Collabora CODE and Seafile CE setup woes

Hi,

I installed Collabora on my server (Ubuntu 20.04) from native packages (no Docker) as described in the documentation (with NGINX ssl termination). I’d like to integrate it with my Seafile (Community Edition) installation so I can create and edit documents from Seafile. Seafile has been set up as described in the documentation (with SQLite and NGINX ssl termination) and works flawlessly.

Unfortunately I can’t edit files.

Collabora is up and running, I can get the XML file through <myurl>/hosting/discovery from outside, so passing through NGINX ssl termination works fine, but whenever I try to edit a docx file I get a dialog telling me that the file will be passed through an insecure connection (though the called address is clearly https).
After clicking ‘Continue’ an empty site is opened with a seafile/server watermark (no in-frame Collabora).

I realize this might be a Seafile problem, but I think there might also be a chance that it’s something with my Collabora config.

This is my NGINX config for Collabora:

collabora.conf
server {
    listen       80;
    server_name  collabora.aetherrauschen.de;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    server_tokens off;
}

server {
    listen 443 ssl;
    server_name collabora.aetherrauschen.de;
    ssl_certificate     /etc/letsencrypt/live/aetherrauschen.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aetherrauschen.de/privkey.pem;
    server_tokens off;

    # static files
    location ^~ /loleaflet {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $http_host;
    }

    # websockets, download, presentation and image upload
    location ^~ /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
    }
}

And relevant parts of my loolwsd.xml:

loolwsd.xml
<ssl desc="SSL settings">
        <enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
        <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
        <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
        <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
            <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
            <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
            </pins>
        </hpkp>
    </ssl>
<storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">collabora.aetherrauschen.de</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">127.0.0.1</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <reuse_cookies desc="When enabled, cookies from the browser will be captured and set on WOPI requests." type="bool" default="false">false</reuse_cookies>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>
        </wopi>
        <webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">collabora.aetherrauschen.de</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">127.0.0.1</host>

        </webdav>
        <ssl desc="SSL settings">
            <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and loolwsd. When empty this defaults to following the ssl.enable setting"></enable>
            <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
            <key_file_path desc="Path to the key file" relative="false"></key_file_path>
            <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overriden only if absolutely needed."></cipher_list>
        </ssl>
    </storage>

I’m wondering whether the <ssl> settings in the <storage> part may be the cause of my problem, as I’m not sure which values to set.
I don’t get any errors in the logs though.

I don’t have experience with Seafile. The proxy / loolwsd settings seem to conform to a terminating proxy connection, thus the ssl / enable + termination settings are fine as they are (false and true respectively). The proxy config seems to be incomplete, though; please refer to: Setting up Nginx reverse proxy - Collabora Office and Collabora Online

While I don’t know if the 80 port part of the proxy config can cause hiccups, I’d probably remove that.

1 Like
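
Added example, not from the thread or from Collabora's own code: a small Python check of the settings discussed above, covering the ssl enable/termination combination from the reply and the WOPI host list and storage ssl values from the first post. It assumes the <config> root element, whole-string regex matching with deny entries overriding allow entries, and a hypothetical storage host seafile.example.org; the XML is a constructed, trimmed copy of the posted values.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the posted values, trimmed and wrapped in an assumed <config> root.
SAMPLE = r"""<config>
  <ssl>
    <enable type="bool">false</enable>
    <termination type="bool">true</termination>
  </ssl>
  <storage>
    <wopi allow="true">
      <host allow="true">collabora.aetherrauschen.de</host>
      <host allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
      <host allow="false">192\.168\.1\.1</host>
    </wopi>
    <ssl>
      <ca_file_path></ca_file_path>
    </ssl>
  </storage>
</config>"""

def flag(root, path):
    return (root.findtext(path) or "").strip().lower() == "true"

def tls_mode(root):
    """Classify how browser traffic reaches loolwsd."""
    enable, term = flag(root, "ssl/enable"), flag(root, "ssl/termination")
    if enable:
        return "loolwsd terminates TLS itself"
    return "TLS terminated at proxy" if term else "plain HTTP end to end"

def wopi_host_allowed(root, host):
    """Assumed semantics: whole-string regex match, a deny entry beats any allow."""
    wopi = root.find("storage/wopi")
    if wopi is None or wopi.get("allow") != "true":
        return False
    hits = [h.get("allow") == "true" for h in wopi.findall("host")
            if h.text and re.fullmatch(h.text.strip(), host)]
    return bool(hits) and all(hits)

def storage_cert_verified(root):
    """Per the ca_file_path description: empty means the storage cert is not verified."""
    return bool((root.findtext("storage/ssl/ca_file_path") or "").strip())

if __name__ == "__main__":
    cfg = ET.fromstring(SAMPLE)
    print(tls_mode(cfg), "| storage cert verified:", storage_cert_verified(cfg))
    # seafile.example.org is a hypothetical storage host, not taken from the thread
    for h in ("collabora.aetherrauschen.de", "192.168.1.1", "seafile.example.org"):
        print(h, wopi_host_allowed(cfg, h))
```

Because the host entries are regex patterns, the unescaped dots in collabora.aetherrauschen.de match any character; escaping them as in the IP range entries narrows the allow-list to the literal name.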

@baeron Thanks!

That was exactly the problem. I added it because I also had it for other services (like Seafile itself), but it seems that it f…ed up things for Collabora.

1 Like