nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

WOPI allow list needs to be empty #3856

Closed bes1002t closed 1 month ago

bes1002t commented 3 months ago

Describe the bug

Documents won't open, if the WOPI allow list is not empty. A clear documentation of the issue is posted here: https://help.nextcloud.com/t/security-setting-for-nextcloud-office/151613/11 Please also clarify the security implications of the empty list.

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'Administration Settings'
  2. In the Navigation Bar, go to 'Office'
  3. Check 'Allow list for WOPI requests'

Expected behavior

Enter localhost and documents could be edited in browser

Current behavior

Document editing only works in browser, if the WOPI requests list is empty

Client details:

Server details

Operating system: Debian Bookworm
Web server: Nginx
Database: MySQL
PHP version: 8.3.9
Nextcloud version: Nextcloud Hub 8 (29.0.3)
Version of Collabora Online 24.4.402 BUILT-IN CODE Server

XueSheng-GIT commented 3 months ago

I don't see why WOPI needs to be empty. I assume there's a configuration issue with the CODE server. Maybe double check the documentation.

https://sdk.collaboraonline.com/docs/installation/Configuration.html
https://sdk.collaboraonline.com/docs/How_to_integrate.html

bes1002t commented 2 months ago

I'm using the built-in CODE server. Either there needs to be a Nextcloud config update on my server, or something else is broken. However, I'm not aware of any additional required config which is needed with the Built-In CODE server. And I'm not the only one with this problem, as explained in the thread I linked in the initial post.

I've updated my initial post and added the information that I use the Built-In CODE Server.

juliusknorr commented 1 month ago

It is not the wopi address. It is an allow list to limit which servers can send requests to the wopi endpoints of Nextcloud, which would be recommended to set to the incoming IP that your Collabora server has. How to configure might depend on your network and reverse proxy constellation.

If the IP/subnet you try to enter does not work you can check the logs at warning level (2) to see which IP Nextcloud is actually seeing as the source.

You will see a message like this showing up that will help you configure it properly:

WOPI request denied from 192.168.178.10 as it does not match the configured ranges: 192.168.1.0/24
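
A log-triage sketch for the check described in the comment above, added here as an example (not code from richdocuments or from the commenter): it collects the source addresses named in the denial warnings and reports which of them a candidate allow list would still reject. The JSON-per-line log layout, the comma-separated allow-list syntax, the function names and the sample addresses are assumptions.

```python
import ipaddress
import json
import re
from collections import Counter

# Message wording as quoted in the comment above.
DENIED = re.compile(r"WOPI request denied from (\S+) as it does not match "
                    r"the configured ranges: (.+)$")

# Constructed sample (assumption: one JSON object per line with a "message"
# field, as in nextcloud.log; the addresses are invented for illustration).
SAMPLE_LOG = """\
{"level":2,"app":"richdocuments","message":"WOPI request denied from 192.168.178.10 as it does not match the configured ranges: 192.168.1.0/24"}
{"level":2,"app":"richdocuments","message":"WOPI request denied from 192.168.178.10 as it does not match the configured ranges: 192.168.1.0/24"}
{"level":2,"app":"richdocuments","message":"WOPI request denied from 2001:db8::5 as it does not match the configured ranges: 192.168.1.0/24"}
{"level":1,"app":"core","message":"unrelated entry"}
this line is not JSON and is skipped
"""


def denied_sources(log_text):
    """Count the source addresses Nextcloud reported in WOPI denial warnings."""
    seen = Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            match = DENIED.search(str(entry.get("message", "")))
            if match:
                seen[ipaddress.ip_address(match.group(1))] += 1
        except (ValueError, AttributeError):
            continue  # not JSON, not an object, or not a parseable address
    return seen


def still_rejected(sources, allow_list):
    """Return denied sources that a candidate allow list would not cover."""
    # Assumption: entries are comma-separated addresses or CIDR subnets.
    nets = [ipaddress.ip_network(item.strip(), strict=False)
            for item in allow_list.split(",") if item.strip()]
    missing = [ip for ip in sources if not any(ip in net for net in nets)]
    return sorted(missing, key=lambda ip: (ip.version, int(ip)))


if __name__ == "__main__":
    found = denied_sources(SAMPLE_LOG)
    for ip, hits in found.most_common():
        print(f"{ip}: {hits} denied request(s)")
    print("still rejected:", still_rejected(found, "192.168.178.0/24"))
```

A single stable source address in the output points at the Collabora server or a proxy in front of it; many distinct addresses suggest Nextcloud is not seeing the address you expected as the request source.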

bes1002t commented 1 month ago

> It is not the wopi address. It is an allow list to limit which servers can send requests to the wopi endpoints of Nextcloud, which would be recommended to set to the incoming IP that your Collabora server has. How to configure might depend on your network and reverse proxy constellation.

Sorry, you are right, I update the description.

> If the IP/subnet you try to enter does not work you can check the logs at warning level (2) to see which IP Nextcloud is actually seeing as the source.
>
> You will see a message like this showing up that will help you configure it properly:
>
> WOPI request denied from 192.168.178.10 as it does not match the configured ranges: 192.168.1.0/24

It shows the user's public IP that tries to access the file, not the IP of the Nextcloud or built-in CODE server. I cannot configure all IP addresses that want to access files in my cloud. So the only valid way is to keep the allow list empty.