tiredofit / docker-collabora-online

Dockerized Online Office Suite with customizable options
MIT License

allowed hosts ^(.*)\.example\.org doesn't work any longer #21

Closed joergmschulz closed 1 year ago

joergmschulz commented 2 years ago

Summary

Until some versions ago, the stanza ^(.*)\.example\.org could be used for the ALLOWED_HOSTS. Now, the FIRST host matching this pattern will be allowed, all following denied. Thus, it is not possible to use one docker for multiple hosts. The solution is to use groups in coolwsd.xml; I didn't find the syntax yet.

1st update: the coolwsd.xml section for multiple hosts looks like:

<alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
    <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
         add the hosts below.  If one host is accessible under multiple ip addresses
         or names, add them as aliases. -->
    <group>
        <host desc="hostname to allow or deny." allow="true">https://server1.yourdomain.de:443</host>
        <host desc="hostname to allow or deny." allow="true">https://secondnameforserver1.yourdomain:443</host>
        <!-- <alias>scheme://aliasname1:port</alias>
        <alias>scheme://aliasname2:port</alias> -->
    </group>
    <group>
        <host desc="hostname to allow or deny." allow="true">https://server2.yourdomain.de:443</host>
    </group>
    <!-- More "group"s possible here -->
</alias_groups>
tiredofit commented 2 years ago

I'm not having any success loading this new image 2.3.6 on a Nextcloud 23.0.3 install. And you? We can certainly adjust this to make the accepted hosts work, just need a few known good configs to build upon.

joergmschulz commented 2 years ago

Yesterday, I made it work with the restriction above (only first host connects). Out of the box.

services:
  office2:
    image: tiredofit/collabora-online
    container_name: office2.${DOMAIN}.de
    hostname: office2.${DOMAIN}.de
    # expose:
      # - 9980
    cap_add:
      - MKNOD
      - NET_ADMIN
      - SYS_CHROOT
      - FOWNER
    privileged: true
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:office2.${DOMAIN}.de
      - traefik.http.services.office2.loadbalancer.server.port=9980
      - "traefik.http.routers.office2.rule=Host(`office2.somedomain.de`, `office2.yourdomain.de`)"
      - "traefik.http.routers.office2.tls=true"
      - "traefik.docker.network=traefik"
      - traefik.office2.backend=office2

    volumes:
      - /data/${DOMAIN}/office2/logs:/logs
      - /data/${DOMAIN}/office2/fonts:/assets/custom-fonts
    environment:
      - CONTAINER_NAME=office2.${DOMAIN}.de
      - TIMEZONE=Europe/Berlin

      - ADMIN_USER=js
      - ADMIN_PASS=welovepasswordswithescaped$$signsmaybebetterputthisintotheDotEnvFile
      - ALLOWED_HOSTS=^(.*)\.yourdomain.de
      - AUTO_SAVE=30
      - DICTIONARIES=de,fr
      - "DONT_GEN_SSL_CERT=set"
      - ENABLE_CLEANUP=true
      - ENABLE_TLS=FALSE
      - ENABLE_TLS_REVERSE_PROXY=TRUE
      - INTERFACE=notebookbar
      - "LANGUAGE=de_DE en_GB en_US fr_FR"
      - LOG_LEVEL=error

      - "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:user_interface.mode=notebookbar --o:welcome.enable=false --o:user_interface.TextStatusbar=false"
    networks:
      traefik:
      services:
        ipv4_address: ${OFFICE_IP}
    restart: unless-stopped

networks:
  traefik:
    external: true
  services:
    external: true

I'm getting many messages like frk-01559-01559 2022-03-24 08:45:50.381682 +0100 [ forkit ] ERR #18: read failed, have 0 buffered bytes (EAGAIN: Resource temporarily unavailable)| net/Socket.hpp:1123 which I haven't seen before. Other than that, it's working.

One downside in comparison to the CODE version is: they added some magic to inherit the nextcloud css/templates. Maybe it would be a good idea to not compile our own cool but use the code image as base.

tiredofit commented 2 years ago

Our directives are fairly similar - you have one more capability than I do (FOWNER) and you have extra_params, whereas I don't. I'll fiddle with it today.

As for the new CODE version - I can try to build a different one based on the CODE dailies. When I tried to mirror their release strategy my users started complaining about compatibility issues - Spreadsheets would open up blank etc. I just recently moved my org to Nextcloud 23 and see the new developments with Nextcloud Office taking up the entire browser window instead of the weird IFraming they were doing, which means I'll probably have to find the good working combo and stick with that for a while.

NC 24 looks appealing though even though I am going to try to hold off for a while - the new file ACLs reorganization looks like it will reduce confusion for users.

joergmschulz commented 2 years ago

The extra parameters are a copy of what I had using the COOL image; I don't know yet whether all are necessary or whether it's my NC traefik configuration that makes things work out. As I am using the latest tiredofit image for NC, you should be able to make Collabora work as well.

Yes, the COOL integration is very good now in NC23. For a while, I've built my own COOL images (which currently isn't working for spreadsheets), but when they dropped the user num / files-open num limitations I returned to COOL, just to be positively surprised by the integration of the CSS. Performance improved as well. When you move to the COOL image, look at the --o:welcome.enable=false parameter ;-)

NC: It's not the best idea to hold back releases - they come twice a year and NC is quick to obsolete old releases. But, as we have seen with 23.0.x, the dot-zero and dot-one releases aren't always perfect.

joergmschulz commented 2 years ago

re: similar: They're mainly yours :-)

joergmschulz commented 2 years ago

Documentation for the new way of adding multiple hosts (domain1, domain2) is here: https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html

tiredofit commented 2 years ago

With 2.4.0 I have switched to using the new alias groups. I have not yet tested to see if regex works; however, I am using absolute names. My environment value is: https://sub1.domain.tld,https://sub2.domain.tld,https://sub3.domain.tld

We can further enhance it in future if necessary. I also pinned it to a tagged release which seems to resolve all the weird document loading issues we were having.

I nearly pulled my hair out trying to find Track Changes this morning after finding out they removed the Hamburger Icon - FWIW it's under the Review Tab when using Notebookbar :)
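As an added illustration of the two config shapes discussed in this thread (the comma-separated ALLOWED_HOSTS value above and the alias_groups stanza from the first comment), here is a small Python script that turns such a list into a mode="groups" stanza with one group per host, and checks whether a given WOPI host URL would be admitted by it. This is not code from the docker-collabora-online project or from Collabora; the function names and the exact-match rule (one scheme://host:port per host element, no wildcard expansion, as the thread reports for hosts) are assumptions of the example.

```python
"""Generate a coolwsd.xml alias_groups stanza from a comma-separated host list.

Added example, not part of tiredofit/docker-collabora-online. It assumes the
input form used in the thread (https://sub1.domain.tld,https://sub2.domain.tld,...),
one absolute URL per WOPI host, and emits one <group> per host in mode="groups".
The helper names (build_alias_groups, is_wopi_host_allowed) are hypothetical.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_host(url: str) -> str:
    """Return scheme://host:port with an explicit port, the form used in the stanza."""
    parts = urlsplit(url.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"expected scheme://host[:port], got {url!r}")
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return f"{parts.scheme}://{parts.hostname}:{port}"


def build_alias_groups(allowed_hosts: str) -> ET.Element:
    """Build <alias_groups mode="groups"> with one <group> per listed host.

    Each host gets its own group, so every listed WOPI server is allowed
    independently; the default 'first' mode would admit only the first one.
    """
    root = ET.Element("alias_groups", mode="groups")
    for entry in allowed_hosts.split(","):
        if not entry.strip():
            continue  # tolerate trailing commas or blank entries
        group = ET.SubElement(root, "group")
        host = ET.SubElement(group, "host", desc="hostname to allow or deny.", allow="true")
        host.text = normalize_host(entry)
    return root


def allowed_wopi_hosts(root: ET.Element) -> set:
    """Collect every host the stanza allows (allow="true")."""
    return {h.text for h in root.iter("host") if h.get("allow") == "true"}


def is_wopi_host_allowed(root: ET.Element, url: str) -> bool:
    """Exact match on scheme://host:port; wildcards are not expanded for hosts."""
    return normalize_host(url) in allowed_wopi_hosts(root)


def render(root: ET.Element) -> str:
    """Pretty-print the stanza the way it would be pasted into coolwsd.xml."""
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample value in the same shape as the one quoted in the thread.
    sample = "https://sub1.domain.tld,https://sub2.domain.tld:8443,https://sub3.domain.tld"
    stanza = build_alias_groups(sample)
    print(render(stanza))
    for candidate in ("https://sub1.domain.tld", "http://sub1.domain.tld", "https://sub4.domain.tld"):
        print(candidate, "->", "allowed" if is_wopi_host_allowed(stanza, candidate) else "denied")
```

The check deliberately treats scheme and port as part of the identity, so http://sub1.domain.tld is not admitted by an https entry; that matches how the host elements in the stanza are written and is the behaviour a reviewer would want to confirm before trusting a regex-style ALLOWED_HOSTS value.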

joergmschulz commented 2 years ago

Will check out and test that one after Easter. Great job again. If I understood the doc and the discussion on the Collabora forum correctly, wildcards will not work for the domains currently, but only for the aliases (if cloud1...cloud7.domain.tld point to the same WOPI instance). But this can be a misunderstanding...

tiredofit commented 2 years ago

I'll give it a go too over the next few days to see what is up - I have a very dirty hack in mind to make regex work out of the box instead of relying on the tags, e.g.:

Make one host tag, attach aliases in the manner I was using earlier via comma separation: `host1.domain.tld,host2.domain.tld,*.domain.com`. So the first grouping would be fake and it would only rely on the aliases themselves. Going to wait and see how Collabora finalizes theirs before acting on it.

joergmschulz commented 1 year ago

This has long been resolved by the use of the ALLOWED_HOSTS environment variable.