I have Collabora and Nextcloud installed as Docker containers on Unraid. Everything was working fine until the recent update to the Collabora Docker container on Unraid (Last Update April 7th, 2022)
The container wont launch any more and this is what the log shows:
============================================================================
Signature ok
subject=C = DE, ST = BW, L = Stuttgart, O = Dummy Authority, CN = localhost
Getting CA Private Key
-e ERR: Use of domain variable is not supported. First host/domain who tries to connect to COOL is always allowed.
To allow multiple host and its aliases use something like this and pass it as env variable:
aliasgroup1=https://domain1:443,https://its-alias|its-second-alias:443
aliasgroup2=https://domain2:443,https://its-alias:443
Every time I try and start the container it gets to that in the log and the container stops. I cant access the Web UI or try and console into the container.
Yes I was struggling with it last night. It seems Collabora are still not capable of publishing easy-to-understand information about important changes to configuration that make updates break.
I discovered that you can’t have the ‘domain’ variable in your docker run or compose file any more, so remove the domain variable completely and the container will run successfully.
ERR: Use of domain variable is not supported. First host/domain who tries to connect to COOL is always allowed.
To allow multiple host and its aliases use something like this and pass it as env variable:
aliasgroup1=https://domain1:443,https://its-alias|its-second-alias:443
aliasgroup2=https://domain2:443,https://its-alias:443
Sorry to hear about this but you read the message then It clearly says that first host is allowed , if you want multiple hosts and aliases we have now different configuration : )
Thanks for this. I encountered the same issue and this resolved it. I simply renamed the variable domain to domain.obsolete, and that worked. I just didn’t want to lose track of it incase it didn’t solve the problem. I may go delete it now…
So I deleted the Domain Variable in the Unraid template as everyone suggested and the Collabora Server booted up fine. Its even working with Nextcloud.
I don’t understand how its working with Nextcloud though because I followed Spaceinvader One’s video setting up the Collabora Server + Nextcloud which can be found here: How to Setup Collabora with Nextcloud for your own online document suite - YouTube
and if you go to the 4:00 mark in that video he explains that Domain Variable is where you need to enter your Nextcloud subdomain so Collabora knows what domains can connect to it. If I deleted that variable how is my Nextcloud allowed to connect to it? Does that mean anyone can connect to my Collabora Server if they know the subdomain its on?
@Ronshizel@dius@tolete@jshpettus@dinosm Hello guys , thanks for the report , sorry to hear that you guys are having a trouble with latest version of CODE, but we have changed how host gets passed to the COOL server, So If you are having only one domain then you can remove the domain and doesnot need to do anything because , now COOL allow the first host that tries to connect without any restriction , but if you are using multiple hosts then you need to pass it with the help of aliasgroups1… variables more on that on sdk : CODE Docker image — SDK https://sdk.collaboraonline.com/ documentation
Again sorry , if you have any questions then please let us know : )
"So If you are having only one domain then you can remove the domain and does not need to do anything because , now COOL allow the first host that tries to connect without any restriction "
What does this mean, no restriction? This appears to be a major security flaw. Does this mean my collabora server is now open to any host on the internet who wants to connect? I want to restrict connections to ONLY my own nextcloud server domain. Please show me how I can restrict my collabora server to ONLY allow connections from my nextcloud domain, assume domain is nextcloud.domain.com.
I think they mean, initially there is no restriction. Then once you made your first connection, the restriction to your domain is automatic. You just have to connect to your server before the bad guys do
Honestly I’m not too happy with unnecessary security hole either… On my setup I modified my internal host file so when nextcloud reaches out to collabora.mydomain.com it connects on my internal network IP. As well as modify the launch script to edit the host file of my docker container to identify cloud.mydomain.com as an internal IP as well from the docker container’s perspective. The connection is faster this way and more secure as everything stays in network. I don’t see why I need an outside connection to my docker container except for the letsencrypt ssl cert renewal… I’ll have to think about it. There must be a way to get rid of the the need completely. Maybe a properly setup self signed cert will do…then I can get rid of the extra public DNS entry entirely…
I’m still waiting on rash419 to post a code example using docker compose to securely setup collabora so only my nextcloud domain can access. I’m not interested in hosting an open collabora server for the entire internet to use.
@jshpettus , your solution sounds interesting. How did you do this? Can you please post code examples? Are you using docker compose or command line docker to launch your collabora container?
Command line docker,
–add-host cloud.mydomain.com:X.X.X.X
to the run command will add an entry to the docker container’s host file
Then on my cloud server’s host file, i have an entry:
X.X.X.X collabora.mydomain.com
which goes to collabora’s host computer’s interface (collabora docker container is listening on 9980 there)
Actually i have it set to the ip of the server hosting the container. Remember that’s the way it behaves normally except it’s getting the ip of the host server from the outside from the outside dns.
@jshpettus Thank you, I will look into this setup, but I"m using docker compose so will have to tweak accordingly for the -host var. Also, unless I"m missing something I understand this will create a fast connection and keep it on internal network, but as long as the public dns entry is still there it appears to me the security hole is still present. What’s to stop a rogue server from connecting to your collabora container?
