owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Cannot open doc files with the collaboration service (OnlyOffice) #9320

Closed jvillafanez closed 3 months ago

jvillafanez commented 3 months ago

Describe the bug

Opening office files with OnlyOffice (and likely other apps such as Collabora and office365) isn't possible. This happens with the current master (commit d200dfc03fa61a6e85a29038dc199f6f46f2a474). It was working before (probably around May 24th).

Steps to reproduce

  1. Upload a ".docx" file (any office file should do)
  2. Click on the file to open it with OnlyOffice (or Collabora)

Expected behavior

The file is opened and can be edited

Actual behavior

The file can't be opened

Screenshot from 2024-06-04 17-11-15

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

Relevant docker-compose yaml file below

```yaml
---
version: "3.7"

services:
  ocis:
    #image: owncloud/ocis:4
    image: go-dlv-mount2
    networks:
      ocis-net:
    ports:
      - "9999:9999"
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_CONFIG_DIR: /etc/ocis/
      OCIS_URL: https://ocis.${DOMAIN:-owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-warning}
      #OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      WEB_OIDC_CLIENT_ID: ${OCIS_OIDC_CLIENT_ID:-web}
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      #GRAPH_USERNAME_MATCH: "none"
      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "true"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # fulltext search
      SEARCH_EXTRACTOR_TYPE: tika
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: http://tika:9998
      FRONTEND_FULL_TEXT_SEARCH_ENABLED: "true"
      # make the registry available to the app provider containers
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "127.0.0.1:9233"
      NATS_NATS_HOST: "0.0.0.0"
      NATS_NATS_PORT: "9233"
      OCIS_RUNTIME_HOST: "ocis"
    volumes:
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
      - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      - ./ocis:/usr/bin/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=https"
      - "traefik.http.routers.ocis.rule=Host(`ocis.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.ocis.tls.certresolver=http"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
      - "traefik.http.routers.ocis.middlewares=ocis@docker"
      - "traefik.http.middlewares.ocis.compress=true"
    logging:
      driver: "local"
    restart: always

  ocis-appprovider-onlyoffice:
    image: go-dlv-mount2
    networks:
      ocis-net:
    entrypoint:
      - /usr/bin/ocis
    command: app-provider server
    environment:
      OCIS_CONFIG_DIR: /etc/ocis/
      # use the internal service name of the gateway
      REVA_GATEWAY: ${REVA_GATEWAY:-com.owncloud.api.gateway}
      APP_PROVIDER_GRPC_ADDR: 0.0.0.0:9164
      # configure the service name to avoid collision with onlyoffice
      APP_PROVIDER_SERVICE_NAME: app-provider-onlyoffice
      # use the internal service name
      APP_PROVIDER_EXTERNAL_ADDR: com.owncloud.api.app-provider-onlyoffice
      APP_PROVIDER_DRIVER: wopi
      APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
      APP_PROVIDER_WOPI_APP_ICON_URI: https://onlyoffice.${DOMAIN:-owncloud.test}/favicon.ico
      APP_PROVIDER_WOPI_APP_URL: https://onlyoffice.${DOMAIN:-owncloud.test}
      APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
      APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://wopiserver.${DOMAIN:-owncloud.test}
      APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://ocis.${DOMAIN:-owncloud.test}
      # share the registry with the ocis container
      #MICRO_REGISTRY: "mdns"
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
    volumes:
      - ocis-config:/etc/ocis
      - ./ocis:/usr/bin/ocis
    logging:
      driver: "local"
    restart: always
    depends_on:
      ocis:
        condition: service_started
      onlyoffice:
        condition: service_healthy

  wopiserver:
    image: go-dlv-mount2
    networks:
      ocis-net:
    ports:
      - "9304:9304"
    depends_on:
      onlyoffice:
        condition: service_healthy
    command: ['/usr/bin/ocis', 'collaboration', 'server']
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_WOPISRC: http://wopiserver:9300
      COLLABORATION_WOPI_SECRET: Brotato
      COLLABORATION_APP_NAME: "OnlyOffice"
      COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.jp.solidgear.prv}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
      COLLABORATION_DEBUG_PPROF: "true"
      COLLABORATION_DEBUG_ZPAGES: "true"
      COLLABORATION_LOG_LEVEL: debug
      OCIS_RUNTIME_HOST: "ocis"
      OCIS_CONFIG_DIR: /etc/ocis/
    volumes:
      - ocis-config:/etc/ocis
      - ./ocis:/usr/bin/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver.entrypoints=https"
      - "traefik.http.routers.wopiserver.rule=Host(`wopiserver.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.wopiserver.tls.certresolver=http"
      - "traefik.http.routers.wopiserver.service=wopiserver"
      - "traefik.http.services.wopiserver.loadbalancer.server.port=9300"
    logging:
      driver: "local"
    restart: always

  onlyoffice:
    image: onlyoffice/documentserver:7.3.3
    networks:
      ocis-net:
    environment:
      WOPI_ENABLED: "true"
      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-true}" # self signed certificates
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.entrypoints=https"
      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.jp.solidgear.prv}`)"
      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
      - "traefik.http.routers.onlyoffice.service=onlyoffice"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
      # websockets can't be opened when this is omitted
      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
    logging:
      driver: "local"
    restart: always
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/hosting/discovery"]

volumes:
  certs:
  ocis-config:
  ocis-data:
  wopi-recovery:
  #portainer_data:
  #keycloak_postgres_data:

networks:
  ocis-net:
```

Additional context

Relevant logs:

traefik-1                      | {"ClientAddr":"10.0.2.28:46722","ClientHost":"10.0.2.28","ClientPort":"46722","ClientUsername":"-","DownstreamContentSize":690,"DownstreamStatus":207,"Duration":14953100,"GzipRatio":0.014492753623188406,"OriginContentSize":10,"OriginDuration":14713177,"OriginStatus":207,"Overhead":239923,"RequestAddr":"ocis.jp.solidgear.prv","RequestContentSize":568,"RequestCount":216,"RequestHost":"ocis.jp.solidgear.prv","RequestMethod":"PROPFIND","RequestPath":"/remote.php/dav/spaces/d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402/Document.docx","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"ocis@docker","ServiceAddr":"172.19.0.3:9200","ServiceName":"ocis@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"172.19.0.3:9200","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-06-04T14:54:19.847778595Z","StartUTC":"2024-06-04T14:54:19.847778595Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"c030ee43-6ef1-46f9-a9bb-f27fb58ad9f5","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"c030ee43-6ef1-46f9-a9bb-f27fb58ad9f5","request_X-Request-Id":"c030ee43-6ef1-46f9-a9bb-f27fb58ad9f5","time":"2024-06-04T14:54:19Z"}
traefik-1                      | {"ClientAddr":"10.0.2.28:46722","ClientHost":"10.0.2.28","ClientPort":"46722","ClientUsername":"-","DownstreamContentSize":690,"DownstreamStatus":207,"Duration":9862937,"GzipRatio":0.014492753623188406,"OriginContentSize":10,"OriginDuration":9728660,"OriginStatus":207,"Overhead":134277,"RequestAddr":"ocis.jp.solidgear.prv","RequestContentSize":568,"RequestCount":217,"RequestHost":"ocis.jp.solidgear.prv","RequestMethod":"PROPFIND","RequestPath":"/remote.php/dav/spaces/d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402/Document.docx","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"ocis@docker","ServiceAddr":"172.19.0.3:9200","ServiceName":"ocis@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"172.19.0.3:9200","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-06-04T14:54:19.937549457Z","StartUTC":"2024-06-04T14:54:19.937549457Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"5b7515cf-c83d-4445-90db-67230bcdf83c","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"5b7515cf-c83d-4445-90db-67230bcdf83c","request_X-Request-Id":"5b7515cf-c83d-4445-90db-67230bcdf83c","time":"2024-06-04T14:54:19Z"}
wopiserver-1                   | {"level":"debug","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","status":404,"path":"/wopi/iop/openinapp","duration":0.179115,"bytes":19,"time":"2024-06-04T14:54:20Z","line":"/home/juan/src/ocis/ocis/ocis-pkg/middleware/logger.go:27"}
traefik-1                      | {"ClientAddr":"172.19.0.7:46902","ClientHost":"172.19.0.7","ClientPort":"46902","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":14471434,"OriginContentSize":19,"OriginDuration":14363347,"OriginStatus":404,"Overhead":108087,"RequestAddr":"wopiserver.jp.solidgear.prv","RequestContentSize":0,"RequestCount":219,"RequestHost":"wopiserver.jp.solidgear.prv","RequestMethod":"GET","RequestPath":"/wopi/iop/openinapp?appinturl=https%3A%2F%2Fonlyoffice.jp.solidgear.prv\u0026appname=OnlyOffice\u0026appurl=https%3A%2F%2Fonlyoffice.jp.solidgear.prv%2Fhosting%2Fwopi%2Fword%2Fedit\u0026appviewurl=https%3A%2F%2Fonlyoffice.jp.solidgear.prv%2Fhosting%2Fwopi%2Fword%2Fview\u0026endpoint=d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402\u0026fileid=a016b042-a7a8-413a-9ce5-7ed272266629\u0026folderurl=https%3A%2F%2Focis.jp.solidgear.prv%2Ff%2Fd22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402%2521a016b042-a7a8-413a-9ce5-7ed272266629\u0026userid=d160ff69-23c9-40c2-9a65-2932d45a0402%40https%3A%2F%2Focis.jp.solidgear.prv\u0026username=Admin\u0026viewmode=VIEW_MODE_READ_WRITE","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"wopiserver@docker","ServiceAddr":"172.19.0.8:9300","ServiceName":"wopiserver@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"172.19.0.8:9300","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-06-04T14:54:20.070097693Z","StartUTC":"2024-06-04T14:54:20.070097693Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"https","level":"info","msg":"","time":"2024-06-04T14:54:20Z"}
ocis-1                         | {"level":"error","service":"frontend","pkg":"rhttp","traceid":"57a50ac8b15023ac7d7d4794c08c8f36","request-id":"73647bb3-4a07-46e7-96b7-371e11b6dd44","error":"error calling OpenInApp: grpc failed with code CODE_INTERNAL","time":"2024-06-04T14:54:20Z","message":"404 page not found\n"}
ocis-1                         | {"level":"error","service":"frontend","pkg":"rhttp","traceid":"57a50ac8b15023ac7d7d4794c08c8f36","host":"127.0.0.1","method":"POST","uri":"/app/open?file_id=d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402%21a016b042-a7a8-413a-9ce5-7ed272266629&lang=en&app_name=OnlyOffice&view_mode=write","url":"/open?file_id=d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402%21a016b042-a7a8-413a-9ce5-7ed272266629&lang=en&app_name=OnlyOffice&view_mode=write","proto":"HTTP/1.1","status":500,"size":65,"start":"04/Jun/2024:14:54:20 +0000","end":"04/Jun/2024:14:54:20 +0000","time_ns":24267625,"time":"2024-06-04T14:54:20Z","message":"http"}
traefik-1                      | {"ClientAddr":"10.0.2.28:46722","ClientHost":"10.0.2.28","ClientPort":"46722","ClientUsername":"-","DownstreamContentSize":65,"DownstreamStatus":500,"Duration":29358381,"OriginContentSize":65,"OriginDuration":29252172,"OriginStatus":500,"Overhead":106209,"RequestAddr":"ocis.jp.solidgear.prv","RequestContentSize":0,"RequestCount":218,"RequestHost":"ocis.jp.solidgear.prv","RequestMethod":"POST","RequestPath":"/app/open?file_id=d22362d2-e19b-4018-82a1-fa4e0ba46045%24d160ff69-23c9-40c2-9a65-2932d45a0402%21a016b042-a7a8-413a-9ce5-7ed272266629\u0026lang=en\u0026app_name=OnlyOffice\u0026view_mode=write","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"ocis@docker","ServiceAddr":"172.19.0.3:9200","ServiceName":"ocis@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"172.19.0.3:9200","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-06-04T14:54:20.057348276Z","StartUTC":"2024-06-04T14:54:20.057348276Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"73647bb3-4a07-46e7-96b7-371e11b6dd44","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"73647bb3-4a07-46e7-96b7-371e11b6dd44","request_X-Request-Id":"73647bb3-4a07-46e7-96b7-371e11b6dd44","time":"2024-06-04T14:54:20Z"}

Note that there is a call to /wopi/iop/openinapp in the wopiserver (running the collaboration service) which isn't implemented. As far as I know, this isn't part of the WOPI specification. If that endpoint is now mandatory, we'll need to implement it somehow.

2403905 commented 3 months ago

I ran with the docker compose below but it still has an issue with the cross origin

Screenshot 2024-06-04 at 18 54 08
```yaml
---
version: "3.7"

services:
  traefik:
    image: traefik:v2.9.1
    networks:
      ocis-net:
        aliases:
          - ${OCIS_DOMAIN:-ocis.owncloud.test}
          - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
          - ${COLLABORA_DOMAIN:-collabora.owncloud.test}
          - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
          - ${COMPANION_DOMAIN:-companion.owncloud.test}
    command:
      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
      # letsencrypt configuration
      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
      - "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
      # enable dashboard
      - "--api.dashboard=true"
      # define entrypoints
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
      # docker provider (get configuration from container labels)
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      # access log
      - "--accessLog=true"
      - "--accessLog.format=json"
      - "--accessLog.fields.headers.names.X-Request-Id=keep"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
      - "certs:/certs"
    labels:
      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.routers.traefik.tls.certresolver=http"
      - "traefik.http.routers.traefik.service=api@internal"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

  ocis:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    ports:
      - "9999:9999"
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: [ "-c", "ocis init || true; ocis server" ]
    environment:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # admin user password
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
      ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      # make collabora the secure view app
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.app-provider-collabora
    volumes:
      - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      - ./config/ocis/web.yaml:/etc/ocis/web.yaml
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=https"
      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
      - "traefik.http.routers.ocis.tls.certresolver=http"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

  wopiserver:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    ports:
      - "9304:9304"
    depends_on:
      onlyoffice:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: [ "-c", "ocis collaboration server" ]
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_WOPISRC: http://wopiserver:9300
      COLLABORATION_WOPI_SECRET: Brotato
      COLLABORATION_APP_NAME: "OnlyOffice"
      COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
      COLLABORATION_DEBUG_PPROF: "true"
      COLLABORATION_DEBUG_ZPAGES: "true"
      AUTOMEMLIMIT_EXPERIMENT: system
      COLLABORATION_LOG_LEVEL: debug
      OCIS_RUNTIME_HOST: "ocis"
      OCIS_CONFIG_DIR: /etc/ocis/
    volumes:
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver.entrypoints=https"
      - "traefik.http.routers.wopiserver.rule=Host(`wopiserver.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.wopiserver.tls.certresolver=http"
      - "traefik.http.routers.wopiserver.service=wopiserver"
      - "traefik.http.services.wopiserver.loadbalancer.server.port=9300"
    logging:
      driver: "local"
    restart: always

  onlyoffice:
    image: onlyoffice/documentserver:7.5.0
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      WOPI_ENABLED: "true"
      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates
    volumes:
      - ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
      - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.entrypoints=https"
      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
      - "traefik.http.routers.onlyoffice.service=onlyoffice"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
      # websockets can't be opened when this is omitted
      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost/hosting/discovery" ]

volumes:
  certs:
  ocis-config:
  ocis-data:
  wopi-recovery:
  #portainer_data:
  #keycloak_postgres_data:

networks:
  ocis-net:
```

2403905 commented 3 months ago

Works well

```yaml
---
version: "3.7"

services:
  traefik:
    image: traefik:v2.9.1
    networks:
      ocis-net:
        aliases:
          - ${OCIS_DOMAIN:-ocis.owncloud.test}
          - ${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}
          - ${COLLABORA_DOMAIN:-collabora.owncloud.test}
          - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
          - ${COMPANION_DOMAIN:-companion.owncloud.test}
    command:
      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
      # letsencrypt configuration
      - "--certificatesResolvers.http.acme.email=${TRAEFIK_ACME_MAIL:-example@example.org}"
      - "--certificatesResolvers.http.acme.storage=/certs/acme.json"
      - "--certificatesResolvers.http.acme.httpChallenge.entryPoint=http"
      - "--certificatesresolvers.http.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}"
      # enable dashboard
      - "--api.dashboard=true"
      # define entrypoints
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.https.address=:443"
      # docker provider (get configuration from container labels)
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.docker.exposedByDefault=false"
      # access log
      - "--accessLog=true"
      - "--accessLog.format=json"
      - "--accessLog.fields.headers.names.X-Request-Id=keep"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
      - "certs:/certs"
    labels:
      - "traefik.enable=${TRAEFIK_DASHBOARD:-false}"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_BASIC_AUTH_USERS:-admin:$$apr1$$4vqie50r$$YQAmQdtmz5n9rEALhxJ4l.}" # defaults to admin:admin
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DOMAIN:-traefik.owncloud.test}`)"
      - "traefik.http.routers.traefik.middlewares=traefik-auth"
      - "traefik.http.routers.traefik.tls.certresolver=http"
      - "traefik.http.routers.traefik.service=api@internal"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

  ocis:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    ports:
      - "9999:9999"
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: [ "-c", "ocis init || true; ocis server" ]
    environment:
      OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-info}
      OCIS_LOG_COLOR: "${OCIS_LOG_COLOR:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      # INSECURE: needed if oCIS / Traefik is using self generated certificates
      OCIS_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # admin user password
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
      ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      # make collabora the secure view app
      FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: com.owncloud.api.app-provider-collabora
    volumes:
      - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      - ./config/ocis/web.yaml:/etc/ocis/web.yaml
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=https"
      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`)"
      - "traefik.http.routers.ocis.tls.certresolver=http"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

  wopiserver:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      ocis-net:
    ports:
      - "9304:9304"
    depends_on:
      onlyoffice:
        condition: service_healthy
    entrypoint:
      - /bin/sh
    command: [ "-c", "ocis collaboration server" ]
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_SRC: http://wopiserver:9300
      COLLABORATION_WOPI_SECRET: Brotato
      COLLABORATION_APP_NAME: "OnlyOffice"
      COLLABORATION_APP_ADDR: https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_DEBUG_ADDR: 0.0.0.0:9304
      COLLABORATION_DEBUG_PPROF: "true"
      COLLABORATION_DEBUG_ZPAGES: "true"
      OCIS_URL: "https://ocis.owncloud.test"
      COLLABORATION_LOG_LEVEL: debug
      OCIS_RUNTIME_HOST: "ocis"
      OCIS_CONFIG_DIR: /etc/ocis/
    volumes:
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver.entrypoints=https"
      - "traefik.http.routers.wopiserver.rule=Host(`wopiserver.${DOMAIN:-owncloud.test}`)"
      - "traefik.http.routers.wopiserver.tls.certresolver=http"
      - "traefik.http.routers.wopiserver.service=wopiserver"
      - "traefik.http.services.wopiserver.loadbalancer.server.port=9300"
    logging:
      driver: "local"
    restart: always

  onlyoffice:
    image: onlyoffice/documentserver:7.5.0
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      WOPI_ENABLED: "true"
      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}" # self signed certificates
    volumes:
      - ./config/onlyoffice/entrypoint-override.sh:/entrypoint-override.sh
      - ./config/onlyoffice/local.json:/etc/onlyoffice/documentserver/local.dist.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.entrypoints=https"
      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
      - "traefik.http.routers.onlyoffice.service=onlyoffice"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
      # websockets can't be opened when this is omitted
      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
    healthcheck:
      test: [ "CMD", "curl", "-f", "http://localhost/hosting/discovery" ]

volumes:
  certs:
  ocis-config:
  ocis-data:
  wopi-recovery:
  #portainer_data:
  #keycloak_postgres_data:

networks:
  ocis-net:
```

2403905 commented 3 months ago

There is a typo in the variable COLLABORATION_WOPI_WOPISRC. It has to be COLLABORATION_WOPI_SRC.

jvillafanez commented 3 months ago

You're right about the typo. It would have caused a problem later, although it wasn't the problem for this one.

There might be something wrong with the app-provider (my ocis-appprovider-onlyoffice container) which causes the call to the /wopi/iop/openinapp endpoint to happen. Removing that container (and fixing the typo with the WOPI_SRC env var) solves the issue.

I think we can close this issue, but maybe we want to investigate what happens with the ocis-appprovider-onlyoffice container

micbar commented 3 months ago

> I think we can close this issue, but maybe we want to investigate what happens with the ocis-appprovider-onlyoffice container

We do not need the old app provider anymore. The collaboration service brings its own one.

2403905 commented 3 months ago

> I think we can close this issue, but maybe we want to investigate what happens with the ocis-appprovider-onlyoffice container
>
> We do not need the old app provider anymore. The collaboration service brings its own one.

👍 @jvillafanez You already implemented the openinapp functionality in a collaboration service

jvillafanez commented 3 months ago

We should update the documentation about the app-provider service... either remove the service, mark it as obsolete, or add some information about how / when to use it and the conditions to use it, if any.

If the app-provider service is meant to be used with the cs3org WOPI server, it should be clear. From what I understand, app-provider + cs3org wopiserver = collaboration service. This is totally fine by me, but it seems the app-provider is incompatible with the collaboration service. If we can't enforce that only one of those services is active (or none), at least it should be documented.
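
Added example, not part of the thread or the oCIS code base: a small pre-deployment check for the two problems discussed above, a misspelled `COLLABORATION_*` variable that the service silently ignores and a legacy WOPI app-provider running next to a collaboration service for the same app. The known-name set is an assumption taken from the compose file reported as working here, and the sample compose text is constructed from the reporter's setup.

```python
import difflib
import re

# Names that appear in the compose file this thread reports as working.
# Assumption: not the project's complete list; extend it from the oCIS docs.
KNOWN_COLLABORATION_VARS = {
    "COLLABORATION_GRPC_ADDR", "COLLABORATION_HTTP_ADDR",
    "COLLABORATION_WOPI_SRC", "COLLABORATION_WOPI_SECRET",
    "COLLABORATION_APP_NAME", "COLLABORATION_APP_ADDR",
    "COLLABORATION_APP_INSECURE", "COLLABORATION_CS3API_DATAGATEWAY_INSECURE",
    "COLLABORATION_DEBUG_ADDR", "COLLABORATION_DEBUG_PPROF",
    "COLLABORATION_DEBUG_ZPAGES", "COLLABORATION_LOG_LEVEL",
}

# Constructed sample: a trimmed version of the reporter's failing setup
# (the image name is a placeholder).
SAMPLE_COMPOSE = """\
services:
  ocis-appprovider-onlyoffice:
    image: example/ocis
    environment:
      APP_PROVIDER_DRIVER: wopi
      APP_PROVIDER_WOPI_APP_NAME: OnlyOffice
  wopiserver:
    image: example/ocis
    environment:
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      COLLABORATION_WOPI_WOPISRC: http://wopiserver:9300  # misspelled name
      COLLABORATION_APP_NAME: "OnlyOffice"
volumes:
  ocis-config:
"""

ENV_ENTRY = re.compile(r"([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")


def parse_service_env(compose_text):
    """Return {service: {VAR: value}} for mapping-style `environment:` blocks.

    Minimal indentation-based reader, not a YAML parser: it expects the
    2/4/6-space layout used by the compose files in this thread.
    """
    services, service, in_services, in_env = {}, None, False, False
    for raw in compose_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_services, service, in_env = line.startswith("services:"), None, False
        elif in_services and indent == 2:
            service, in_env = line.strip().rstrip(":"), False
            services[service] = {}
        elif service and indent == 4:
            in_env = line.strip() == "environment:"
        elif service and in_env and indent == 6:
            match = ENV_ENTRY.match(line.strip())
            if match:
                # Drop a trailing "# comment" and surrounding quotes.
                value = re.sub(r"\s+#.*$", "", match.group(2)).strip().strip("\"'")
                services[service][match.group(1)] = value
    return services


def find_misspelled_vars(services):
    """Flag COLLABORATION_* names outside the known set, with the closest known name."""
    findings = []
    for service, env in services.items():
        for name in env:
            if name.startswith("COLLABORATION_") and name not in KNOWN_COLLABORATION_VARS:
                close = difflib.get_close_matches(name, sorted(KNOWN_COLLABORATION_VARS), n=1)
                findings.append((service, name, close[0] if close else None))
    return findings


def find_app_provider_overlap(services):
    """Pair each legacy WOPI app-provider with a collaboration service for the same app name."""
    legacy = {s: e.get("APP_PROVIDER_WOPI_APP_NAME")
              for s, e in services.items() if e.get("APP_PROVIDER_DRIVER") == "wopi"}
    collab = {s: e.get("COLLABORATION_APP_NAME")
              for s, e in services.items() if any(k.startswith("COLLABORATION_") for k in e)}
    return [(old, new, app) for old, app in legacy.items()
            for new, new_app in collab.items() if app and app == new_app]


if __name__ == "__main__":
    parsed = parse_service_env(SAMPLE_COMPOSE)
    for service, name, hint in find_misspelled_vars(parsed):
        print(f"{service}: unknown variable {name}, did you mean {hint}?")
    for old, new, app in find_app_provider_overlap(parsed):
        print(f"{old} and {new} both provide the app '{app}'; keep only one")
```
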

2403905 commented 3 months ago

I'll add the deployment example

micbar commented 3 months ago

We will change the ocis wopi deployment example as soon as the collaboration service works with all 3 office suites.

1) collabora as part of the single process - this will be the default
2) onlyoffice as sidecar
3) office365 via wopiproxy as sidecar