Hi. COOL is not working properly when I use HTTPS. The error is shown in below picture:
We are using Traefik as a reverse proxy.
What is the solution? should I config something in coolwsd.xml?
You may not have SSL enabled in coolwsd.xml, look under <ssl> / <enable>. Note that in this case you need to have the certificate and private key in place. Alternatively, you can use a terminating reverse proxy, then you need to have <ssl> / <enable> set to false, and <ssl> / <termination> to true.
You can find sample reverse proxy configs for various setups here: Proxy settings (SDK documentation): https://sdk.collaboraonline.com/
Hi again. We still did not succeed in running collabora with the reverse proxy.
Here is our docker-compose file. It contains the hafez (which implements the WOPI server and is behind a terminating reverse proxy) and collabora services:
version: "3"
services:
  hafez:
    image: hafez:latest
    restart: always
    container_name: hafez
    environment:
      - collabora_endpoint=http://my-server-ip:9980
    ports:
      - 8000:8000
    networks:
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.hafez.loadbalancer.server.scheme=http"
      - "traefik.http.routers.hafez.rule=Host(`mydomain.xxx`)"
      - "traefik.http.services.hafez.loadbalancer.server.port=8000"
      - "traefik.http.routers.hafez.entrypoints=websecure"
      - "traefik.http.routers.hafez.tls.certresolver=myhttpchallenge"
      - "traefik.docker.network=traefik_default"
  collabora:
    image: collabora:1.1
    restart: always
    container_name: collabora
    environment:
      - domain=my-server-ip
      - username=admin
      - password=admin
      - extra_params=--o:ssl.enable=false
    ports:
      - 9980:9980
    networks:
      - traefik_default
networks:
  traefik_default:
    external: true
We also changed every http in the Apache config file to https:
# Apache2 reverse proxy configuration for Collabora Online
# Internet <-- SSL --> Reverse Proxy <-- No SSL --> coolwsd
# Make sure that you enable the following Apache2 modules: proxy, proxy_wstunnel, and proxy_http.
# Create a virtual host for Collabora Online and include this configuration file.
# Options -Indexes
AllowEncodedSlashes NoDecode
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of Collabora Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
# Capabilities
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
# Admin Console websocket
ProxyPass /lool/adminws ws://127.0.0.1:9980/lool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool
and set enable as false, and termination as true in the loolwsd.xml file:
<ssl desc="SSL settings">
<!-- switches from https:// + wss:// to http:// + ws:// -->
<enable type="bool" desc="Controls whether SSL encryption between loolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">false</enable>
<!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
<termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">true</termination>
<cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
<key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
<ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
<cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
<hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
<max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
<report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
<pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
<pin></pin>
</pins>
</hpkp>
</ssl>
That is either an outdated reverse proxy configuration, or you are still using an old COOL version (6.4), versions 21.11 and 22.05 require a different reverse proxy config. Also, you’re mentioning a terminating setup, but the reverse proxy isn’t set up that way.
And are hafez and COOL communicating directly behind the same reverse proxy?
Yes, we are using 6.4 version
Hi again.
We have changed our CODE image to the latest.
Both Hafez and COOL services are behind the same reverse proxy.
The Collabora service is served on a domain with the TLS protocol.
In the latest version, we fixed this issue with only the changes below:
In coolwsd.xml we set the following: the ssl.enable value was set to false, and the termination value was set to true.
And this is our yaml file:
services:
  hafez:
    image: XX
    restart: always
    container_name: hafez
    environment:
      - collabora_endpoint=https://COLLABORA.XX
    networks:
      - hafeznet
      - traefik_default
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hafez.rule=Host(`MY.WOPISERVER.DOMAIN`)"
      - "traefik.http.routers.hafez.entrypoints=websecure"
      - "traefik.http.routers.hafez.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.hafez.loadbalancer.server.port=8000"
      - "traefik.docker.network=traefik_default"
  collabora:
    image: collabora:latest
    restart: always
    container_name: collabora
    environment:
      - aliasgroup1=MY.WOPISERVER.DOMAIN
      - username=admin
      - password=admin
      - extra_params=--o:ssl.enable=false
    networks:
      - hafeznet
      - traefik_default
    labels:
      - "traefik.enable=true"
      # Host() matches the Host header, so the rule takes a bare hostname, not a URL with a scheme
      - "traefik.http.routers.collabora.rule=Host(`COLLABORA.XX`)"
      - "traefik.http.routers.collabora.entrypoints=websecure"
      - "traefik.http.routers.collabora.tls.certresolver=myhttpchallenge"
      - "traefik.http.services.collabora.loadbalancer.server.port=9980"
      - "traefik.docker.network=traefik_default"
networks:
  hafeznet:
    name: hafeznet
  traefik_default:
    external: true
Since it is working properly, it seems nothing else is needed, right? (We have not changed the Apache config file.)
We just did not manage to set ssl.enable and termination with environment variables in the yaml file. We had to change those in the coolwsd.xml file manually. So can we do it with environment variables?