Collabora with reverseproxy not working after upgrade to Nextcloud 23 #1904

Closed
michag86 opened this issue Dec 8, 2021 · 30 comments

@michag86
Contributor

michag86 commented Dec 8, 2021

Steps to reproduce

  1. set up collabora as described here: https://nextcloud.com/collaboraonline/ (I set up the reverse proxy on the same domain as nextcloud, but nextcloud is in a subfolder)
  2. try to open a document

Expected behaviour

document opens

Actual behaviour

got 404 for request:

POST https://mydomain.com/browser/15dc78e/cool.html?WOPISrc=https://mydomain.com/nextcloud/index.php/apps/richdocuments/wopi/files/1453442_5181209720c29&title=test.xlsx&lang=de&closebutton=1&revisionhistory=1

maybe this is related to #1895

Server configuration

Server configuration detail

Operating system: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64

Webserver: Apache (fpm-fcgi)

Database: mysql 10.3.32

PHP version: 7.4.3

Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, cgi-fcgi, mysqlnd, PDO, xml, apcu, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, exif, mysqli, pdo_mysql, pdo_sqlite, apc, posix, readline, shmop, SimpleXML, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, Phar, Zend OPcache

Nextcloud version: 23.0.0 - 23.0.0.10

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array ( )

List of activated apps

Enabled:

  • accessibility: 1.9.0
  • activity: 2.15.0
  • admin_audit: 1.13.0
  • calendar: 3.0.1
  • circles: 23.0.0
  • cloud_federation_api: 1.6.0
  • comments: 1.13.0
  • contacts: 4.0.6
  • contactsinteraction: 1.4.0
  • dashboard: 7.3.0
  • dav: 1.21.0
  • deck: 1.6.0
  • federatedfilesharing: 1.13.0
  • federation: 1.13.0
  • files: 1.18.0
  • files_markdown: 2.3.5
  • files_pdfviewer: 2.4.0
  • files_rightclick: 1.2.0
  • files_sharing: 1.15.0
  • files_trashbin: 1.13.0
  • files_versions: 1.16.0
  • files_videoplayer: 1.12.0
  • groupfolders: 11.1.0
  • logreader: 2.8.0
  • lookup_server_connector: 1.11.0
  • mail: 1.11.0
  • maps: 0.1.9
  • nextcloud_announcements: 1.12.0
  • notifications: 2.11.1
  • oauth2: 1.11.0
  • password_policy: 1.13.0
  • photos: 1.5.0
  • previewgenerator: 3.4.0
  • privacy: 1.7.0
  • provisioning_api: 1.13.0
  • recommendations: 1.2.0
  • richdocuments: 4.1.2
  • serverinfo: 1.13.0
  • settings: 1.5.0
  • sharebymail: 1.13.0
  • spreed: 13.0.0
  • support: 1.6.0
  • survey_client: 1.11.0
  • suspicious_login: 4.1.0
  • systemtags: 1.13.0
  • text: 3.4.0
  • theming: 1.14.0
  • twofactor_backupcodes: 1.12.0
  • twofactor_email: 2.1.1
  • twofactor_nextcloud_notification: 3.3.1
  • twofactor_totp: 6.2.0
  • updatenotification: 1.13.0
  • user_status: 1.3.1
  • viewer: 1.7.0
  • weather_status: 1.3.0
  • workflowengine: 2.5.0

Disabled:

  • announcementcenter
  • bruteforcesettings
  • documentserver_community
  • encryption
  • extract
  • files_external
  • files_fulltextsearch
  • firstrunwizard
  • fulltextsearch
  • fulltextsearch_elasticsearch
  • onlyoffice
  • polls
  • ransomware_protection
  • sharerenamer
  • user_ldap
Configuration (config/config.php)

{
"instanceid": "REMOVED SENSITIVE VALUE",
"passwordsalt": "REMOVED SENSITIVE VALUE",
"datadirectory": "REMOVED SENSITIVE VALUE",
"dbtype": "mysql",
"version": "23.0.0.10",
"dbname": "REMOVED SENSITIVE VALUE",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbtableprefix": "oc_",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"installed": true,
"loglevel": 3,
"forcessl": true,
"theme": "",
"maintenance": false,
"trusted_domains": [
"darkvoice.dyndns.org",
"ms07.de"
],
"mail_smtpmode": "smtp",
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpsecure": "ssl",
"mail_smtpauth": 1,
"mail_smtpname": "REMOVED SENSITIVE VALUE",
"mail_smtppassword": "REMOVED SENSITIVE VALUE",
"logtimezone": "Europe/Berlin",
"log_authfailip": true,
"secret": "REMOVED SENSITIVE VALUE",
"overwrite.cli.url": "https://ms07.de/nc",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "465",
"appstore.experimental.enabled": true,
"trashbin_retention_obligation": "60, 180",
"updater.release.channel": "stable",
"htaccess.RewriteBase": "/nc/",
"memcache.local": "\OC\Memcache\APCu",
"simpleSignUpLink.shown": false,
"log_rotate_size": 104857600,
"mysql.utf8mb4": true,
"defaultapp": "files",
"preview_max_x": 2048,
"preview_max_y": 2048,
"default_phone_region": "DE"
}

Cron Configuration: Array ( [backgroundjobs_mode] => cron [lastcron] => 1638981301 )

External storages: files_external is disabled

Encryption: no

User-backends:

OC\User\Database

Talk configuration:

STUN servers

stun.nextcloud.com:443

TURN servers

turn:ms07.de:5349 - udp,tcp

Signaling servers (mode: internal):

no custom server configured

Browser: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0

@maurerle

maurerle commented Dec 12, 2021

Seems like /loleaflet has been renamed to /browser and lool to cool in the latest Collabora version.
That's why you are getting a 404 error: the reverse-proxy configuration is outdated.

But after changing this, I still got an error using the docker code image and NC23 until I deleted my browser cache.

Keep in mind that the ws configuration for /cool/*/ws must be before the config for /cool.

Apache:

ProxyPass           /browser https://127.0.0.1:9980/browser
ProxyPassReverse    /browser https://127.0.0.1:9980/browser

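# Main websocket (uses the renamed /cool path; must come before the generic /cool rule)
ProxyPassMatch "/cool/(.*)/ws$" wss://127.0.0.1:9980/cool/$1/ws nocanon

# Admin Console websocket (renamed from /lool/adminws)
ProxyPass   /cool/adminws wss://127.0.0.1:9980/cool/adminws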

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /cool https://127.0.0.1:9980/cool
ProxyPassReverse    /cool https://127.0.0.1:9980/cool

Nginx:

    location ^~ /browser {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

   # main websocket
   location ~ ^/cool/(.*)/ws$ {
       proxy_pass https://localhost:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

   # download, presentation and image upload
   location ~ ^/(c|l)ool {
       proxy_pass https://localhost:9980;
       proxy_set_header Host $http_host;
   }

   # Admin Console websocket
   location ^~ /cool/adminws {
       proxy_pass https://localhost:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

It's working now again, yay!
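
The 404 from the report and the ordering rule in the comment above can be checked with a small model of nginx location selection. This is an added example, not code from the thread or from nginx; `OLD_CONFIG` is constructed from the pre-rename names mentioned above, the request URIs are constructed in the shape of those on this page, and normalization is simplified (no `.`/`..` handling).

```python
import re
from urllib.parse import unquote


def normalize(uri):
    """Path nginx matches locations against: query stripped, %XX decoded, slashes merged."""
    path = unquote(uri.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)


def select_location(locations, uri):
    """Pick a handler the way nginx does: exact match, then longest prefix
    (final if marked ^~), then regexes in config order, then the longest prefix."""
    path = normalize(uri)
    best_prefix = None
    for modifier, pattern, handler in locations:
        if modifier == "=" and path == pattern:
            return handler
        if modifier in ("", "^~") and path.startswith(pattern):
            if best_prefix is None or len(pattern) > len(best_prefix[1]):
                best_prefix = (modifier, pattern, handler)
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix[2]  # ^~ suppresses the regex phase
    for modifier, pattern, handler in locations:
        if modifier in ("~", "~*"):
            flags = re.IGNORECASE if modifier == "~*" else 0
            if re.search(pattern, path, flags):
                return handler  # first matching regex wins
    return best_prefix[2] if best_prefix else None


# Constructed: a pre-rename config using the old /loleaflet and /lool names.
OLD_CONFIG = [
    ("^~", "/loleaflet", "static"),
    ("~", r"^/lool/(.*)/ws$", "main-ws"),
    ("~", r"^/lool", "download"),
    ("^~", "/lool/adminws", "admin-ws"),
]

# The location blocks from the comment above, in the order posted.
NEW_CONFIG = [
    ("^~", "/browser", "static"),
    ("~", r"^/cool/(.*)/ws$", "main-ws"),
    ("~", r"^/(c|l)ool", "download"),
    ("^~", "/cool/adminws", "admin-ws"),
]

# Same blocks, but with the generic regex listed before the websocket regex.
MISORDERED = [NEW_CONFIG[0], NEW_CONFIG[2], NEW_CONFIG[1], NEW_CONFIG[3]]

# Constructed sample requests (placeholder file id and token).
WOPI = ("https%3A%2F%2Fmydomain.com%2Fnextcloud%2Findex.php%2Fapps"
        "%2Frichdocuments%2Fwopi%2Ffiles%2F1_sample")
REQUESTS = {
    "editor page": "/browser/15dc78e/cool.html?WOPISrc=" + WOPI,
    "document websocket": "/cool/" + WOPI + "%3Faccess_token%3DSAMPLE/ws?WOPISrc="
                          + WOPI + "&compat=/ws",
    "admin websocket": "/cool/adminws",
    "legacy convert-to": "/lool/convert-to",
}


def route_table(locations):
    """Map each sample request to the handler that would serve it (None = no proxy block)."""
    return {name: select_location(locations, uri) for name, uri in REQUESTS.items()}


if __name__ == "__main__":
    for label, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG), ("misordered", MISORDERED)):
        print(label)
        for name, handler in route_table(cfg).items():
            print(f"  {name:20} -> {handler}")
```

With the old names, no proxy block claims `/browser/...`, so the request falls through to the rest of the server configuration; with the misordered config, the document websocket lands in the block that sets no `Upgrade` headers.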

@drudgede

@maurerle just a little hint, according to the official documentation, the matching location for download, presentation and image upload is now ^/(c|l)ool, so the correct block in the nginx config file is:

 # download, presentation and image upload
 location ~ ^/(c|l)ool {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

@maurerle

Thanks, I updated my comment above, so that it is correct if someone else copies from it.

I never found the official documentation you provided. The nextcloud documentation https://nextcloud.com/collaboraonline/ gives you the old apache config, a link to an old blog post for nginx config and a broken link to the collabora online official documentation.
That's really a pity and describes the bad communication of the changed config.

Besides that, the new richdocuments runs very well. If LibreOffice Calc would get the feature to create sortable tables like Excel does, I could probably stop using Excel at all.

@LunaSquee

@maurerle just a little hint, according to the official documentation, the matching location for download, presentation and image upload is now ^/(c|l)ool, so the correct block in the nginx config file is:

 # download, presentation and image upload
 location ~ ^/(c|l)ool {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

Thank you! This fixed the issue for me, I was unaware of the changes until now

@grickard

grickard commented Dec 25, 2021

I'm unable to get Collabora Online (5.0.1) working even after updating my Apache config to match what @maurerle posted above and clearing my cache. I have pulled the latest Collabora container. This error is showing up in my console:

Firefox can’t establish a connection to the server at wss://office.mync.com/cool/https%3A%2F%2Fmync.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F492740_ocjunr5ybph8%3Faccess_token%3DT6ybm6DUDXQtnNKDZrsdvm9sF50xrTbn%26access_token_ttl%3D0/ws?WOPISrc=https%3A%2F%2Fmy.sptcloud.net%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F492740_ocjunr5ybph8&compat=/ws.

If I query collabora using curl -k https://localhost:9980 I get 'Ok'

@drudgede

drudgede commented Dec 25, 2021

@grickard
What happens if you are running a2enmod proxy proxy_http proxy_connect proxy_wstunnel (being root or using sudo is required) and afterwards using this Apache2 config (inserted into the corresponding <VirtualHost> block) as given in the docs?

 AllowEncodedSlashes NoDecode
 SSLProxyEngine On
 ProxyPreserveHost On


 # cert is issued for collaboraonline.example.com and we proxy to localhost
 SSLProxyVerify None
 SSLProxyCheckPeerCN Off
 SSLProxyCheckPeerName Off


 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser https://127.0.0.1:9980/browser retry=0
 ProxyPassReverse    /browser https://127.0.0.1:9980/browser


 # WOPI discovery URL
 ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      wss://127.0.0.1:9980/cool/$1/ws nocanon


 # Admin Console websocket
 ProxyPass           /cool/adminws wss://127.0.0.1:9980/cool/adminws


 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool https://127.0.0.1:9980/cool
 ProxyPassReverse    /cool https://127.0.0.1:9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool https://127.0.0.1:9980/cool
 ProxyPassReverse    /lool https://127.0.0.1:9980/cool

@zynexiz

zynexiz commented Dec 25, 2021

Have the same issue here, after upgrading to 23.0.0 it stopped working. Just upgraded to Collabora Online v5.0.1 and hoped the issue would have been fixed, apparently not. Says it can't load Nextcloud Office.

Running Arch Linux (in a VM), Apache and Collabora service (not CODE). Using Apache proxy, and it's set up as stated in the documents. Everything seems to be running as it should, but Nextcloud can't load it.

[EDIT] The demo server works, but neither built-in code or standalone server works.


@drudgede

Are there any logs of the Collabora service? With docker, you can read them with docker logs containerName, e.g. docker logs collabora (the actual container name is shown when running docker ps in the names column).
I'm not sure where logs are located if Collabora was not installed using docker.

By the way, I remember that I had a similar problem where I had to completely restart docker instead of restarting the container only.

@zynexiz

zynexiz commented Dec 25, 2021

I get some errors, mainly "WOPI::CheckFileInfo failed" for some reason. I don't use docker, have the server installed from AUR package collabora-online-server-nodocker. Messed around with tons of different solutions, and also removed Collabora app for NextCloud and cleaned the database. No luck.

wsd-302861-302874 2021-12-25 17:36:27.589093 +0100 [ websrv_poll ] ERR  Skipping the token [--co-image-logo=url('/core/img/logo/logo.png?v=21')] since it has more than one '=' pair| wsd/FileServerUtil.cpp:156
wsd-302861-302874 2021-12-25 17:36:27.589137 +0100 [ websrv_poll ] ERR  Skipping the token [--co-image-logo=url(https://mydomain.org/index.php/apps/theming/image/logo?v=21)] since it has more than one '=' pair| wsd/FileServerUtil.cpp:156
wsd-302861-303004 2021-12-25 17:36:27.794151 +0100 [ docbroker_003 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:718
wsd-302861-303004 2021-12-25 17:36:27.794237 +0100 [ docbroker_003 ] ERR  Socket #27 SSL BIO error: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (0: Success)| ./net/SslSocket.hpp:348
wsd-302861-303004 2021-12-25 17:36:27.794267 +0100 [ docbroker_003 ] ERR  Error while handling poll for socket #27 at 0 in HttpSynReqPoll: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version| net/Socket.cpp:468
wsd-302861-303004 2021-12-25 17:36:27.794319 +0100 [ docbroker_003 ] ERR  WOPI::CheckFileInfo failed for URI [https://mydomain.org/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294?access_token=qQi2y801E2bXUQcOEAIQB8LitUAZQkhR&access_token_ttl=0]: 0 . Headers:   Body: []| wsd/Storage.cpp:690
wsd-302861-303004 2021-12-25 17:36:27.794347 +0100 [ docbroker_003 ] ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1913
wsd-302861-303004 2021-12-25 17:36:27.794357 +0100 [ docbroker_003 ] ERR  Failed to add session to [/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294] with URI [https://mydomain.org/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294?access_token=qQi2y801E2bXUQcOEAIQB8LitUAZQkhR&access_token_ttl=0]: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1875
wsd-302861-303004 2021-12-25 17:36:27.794367 +0100 [ docbroker_003 ] ERR  Storage error while starting session on /index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294 for socket #19. Terminating connection. Error: WOPI::CheckFileInfo failed: | wsd/COOLWSD.cpp:3690
wsd-302861-303004 2021-12-25 17:36:27.794404 +0100 [ docbroker_003 ] WRN  Ignoring attempted read from 19| ./net/Socket.hpp:1095
wsd-302861-303004 2021-12-25 17:36:27.794411 +0100 [ docbroker_003 ] ERR  Invalid or unknown session [01a] to remove.| wsd/DocumentBroker.cpp:1956
wsd-302861-302874 2021-12-25 17:36:28.082286 +0100 [ websrv_poll ] WRN  DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294] that is marked to be destroyed. Rejecting client request.| wsd/COOLWSD.cpp:2277
wsd-302861-302874 2021-12-25 17:36:28.082422 +0100 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294].| wsd/COOLWSD.cpp:3719
wsd-302861-302874 2021-12-25 17:36:28.082446 +0100 [ websrv_poll ] ERR  #26: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1381
wsd-302861-302874 2021-12-25 17:36:28.082467 +0100 [ websrv_poll ] ERR  #26: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1381
wsd-302861-302874 2021-12-25 17:36:28.082470 +0100 [ websrv_poll ] WRN  Socket #26 is shutting down but 64 bytes couldn't be flushed and still remain in the output buffer.| ./net/WebSocketHandler.hpp:771
wsd-302861-302874 2021-12-25 17:36:28.082489 +0100 [ websrv_poll ] ERR  #26: attempted to remove: 936 which is > size: 0 clamped to 0| ./net/Socket.hpp:1210
wsd-302861-302874 2021-12-25 17:36:28.082509 +0100 [ websrv_poll ] WRN  Ignoring attempted read from 26| ./net/Socket.hpp:1095
wsd-302861-302874 2021-12-25 17:36:28.082513 +0100 [ websrv_poll ] ERR  #26: Socket write returned -1 (EPIPE: Broken pipe)| ./net/Socket.hpp:1381
wsd-302861-302874 2021-12-25 17:36:28.337278 +0100 [ websrv_poll ] WRN  DocBroker with docKey [/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294] that is marked to be destroyed. Rejecting client request.| wsd/COOLWSD.cpp:2277
wsd-302861-302874 2021-12-25 17:36:28.337430 +0100 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed

Checking the link itself (https://mydomain.org/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294?access_token=qQi2y801E2bXUQcOEAIQB8LitUAZQkhR&access_token_ttl=0) that seems to fail, I get data from it.

{"BaseFileName":"test.odt","Size":0,"Version":"0","UserId":"admin","OwnerId":"admin","UserFriendlyName":"Admin","UserExtraInfo":{"avatar":"https:\/\/mydomain.org\/index.php\/avatar\/admin\/32"},"UserCanWrite":true,"UserCanNotWriteRelative":false,"PostMessageOrigin":"https:\/\/mydomain.org\/","LastModifiedTime":"2021-12-12T14:29:07.000000Z","SupportsRename":true,"UserCanRename":true,"EnableInsertRemoteImage":true,"EnableShare":true,"HideUserList":"","DisablePrint":false,"DisableExport":false,"DisableCopy":false,"HideExportOption":false,"HidePrintOption":false,"DownloadAsPostMessage":false}

Also see this in apache error log, not sure if it's related to the issue.

[Sat Dec 25 17:36:27.556585 2021] [ssl:error] [pid 298852:tid 140212331591232] [client 192.168.2.176:37786] AH02032: Hostname mydomain.org provided via SNI and hostname office.mydomain.org provided via HTTP have no compatible SSL setup

@zynexiz

zynexiz commented Dec 25, 2021

Found the problem that has haunted me for weeks now, I forced the connection to use TLSv1.3. This is why I got the socket error in the logs. Adding TLSv1.2 in Apache config made it work! Feels a bit odd because I don't use SSL to coolwsd itself, so it shouldn't be an issue, but it apparently was.

SSLProtocol -all +TLSv1.3 +TLSv1.2

[EDIT] Just noticed I just needed to add TLSv1.2 on the NextCloud virtual host config, not in the coolwsd reverse proxy part. NextCloud itself works with just TLSv1.3, but not in combination with Collabora Online.
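
The correlation made in the two comments above (an `SSL BIO error ... alert protocol version` line directly before `WOPI::CheckFileInfo failed` on the same thread) can be automated when triaging coolwsd logs. This is an added example, not part of the thread or of Collabora's code; the log-line layout is inferred from the excerpt posted above, the sample lines are abridged from it with the access token replaced by a placeholder, and the last sample failure is constructed.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the excerpt: proc-pid-tid date time tz [ thread ] LVL msg| file:line
LINE_RE = re.compile(
    r"^(?P<proc>\w+)-(?P<pid>\d+)-(?P<tid>\d+) "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) [+-]\d{4} "
    r"\[ (?P<thread>\S+) \] (?P<level>[A-Z]+)\s+(?P<msg>.*?)\|\s*(?P<src>\S+:\d+)$"
)
TOKEN_RE = re.compile(r"(access_token=)[^&\s\]]+")
CHECKFILEINFO_RE = re.compile(r"WOPI::CheckFileInfo failed for URI \[([^\]]+)\]")
TLS_ERR_RE = re.compile(r"SSL BIO error: (.+)")

# Sample input: first four lines abridged from the thread (token replaced),
# the fifth line is constructed, the sixth is a line cut off mid-message.
SAMPLE_LOG = """\
wsd-302861-303004 2021-12-25 17:36:27.794151 +0100 [ docbroker_003 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:718
wsd-302861-303004 2021-12-25 17:36:27.794237 +0100 [ docbroker_003 ] ERR  Socket #27 SSL BIO error: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version (0: Success)| ./net/SslSocket.hpp:348
wsd-302861-303004 2021-12-25 17:36:27.794319 +0100 [ docbroker_003 ] ERR  WOPI::CheckFileInfo failed for URI [https://mydomain.org/index.php/apps/richdocuments/wopi/files/174560_oc9u11yp5294?access_token=SAMPLETOKEN&access_token_ttl=0]: 0 . Headers:   Body: []| wsd/Storage.cpp:690
wsd-302861-303004 2021-12-25 17:36:27.794347 +0100 [ docbroker_003 ] ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:1913
wsd-302861-303010 2021-12-25 17:40:02.100000 +0100 [ docbroker_004 ] ERR  WOPI::CheckFileInfo failed for URI [https://mydomain.org/index.php/apps/richdocuments/wopi/files/174561_oc9u11yp5294?access_token=SAMPLETOKEN&access_token_ttl=0]: 0 . Headers:   Body: []| wsd/Storage.cpp:690
wsd-302861-302874 2021-12-25 17:36:28.337430 +0100 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed
"""


def parse_line(line):
    """Return the fields of one coolwsd log line, or None if it is truncated or malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def triage(log_text, window=timedelta(seconds=1)):
    """For every CheckFileInfo failure, report whether a TLS error on the same
    thread id preceded it within `window`. URIs are returned with the WOPI
    access token redacted so the findings can be shared."""
    last_tls_error = {}  # thread id -> (timestamp, error text)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tls = TLS_ERR_RE.search(rec["msg"])
        if tls:
            last_tls_error[rec["tid"]] = (rec["ts"], tls.group(1).strip())
            continue
        failed = CHECKFILEINFO_RE.search(rec["msg"])
        if not failed:
            continue
        cause, detail = "unknown", ""
        previous = last_tls_error.get(rec["tid"])
        if previous and rec["ts"] - previous[0] <= window:
            detail = previous[1]
            # "alert protocol version" means no TLS version was common to both ends
            cause = "tls-protocol-version" if "alert protocol version" in detail else "tls-other"
        findings.append({
            "thread": rec["thread"],
            "uri": TOKEN_RE.sub(r"\1REDACTED", failed.group(1)),
            "cause": cause,
            "detail": detail,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["thread"], finding["cause"], finding["uri"])
```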

@grickard

@drudgede Thanks for the response. My proxy config already matches the vhost definition you have specified. I went ahead and rechecked that all the Apache modules were enabled. What actually fixed it for me was changing the Protocol to TLSv1.2 as per @zynexiz. Collabora is functioning as it should now.


@dginhoux

Hi,

The same issue.

I use a simple configuration, traefik as edge RP and a docker stack with nextcloud-fpm (with caddy) and collabora. Both services are published through https with separate subdomain names.
In my case, Traefik adds the necessary CSP header for frame and ancestors.

Everything has been fine for a few years now, and upgraded at each release ... at this time I use docker image nextcloud 22.2.3 and collabora 21.11.1.1.1.

In nextcloud, in the richdocuments settings, I use the published url of collabora.

Just upgraded to nextcloud 23.0.0 and collabora is broken and can't downgrade nextcloud.

I'm searching how to get log or something else.

@Yetangitu

For those bit by this problem I suggest to enable the hexify_embedded_urls option in coolwsd.conf, like so:

        ...
        <hexify_embedded_urls default="false" desc="Enable to protect encoded URLs from getting decoded by intermediate hops. Particularly useful on Azure deployments" type="bool">true</hexify_embedded_urls>
        ...

The problem, at least in my installation, is that nginx decodes the embedded url in the initial websocket connection which makes the location pattern fail. Enabling hexify_embedded_urls (which seems to be made for this problem) works around this issue.

@dginhoux

I just disable and remove the plugin.
Stop the nc stack (nc, collabora, redis, pg).
Clear all my used browsers caches and everything.
Flush the redis "cache".
Start the nc stack (nc, collabora, redis, pg).

Reconnect one browser on NC and install the plugin
Configure the plugin with the public URL (my collabora is published like NC on a subdomain through the traefik RP).

Return to the files and open an existing excel file....
I'm waiting and turning 5 times around my chair, I eat cookies and !!! Collabora Excel online is working !

I try a few starts/stops of my stack, many browsers and from many places to be sure it's working.
And : It's working.

Note : my docker images are NC 23.0.0.0 (plugin collaboraonline is 5.0.1) and Collabora is 21.11.1.1.1

@Samonitari

Samonitari commented Jan 27, 2022

Well, I presume there are at least two problems with my setup, and one seems to be the current app for Nextcloud 23.

  1. General info
    1.1. I can reach hosting/discovery and hosting/capabilities of my installed coolwsd (openSUSE packages)
    1.2. Furthermore, I have correct cool locations in my nginx reverse proxy settings
    1.3. SSL disabled, SSL termination enabled in coolwsd.xml
    1.4. This VPS's domain and nextcloud's subdomain are added to storage.wopi.host list with allow=true. Another VPS's domain (see point 3.) is also added there
    1.5. Generally done everything according to the quite lacking documentation (e.g.: SSL termination setting as I recall is nowhere mentioned...)
  2. On the same VPS, with Nextcloud 23.0.0 and richdocuments app 5.0.1:
    2.1. I can connect to coolwsd in Office settings, if I give localhost:9980 as the server
    2.2. I cannot connect through the reverse proxy: office settings doesn't eat the (subdomain) URL
    2.3. I can view documents on desktop browsers if I leave the settings as localhost (checked from multiple IPs, browsers)
    2.4. I cannot view documents from mobile
  3. On another VPS, running Nextcloud 22.2.3 and richdocuments app 4.2.3
    3.1. I can connect to coolwsd of the aforementioned setup through URL! (obviously, localhost connection doesn't apply here)
    3.2. I can also view documents from desktop browsers
    3.3. Mobile browsers also fail
    3.4. If I use its own collabora with its subdomain URL (nginx reverse-proxies it to docker container-ed, older, loolwsd here), mobile Firefox, Nextcloud mobile app, generally everything seems to work fine
  4. On the original (NC 23) VPS, with office settings directed to the second VPS's domain (still on loolwsd)
    4.1 Can connect from any client, all is well again.

I did the hexify=true change, the clear/reinstall @dginhoux did, explicitly stated I want TLSv1.3 or TLSv1.3 in both the main and nextcloud subdomain's nginx server block, created redirects from lool to cool, toggled coolwsd.xml settings back and forth: I am on the edge of looking for a sacrificial animal 😅
Judging by the fact that with 4.2.3 I can connect with URL, but with 5.0.1 I cannot use URL just localhost, I presume some nasty bug snuck into the latter (for which the testing seems inadequate - connection stuff is the base of functionality).
Mobile (browser and nextcloud app) issue seems to be another thing...

@Yetangitu

Yetangitu commented Jan 27, 2022

Look in your browser's inspector->Network and inspector->Console which connections are failing; in my case it was the websocket connection. Once you know which connection fails, try to open such a connection from the command line by using "Copy as curl" (on the culprit in the Network tab) and executing the command while keeping an eye on the log (either daemon.log or a specific cool log, depending on how you configured logging in coolwsd.xml). You should see which connections make it to the daemon and which don't. For connections which don't make it to the daemon, try to edit the path in such a way that it does make it there. Once you have an idea of which connection patterns work and which cause it to fail, it should be possible to find the problem. The 5.x series of the richdocuments app encodes connection paths differently from the 4.x series; this was what caused the nginx location pattern to fail. I have no idea whether you're looking at a similar problem but it is worth giving it a try, seeing as how I got it to work here.

This is the relevant section of my nginx config:

# cat /etc/nginx/snippets/coolwsd.conf
    # static files
    location ^~ /browser {
        proxy_pass http://example.org:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://example.org:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://example.org:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/cool/(.*)/ws {
        proxy_pass http://example.org:9980;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_buffering off;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    # we accept 'lool' to be backward compatible
    location ~ ^/(c|l)ool {
        proxy_pass http://example.org:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /cool/adminws {
        proxy_pass http://example.org:9980;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_buffering off;
        proxy_read_timeout 36000s;
    }

And, in coolwsd.xml, relevant sections:

...
	<server_name default="" desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string">example.org</server_name>
...
	<hexify_embedded_urls default="false" desc="Enable to protect encoded URLs from getting decoded by intermediate hops. Particularly useful on Azure deployments" type="bool">true</hexify_embedded_urls>
...

@Emporea

Emporea commented Feb 11, 2022

I still have this problem. I can't get it to work and I am also

on the edge of looking for a sacrificial animal

I am running the 6 container nextcloud fpm, database, nginx, cron and redis and collabora.
All of that behind a nginx-proxy with letsencrypt acme container and docker gen.

I can reach collabora via browser and get an OK.
When trying to set it up in the richdocuments config it just loads for a minute and fails. I tried so much, regarding loolwsd (apparently called coolwsd now), adding some custom location settings to the nginx proxy, different docker environmental commands like Virtual_Proto, loolwsd ssl termination etc. I am done. I have been doing multiple attempts at researching / trial and error for about a year now. I always abandon my desire of getting collabora to work because I get so frustrated after 2 hours.

What can I try?..

@dginhoux

A 5.0.2 version of the richdocuments app was released yesterday... Not tried yet.

@Samonitari

Samonitari commented Feb 11, 2022

Judging by the fact that with 4.2.3 I can connect with URL, but with 5.0.1 I cannot use URL just localhost, I presume some nasty bug snuck into the latter (for which the testing seems inadequate - connection stuff is the base of functionality). Mobile (browser and nextcloud app) issue seems to be another thing...

Turns out, I was SOOO wrong. Not to say there isn't any bug in Collabora app, but that was on me, excuse me for my accusation.

I forgot to include the IPv6 listen [::] in Nginx, and I left my desktop Firefox with disabled IPv6 and my workplace VPN also only supports IPv4. It works fine now.

@Emporea

Emporea commented Feb 11, 2022

Right now I am not able to use ipv6. Can someone confirm that this issue (or at least one of the issues) resolves by enabling ipv6?

@cryptomilk

I have resolved the issue with the documentation since quite some time now. The problem for me is that the client gets disconnected every few seconds. This makes it impossible to write anything.

wsd-00001-00559 2022-04-04 14:01:44.872385 +0000 [ docbroker_01f ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00559 2022-04-04 14:01:44.989088 +0000 [ docbroker_01f ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00029 2022-04-04 14:01:50.792416 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:2762
wsd-00001-00581 2022-04-04 14:01:51.034268 +0000 [ docbroker_020 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00581 2022-04-04 14:01:51.170684 +0000 [ docbroker_020 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:722
wsd-00001-00029 2022-04-04 14:01:57.066150 +0000 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/COOLWSD.cpp:2762

It looks like the client gets disconnected or disconnects every few seconds.

@VVD

VVD commented Aug 3, 2022

Don't know if it is related.
Fresh install Collabora Online 22.05.4.1-1 on Ubuntu 22.04.
Nextcloud 24.0.3, PostgreSQL 12.11, Just installed Nextcloud Office 6.1.31, PHP 7.4.30 - installed on FreeBSD 12.3 amd64.
Error in nextcloud.log:

[richdocuments] Ошибка: Doctrine\DBAL\Exception\InvalidFieldNameException: An exception occurred while executing a query: SQLSTATE[42703]: Undefined column: 7 ОШИБКА:  столбец "template_destination" в таблице "oc_richdocuments_wopi" не существует
LINE 1: ...ersion","canwrite","server_host","token","expiry","template_...
                                                             ^ at <<closure>>

 0. /opt/nextcloud/3rdparty/doctrine/dbal/src/Connection.php line 1780
    Doctrine\DBAL\Driver\API\PostgreSQL\ExceptionConverter->convert()
 1. /opt/nextcloud/3rdparty/doctrine/dbal/src/Connection.php line 1719
    Doctrine\DBAL\Connection->handleDriverException()
 2. /opt/nextcloud/3rdparty/doctrine/dbal/src/Statement.php line 193
    Doctrine\DBAL\Connection->convertExceptionDuringQuery()
 3. /opt/nextcloud/lib/private/DB/PreparedStatement.php line 87
    Doctrine\DBAL\Statement->execute()
 4. /opt/nextcloud/lib/public/AppFramework/Db/Mapper.php line 252
    OC\DB\PreparedStatement->execute()
 5. /opt/nextcloud/lib/public/AppFramework/Db/Mapper.php line 127
    OCP\AppFramework\Db\Mapper->execute()
 6. /opt/nextcloud/apps/richdocuments/lib/Db/WopiMapper.php line 91
    OCP\AppFramework\Db\Mapper->insert()
 7. /opt/nextcloud/apps/richdocuments/lib/TokenManager.php line 203
    OCA\Richdocuments\Db\WopiMapper->generateFileToken()
 8. /opt/nextcloud/apps/richdocuments/lib/Controller/DocumentController.php line 207
    OCA\Richdocuments\TokenManager->getToken("*** sensitive parameters replaced ***")
 9. /opt/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\DocumentController->index()
10. /opt/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
11. /opt/nextcloud/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
12. /opt/nextcloud/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
13. /opt/nextcloud/lib/base.php line 1023
    OC\Route\Router->match()
14. /opt/nextcloud/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/index?fileId=155373&requesttoken=Epm2FaeG7avrwat2ZU81VYp0IFiAan8%2B9ayJ4ATC2CY%3D%3ARP%2F8IP%2FCnvmfteBZL3x3Pe0fUTywOzcGgtzkuVeXs1E%3D&path=%2FDocuments%2FWelcome%20to%20Nextcloud%20Hub.docx
from _IP_ by _USERNAME_ at 2022-08-03T12:38:31+00:00

After ALTER TABLE oc_richdocuments_wopi ADD template_destination bigint; this error disappears, but I still can't open documents and there is nothing in the logs.
Looks like here: #1904 (comment).

Tried to save "URL (and Port) of Collabora Online-server":
Saved with error: Collabora Online should use the same protocol as the server installation.
But the URL was saved.

Fixed this with: coolconfig set ssl.termination true

So it works now for me. But anyway, it needs a fix when creating the table oc_richdocuments_wopi - column template_destination.

@Raudius
Contributor

Raudius commented Oct 3, 2022

Hi, thanks for the report.

GitHub is not the ideal place to track configuration issues. I am in the process of cleaning up the repository to keep only the relevant issues (bugs, security issues and feature requests).

Here you can find some resources which should allow you to fix your issue:

@Raudius Raudius closed this as completed Oct 3, 2022
@ftoledo

ftoledo commented Oct 18, 2022

NC 24
Firefox 106
Nextcloud office 6.3
Docker collabora/code:latest
nginx 1.18
debian 11

I get this issue, can it be a regression??

Found the problem that has haunted me for weeks now, I forced the connection to use TLSv1.3. This is why I got the socket error in the logs. Adding TLSv1.2 in Apache config made it work! Feels a bit odd because I don't use SSL to coolwsd itself, so it shouldn't be an issue, but it apparently was.

SSLProtocol -all +TLSv1.3 +TLSv1.2

[EDIT] Just noticed I just needed to add TLSv1.2 on the NextCloud virtual host config, not in the coolwsd reverse proxy part. NextCloud itself works with just TLSv1.3, but not in combination with Collabora Online.

I tested it on nginx without luck.

@albjeremias

albjeremias commented Oct 19, 2022

I'm experiencing the same issue, documented here: #752 (comment)

I'm sure it's a regression, because I'm using Ansible for setting up the reverse proxy... and the old version and new version are failing. Anyway, there should be a guide to troubleshoot this issue more easily...

@drhirn

drhirn commented Mar 16, 2023

Just solved my "document loading failed" too by disabling TLS1.3 (HTTP/3). When using TLS1.2 (HTTP/2) everything is working fine.
Is there any news on this?

edit: This is only needed when using the built-in CODE server. When running an external Collabora server, everything is fine with TLS1.3.

@ftoledo

ftoledo commented Mar 16, 2023

Nothing related to TLS, security or permissions.
I solved it by changing the order of the config blocks in nginx. I put the websockets stanzas first, then the PHP settings.

Unfortunately I don't have the link of who was the author of the solution at hand (that guy saved my life) (I think he was on stackoverflow)


@overflow-ITA

I solved the problem by setting the DNS of the Collabora server (CentOS 8) in /etc/hosts to 127.0.0.1 collabora.domain.tld
I use HAProxy for SSL termination, with Collabora SSL disabled and termination enabled, and nginx uses a port for HAProxy different from 443 (in my case 8080) without SSL.
I use a different port on nginx because otherwise I couldn't open /browser/dist/admin/ properly with HAProxy SSL off. Now everything works perfectly.

@Geolle

Geolle commented May 11, 2023

Found the problem that has haunted me for weeks now, I forced the connection to use TLSv1.3. This is why I got the socket error in the logs. Adding TLSv1.2 in Apache config made it work! Feels a bit odd because I don't use SSL to coolwsd itself, so it shouldn't be an issue, but it apparently was.

SSLProtocol -all +TLSv1.3 +TLSv1.2

[EDIT] Just noticed I just needed to add TLSv1.2 on the NextCloud virtual host config, not in the coolwsd reverse proxy part. NextCloud itself works with just TLSv1.3, but not in combination with Collabora Online.

Thank you, first I followed your advice, changed my protocol to http2, but it doesn't work, still got this error:

wsd-00001-00118 2023-05-11 09:57:55.151259 +0000 [ docbroker_009 ] ERR  WOPI::CheckFileInfo failed for URI [https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt?access_token=ub0WSauWUBB0Tg2Oh5lkd5Hqb9dqPIuh&access_token_ttl=1683835073000&permission=edit]: 403 Forbidden. Headers:         Server: nginx /       Date: Thu, 11 May 2023 09:57:55 GMT /   Content-Type: application/json; charset=utf-8 /         Content-Length: 2 /   Connection: keep-alive /        Referrer-Policy: no-referrer /  X-Content-Type-Options: nosniff /     X-Frame-Options: SAMEORIGIN /   X-Permitted-Cross-Domain-Policies: none /       X-Robots-Tag: noindex, nofollow /     X-XSS-Protection: 1; mode=block /       X-Powered-By: PHP/8.1.18 /      Set-Cookie: ocvjhnb3z7kt=45e45d032c0b18254ac367c905ef223b; path=/; secure; HttpOnly; SameSite=Lax /   Expires: Thu, 19 Nov 1981 08:52:00 GMT /      Cache-Control: no-cache, no-store, must-revalidate /    Pragma: no-cache /      Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' /      X-Request-Id: FYUKnprHIvs5rfd38kh8 /  Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' /         Body: [[]]| wsd/Storage.cpp:695
wsd-00001-00118 2023-05-11 09:57:55.151487 +0000 [ docbroker_009 ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt?access_token=ub0WSauWUBB0Tg2Oh5lkd5Hqb9dqPIuh&access_token_ttl=1683835073000&permission=edit| wsd/DocumentBroker.cpp:2457
wsd-00001-00118 2023-05-11 09:57:55.151544 +0000 [ docbroker_009 ] ERR  Failed to add session to [https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt] with URI [https://hotname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt?access_token=ub0WSauWUBB0Tg2Oh5lkd5Hqb9dqPIuh&access_token_ttl=1683835073000&permission=edit]: Access denied, 403. WOPI::CheckFileInfo failed on: https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt?access_token=ub0WSauWUBB0Tg2Oh5lkd5Hqb9dqPIuh&access_token_ttl=1683835073000&permission=edit| wsd/DocumentBroker.cpp:2419
wsd-00001-00118 2023-05-11 09:57:55.151588 +0000 [ docbroker_009 ] ERR  Unauthorized Request while starting session on https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt for socket #31. Terminating connection. Error: Access denied, 403. WOPI::CheckFileInfo failed on: https://hostname/index.php/apps/richdocuments/wopi/files/725_ocvjhnb3z7kt?access_token=ub0WSauWUBB0Tg2Oh5lkd5Hqb9dqPIuh&access_token_ttl=1683835073000&permission=edit| wsd/COOLWSD.cpp:4936
sh: 1: /usr/bin/coolmount: Operation not permitted
wsd-00001-00118 2023-05-11 09:57:55.169859 +0000 [ docbroker_009 ] ERR  #29: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1151
wsd-00001-00118 2023-05-11 09:57:55.169922 +0000 [ docbroker_009 ] WRN  #29: Unassociated Kit (117) disconnected unexpectedly| wsd/COOLWSD.cpp:3426
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted
sh: 1: /usr/bin/coolmount: Operation not permitted

Then I emptied the "Allow list for WOPI requests" setting in the Nextcloud admin Office settings, and it works. It turns out this setting can cause this 403 problem. I think TLSv1.2 helps, and the "Allow list for WOPI requests" setting also needs to be set right.
The "Allow list for WOPI requests" setting should be set to the Docker network subnet; for me it is 10.255.0.0/16.
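
Why the allow list can turn WOPI::CheckFileInfo into a 403, as an added example that is not part of the comment above or of the richdocuments code: it checks the source address Nextcloud would see for the Collabora callback against the allow list. It assumes the setting is a comma-separated list of IPs and CIDR subnets and that an empty list allows every host; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress


def parse_allow_list(raw):
    """Turn 'ip,cidr,...' into network objects; a bare IP becomes a /32 or /128."""
    networks = []
    for entry in raw.split(","):
        entry = entry.strip()
        if entry:
            # strict=False tolerates host bits being set, e.g. 10.255.0.5/16
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def wopi_request_allowed(remote_addr, raw_allow_list):
    """True if a WOPI request from remote_addr passes the allow list."""
    networks = parse_allow_list(raw_allow_list)
    if not networks:
        # Assumption: an empty list means no restriction, which matches
        # the comment's observation that emptying the setting fixed the 403.
        return True
    addr = ipaddress.ip_address(remote_addr)
    # A dual-stack listener may report an IPv4 peer as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)


def explain(raw_allow_list, candidates):
    """Map each labelled source address to 'allowed' or '403'."""
    return {
        label: "allowed" if wopi_request_allowed(ip, raw_allow_list) else "403"
        for label, ip in candidates.items()
    }


# Constructed sample addresses: the same Collabora server as seen from outside,
# from inside the Docker network, and through a dual-stack socket.
CANDIDATES = {
    "public IP of the Collabora host": "203.0.113.10",
    "container address on the Docker network": "10.255.0.7",
    "container address, IPv4-mapped": "::ffff:10.255.0.7",
}

if __name__ == "__main__":
    for allow_list in ("203.0.113.10", "10.255.0.0/16", ""):
        print(repr(allow_list), explain(allow_list, CANDIDATES))
```

The address to put on the list is the one that appears as the client of the `/wopi/files/` requests in the Nextcloud web server's access log, which behind Docker or a reverse proxy is often not the address the Collabora hostname resolves to.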
