Latest Nextcloud/Collabora cannot open documents. #21

Closed
CodeMouse92 opened this issue Feb 2, 2017 · 35 comments

@CodeMouse92

CodeMouse92 commented Feb 2, 2017

I just upgraded my Nextcloud server from 10.3 to 11.0.1, by way of 11.0. All went well, and then I updated the Collabora Office app and pulled down the latest Collabora docker...all following Nextcloud's official instructions.

Now I can't open files in Collabora Office.

Steps to reproduce

  1. Ensure Collabora, Nextcloud, and the Collabora app are up to date. Also ensure Documents is NOT enabled.
  2. Try to open an .odt file via the web interface.

Expected behaviour

The document should open.

Actual behaviour

On Nextcloud, I get "Well, this is embarrassing, we cannot connect to your document. Please try again."
This is true of any file I open, even a newly created one.

On the docker logs for Collabora (sudo docker logs th3d0ck3rpr0c3ssid), I see multiple copies of the following (with an actual token instead of [SCRUBBED], of course):

wsd-00026-0029 01:21:19.366410 [ client_req_hdl ] WRN  WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00026-0030 01:21:20.182984 [ client_ws_0019 ] ERR  Unknown resource: /lool/https://nextcloud.mousepawmedia.net/index.php/apps/richdocuments/wopi/files/1694_ock4jvyh706l%3Faccess_token=[SCRUBBED]&access_token_ttl=0&permission=edit/ws| wsd/LOOLWSD.cpp:1223

Server configuration

Operating system: Ubuntu 16.04 LTS 64-bit Server

Web server: LAMP

Database: mysql Ver 14.14 Distrib 5.7.17, for Linux (x86_64)

PHP version: PHP 5.6.30-1+deb.sury.org~xenial+1 (cli)

Nextcloud version: 11.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated from 11.0, which itself was a manual update from 10.3.

Where did you install Nextcloud from: Manual install from .ZIP originally, automatic updates to 10.3. (Everything worked to this point.) Manual upgrade from .zip for 10.3 -> 11.0.0. Automatic upgrade tool for 11.0.0 -> 11.0.1.

Signing status:

No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.4.1
  - admin_audit: 1.1.0
  - apporder: 0.3.3
  - comments: 1.1.0
  - dav: 1.1.1
  - federatedfilesharing: 1.1.1
  - files: 1.6.1
  - files_accesscontrol: 1.1.2
  - files_pdfviewer: 1.0.1
  - files_sharing: 1.1.1
  - files_texteditor: 2.2
  - files_trashbin: 1.1.0
  - files_versions: 1.4.0
  - files_videoplayer: 1.0.0
  - firstrunwizard: 2.0
  - gallery: 16.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.0
  - notifications: 1.0.1
  - password_policy: 1.1.0
  - provisioning_api: 1.1.0
  - richdocuments: 1.1.25
  - serverinfo: 1.1.1
  - sharebymail: 1.0.1
  - survey_client: 0.1.5
  - systemtags: 1.1.3
  - theming: 1.1.1
  - twofactor_backupcodes: 1.0.0
  - updatenotification: 1.1.1
  - user_ldap: 1.1.1
  - workflowengine: 1.1.1
Disabled:
  - bookmarks
  - encryption
  - external
  - federation
  - files_automatedtagging
  - files_external
  - files_retention
  - templateeditor
  - user_external
  - user_saml

The content of config/config.php:

Config report
{
    "system": {
        "instanceid": "ock4jvyh706l",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "nextcloud.mousepawmedia.net"
        ],
        "datadirectory": "\/opt\/nextcloud\/data",
        "overwrite.cli.url": "https:\/\/nextcloud.mousepawmedia.net",
        "dbtype": "mysql",
        "version": "11.0.1.2",
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "UTC",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "hawksnest",
        "mail_smtpmode": "smtp",
        "mail_domain": "mousepawgames.com",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "gator3102.hostgator.com",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance": false,
        "mail_smtpsecure": "ssl",
        "appstore.experimental.enabled": true,
        "loglevel": 2,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

Are you using external storage, if yes which one: NO

Are you using encryption: NO

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config
+-------------------------------+--------------------------------------------------------------------------------------+
| Configuration                 |                                                                                      |
+-------------------------------+--------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      |                                                                                      |
| hasPagedResultSupport         |                                                                                      |
| homeFolderNamingRule          |                                                                                      |
| lastJpegPhotoLookup           | 0                                                                                    |
| ldapAgentName                 |                                                                                      |
| ldapAgentPassword             | ***                                                                                  |
| ldapAttributesForGroupSearch  |                                                                                      |
| ldapAttributesForUserSearch   |                                                                                      |
| ldapBackupHost                |                                                                                      |
| ldapBackupPort                |                                                                                      |
| ldapBase                      | ou=Users, dc=ldap, dc=mousepawmedia, dc=net                                          |
| ldapBaseGroups                | ou=Groups, dc=ldap, dc=mousepawmedia, dc=net                                         |
| ldapBaseUsers                 | ou=Users, dc=ldap, dc=mousepawmedia, dc=net                                          |
| ldapCacheTTL                  | 600                                                                                  |
| ldapConfigurationActive       | 1                                                                                    |
| ldapDynamicGroupMemberURL     |                                                                                      |
| ldapEmailAttribute            | mail                                                                                 |
| ldapExperiencedAdmin          | 0                                                                                    |
| ldapExpertUUIDGroupAttr       |                                                                                      |
| ldapExpertUUIDUserAttr        |                                                                                      |
| ldapExpertUsernameAttr        |                                                                                      |
| ldapGroupDisplayName          | cn                                                                                   |
| ldapGroupFilter               |                                                                                      |
| ldapGroupFilterGroups         |                                                                                      |
| ldapGroupFilterMode           | 0                                                                                    |
| ldapGroupFilterObjectclass    |                                                                                      |
| ldapGroupMemberAssocAttr      | uniqueMember                                                                         |
| ldapHost                      | localhost                                                                            |
| ldapIgnoreNamingRules         |                                                                                      |
| ldapLoginFilter               | (&(|(objectclass=posixAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid)))) |
| ldapLoginFilterAttributes     |                                                                                      |
| ldapLoginFilterEmail          | 1                                                                                    |
| ldapLoginFilterMode           | 0                                                                                    |
| ldapLoginFilterUsername       | 1                                                                                    |
| ldapNestedGroups              | 0                                                                                    |
| ldapOverrideMainServer        |                                                                                      |
| ldapPagingSize                | 500                                                                                  |
| ldapPort                      | 389                                                                                  |
| ldapQuotaAttribute            |                                                                                      |
| ldapQuotaDefault              |                                                                                      |
| ldapTLS                       | 0                                                                                    |
| ldapUserDisplayName           | cn                                                                                   |
| ldapUserDisplayName2          | sn                                                                                   |
| ldapUserFilter                | (|(objectclass=posixAccount))                                                        |
| ldapUserFilterGroups          |                                                                                      |
| ldapUserFilterMode            | 0                                                                                    |
| ldapUserFilterObjectclass     | posixAccount                                                                         |
| ldapUuidGroupAttribute        | auto                                                                                 |
| ldapUuidUserAttribute         | auto                                                                                 |
| turnOffCertCheck              | 0                                                                                    |
| turnOnPasswordChange          | 0                                                                                    |
| useMemberOfToDetectMembership | 1                                                                                    |
+-------------------------------+--------------------------------------------------------------------------------------+

Client configuration

Browser: Vivaldi

Operating system: Ubuntu 16.04 LTS 64-bit

Logs

Web server error log

[Wed Feb 01 17:02:02.195599 2017] [authz_core:error] [pid 2326] [client 192.168.254.15:40636] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:02:09.377073 2017] [authz_core:error] [pid 3984] [client 192.168.254.15:40642] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:07:58.118941 2017] [authz_core:error] [pid 4055] [client 192.168.254.15:40858] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:08:15.404360 2017] [authz_core:error] [pid 2328] [client 192.168.254.15:40872] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:14:04.886810 2017] [proxy:warn] [pid 4013] [client 192.168.254.15:41004] AH01144: No protocol handler was valid for the URL /lool/adminws. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Wed Feb 01 17:14:52.350296 2017] [authz_core:error] [pid 4013] [client 192.168.254.15:41036] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:14:56.437057 2017] [authz_core:error] [pid 2329] [client 192.168.254.15:41030] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:20:35.390297 2017] [authz_core:error] [pid 2330] [client 192.168.254.15:41166] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata
[Wed Feb 01 17:20:39.853842 2017] [authz_core:error] [pid 2326] [client 192.168.254.15:41168] AH01630: client denied by server configuration: /opt/nextcloud/data/.ocdata

Nextcloud log (data/nextcloud.log)

Nextcloud log
{"reqId":"WJJs6H8AAQEAAHAN2LAAAAAF","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:04+00:00","method":"GET","url":"\/ocs\/v2.php\/apps\/notifications\/api\/v2\/notifications","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtA38AAQEAAHAyPKUAAAAK","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:31+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=organization","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtE38AAQEAAHAzOwYAAAAL","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:47+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=social","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtFX8AAQEAAHDCcyIAAAAI","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:50+00:00","method":"GET","url":"\/index.php\/settings\/apps\/list?category=enabled","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtGn8AAQEAAHALfPQAAAAB","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:55+00:00","method":"GET","url":"\/index.php","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJJtHX8AAQEAAHAO39gAAAAH","remoteAddr":"192.168.254.15","app":"PHP","message":"Class 'OCA\\Richdocuments\\AppInfo\\Application' not found at \/opt\/nextcloud\/apps\/richdocuments\/appinfo\/app.php#28","level":3,"time":"2017-02-01T23:19:57+00:00","method":"GET","url":"\/index.php","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJKCqX8AAQEAABZfU8EAAAAE","remoteAddr":"192.168.254.15","app":"core","message":"Login failed: 'b99b5cd8-35af-1036-9f7c-e1f2a57c2622' (Remote IP: '192.168.254.15')","level":2,"time":"2017-02-02T00:51:54+00:00","method":"POST","url":"\/index.php\/login\/confirm","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
{"reqId":"WJKGJn8AAQEAAA@up48AAAAL","remoteAddr":"192.168.254.15","app":"core","message":"Login failed: 'b99b5cd8-35af-1036-9f7c-e1f2a57c2622' (Remote IP: '192.168.254.15')","level":2,"time":"2017-02-02T01:06:49+00:00","method":"POST","url":"\/index.php\/login\/confirm","user":"b99b5cd8-35af-1036-9f7c-e1f2a57c2622","version":"11.0.1.2"}
@CodeMouse92
Author

CodeMouse92 commented Feb 2, 2017

FIXED! There were changes in Collabora CODE 2.0 updates 2. The following changes have to be made in the Apache proxy configuration for Collabora.

  1. Change AllowEncodedSlashes On to AllowEncodedSlashes NoDecode

  2. Change ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws to ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

This information needs to be updated on Nextcloud's instructions.

@nephilim75

nephilim75 commented Feb 3, 2017

Hello

great news. But do you know how to get it fixed for nginx users?

    ### Collabora
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # websockets, download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }

Kind regards
//neph

@CodeMouse92
Author

I don't know, directly. I've never used nginx.

However, I do know the breakdown of the changes to Apache2's configuration. If you can figure out the equivalents, you can solve the rest.

  1. The websocket proxy now must have the nocanon option turned on for Apache2 mod_proxy. From the docs...

Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this and passes the URL path "raw" to the backend. Note that this keyword may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.

You would need to find the nginx equivalent of this behavior for your websocket proxy.

  2. On Apache2, we need to use the AllowEncodedSlashes NoDecode option. For info on the nginx equivalent behavior, see this StackOverflow question.

I hope that helps, and all the best! Please post the solution here if you find it.

@dwaynehulsman

dwaynehulsman commented Feb 3, 2017

I have the same issue on Caddy but haven't been able to figure out how to resolve this issue yet.

proxy /loleaflet https://127.0.0.1:9980 {
    proxy_header Host $http_host
    transparent
    websocket
}

proxy /hosting/discovery https://127.0.0.1:9980 {
    proxy_header Host $http_host
    transparent
    websocket
}

proxy /lool https://127.0.0.1:9980 {
    proxy_header Upgrade $http_upgrade
    proxy_header Connection "upgrade"
    proxy_header Host $http_host
    transparent
    websocket
}

@CodeMouse92
Author

I did a bit of research, and both Apache2 changes relate to the same principle - the new version of Collabora requires slashes to NOT be encoded. Take a look at this nginx bug report. Still doing some digging.
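
Added example (not part of the thread, and not Collabora's or Nextcloud's code): a Python model of why both Apache changes come down to leaving the request path untouched. The document URL travels as one percent-encoded segment between /lool/ and /ws, so a proxy that decodes it produces the "Unknown resource" path seen in the docker log. The host name, file id, token, allow-list and the simplified backend parser are assumptions made for illustration.

```python
"""Added illustration: effect of proxy path handling on the /lool/<doc>/ws URL."""
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed sample values (placeholders, not taken from the issue).
WOPI_SRC = ("https://nextcloud.example.com/index.php/apps/richdocuments"
            "/wopi/files/1694_instanceid")
QUERY = "access_token=TOKEN_PLACEHOLDER&access_token_ttl=0&permission=edit"

# Assumption: hosts the backend is willing to fetch documents from.
ALLOWED_WOPI_HOSTS = {"nextcloud.example.com"}


def client_request_path(wopi_src: str, query: str) -> str:
    """Path the browser requests: the document URL is ONE encoded segment."""
    return "/lool/" + quote(f"{wopi_src}?{query}", safe="") + "/ws"


def proxy_canonicalising(path: str) -> str:
    """Model of a proxy that decodes the path and re-encodes it before
    forwarding: %2F and %3A come out as literal '/' and ':', while '?'
    is escaped again as %3F."""
    return quote(unquote(path), safe="/:=&")


def proxy_raw(path: str) -> str:
    """Model of AllowEncodedSlashes NoDecode plus nocanon: forwarded as received."""
    return path


def backend_parse(path: str):
    """Simplified stand-in for the backend's routing (an assumption, not
    loolwsd's code): accept exactly /lool/<encoded-document-url>/ws, then
    decode and validate the embedded URL itself, because the proxy no
    longer normalises anything on the way in."""
    parts = path.split("/")
    if len(parts) != 4 or parts[:2] != ["", "lool"] or parts[3] != "ws":
        raise ValueError("Unknown resource: " + path)
    doc = urlsplit(unquote(parts[2]))
    if doc.scheme != "https" or doc.hostname not in ALLOWED_WOPI_HOSTS:
        raise PermissionError("WOPI host not allowed: " + str(doc.hostname))
    return f"{doc.scheme}://{doc.netloc}{doc.path}", parse_qs(doc.query)


def demo():
    """Send the same client request through both proxy models."""
    path = client_request_path(WOPI_SRC, QUERY)
    results = {}
    for name, proxy in (("canonicalising", proxy_canonicalising),
                        ("raw", proxy_raw)):
        forwarded = proxy(path)
        try:
            results[name] = ("ok", backend_parse(forwarded))
        except ValueError as exc:
            results[name] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Since the raw pass-through switches off the proxy's own normalisation, keep it scoped to the websocket ProxyPassMatch rule and rely on the backend's validation of the decoded document URL, as the allow-list check does here.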

@CodeMouse92
Author

CodeMouse92 commented Feb 3, 2017

Collabora just posted the updated nginx configuration instructions. These should work, so cross check them with yours.

server {
    listen       443 ssl;
    server_name  collabora.example.com;

    ssl_certificate /path/to/ssl_certificate;
    ssl_certificate_key /path/to/ssl_certificate_key;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }
}

@nephilim75

I found this as well but it is not working either.

@CodeMouse92
Author

@nephilim75, what does your new configuration file look like?

@pezi

pezi commented Feb 13, 2017

I have the same problem - this is the nginx configuration file of my VM with a public IP. The reverse proxy points to the docker container running inside another VM via private IP.

server {
   listen myip:443;

   server_name  office.my.domain;

   ssl_certificate /etc/letsencrypt/live/office.my.domain/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/office.my.domain/privkey.pem;

  location ^~ /loleaflet {
       proxy_pass https://192.168.123.200:9980;
       proxy_set_header Host $http_host;
   }

   # WOPI discovery URL
   location ^~ /hosting/discovery {
       proxy_pass https://192.168.123.200:9980;
       proxy_set_header Host $http_host;

   }

   # Main websocket
   location ~ /lool/(.*)/ws$ {
       proxy_pass https://192.168.123.200:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

   # Admin Console websocket
   location ^~ /lool/adminws {
       proxy_pass https://192.168.123.200:9980;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
       proxy_set_header Host $http_host;
       proxy_read_timeout 36000s;
   }

   # download, presentation and image upload
   location ^~ /lool {
       proxy_pass https://192.168.123.200:9980;
       proxy_set_header Host $http_host;
   }

}

@nephilim75

nephilim75 commented Feb 13, 2017

Here is mine:

configuration
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sub.domain.com;

    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/sub.domain.com/dhparam.pem;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav { return 301
     $scheme://$host/remote.php/dav; }
    location = /.well-known/caldav { return 301
     $scheme://$host/remote.php/dav; }

    location /.well-known/acme-challenge { }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~
    ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }

    # Spreed WebRTC
    location ^~ /webrtc {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_buffering             on;
        proxy_ignore_client_abort   off;
        proxy_redirect              off;
        proxy_connect_timeout       90;
        proxy_send_timeout          90;
        proxy_read_timeout          90;
        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;
        proxy_next_upstream         error timeout invalid_header http_502 http_503 http_504;
    }

    # Collabora Online
    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ^~ /lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }
}


Kind regards
//neph

@milan475

I'm having the same issue using the above nginx configuration:

screen shot 2017-02-13 at 18 56 24

screen shot 2017-02-13 at 18 57 07

@ttr

ttr commented Feb 17, 2017

@milan475 You are probably using aufs (and/or an old kernel) in docker, which possibly will not work - it's failing to set up privileged caps.
I got rid of this issue by updating the kernel to 4.7 and the storage driver to overlay.

@methuselah-0

I'm having the same issues with the updated nginx configuration: "Well, this is embarrassing, we cannot connect to your document." I'm using the overlay2 storage driver for docker on Debian Testing, php7. The docker logs are:

wsd-00027-0028 13:26:16.769784 [ client_req_hdl ] WRN WOPI host did not pass optional access_token_ttl| wsd/FileServer.cpp:255
wsd-00027-0029 13:26:21.269433 [ client_ws_0005 ] ERR ClientRequestHandler::handleClientRequest: BadRequestException: Invalid or unknown request.| wsd/LOOLWSD.cpp:1240

There was a supposed temporary "solution" here but it didn't work for me.

Alright, I seem to have figured out some voodoo that works on my end.

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud...
  3. Click "OK" on "Well, this is embarrassing, we cannot connect to your document. Please try again."
  4. Click "OK" on "Service is unavailable. Please try again later and report to your administrator if the issue persists."
  5. Keep going back to step 3 until you finally get "Failed to load the document. Please ensure the file type is supported and not corrupted, and try again."
  6. Click "OK" and exit to Files.
  7. Restart Docker itself (the service, not just the image).
  8. Profit.

Why this works, I have no idea but it has worked three times in a row for me. I hope it'll help someone else and, ultimately, I hope it provides a clue needed to address the problem.

It's not a real "Solution" but I'll mark this as solved for now.

I also tried asking about setting the nginx equivalents of the nocanon and AllowEncodedSlashes options on #nginx freenode but to no avail.

@kuchlbauer1

Hi!
I'm encountering an "Access denied" error when trying to exit a shared document (NC 11.0.2 on Ubuntu 16.04 LTS). Where can I find the "Apache proxy configuration for Collabora" mentioned by TO to change the setting there? Sorry, I'm quite new to Linux...
Any help appreciated, thanks!!
Ben

@methuselah-0

@kuchlbauer1

Thanks, methuselah-0,

I added the proxy as explained in your links, but to no avail.
I'm not using docker though, just a plain Ubuntu 16.04 LTS with NextCloud installed and Collabora AddOn enabled. When I try to edit a document in NC, it still says "Access denied". :-/
Would I have to use docker to make it work?
Thanks!

@methuselah-0

kuchlbauer1 yes, either Docker or install from source. You can check out linuxbabe's tutorial for it, it's pretty neat and for Ubuntu and apache. https://www.linuxbabe.com/cloud-storage/integrate-collabora-online-server-nextcloud-ubuntu-16-04

@kuchlbauer1

Dear methuselah-0, thanks for the link, that seems to be a feasible way to do it. I will try that, the instructions seem to be very detailed :-)
Thanks!

@joekerna

I tried linuxbabe's instructions and still get the error mentioned above. I'm using Nginx. Has anyone had success using their Apache setup?

@methuselah-0

methuselah-0 commented Mar 28, 2017

joekerna I'm using nginx and it works for me. In a separate subdomain.conf file in the server block I have location statements like this, which work. Then in the Collabora Online App page in the admin section of the cloud I have in the URL bar: https://subdomain.mydomain.tld:9980, which works for me.
You could perhaps also check that you have added your collabora domain in loolwsd.xml for allowed domains.

@joekerna

I forgot the port in my url in the admin section. Now I get

Access forbidden

That's a new error I can search for...

@joekerna

joekerna commented Mar 29, 2017

@methuselah-0 I've added my domain to loolwsd.xml inside my docker. Sadly the problem persists

@methuselah-0

methuselah-0 commented Mar 29, 2017

joekerna: sorry, I got confused with your post and kuchlbauer1, who isn't using the docker version. I couldn't make it work with nginx for docker, so I switched to installing lool from source instead, which has the added benefit of not being limited to 10 documents. However, if you want to try and fix your config, I think CodeMouse92's post earlier on this page gave the correct hints about solving it. The second modification to the conf file was about using Apache's NoDecode option in nginx, and my attempt at it looked something like below, but it didn't work for me, possibly because of not setting the nocanon option:

    location ^~ /loleaflet {
        if ($request_uri ~* "/path/(.*)") {
            proxy_pass http://localhost:9980/$1;
            proxy_set_header Host $http_host;
        }
    }

It really might be better to just switch to apache or building from source (which I did) instead of sinking a lot of time into this docker version.

@joekerna

joekerna commented Apr 3, 2017

I've switched to Apache and built it from source... I still can't open documents. I think I'll have to give up...

@methuselah-0

joekerna, did you build libreoffice online, or the docker collabora image? You might wanna see the full guide provided here: https://help.nextcloud.com/t/howto-install-onlineoffice-on-ubuntu-debian-no-docker-no-limitation/8958
Or I made my own install script that works with nginx, here: https://github.com/methuselah-0/nextcloud-suite.sh

gabor-udvari added a commit to gabor-udvari/richdocuments that referenced this issue Apr 8, 2017
A lot of users are getting an uninformative Access Forbidden page after
using the official setup instructions like in nextcloud#21. Logging and showing
the actual exception will help troubleshooting these issues.
@gabor-udvari
Contributor

@joekerna, if you get an Access Forbidden page, there is most probably an unhandled exception in the background. You can get it displayed like in #37. For me the exception was the following:

Message: cURL error 60: SSL certificate problem: unable to get local issuer certificate

I am using Let's Encrypt certs, so I needed to download the root certs and update my store. Richard Bairwells's blogpost has the commands. The Access Forbidden error with Apache is now solved for me.

@felixhummel

@nephilim75

Here is what worked for me (based on https://stackoverflow.com/a/20514632):

  location / {
    include proxy.conf;
    proxy_pass http://127.0.0.1:9980/;
  }
  location ^~ /lool {
    proxy_pass http://127.0.0.1:9980$request_uri;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
  }

Note the http://127.0.0.1:9980$request_uri for /lool.
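
A way to check, from the loolwsd log, whether the proxy in front of it altered the websocket path, and to blank out access tokens before a log line is pasted into a report. This is an added example, not code from the thread or from the project; the function names are hypothetical, the sample line is constructed, and it assumes the document URL is meant to reach loolwsd as a single percent-encoded segment between `/lool/` and `/ws`.

```python
import re
from urllib.parse import unquote

# loolwsd line layout: <id> <time> [ <thread> ] <LEVEL> <message>| <file>:<line>
LOG_LINE = re.compile(
    r"^(?P<id>wsd-\S+)\s+(?P<time>\S+)\s+\[\s*(?P<thread>\S+)\s*\]\s+"
    r"(?P<level>[A-Z]{3})\s+(?P<msg>.*)\|\s*(?P<src>\S+):(?P<line>\d+)$"
)
# Same shape as the websocket location regex used in nginx configs on this page.
WS_PATH = re.compile(r"^/lool/(?P<doc>.*)/ws$")
# Token value after "access_token=" (raw) or "access_token%3D" (still encoded).
TOKEN = re.compile(r"(access_token(?:=|%3D))[^&%|/\s]+", re.IGNORECASE)
# Constructed sample line: host and token are placeholders, not real values.
SAMPLE = (
    "wsd-00026-0030 01:21:20.182984 [ client_ws_0019 ] ERR  Unknown resource: "
    "/lool/https://cloud.example.com/index.php/apps/richdocuments/wopi/files/1_abc"
    "%3Faccess_token=CONSTRUCTEDTOKEN&access_token_ttl=0&permission=edit/ws| wsd/LOOLWSD.cpp:1223"
)


def redact(text):
    """Blank out access_token values so a line can be pasted into a report."""
    return TOKEN.sub(r"\1[REDACTED]", text)


def classify_ws_path(path):
    """Is the document URL in /lool/<doc>/ws still one percent-encoded segment?"""
    m = WS_PATH.match(path)
    if not m:
        return "not-a-websocket-path"
    doc = m.group("doc")
    if "/" in doc:  # a raw slash means %2F was decoded before loolwsd saw it
        return "decoded-in-transit"
    if unquote(doc).startswith(("http://", "https://")):
        return "intact"
    return "unrecognised"


def triage(line):
    """Return (level, finding, redacted message) for one log line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    msg, prefix = m.group("msg"), "Unknown resource: "
    finding = classify_ws_path(msg[len(prefix):]) if msg.startswith(prefix) else None
    return m.group("level"), finding, redact(msg)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `decoded-in-transit` finding points at the reverse proxy rather than at Nextcloud or the container.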

@ferdiga

ferdiga commented Sep 16, 2018

I just upgraded the nextcloud collabora app to 2.0.13 and nextcloud couldn't open any files in collabora.
restart of nextcloud and collabora server didn't solve the problem.

I found this "crazy" solution here - may be completely irrelevant too.

https://help.nextcloud.com/t/failure-please-ensure-the-file-type-is-supported-and-not-corrupted/8031/3

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud…
  3. Click “OK” on “Well, this is embarrassing, we cannot connect to your document. Please try again.”
  4. Click “OK” on “Service is unavailable. Please try again later and report to your administrator if the issue persists.”
  5. Keep going back to step 3 until you finally get “Failed to load the document. Please ensure the file type is supported and not corrupted, and try again.”
  6. Click “OK” and exit to Files.
  7. Restart Docker itself (the service, not just the image).

@daylicron

I just upgraded the nextcloud collabora app to 2.0.13 and nextcloud couldn't open any files in collabora.
restart of nextcloud and collabora server didn't solve the problem.

I found this "crazy" solution here - may be completely irrelevant too.

https://help.nextcloud.com/t/failure-please-ensure-the-file-type-is-supported-and-not-corrupted/8031/3

  1. Run the Docker image as normal
  2. Keep trying to open docs on Nextcloud…
  3. Click “OK” on “Well, this is embarrassing, we cannot connect to your document. Please try again.”
  4. Click “OK” on “Service is unavailable. Please try again later and report to your administrator if the issue persists.”
  5. Keep going back to step 3 until you finally get “Failed to load the document. Please ensure the file type is supported and not corrupted, and try again.”
  6. Click “OK” and exit to Files.
  7. Restart Docker itself (the service, not just the image).

OMG, thank you so much. I wasted one and a half hours on this. Restarting the docker service did the trick!

@juliushaertl
Member

All issues discussed in here seem to be either related to the server setup or caused by a non-functional docker container. Please head over to the forum for further setup questions, as this is just the issue tracker for the Nextcloud integration of Collabora Online.

@hifihedgehog

If you check out the forums, many users have been having this issue ongoing for months now. This issue is not resolved and it leaves a bad taste in everyone's mouths. No one has been able to get an answer for this, so I am suggesting this remain open until such time as this is resolved.

@dagli

dagli commented May 7, 2019

any progress in this issue?

@ttr

ttr commented May 24, 2019

This is still an issue?
I had this issue close to 2 years ago, and a wipe of the docker container and re-checking the config did help it.
It might help someone, so I will leave here how it's set up for me:

Docker:
collabora/code:latest, with

env "domain=your\\.nextcloud\\.domain"

port mapping of 127.0.0.1:9980:9980, and capacity added MKNOD
Nginx config (taken from the Nextcloud website, and I found out that I did miss some things; only the configs related to Collabora, but have a look into the docs to see the rest of it):

    # static files
    location ^~ /loleaflet {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

and in Nextcloud the URL is protocol://your.nextcloud.domain
(no trailing slash).

Now, if your website is in mixed content (http and https), this will possibly cause issues, so please set up https all the way.

Hope this will help someone.

@fabian727

fabian727 commented Aug 5, 2021

I had similar problems: I could see the icons of "File" ... but not click them. The document wasn't opened and I hung in a loop of connecting to Collabora...
this link: https://www.linuxbabe.com/cloud-storage/integrate-collabora-online-server-nextcloud-ubuntu
helped me.
It is needed to modify /etc/hosts with your.domain.com to the external IP addr of the server (not 127.0.0.1). I think it's worth mentioning in the tutorials...

And yes I know this issue is old

@borgue95

I know it's late, but I've encountered the same problem. I've enabled WebSockets in the NGiNX proxy configuration and it works like a charm.

I found this tip in this other thread.
