nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

Include some form of authentication #374

Closed sirtoobii closed 5 years ago

sirtoobii commented 5 years ago

A few days ago, I set up Collabora Online and connected it with my Nextcloud 15 instance. All is working well and I'm very impressed that even editing on mobile is possible!

However, I'm concerned about the security of the whole setup. There is literally no information about this topic available. All I found was a post on the Nextcloud forums, sadly with no answer.

To dig a bit deeper, I've created a post on /r/selfhosted, however we didn't figure out a (working) solution.

In my opinion there are three possible approaches:

What are your thoughts?

thebearon commented 5 years ago

Collabora Online is already set up to only allow connections from certain WOPI hosts; the option is in the configuration file under <storage>/<wopi>.

sirtoobii commented 5 years ago

@thebearon Yes, I already know about these configuration parameters. However, they provide at most "security by obscurity". To check whether it's a valid WOPI host, the GET parameter WOPISrc is passed in the request. I've also tried to restrict the IPs for the /hosting/discovery/ request. This works as long as you use Nextcloud online to open a document. If you use the app instead, a new request is made with the client (obviously with its public IP).

mzamot commented 5 years ago

This is concerning to me too. Many of the Collabora endpoints can be opened by anyone with the URL. Just trying to open many of the links exposed by /hosting/discovery leads to a vereign webpage that I feel can be exploited.

mzamot commented 5 years ago

For example, open your Collabora server discovery XML page: https://<host>/hosting/discovery and grab any of the URLs present there, e.g.

<app name="application/vnd.ms-powerpoint"><action ext="pot" name="edit" urlsrc="https://<host>/loleaflet/<id>/loleaflet.html?"/></app>

Open that https://<host>/loleaflet/<id>/loleaflet.html? and you will see a Vereign website, kinda similar to the view of LibreOffice. To that URL you can pass parameters at the end, like WOPISrc. That doesn't seem safe to me. There's no authentication happening anywhere. There are no hardening guides anywhere. As @sirtoobii said, this is at most "security by obscurity".

It would be a good feature to allow Nextcloud to run on the frontend, and connect to a Collabora running without external connectivity.

mzamot commented 5 years ago

Even running API requests to the LibreOffice API is not restricted using all the official documentation:

    [mzamot@raziel ~]$ curl -F "data=@test.txt" -F "format=pdf" https://<host>/lool/convert-to > out.pdf
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  7776  100  7477  100   299  12420    496 --:--:-- --:--:-- --:--:-- 12895

If I try denying public access to the API using the reverse proxy, well Collabora stops working.

juliushaertl commented 5 years ago

The convert-to endpoint can and should actually be limited by configuring a set of trusted hosts in the loolwsd.xml config of collabora.

> Open that https://<host>/loleaflet/<id>/loleaflet.html? and you will see a Vereign website, kinda similar to the view of Libreoffice. To that URL you can pass parameters at the end, like WOPISrc.

Same goes for the trusted storage backends, so the links from discovery cannot open any file except from the trusted sources (the Nextcloud host).

juliushaertl commented 5 years ago

> It would be a good feature to allow Nextcloud to run on the frontend, and connect to a Collabora running without external connectivity.

This is not going to work, since the web frontend needs to communicate with Collabora via websockets and we cannot proxy those through Nextcloud.

ben423423n32j14e commented 5 years ago

+1 for basic auth please.

I'd like to be able to protect the Apache virtual host with basic auth and have that specified in the Nextcloud URL for Collabora.

sirtoobii commented 5 years ago

@ben423423n32j14e This already works to some extent. You can specify user:password@yourhost.com. However, this makes the integration into the nextcloud-mobile app unusable.

ben423423n32j14e commented 5 years ago

Then let's get support added into the mobile app. Basic auth is a fantastic tool that can be used to shield the Collabora server behind Apache. No login? No access to the Collabora server!

simonspa commented 2 years ago

> [mzamot@raziel ~]$ curl -F "data=@test.txt" -F "format=pdf" https://<host>/lool/convert-to > out.pdf

Make sure to forward the requesting IP to coolwsd, e.g. in nginx:

    proxy_set_header   X-Real-IP          $remote_addr;
    proxy_set_header   X-Forwarded-Proto  $scheme;
    proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;

so that coolwsd can compare that against the allowed IPs for convert-to in your coolwsd config (https://github.com/CollaboraOnline/online/blob/master/coolwsd.xml.in#L120-L134)

(Just adding this here because I had the same issue - thanks to @juliushaertl for pointing out my mistake!)
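
Why the forwarding in the last comment matters, as an added example (not part of the thread and not coolwsd's code): with nginx on the same host, coolwsd sees 127.0.0.1 as the peer unless the client address is forwarded. The allow-list values, the function names and the rule that the peer and every X-Forwarded-For entry must match are assumptions of this simplified model.

```python
import re

# Constructed allow-list, written like the host regexes in the coolwsd config's
# convert-to IP list; the values are examples, not the project's defaults.
POST_ALLOW = [r"127\.0\.0\.1", r"192\.168\.[0-9]{1,3}\.[0-9]{1,3}"]

def is_allowed(addr, patterns=POST_ALLOW):
    """True if the whole address matches one allow-list regex."""
    return any(re.fullmatch(p, addr) for p in patterns)

def nginx_upstream_headers(remote_addr, client_headers, forward):
    """Headers sent upstream, with or without the proxy_set_header lines."""
    if not forward:
        # Without the directives, request headers are passed on unchanged.
        return dict(client_headers)
    # $proxy_add_x_forwarded_for keeps an existing X-Forwarded-For value and
    # appends $remote_addr, so the real peer address is always in the list.
    prior = client_headers.get("X-Forwarded-For")
    xff = f"{prior}, {remote_addr}" if prior else remote_addr
    return {"X-Real-IP": remote_addr, "X-Forwarded-For": xff}

def convert_to_allowed(peer_addr, headers, patterns=POST_ALLOW):
    """Assumed model: socket peer and every X-Forwarded-For entry must match."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    checked = [peer_addr] + [h for h in hops if h]
    rejected = [a for a in checked if not is_allowed(a, patterns)]
    return not rejected, rejected

def evaluate(client_addr, forward, client_headers=None, proxy_addr="127.0.0.1"):
    """One request through a proxy on the coolwsd host (peer is proxy_addr)."""
    headers = nginx_upstream_headers(client_addr, client_headers or {}, forward)
    return convert_to_allowed(proxy_addr, headers)

if __name__ == "__main__":
    # Constructed cases; 203.0.113.7 is a documentation address standing in
    # for an arbitrary Internet client.
    cases = [
        ("internet client, headers not forwarded", "203.0.113.7", False, None),
        ("internet client, headers forwarded", "203.0.113.7", True, None),
        ("LAN client, headers forwarded", "192.168.1.20", True, None),
        ("internet client, header already present", "203.0.113.7", True,
         {"X-Forwarded-For": "192.168.1.20"}),
    ]
    for label, addr, fwd, hdrs in cases:
        ok, rejected = evaluate(addr, fwd, hdrs)
        print(f"{label:42} -> {'allow' if ok else 'deny'} {rejected}")
```

In the first case the allow-list only ever sees the proxy's loopback address, so it cannot distinguish clients; once the headers are forwarded, the decision depends on the real client address.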