hi there!
I installed Nextcloud (version 31.0.5), Collabora CODE (version 25.04.2.1) and Traefik (version >= 2) with Docker.
Nextcloud is up. I set the Collabora URL on the page http s://cloud.domain.tld/settings/admin/richdocuments and now see the green block (“Collabora Online server is reachable.”), but on the same page the iframe below displays an error and I can see a 400 Bad Request on http s://code.domain.tld/browser/dist/fetch-settings-file in the browser debugger.
Ofc I can’t edit any document…
I see these errors in collabora logs:
[ websrv_poll ] ERR Failed to get settings json from [http://cloud.domain.tld/index.php/apps/richdocuments/wopi/settings?type=systemconfig&access_token= &fileId=-1] with status[Moved Permanently]| wsd/DocumentBroker.cpp:1835 <= I’m pretty sure it’s caused by the http to https redirection
[ websrv_poll ] ERR #-1: Failed to install config [shared-http_cloud.domain.tld/index.php/apps/richdocuments/wopi/settings-]| wsd/RequestVettingStation.cpp:209
what I already checked:
The Nextcloud container can curl http s://code.domain.tld/hosting/discovery
The CODE container doesn’t include curl, wget or ping, so I hope it can reach Nextcloud
I can log in on https ://code.domain.tld/browser/dist/admin/admin.html
I found this doc (CODE Docker image, SDK documentation: https://sdk.collaboraonline.com/) and understand I should configure some options in /etc/coolwsd/coolwsd.xml,
but it’s not mounted (yet?) so it would be gone each time I rerun the container (which will be pretty often until everything is fully configured :D)
I haven’t fixed this message yet: " You have not configured the allow-list for WOPI requests. Without this setting users may download restricted files via WOPI requests to the Nextcloud server."
Do you think it’s a settings issue with Collabora CODE or something wrong with Traefik?
NB: had to “break” links on purpose as I’m a new user
thanks in advance!
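The two coolwsd lines quoted above are the whole diagnosis: coolwsd itself fetches the WOPI settings URL that Nextcloud handed it, that URL is plain http, and the proxy answers with a redirect that coolwsd does not follow. The following script is an added example (not part of this thread or of the Collabora/Nextcloud projects) that parses such log lines into a finding and, as a separate helper, repeats the request from the proxy host with redirects disabled so the 301 can be seen directly. The log sample is constructed from the lines in this post; the hostname is the placeholder the poster used.

```python
"""Diagnose coolwsd "Failed to get settings json ... Moved Permanently" errors.

Added example. parse_settings_errors() works offline on log text;
probe() makes one real request with redirects disabled (no redirect following,
so a 301 is returned as-is instead of being hidden).
"""
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: the two coolwsd lines quoted in the post above.
SAMPLE_LOG = """\
[ websrv_poll ] ERR Failed to get settings json from [http://cloud.domain.tld/index.php/apps/richdocuments/wopi/settings?type=systemconfig&access_token= &fileId=-1] with status[Moved Permanently]| wsd/DocumentBroker.cpp:1835
[ websrv_poll ] ERR #-1: Failed to install config [shared-http_cloud.domain.tld/index.php/apps/richdocuments/wopi/settings-]| wsd/RequestVettingStation.cpp:209
"""

SETTINGS_RE = re.compile(
    r"Failed to get settings json from \[(?P<url>[^\]]+)\] with status\[(?P<status>[^\]]+)\]"
)
# HTTP reason phrases that mean "the proxy redirected instead of answering".
REDIRECT_STATUSES = {"Moved Permanently", "Found", "Temporary Redirect", "Permanent Redirect"}


def parse_settings_errors(log_text):
    """Return one finding dict per 'Failed to get settings json' line."""
    findings = []
    for line in log_text.splitlines():
        m = SETTINGS_RE.search(line)
        if not m:
            continue
        url = m.group("url").strip()
        status = m.group("status").strip()
        scheme = urllib.parse.urlsplit(url).scheme
        finding = {
            "url": url,
            "status": status,
            "scheme": scheme,
            "redirected": status in REDIRECT_STATUSES,
        }
        if finding["redirected"] and scheme == "http":
            # coolwsd only knows the URL Nextcloud gave it, so the fix is on the
            # Nextcloud side: make it generate https URLs behind the proxy
            # (OVERWRITEPROTOCOL=https plus X-Forwarded-Proto from the proxy).
            finding["hint"] = (
                "plain-http WOPI URL was redirected by the proxy; make Nextcloud "
                "advertise https (OVERWRITEPROTOCOL=https, X-Forwarded-Proto) "
                "so coolwsd is given an https URL"
            )
        findings.append(finding)
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None from redirect_request makes urllib raise HTTPError
    for the 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5):
    """Request url once, without following redirects.

    Returns (status_code, Location header or None). Run it from the proxy host
    against the exact URL taken from the log line to see what coolwsd saw.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


if __name__ == "__main__":
    for f in parse_settings_errors(SAMPLE_LOG):
        print(f)
```

Running it on the sample yields one finding with status "Moved Permanently", scheme "http" and the hint; `probe(finding["url"])` from the proxy host then shows the 301 and its `Location`, which should point at the https URL of the same path.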
Hello @Elianora, welcome to the Collabora Online forum.
I have a very similar question and there is a nice discussion on this topic. I would like it if you could read those points and check whether that helps?
@wwe , can you please help me? For days and days I have struggled and cannot make Nextcloud + Collabora work behind my reverse proxy, which is Caddy. Using only Docker for the containers and exposing ports 80 and 9980 on the host I can use Nextcloud...
Thanks
Darshan
thanks!
I read that thread and changed a few traefik labels and it works now!
let’s fix all the security stuff now
Awesome @Elianora
If it’s okay, can you share how you solved it? It’s better for other users.
Thanks
Darshan
you’re right!
I changed a few labels in the 3 files so I’m not sure which change fixed the issue, but here are my working docker-compose files:
Traefik:
```yaml
services:
  traefik:
    image: traefik
    container_name: traefik
    restart: always
    command:
      # api.insecure serves the dashboard/API without authentication on :8080,
      # which is published below; the basic-auth routers further down only
      # protect the proxy.domain.tld routes, not that port.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.asDefault=true"
      - "--entrypoints.wss.address=:9980"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.letsencrypt.acme.email=contact@domain.tld"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--accessLog.filters.statusCodes=400-499"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    expose:
      - 8080
    volumes:
      - "./traefik.yml:/traefik.yml:ro"
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - nextcode
    labels:
      - "traefik.http.routers.traefik.middlewares=traefik-basic-auth,traefik-https-redirect,traefik-https-forward"
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`proxy.domain.tld`)"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.traefik-basic-auth.basicauth.users=admin:$$apr1$$aepdom5b$$Ojf8ES2LsBFHBN4DcON2P1"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.traefik-https-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
      # not a Traefik label (only traefik.enable, traefik.docker.*, traefik.http/tcp/udp.* are read); it has no effect
      - "traefik.wss.protocol=https"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`proxy.domain.tld`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-basic-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  nextcode:
    external: true
```
nextcloud:
```yaml
services:
  db:
    [...]
  redis:
    [...]
  app:
    image: nextcloud
    restart: always
    depends_on:
      - redis
      - db
    volumes:
      - nextcloud:/var/www/html
    environment:
      - TZ=Europe/Paris
      - MYSQL_PASSWORD=<db-password>
      - MYSQL_DATABASE=<db-name>
      - MYSQL_USER=<db-user>
      - MYSQL_HOST=db
      - NEXTCLOUD_TRUSTED_DOMAINS=nextcloud.domain.tld
      - VIRTUAL_HOST=nextcloud.domain.tld
      # makes Nextcloud generate https URLs behind the TLS-terminating proxy
      - OVERWRITEPROTOCOL=https
      - NC_default_phone_region=FR
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.domain.tld`)"
      - "traefik.http.routers.nextcloud.entrypoints=websecure"
      - "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      # a router takes exactly one middlewares label; listing it twice keeps only
      # the last value, so both middlewares are given here as one comma-separated list
      - "traefik.http.routers.nextcloud.middlewares=nextcloud_redirectregex@docker,nextcloud_hsts"
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
      # caldav and co
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
      - "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
      # hsts
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsSeconds=15552000"
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.nextcloud_hsts.headers.stsPreload=true"
      - "traefik.http.middlewares.nextcloud_hsts.headers.forceSTSHeader=true"
      - 'traefik.http.middlewares.nextcloud_hsts.headers.customRequestHeaders.X-Forwarded-Proto=https'
    networks:
      - nextcode
volumes:
  nextcloud:
    driver: local
    driver_opts:
      device: /home/<my-user>/nextcloud/data
      o: bind
      type: local
  db:
    driver: local
    driver_opts:
      device: /home/<my-user>/nextcloud/db
      o: bind
      type: local
networks:
  nextcode:
    external: true
```
and collabora CODE:
```yaml
services:
  collabora:
    image: collabora/code:latest
    ports:
      # publishes coolwsd's plain-http port (ssl.enable=false) directly on the host,
      # bypassing Traefik's TLS termination; Traefik reaches it over the nextcode
      # network, so this mapping is only needed for direct testing
      - "9980:9980"
    environment:
      - domain=nextcloud.domain.tld
      - aliasgroup1=https://nextcloud.domain.tld
      - username=<admin-user>
      - password=<admin-password>
      # frame_ancestors=* lets any site embed the editor; it can be narrowed to the Nextcloud host
      - extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:net.frame_ancestors=*
      - VIRTUAL_HOST=collabora.domain.tld
      - DONT_GEN_SSL_CERT=true
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.collabora.tls=true'
      - 'traefik.http.routers.collabora.tls.certresolver=letsencrypt'
      - 'traefik.http.routers.collabora.entrypoints=websecure'
      - 'traefik.http.routers.collabora.rule=Host(`collabora.domain.tld`)'
      - "traefik.http.routers.collabora.service=collabora"
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.Upgrade=websocket"
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.Connection=Upgrade"
      - 'traefik.http.routers.collabora.middlewares=collabora-headers'
      - 'traefik.http.services.collabora.loadbalancer.server.port=9980'
      # reverse proxy (label keys are case-insensitive, so X-Forwarded-Proto is set once)
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.X-Forwarded-Host=collabora.domain.tld"
      - 'traefik.http.middlewares.collabora-headers.headers.referrerPolicy=no-referrer'
      - 'traefik.http.middlewares.collabora-headers.headers.stsSeconds=15552000'
      - 'traefik.http.middlewares.collabora-headers.headers.forceSTSHeader=true'
      - 'traefik.http.middlewares.collabora-headers.headers.stsPreload=true'
      - 'traefik.http.middlewares.collabora-headers.headers.stsIncludeSubdomains=true'
      - 'traefik.http.middlewares.collabora-headers.headers.browserXssFilter=true'
    cap_add:
      - MKNOD
    networks:
      - nextcode
    restart: unless-stopped
networks:
  nextcode:
    external: true
```
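Two of the mistakes in the posted compose files fail silently: a `traefik.http.routers.<name>.middlewares` label given twice (Docker keeps only the last value, so one middleware quietly disappears), and a label outside the namespaces Traefik reads (`traefik.wss.protocol`), which is never applied. The linter below is an added example, not code from this thread or from Traefik; it reads the label list of a compose service exactly as Docker does (key/value, keys compared case-insensitively, last value wins) and reports those problems, plus two deployment checks a reviewer would raise: a backend port that is also published on the host (so clients can bypass the proxy's TLS) and `--api.insecure=true` combined with a published 8080. The sample label lists are constructed from the files above; `lint_service` and `parse_labels` are names chosen here.

```python
"""Lint the Traefik labels of a compose service for mistakes that fail silently.

Added example. Docker turns the label list into a map (a key given twice keeps
only the last value), Traefik compares label keys case-insensitively, and it
only reads traefik.enable, traefik.docker.*, traefik.http.*, traefik.tcp.*
and traefik.udp.*. Everything else is dropped without an error.
"""
import re

KNOWN_PREFIXES = ("traefik.enable", "traefik.docker.", "traefik.http.", "traefik.tcp.", "traefik.udp.")
ROUTER_MW_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$")
MW_DEF_RE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.")
SVC_PORT_RE = re.compile(r"^traefik\.http\.services\.[^.]+\.loadbalancer\.server\.port$")


def parse_labels(labels):
    """Split 'key=value' strings into a map with lower-cased keys.

    Returns (label_map, duplicates); duplicates lists (key, earlier, later)
    only when the two values differ, since equal repeats are harmless.
    """
    seen, duplicates = {}, []
    for raw in labels:
        key, _, value = raw.partition("=")
        key = key.strip().lower()
        if key in seen and seen[key] != value:
            duplicates.append((key, seen[key], value))
        seen[key] = value  # compose and Traefik keep the last occurrence
    return seen, duplicates


def lint_service(name, labels, ports=(), command=()):
    """Return a list of human-readable findings for one compose service."""
    findings = []
    label_map, duplicates = parse_labels(labels)
    for key, old, new in duplicates:
        msg = f"{name}: '{key}' set twice ('{old}' then '{new}'); only the last value is used"
        if ROUTER_MW_RE.match(key):
            msg += f"; merge them into one label: {key}={old},{new}"
        findings.append(msg)
    # middlewares defined in this service; references with @provider live elsewhere
    defined_mw = {m.group(1) for k in label_map if (m := MW_DEF_RE.match(k))}
    for key, value in label_map.items():
        if not key.startswith(KNOWN_PREFIXES):
            findings.append(f"{name}: '{key}' is not a Traefik label namespace and is ignored")
        if ROUTER_MW_RE.match(key):
            for mw in (m.strip() for m in value.split(",")):
                if "@" not in mw and mw not in defined_mw:
                    findings.append(f"{name}: router references undefined middleware '{mw}'")
    # a backend port published on the host lets clients skip the proxy (and its TLS)
    backend_ports = {v.strip() for k, v in label_map.items() if SVC_PORT_RE.match(k)}
    for mapping in ports:
        _, _, container = str(mapping).rpartition(":")
        if container in backend_ports:
            findings.append(f"{name}: backend port {container} is published on the host "
                            f"({mapping}); traffic can bypass the proxy's TLS")
    if any(c.lower().startswith("--api.insecure=true") for c in command) and \
            any(str(p).endswith(":8080") for p in ports):
        findings.append(f"{name}: --api.insecure=true with port 8080 published exposes the "
                        "dashboard/API without authentication")
    return findings


# Constructed samples: the relevant labels from the compose files posted above.
NEXTCLOUD_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.nextcloud.rule=Host(`nextcloud.domain.tld`)",
    "traefik.http.routers.nextcloud.middlewares=nextcloud_redirectregex@docker",
    "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true",
    "traefik.http.routers.nextcloud.middlewares=nextcloud_hsts",
    "traefik.http.middlewares.nextcloud_hsts.headers.stsSeconds=15552000",
]
COLLABORA_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.collabora.middlewares=collabora-headers",
    "traefik.http.services.collabora.loadbalancer.server.port=9980",
    "traefik.http.middlewares.collabora-headers.headers.customrequestheaders.X-Forwarded-Proto=https",
    "traefik.http.middlewares.collabora-headers.headers.customRequestHeaders.X-Forwarded-Proto=https",
]
TRAEFIK_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.traefik.middlewares=traefik-basic-auth",
    "traefik.http.middlewares.traefik-basic-auth.basicauth.users=admin:<hash>",
    "traefik.wss.protocol=https",
]
TRAEFIK_COMMAND = ["--api.insecure=true", "--providers.docker=true"]

if __name__ == "__main__":
    for svc, args in {
        "nextcloud": (NEXTCLOUD_LABELS, {}),
        "collabora": (COLLABORA_LABELS, {"ports": ["9980:9980"]}),
        "traefik": (TRAEFIK_LABELS, {"ports": ["80:80", "8080:8080", "443:443"],
                                      "command": TRAEFIK_COMMAND}),
    }.items():
        for finding in lint_service(svc, args[0], **args[1]):
            print(finding)
```

Run on the samples it reports the lost `nextcloud_redirectregex@docker` middleware with the merged label to use instead, the ignored `traefik.wss.protocol` label, the published 9980 and the unauthenticated 8080; the case-only duplicate of `X-Forwarded-Proto` is not reported because both values are identical.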
I’m not finished with all the security checks, so consider these as a working base only.
Great work @Elianora, keep it up!