariaDB 10.3
PHP version: 7.4.X
Nextcloud version: 25.0.5.1
Version of the richdocuments app: 6.2.0
Version of Collabora Online: 22.05.5.4

Logs

#### Nextcloud log (data/nextcloud.log)

```
{
  "reqId": "jCrwl7UZ72iWMZn3VlfC",
  "level": 3,
  "time": "2022-09-30T21:31:10+00:00",
  "remoteAddr": "MyIP",
  "user": "david",
  "app": "richdocuments",
  "method": "GET",
  "url": "/index.php/apps/richdocuments/index?fileId=222561&requesttoken=Imu1Ngdp35Eo3I9iiuaTFSsu8GG2m7fwsMh4FoWKS5I%3D%3ASF%2FZAUIIh%2F9gu8YT26DUfkVl3zjD98Wb2rowXerGB9s%3D&path=%2FTEST-share%2Ftestfile.docx",
  "message": "Unable to determine collabora URL of remote server https://nextcloud.myServer.net - Remote is not a trusted server",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
  "version": "24.0.5.1",
  "exception": {
    "Exception": "Exception",
    "Message": "Unable to determine collabora URL of remote server https://nextcloud.myServer.net - Remote is not a trusted server",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/nextcloud/apps/richdocuments/lib/Service/FederationService.php", "line": 220, "function": "getRemoteCollaboraURL", "class": "OCA\\Richdocuments\\Service\\FederationService", "type": "->" },
      { "file": "/var/www/nextcloud/apps/richdocuments/lib/Controller/DocumentController.php", "line": 162, "function": "getRemoteRedirectURL", "class": "OCA\\Richdocuments\\Service\\FederationService", "type": "->" },
      { "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php", "line": 225, "function": "index", "class": "OCA\\Richdocuments\\Controller\\DocumentController", "type": "->" },
      { "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php", "line": 133, "function": "executeController", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->" },
      { "file": "/var/www/nextcloud/lib/private/AppFramework/App.php", "line": 172, "function": "dispatch", "class": "OC\\AppFramework\\Http\\Dispatcher", "type": "->" },
      { "file": "/var/www/nextcloud/lib/private/Route/Router.php", "line": 298, "function": "main", "class": "OC\\AppFramework\\App", "type": "::" },
      { "file": "/var/www/nextcloud/lib/base.php", "line": 1030, "function": "match", "class": "OC\\Route\\Router", "type": "->" },
      { "file": "/var/www/nextcloud/index.php", "line": 36, "function": "handleRequest", "class": "OC", "type": "::" }
    ],
    "File": "/var/www/nextcloud/apps/richdocuments/lib/Service/FederationService.php",
    "Line": 107,
    "CustomMessage": "--"
  }
}
```

#### Browser log

```
GET https://photos.brotherServer.com/index.php/apps/theming/image/background [HTTP/1.1 404 Not Found 223ms]
FAILED [Office.vue:198](webpack:///richdocuments/src/view/Office.vue)
loadingTimeout Office.vue:198
(Async: setTimeout handler)
n Office.vue:197
u runtime.js:288
_invoke runtime.js:262
_ runtime.js:84
z collabora.js:48
i collabora.js:48
H collabora.js:48
H collabora.js:48
load Office.vue:190
t Office.vue:184
u runtime.js:288
_invoke runtime.js:262
_ runtime.js:84
z collabora.js:48
i collabora.js:48
(Async: promise callback)
z collabora.js:48
i collabora.js:48
(Async: promise callback)
z collabora.js:48
i collabora.js:48
H collabora.js:48
H collabora.js:48
mounted Office.vue:162
VueJS 19
o Viewer.vue:345
u runtime.js:288
_invoke runtime.js:262
_ runtime.js:84
Ka Download.vue:19
a Download.vue:19
(Async: promise callback)
Ka Download.vue:19
a Download.vue:19
Xa Download.vue:19
Xa Download.vue:19
openFile Viewer.vue:436
file Viewer.vue:193
VueJS 5
```
Raudius commented 1 year ago

Hi,

Have you added the trusted server in the sharing settings?
<hostname>/index.php/settings/admin/sharing#ocFederationSettings

Also you can check the documentation for setting up federation sharing for more details: https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/federated_cloud_sharing_configuration.html https://github.com/nextcloud/richdocuments#federated-editing--global-scale

DaijoubuKun commented 1 year ago

Yes, I have added both servers as trusted servers in settings/admin/sharing, and all options under the Federated Cloud Sharing are enabled. I did follow the steps on nextcloud for federated sharing, just to be safe I just removed the share and added it back again just in case some setting was different when the share was originally created.

As for the last link, where it talks about setting rules in coolwsd.xml under the frame_ancestors section: I did have https://* in there as instructed. I even tried changing it to list every domain I use Collabora for (2 nextcloud instances as well as a seafile server), as well as the domain I use for the docker instance, and still no success. I'm always met with that same error.

maxxer commented 1 year ago

I never tried before, today I needed to open an Office document online and ran into this issue.

The file is in a directory shared from a remote NC to our local installation. I can work with downloaded files on the client, but today I tried opening them in our instance and I just get Document loading failed - Failed to load Nextcloud Office - please try again later.

I didn't have the remote installation as trusted, so I added to settings, but still same error. I even restarted php-fpm.

I managed to bypass the trusted remote check by skipping the if at apps/richdocuments/lib/Service/FederationService.php:106:

```php
// apps/richdocuments/lib/Service/FederationService.php:106, with the check short-circuited
if (false && !$this->isTrustedRemote($remote)) {
    throw new \Exception('Unable to determine collabora URL of remote server ' . $remote . ' - Remote is not a trusted server');
}
```

Despite this, I still get an error. In nextcloud.log:

{
  "reqId": "cFPHG8H2YobUc3N5rwUa",
  "level": 0,
  "time": "2022-10-05T12:09:06+00:00",
  "remoteAddr": "188.12.x.x",
  "user": "d798d148-0e35-1032-8087",
  "app": "no app in context",
  "method": "GET",
  "url": "/nc/apps/files/ajax/getstoragestats?dir=%2FDOCUMENTI%20IT",
  "message": "mount at /d798d148-0e35-1032-8087/files/DOCUMENTI IT/ has no provider set, performing full setup",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36",
  "version": "24.0.5.1",
  "data": []
}
DaijoubuKun commented 1 year ago

I also tried commenting out those lines, as well as the next block down

```php
// the cached-lookup block that follows the trusted-remote check
$remoteCollabora = $this->cache->get('richdocuments_remote/' . $remote);
if ($remoteCollabora !== null) {
    return $remoteCollabora;
}
```

Also with no success, but I did come across something interesting. Just to make sure this wasn't a Firefox thing (because of my security extensions), I also tried this in Google Chrome. In Firefox's console I got:

Content Security Policy: The page’s settings blocked the loading of a resource at https://brotherServer.com/index.php/apps/richdocuments/remote?shareToken=i0BCTTtTOzDuZ7j&remoteServer=https://myServer.net/&remoteServerToken=ZukpIJ3MOHhbIpJq387qK99oGi5LrfLz&filePath=testingagain.docx (“frame-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://myServer.net/apps/files/?dir=/TEST-share3&fileid=1735664 (“frame-ancestors”). 

And in Chrome I get:

Refused to frame 'https://brotherServer.com/' because it violates the following Content Security Policy directive: "frame-src 'self' https://office.myServer.net".

and https://office.MyServer.net is where the docker instance is. So it looks like this might have something to do with the Content Security Policy, which I know a lot of new browser versions are very strict on this type of thing, and in the past I've had nothing but headaches getting this stuff working.
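To see why both browsers refuse the frame, here is an added example (my own code, not from the issue or from the richdocuments project) that implements the CSP source-matching rules a browser applies for `frame-src` and `frame-ancestors` and runs them over policies constructed from the error messages above. The policy strings and hostnames are assumptions reconstructed from the quoted errors; the real headers have to be read from each server's HTTP response.

```python
"""CSP frame-src / frame-ancestors evaluator (added example, not project code)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80, "wss": 443, "ws": 80}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, url, self_url):
    """Match one source expression ('self', scheme-source, host-source) against url."""
    scheme, host, port = _origin(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (scheme, host, port) == _origin(self_url)
    if source.startswith("'"):                        # nonces, hashes, 'unsafe-*': not origins
        return False
    if source.endswith(":") and "://" not in source:  # scheme-source such as "https:"
        return scheme == source[:-1].lower()
    if "://" in source:                               # host-source with scheme, e.g. "https://*"
        src_scheme, rest = source.split("://", 1)
        if src_scheme.lower() != scheme:
            return False
    else:                                             # bare host: must use the page's own scheme
        rest = source
        if scheme != _origin(self_url)[0]:
            return False
    host_pat, _, port_pat = rest.split("/", 1)[0].lower().partition(":")
    if host_pat == "*":
        host_ok = True
    elif host_pat.startswith("*."):                   # "*.example.net" matches subdomains only
        host_ok = host.endswith(host_pat[1:]) and host != host_pat[2:]
    else:
        host_ok = host == host_pat
    if port_pat == "*":
        port_ok = True
    elif port_pat:
        port_ok = port == int(port_pat)
    else:
        port_ok = port == DEFAULT_PORTS.get(scheme)
    return host_ok and port_ok


def directive_allows(header, directive, url, self_url):
    """True if url is permitted under directive. frame-src falls back to child-src and
    then default-src; frame-ancestors has no fallback and is permissive when absent."""
    policy = parse_csp(header)
    chain = {"frame-src": ["frame-src", "child-src", "default-src"]}.get(directive, [directive])
    for name in chain:
        if name in policy:
            return any(source_matches(s, url, self_url) for s in policy[name])
    return True


# Constructed policies reflecting the quoted console messages (assumed, not captured headers).
NEXTCLOUD_CSP = "default-src 'self'; frame-src 'self' https://office.myServer.net; frame-ancestors 'self'"
NEXTCLOUD_CSP_FIXED = NEXTCLOUD_CSP.replace("frame-src 'self'", "frame-src 'self' https://brotherServer.com")
COLLABORA_CSP = "frame-ancestors https://*"   # what the coolwsd.xml edit discussed in this thread yields


def evaluate():
    """Browser decisions for the cases reported above, keyed by case name."""
    me = "https://myServer.net"
    office = "https://office.myServer.net"
    return {
        # Chrome: "Refused to frame 'https://brotherServer.com/'" under frame-src
        "brother_in_frame_src": directive_allows(NEXTCLOUD_CSP, "frame-src", "https://brotherServer.com/", me),
        "office_in_frame_src": directive_allows(NEXTCLOUD_CSP, "frame-src", office + "/browser/dist/cool.html", me),
        "brother_after_fix": directive_allows(NEXTCLOUD_CSP_FIXED, "frame-src", "https://brotherServer.com/", me),
        # Firefox: myServer.net/apps/files refuses to be embedded by brotherServer.com (frame-ancestors 'self')
        "embed_nextcloud_in_brother": directive_allows(NEXTCLOUD_CSP, "frame-ancestors", "https://brotherServer.com", me),
        # coolwsd with https://*: any https origin may embed it, a plain http one may not
        "collabora_embed_https": directive_allows(COLLABORA_CSP, "frame-ancestors", me, office),
        "collabora_embed_http": directive_allows(COLLABORA_CSP, "frame-ancestors", "http://myServer.net", office),
    }


if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case}: {'allowed' if allowed else 'BLOCKED'}")
```

Two directives are involved and they are enforced by different parties: `frame-src` is set by the page doing the embedding (the Nextcloud instance whose viewer opens the document), while `frame-ancestors` is set by the page being embedded (Collabora via `coolwsd.xml`, and the other Nextcloud for its own pages). A fix on one side does not satisfy the other, which is why the thread sees both a `frame-src` and a `frame-ancestors` violation. Note also that `https://*` in `frame-ancestors` lets any https site embed the office server, so an explicit list of the Nextcloud origins is the tighter setting.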

DaijoubuKun commented 1 year ago

I just realized I missed something. This is a little backwards, as I've been trying to open files on both servers in different ways. Here is a log from my brother's server when I tried to open a file shared to my server while on my server... wow, this can get confusing.

{
  "reqId":"XOXpOurR1N7yRrGnAipl",
  "level":3,
  "time":"2022-10-05T18:05:51+00:00",
  "remoteAddr":"IP",
  "user":"david",
  "app":"richdocuments",
  "method":"GET",
  "url":"/index.php/apps/richdocuments/remote?shareToken=i0BCTTtTOzDuZ7j&remoteServer=https://myServer.net/&remoteServerToken=eD9EePG6Bt8dCnH5GtqsPcjwuyKm8trs&filePath=testingagain.docx",
  "message":"Invalid remote file details for eD9EePG6Bt8dCnH5GtqsPcjwuyKm8trs",
  "userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
  "version":"24.0.5.1",
  "exception":
  {
    "Exception":"Exception",
    "Message":"Invalid remote file details for eD9EePG6Bt8dCnH5GtqsPcjwuyKm8trs",
    "Code":0,
    "Trace":
    [
      {
        "file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line":225,"function":"remote",
        "class":"OCA\\Richdocuments\\Controller\\DocumentController",
        "type":"->"
      },
      {
        "file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
        "line":133,
        "function":"executeController",
        "class":"OC\\AppFramework\\Http\\Dispatcher",
        "type":"->"
      },
      {
        "file":"/var/www/nextcloud/lib/private/AppFramework/App.php",
        "line":172,
        "function":"dispatch",
        "class":"OC\\AppFramework\\Http\\Dispatcher",
        "type":"->"
      },
      {
        "file":"/var/www/nextcloud/lib/private/Route/Router.php",
        "line":298,
        "function":"main",
        "class":"OC\\AppFramework\\App",
        "type":"::"
      },
      {
        "file":"/var/www/nextcloud/lib/base.php",
        "line":1030,
        "function":"match",
        "class":"OC\\Route\\Router","type":"->"
      },
      {
        "file":"/var/www/nextcloud/index.php",
        "line":36,
        "function":"handleRequest",
        "class":"OC",
        "type":"::"
      }
    ],
    "File":"/var/www/nextcloud/apps/richdocuments/lib/Controller/DocumentController.php",
    "Line":367,
    "CustomMessage":"--"
  },
  "id":"633dcd29b6916"
}

Is this part of the reason I just can't open the file on the remote server? That doesn't make sense when I can open other files just fine, but I thought I would toss this in with hopes that it can help us figure this out. Thanks,

DaijoubuKun commented 1 year ago

So I have a bit of an update, and so far things seem to be working fine... but I think I'll need to do some more testing as well as have my brother go in and try from his machine.

So, first thing. On my side, where I have the docker running Collabora (I think I might still have some tweaks for it, but I'm leaving it alone for right now), I had to add an option to my Apache config for the reverse proxy. You must add `ProxyAddHeaders On`, otherwise the browser's Content Security Policy will block the iframe from loading. I also added this to my nextcloud proxy just to be on the safe side. (Oh, and I'm sure I didn't mention here that I had a reverse proxy; either it slipped my mind or I put it in another of the many help threads I have going throughout the interwebs, sorry if that caused confusion.)

The other thing, as stated before by @maxxer, is that there is an issue with the trusted hosts. I found the best fix for now is not to comment out the lines stated in nextcloud/apps/richdocuments/lib/Service/FederationService.php, but to add a new line right under `public function isTrustedRemote($domainWithPort) {` and put in `return true;`. This saved me a lot of headache, since I still can't figure out why my trusted hosts are not trusted.

I would like to leave this ticket open because there does seem to be a couple of problems, like the trusted hosts not working, as well as maybe something missing in documentation (not just here, but other places). In the meantime, while I test this out over the next few weeks, I'm going to create a full write-up on how to get this all going in case someone in the future runs into this.

maxxer commented 1 year ago

I'm still unable to make it work, not even with your suggested workaround for isTrustedRemote.

About the ProxyAddHeaders, the README reports:

Note: Due to our content security policy we cannot open a document on a remote instance without reloading the page to allow Nextcloud embedding the remote Collabora Online instance in a frame.

Could it be related? The plugin requires the update of coolwsd.xml, how did you manage it inside the Docker container?

Can you recap your setup? Thank you

DaijoubuKun commented 1 year ago

Sure, my setup is as follows:

My Nextcloud server and CODE docker are running on the same system, but they are behind an Apache proxy setup. My brother's setup is just a nextcloud server not behind any type of proxy. On both my nextcloud and my brother's system I still have the isTrustedRemote fix listed in my previous comment.

In my Apache Proxy config I have the following important lines (I took out all the things like how I like my logs formatted and SSL config)

```apache
# Nextcloud virtual host: forward everything to the backend over TLS
ProxyPass / https://10.0.0.162/ nocanon
ProxyPassReverse / https://10.0.0.162/
ProxyTimeout 120
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyEngine on
ProxyAddHeaders On
ProxyPreserveHost On
ProxyTimeout 1200
AddDefaultCharset UTF-8
```

As you can see, I do have SSL within the proxy, so on my nextcloud server I'm using a self-signed cert. If you are not doing this, you do not need the SSLProxy options; change the ProxyPass URL to http:// instead.

Then I have another virtualhost for the CODE docker. Like my nextcloud server, it is using SSL with a self signed cert. This came default with the docker instance (https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html)

```apache
# CODE docker virtual host
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
ProxyTimeout 120
# keep the host
AllowEncodedSlashes NoDecode
ProxyPreserveHost On
ProxyAddHeaders On
# static html, js, images, etc. served from coolwsd
# browser is the client part of LibreOffice Online
ProxyPass           /browser https://10.0.0.162:9980/browser retry=0
ProxyPassReverse    /browser https://10.0.0.162:9980/browser
# WOPI discovery URL
ProxyPass           /hosting/discovery https://10.0.0.162:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://10.0.0.162:9980/hosting/discovery
# Endpoint with information about availability of various features
ProxyPass           /hosting/capabilities https://10.0.0.162:9980/hosting/capabilities retry=0
ProxyPassReverse    /hosting/capabilities https://10.0.0.162:9980/hosting/capabilities
# Main websocket
ProxyPassMatch "/cool/(.*)/ws$" wss://10.0.0.162:9980/cool/$1/ws nocanon
# Admin Console websocket
ProxyPass   /cool/adminws wss://10.0.0.162:9980/cool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /cool https://10.0.0.162:9980/cool
ProxyPassReverse    /cool https://10.0.0.162:9980/cool
# Compatibility with integrations that use the /lool/convert-to endpoint
ProxyPass           /lool https://10.0.0.162:9980/cool
ProxyPassReverse    /lool https://10.0.0.162:9980/cool
```

Now for the fun part. Getting the docker instance to actually work. As said before, the frame_ancestors option must be set to https://* but after looking at the code in the docker instance, there are NO options you can pass to it in the command line to make it work. So I have to do a little bit of a work around.

Start the docker instance using the options you need. For example...

```sh
# one aliasgroup per WOPI host (Nextcloud instance) that may use this CODE server
docker run -t -d -p 9980:9980 \
  -e "aliasgroup1=https://nextcloud.myServer" \
  -e "aliasgroup2=https://office.myServer" \
  -e "aliasgroup3=https://photos.brotherServer" \
  --restart always --cap-add MKNOD collabora/code
```

In this example, I'm not sure I need "https://office.myServer" as it technically should work using the same domain as your nextcloud server, but I just created a second subdomain to be safe.

Now, here is the fun part. After a few minutes (depending on your server) the docker instance should be up and running. I'll give some instructions on what is done, then a code block that should help simplify everything, just make sure you get your docker container ID.

First, get the docker container ID with `docker ps`. Copy the config file to your computer. Edit it to have https://* in the tag. chmod 666 the file, then copy it back to docker. When you copy the file back over, the Collabora service will automatically reload. Wait another minute or two and you should be good to go.

```sh
# pull the live config out of the container (DockerID from `docker ps`)
docker cp DockerID:/etc/coolwsd/coolwsd.xml coolwsd.xml
# fill the empty <frame_ancestors></frame_ancestors> element with https://*
sed -i 's/><\/frame_ancestors>/>https:\/\/\*<\/frame_ancestors>/g' coolwsd.xml
chmod 666 coolwsd.xml
# copying it back triggers coolwsd's config reload
docker cp coolwsd.xml DockerID:/etc/coolwsd/coolwsd.xml
```

Once all that is done, double-check in your nextcloud settings that you are pointing to the correct Collabora server. Go to Settings -> Administration -> Nextcloud Office and put the URL of your server in there. Now, in my system's example, it would be https://office.myServer. Be sure to do this on any nextcloud server you want to use the Collabora server. If the docker instance is running correctly you should get a green check mark that it is working.
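The `sed` step above only fires when the element is still empty (`></frame_ancestors>`), so a second run, or a file that already carries a value, is silently left unchanged. As an added example (my own code, not from the issue or from Collabora), here is the same edit done on the XML tree instead, so it is idempotent and can install an explicit list of Nextcloud origins rather than `https://*`. The `coolwsd.xml` fragment is a constructed stand-in with only the element of interest; the `docker cp` steps around it are unchanged.

```python
"""Set <net><frame_ancestors> in coolwsd.xml (added example, not Collabora's own tooling)."""
import sys
import xml.etree.ElementTree as ET

# Constructed minimal fragment; a real coolwsd.xml has many more settings around this.
SAMPLE_COOLWSD_XML = """<config>
  <net desc="Network settings">
    <proto type="string" default="all">all</proto>
    <frame_ancestors desc="Who is allowed to embed the Collabora Online iframe. Separated by spaces." type="string" default=""></frame_ancestors>
  </net>
</config>
"""


def set_frame_ancestors(xml_text, ancestors):
    """Return the document with <net><frame_ancestors> set to the given origins.

    Works whether the element is empty, already populated, or missing entirely.
    """
    root = ET.fromstring(xml_text)
    net = root.find("net")
    if net is None:
        net = ET.SubElement(root, "net")
    elem = net.find("frame_ancestors")
    if elem is None:
        elem = ET.SubElement(net, "frame_ancestors", {"type": "string", "default": ""})
    elem.text = " ".join(ancestors)
    return ET.tostring(root, encoding="unicode")


def get_frame_ancestors(xml_text):
    """Read back the configured ancestors as a list (empty if unset)."""
    elem = ET.fromstring(xml_text).find("net/frame_ancestors")
    return (elem.text or "").split() if elem is not None else []


def wildcard_entries(ancestors):
    """Entries that widen embedding beyond explicit https origins (e.g. https://*, http://...)."""
    return [a for a in ancestors if not a.startswith("https://") or "*" in a]


if __name__ == "__main__":
    # usage: python set_frame_ancestors.py coolwsd.xml https://nextcloud.myServer https://photos.brotherServer
    path, origins = sys.argv[1], sys.argv[2:]
    with open(path, encoding="utf-8") as fh:
        updated = set_frame_ancestors(fh.read(), origins)
    for entry in wildcard_entries(origins):
        print(f"warning: {entry} lets more than one explicit https origin embed this server", file=sys.stderr)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print("frame_ancestors now:", get_frame_ancestors(updated))
```

Run it between the two `docker cp` commands in place of the `sed` line. Listing the Nextcloud origins explicitly (every server whose users will open documents on this CODE instance, which with federated editing means the remote server too) keeps arbitrary https sites from framing the office server, while `https://*` does not.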

juliushaertl commented 1 year ago

> I would like to leave this ticket open because there does seem to be a couple of problems, like the trusted hosts not working, as well as maybe something missing in documentation (not just here, but other places). In the meantime, while I test this out over the next few weeks, I'm going to create a full write-up on how to get this all going in case someone in the future runs into this.

There is some additional documentation in https://github.com/nextcloud/richdocuments/blob/master/docs/federated-editing.md

For the case where the trusted hosts are not accepted for remote editing that is the case by default, as in previous times hosts may have been added to the list automatically so we pick to deny all there by default.

Quoting the docs for quick reference:

By default, trusted hosts of Nextcloud will not be allowed for federated editing. This can be enabled through the following app config value:

```sh
occ config:app:set richdocuments federation_use_trusted_domains --value="yes"
```

Besides that you can also work around using the trusted hosts by configuring a dedicated allow list. You can also see this work in our integration tests with the following set of configuration:

https://github.com/nextcloud/richdocuments/blob/master/tests/run-integration.sh#L52-L54

If you have any suggestions how we could ease the setup process in that regard, I'd be glad to hear and maybe extend the documentation accordingly.