COOL does not work over https

Hi. COOL is not working properly when I use HTTPS. The error is shown in the picture below:

We are using Traefik as a reverse proxy.

What is the solution? Should I configure something in coolwsd.xml?

@mmeeks @mmoya

You may not have SSL enabled in coolwsd.xml, look under <ssl> / <enable>. Note that in this case you need to have the certificate and private key in place. Alternatively, you can use a terminating reverse proxy, then you need to have <ssl> / <enable> set to false, and <ssl> / <termination> to true.

You can find sample reverse proxy configs for various setups here: Proxy settings — SDK https://sdk.collaboraonline.com/ documentation
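A defender-side check for the termination setting described above, added here as an example and not part of the thread: with ssl.enable=false but termination left at false behind an https proxy, coolwsd's /hosting/discovery advertises http:// editor URLs, which a WOPI host served over https cannot embed. The discovery layout and the two sample documents below are constructed assumptions, not captured from a real server.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample (not captured from a real server): coolwsd behind an https
# proxy with ssl.enable=false but ssl.termination=false, so it believes it is
# reachable over plain http and advertises http:// editor URLs.
DISCOVERY_NOT_TERMINATED = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action default="true" ext="odt" name="edit"
              urlsrc="http://collabora.example.test/browser/dist/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""

# Constructed sample: the same deployment after setting ssl.termination=true.
DISCOVERY_TERMINATED = DISCOVERY_NOT_TERMINATED.replace(
    "external-http", "external-https").replace("http://", "https://")


def check_discovery(xml_text, public_host):
    """Return a list of problems found in a WOPI discovery document that an
    https-served WOPI host will load; an empty list means it is usable."""
    problems = []
    root = ET.fromstring(xml_text)
    for zone in root.iter("net-zone"):
        # coolwsd names the zone after the scheme it thinks it is reachable on.
        if zone.get("name") != "external-https":
            problems.append(f"net-zone {zone.get('name')!r} is not external-https")
        for action in zone.iter("action"):
            url = urlparse(action.get("urlsrc", ""))
            label = f"{action.get('ext')}/{action.get('name')}"
            if url.scheme != "https":
                problems.append(f"{label}: urlsrc scheme {url.scheme!r} is not https")
            if url.hostname != public_host:
                problems.append(f"{label}: urlsrc host {url.hostname!r} is not {public_host!r}")
    return problems


if __name__ == "__main__":
    for name, doc in (("not terminated", DISCOVERY_NOT_TERMINATED),
                      ("terminated", DISCOVERY_TERMINATED)):
        print(name, check_discovery(doc, "collabora.example.test") or "OK")
```

Against a live deployment, feed the body of an https GET of /hosting/discovery through the proxy into check_discovery together with the public hostname the WOPI host uses.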

Hi again. We still did not succeed in running Collabora with a reverse proxy.

Here is our docker-compose file. It contains hafez (which implements a WOPI server and is behind a terminating reverse proxy) and collabora services:

version: "3"

services:
  hafez:
    image: hafez:latest
    restart: always
    container_name: hafez
    environment:
      - collabora_endpoint=http://my-server-ip:9980
    ports:
      - 8000:8000
    networks:
      - traefik_default  

    labels:
      - "traefik.enable=true"
      - "traefik.http.services.hafez.loadbalancer.server.scheme=http"
      - "traefik.http.routers.hafez.rule=Host(`mydomian.xxx`)"
      - "traefik.http.services.hafez.loadbalancer.server.port=8000"
      - "traefik.http.routers.hafez.entrypoints=websecure"
      - "traefik.http.routers.hafez.tls.certresolver=myhttpchallenge"
      - "traefik.docker.network=traefik_default"

  collabora:
    image: collabora:1.1
    restart: always
    container_name: collabora
    environment:
      - domain=my-server-ip
      - username=admin
      - password=admin
      - extra_params=--o:ssl.enable=false
    ports:
      - 9980:9980
    networks:
      - traefik_default

networks:
  traefik_default:
    external: true

We also changed every http in the Apache config file to https:

# Apache2 reverse proxy configuration for Collabora Online
# Internet <-- SSL --> Reverse Proxy <-- No SSL --> coolwsd
# Make sure that you enable the following Apache2 modules: proxy, proxy_wstunnel, and proxy_http.
# Create a virtual host for Collabora Online and include this configuration file.

#  Options -Indexes
  AllowEncodedSlashes NoDecode
  SSLProxyEngine On
  ProxyPreserveHost On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of Collabora Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

  # Capabilities
  ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws ws://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool

and set enable to false and termination to true in the loolwsd.xml file:

<ssl desc="SSL settings">
    <!-- switches from https:// + wss:// to http:// + ws:// -->
    <enable type="bool" desc="Controls whether SSL encryption between loolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
    <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
    <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
    <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
        </pins>
    </hpkp>
</ssl>

@bearon

That is either an outdated reverse proxy configuration, or you are still using an old COOL version (6.4), versions 21.11 and 22.05 require a different reverse proxy config. Also, you’re mentioning a terminating setup, but the reverse proxy isn’t set up that way.
And are hafez and COOL communicating directly behind the same reverse proxy?

Yes, we are using version 6.4.

Hi again.
We have changed our CODE image to the latest.

Both the Hafez and COOL services are behind the same reverse proxy.
The Collabora service is served on a domain with the TLS protocol.

In the latest version, we fixed this issue with only the changes below:

In the coolwsd.xml we set the following:

  • The ssl.enable value was set to false.
  • The termination value was set to true.

And this is our yaml file:

services:
  hafez:
    image: XX
    restart: always
    container_name: hafez
    environment:
      - collabora_endpoint=https://COLLABORA.XX
    networks:
      - hafeznet
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hafez.rule=Host(`MY.WOPISERVER.DOMIAN`)"
      - "traefik.http.routers.hafez.entrypoints=websecure"
      - "traefik.http.routers.hafez.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.hafez.loadbalancer.server.port=8000"
      - "traefik.docker.network=traefik_default"

  collabora:
    image: collabora:latest
    restart: always
    container_name: collabora
    environment:
      - aliasgroup1=MY.WOPISERVER.DOMIAN
      - username=admin
      - password=admin
      - extra_params=--o:ssl.enable=false
    # networks and labels belong under the collabora service, not at the services level
    networks:
      - hafeznet
      - traefik_default
    labels:
      - "traefik.enable=true"
      # Host() matches a bare hostname; a scheme prefix would never match
      - "traefik.http.routers.collabora.rule=Host(`COLLABORA.XX`)"
      - "traefik.http.routers.collabora.entrypoints=websecure"
      - "traefik.http.routers.collabora.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
      - "traefik.docker.network=traefik_default"

networks:
  hafeznet:
    name: hafeznet
  traefik_default:
    external: true

Since it is working properly, it seems nothing else is needed, right? (We have not changed the Apache config file.)

We just did not manage to set ssl.enable and termination with environment variables in the yaml file. We had to change those in the coolwsd.xml file manually. So can we do it with environment variables?

@bearon