Closed sirtoobii closed 5 years ago
Collabora Online is already set up to only allow connection from certain WOPI hosts, the option is in the configuration file under \<storage>/\<wopi>.
@thebearon Yes, I already know about these configuration parameters. However, they provide at most "security by obscurity". For the check whether it's a valid WOPI host, the GET parameter WOPISrc is passed in the request.
I've also tried to restrict the IPs for the /hosting/discovery/ request. This works as long as you use Nextcloud online to open a document. If you use the app instead, a new request is made with the client (obviously with his public IP).
This is concerning to me too. Many of the Collabora endpoints can be opened by anyone with the URL. Just trying to open many of the links exposed by /hosting/discovery leads to a Vereign webpage that I feel can be exploited.
For example, open your collabora server discovery xml page:
https://
<app name="application/vnd.ms-powerpoint"><action ext="pot" name="edit" urlsrc="https://<host>/loleaflet/<id>/loleaflet.html?"/></app>
Open that https://
It would be a good feature to allow Nextcloud to run on the frontend, and connect to a Collabora running without external connectivity.
Even running API requests to the LibreOffice API is not restricted using all the official documentation:
[mzamot@raziel ~]$ curl -F "data=@test.txt" -F "format=pdf" https://<host>/lool/convert-to > out.pdf
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7776 100 7477 100 299 12420 496 --:--:-- --:--:-- --:--:-- 12895
If I try denying public access to the API using the reverse proxy, well Collabora stops working.
The convert-to endpoint can and should actually be limited by configuring a set of trusted hosts in the loolwsd.xml config of Collabora.
Open that https:///loleaflet//loleaflet.html? and you will see a Vereign website, kinda similar to the view of Libreoffice. To that URL you can pass parameters at the end, like WOPISrc.
Same goes for the trusted storage backends, so the links from discovery cannot open any file except from the trusted sources (the Nextcloud host).
It would be a good feature to allow Nextcloud to run on the frontend, and connect to a Collabora running without external connectivity.
This is not going to work, since the web frontend needs to communicate with Collabora via websockets and we cannot proxy those through Nextcloud.
+1 for basic auth please.
I'd like to be able to protect the apache virtual host with basic auth and have that specified in the NextCloud URL for Collabora.
@ben423423n32j14e This already works to some extent. You can specify user:password@yourhost.com. However, this makes the integration into the nextcloud-mobile app unusable.
Then let's get support added into the mobile app. Basic auth is a fantastic tool that can be used to shield the Collabora server behind Apache. No login? No access to the Collabora server!
[mzamot@raziel ~]$ curl -F "data=@test.txt" -F "format=pdf" https://
/lool/convert-to > out.pdf
Make sure to forward the requesting IP to coolwsd, e.g. in nginx:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
so that coolwsd can compare that against the allowed IPs for convert-to in your coolwsd config (https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in#L120-L134)
(Just adding this here because I had the same issue - thanks to @juliushaertl for pointing out my mistake!)
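An added example, not part of the thread or of Collabora's code: an offline audit of the convert-to allow-list mentioned in the comment above, reporting which entries would admit clients outside the trusted set. The config fragment, the addresses, the net/post_allow layout and whole-string regex matching are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment. Assumed layout: <host> regex
# entries under net/post_allow, as in the coolwsd.xml.in section linked above.
SAMPLE_CONFIG = r"""
<config><net><post_allow allow="true">
  <host desc="loopback">127\.0\.0\.1</host>
  <host desc="Nextcloud host">192\.168\.10\.5</host>
  <host desc="whole subnet">192\.168\.10\..*</host>
  <host desc="catch-all">.*</host>
</post_allow></net></config>
"""

# Constructed addresses: the only clients that should reach convert-to.
TRUSTED = {"127.0.0.1", "192.168.10.5"}
# Constructed probes: a LAN neighbour and a documentation-range address
# standing in for an arbitrary internet client.
UNTRUSTED = ["192.168.10.50", "203.0.113.77"]


def load_patterns(xml_text):
    """Return (desc, regex) pairs from the allow-list."""
    root = ET.fromstring(xml_text)
    return [(h.get("desc", ""), (h.text or "").strip())
            for h in root.findall("./net/post_allow/host")]


def admitted(pattern, address):
    # Assumption: an entry must match the whole address string.
    return re.fullmatch(pattern, address) is not None


def audit(xml_text, trusted=TRUSTED, untrusted=UNTRUSTED):
    """Return (entries admitting untrusted probes, trusted addresses
    that no entry admits)."""
    patterns = load_patterns(xml_text)
    too_broad = {}
    for desc, pattern in patterns:
        hits = [a for a in untrusted if admitted(pattern, a)]
        if hits:
            too_broad[desc] = hits
    locked_out = sorted(a for a in trusted
                        if not any(admitted(p, a) for _, p in patterns))
    return too_broad, locked_out


if __name__ == "__main__":
    broad, missing = audit(SAMPLE_CONFIG)
    print("entries admitting untrusted clients:", broad)
    print("trusted clients with no matching entry:", missing)
```

The second return value catches the opposite mistake: a trusted client, such as the Nextcloud host, that no entry matches and that would therefore be refused.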
A few days ago, I set up Collabora Online and connected it with my Nextcloud 15 instance. All is working well and I'm very impressed that even editing on mobile is possible!
However, I'm concerned about the security of the whole setup. There is literally no information about this topic available. All that I found was a post on the Nextcloud forums, sadly with no answer.
To dig a bit deeper, I've created a post on /r/selfhosted, however we didn't figure out a (working) solution.
In my opinion there are three possible approaches:
What are your thoughts?