Debugging help - Nextcloud- coolwsd servers

Hello,

I seem to have run into an issue with my configuration. I am running Fedora 41, basic lamp stack, I configured my apache to reverse proxy over to coolwsd (installed via package) according to the install guide (copy/paste).

The error returned when attempting to open a document is (tokens omitted):
Dec 31 11:08:33 Alfred coolwsd[716600]: wsd-716600-716613 2024-12-31 11:08:33.094068 -0500 [ websrv_poll ] ERR #23: Unknown resource: /cool/(preconfigured domain for nextcloud)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F(file token)?access_token=(access token)&access_token_ttl=0/ws GWebSocket, host: collab, path: 4

This results in a failure to open the document, as expected with this error.

Hi @FamousL

It seems like you’re encountering an issue with your reverse proxy setup, particularly with how URLs are being forwarded to coolwsd. This type of error often arises due to improper handling of URL encoding in the reverse proxy configuration.

Check the points below to resolve the issue:

  1. Improper URL Encoding in Apache Configuration
    Apache might be misinterpreting or altering the encoded URL when forwarding it to coolwsd. Ensure you have the following directive in your Apache configuration for the reverse proxy:

    AllowEncodedSlashes NoDecode
    ProxyPass /cool http://127.0.0.1:9980 retry=0
    ProxyPassReverse /cool http://127.0.0.1:9980
    
    • AllowEncodedSlashes NoDecode is critical to ensure that encoded slashes (%2F) in the URL are not decoded before being sent to coolwsd.
  2. Check the coolwsd.xml Configuration
    Make sure your coolwsd.xml file is configured to accept the domain for your Nextcloud instance. For example:

    <wopi desc="WOPI settings">
        <host desc="Regex pattern of hostname to allow or deny." allow="true">.*</host>
        <server_name desc="Server name." allow="true">your-nextcloud-domain.com</server_name>
    </wopi>
    

    Replace your-nextcloud-domain.com with the actual domain of your Nextcloud server.

  3. Verify the Apache Proxy Modules
    Ensure that the necessary modules are enabled for Apache:

    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod headers
    

    Then restart Apache:

    sudo systemctl restart apache2
    
  4. Test Direct Access to coolwsd
    Test if coolwsd is accessible directly by visiting http://127.0.0.1:9980/hosting/discovery. If this returns a valid XML response, the coolwsd service is running fine, and the issue is isolated to the reverse proxy.

  5. Check Logs for More Details
    Review both Apache and coolwsd logs for additional insights. For example:

    • Apache logs: /var/log/httpd/error_log or /var/log/apache2/error.log.
    • coolwsd logs: Usually configured in /var/log/coolwsd.log or /var/log/loolwsd.log.
  6. Update Apache Configuration for Path
    If the error persists, ensure that the ProxyPass configuration explicitly includes the /cool prefix:

    ProxyPass "/cool/" "http://127.0.0.1:9980/"
    ProxyPassReverse "/cool/" "http://127.0.0.1:9980/"
    

Please check the above points and let me know; we will go through the issue together if it is not solved.

Thanks,
Darshan

Hello, going through point by point

  1. I have /cool going to http://127.0.0.1:9980/cool; is that incorrect? I tried both and am getting the same error either way.
  2. I have my nextcloud server set in the wopi storage section, specifically the alias_groups
  3. httpd -M | grep -E "proxy|headers"
    headers_module (shared)
    proxy_module (shared)
    proxy_ajp_module (shared)
    proxy_balancer_module (shared)
    proxy_connect_module (shared)
    proxy_express_module (shared)
    proxy_fcgi_module (shared)
    proxy_fdpass_module (shared)
    proxy_ftp_module (shared)
    proxy_http_module (shared)
    proxy_hcheck_module (shared)
    proxy_scgi_module (shared)
    proxy_uwsgi_module (shared)
    proxy_wstunnel_module (shared)
    proxy_html_module (shared)
    proxy_http2_module (shared)
  4. This part does return valid xml, and does so through the reverse proxy as well.
  5. Apache isn’t reporting any errors, and coolwsd’s log file is not even showing up.

  1. Reverse Proxy Path
    Update your Apache configuration to forward /cool directly to http://127.0.0.1:9980/:

    ProxyPass "/cool/" "http://127.0.0.1:9980/"
    ProxyPassReverse "/cool/" "http://127.0.0.1:9980/"
    AllowEncodedSlashes NoDecode
    

    Restart Apache:

    sudo systemctl restart httpd
    

    See Collabora Proxy Settings for details.

  2. Verify WOPI Configuration
    Ensure <alias_groups> in coolwsd.xml has the exact Nextcloud URL:

    <alias_group>
        <host>nextcloud.example.com</host>
        <wopi>https://nextcloud.example.com</wopi>
    </alias_group>
    

Check both coolwsd and Apache logs for errors:

  • Apache logs: /var/log/httpd/error_log or /var/log/apache2/error.log
  • coolwsd logs: /var/log/coolwsd.log

  1. Done; however, the site you linked has it configured differently, perhaps it needs updating?

    ProxyPass /cool http://127.0.0.1:9980/cool
    ProxyPassReverse /cool http://127.0.0.1:9980/cool

  2. I made the change.
  3. No errors; coolwsd doesn’t seem to have a log.

Same error as before shows up in journalctl.

Issue seems to be with token. :thinking:

Error in journalctl
The error suggests coolwsd is unable to process the WOPI URL. Common causes include:

  • URL Encoding Mismatch: Ensure AllowEncodedSlashes NoDecode is set in Apache.
  • Token Validation Failure: Verify the WOPI token in the URL is correct. Check the Nextcloud logs for WOPI errors: /var/log/nextcloud.log.

Can you share details:

  • The full URL from the journalctl error (omit tokens).
  • Relevant sections of coolwsd.xml and Apache config.

Everything that journalctl spat out, tokens and names omitted:
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: wsd-06974-06987 2025-01-01 12:43:44.862985 -0500 [ websrv_poll ] ERR #33: Unknown resource: /cool/https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn?access_token=(token)&access_token_ttl=0/ws GWebSocket, host: (collabora domain), path: 4
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: [0] ‘cool’
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: [1] ‘https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn’
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: [2] ‘access_token=(token)&access_token_ttl=0’
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: [3] ‘ws’
Jan 01 12:43:44 (Server’s internal name) coolwsd[6974]: full URI: /cool/https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn?access_token=(token)&access_token_ttl=0/ws| wsd/ClientRequestDispatcher.cpp:925
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: wsd-06974-06987 2025-01-01 12:43:45.181804 -0500 [ websrv_poll ] ERR #33: Unknown resource: /cool/https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn?access_token=(token)&access_token_ttl=0&permission=edit/ws GWebSocket, host: (collabora domain), path: 4
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: [0] ‘cool’
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: [1] ‘https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn’
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: [2] ‘access_token=(token)&access_token_ttl=0&permission=edit’
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: [3] ‘ws’
Jan 01 12:43:45 (Server’s internal name) coolwsd[6974]: full URI: /cool/https:%2F%2F(nextcloud domain)%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F378553_oco78dqqgihn?access_token=(token)&access_token_ttl=0&permission=edit/ws| wsd/ClientRequestDispatcher.cpp:925

Current virtual server config, excluding SSL directives and domain directives:

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Container uses a unique non-signed certificate
    SSLProxyEngine on
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off



    # keep the host
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9980/ retry=0
    ProxyPassReverse / http://127.0.0.1:9980/
    # static html, js, images, etc. served from coolwsd
    # (browser is the client part of Collabora Online)
    ProxyPass /browser http://127.0.0.1:9980/browser retry=0
    ProxyPassReverse /browser http://127.0.0.1:9980/browser

    # WOPI discovery URL
    ProxyPass /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://127.0.0.1:9980/hosting/discovery

    # Capabilities
    ProxyPass /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" ws://127.0.0.1:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /cool/adminws ws://127.0.0.1:9980/cool/adminws

    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /cool/ http://127.0.0.1:9980/ retry=0
    ProxyPassReverse /cool/ http://127.0.0.1:9980/
    ProxyPass           /lool http://127.0.0.1:9980/cool
    ProxyPassReverse    /lool http://127.0.0.1:9980/cool
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           ws://127.0.0.1:9980/$1 [P,L,UnsafeAllow3F]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*)           http://127.0.0.1:9980/$1 [P,L,UnsafeAllow3F]

Main config area:
<server_name default="" desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string">(collabora domain):443</server_name>

Backend storage:

<max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>

900

<alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">


(nextcloud domain)
(nextcloud domain)


</alias_groups>
<is_legacy_server default="false" desc="Set to true for legacy server that need deprecated headers." type="bool">false</is_legacy_server>

Please let me know if there are other sections you need. I didn’t find/replace the entire thing at once, so it may not be entirely consistent.

I did not notice any errors from nextcloud, but it was complaining that there is a new way to handle this,
From nextcloud.log:
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“no app in context”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“OC_App::registerLogIn() is deprecated, please register your alternative login option using the registerAlternativeLogin() on the RegistrationContext in your Application class implementing the OCP\Authentication\IAlternativeLogin interface”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“user_oidc”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“Could not find unique token validation”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:{“app”:“user_oidc”}}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“no app in context”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“OCA\Richdocuments\Controller\WopiController::checkFileInfo uses the @PublicPage annotation and should use the #[OCP\AppFramework\Http\Attribute\PublicPage] attribute instead”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“no app in context”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“OCA\Richdocuments\Controller\WopiController::checkFileInfo uses the @NoCSRFRequired annotation and should use the #[OCP\AppFramework\Http\Attribute\NoCSRFRequired] attribute instead”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“no app in context”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“OCA\Richdocuments\Controller\WopiController::checkFileInfo uses the @NoCSRFRequired annotation and should use the #[OCP\AppFramework\Http\Attribute\NoCSRFRequired] attribute instead”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:“–”,“app”:“richdocuments”,“method”:“GET”,“url”:“/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0”,“message”:“Loaded WOPI Token record: {"id":815,"owner_uid":"Famous","editor_uid":"Famous","guest_displayname":null,"fileid":378553,"version":0,"canwrite":1,"server_host":"https://domain/\“,\“token\”:\“accesstoken\”,\“expiry\”:1735789382,\“template_destination\”:null,\“hide_download\”:0,\“direct\”:0,\“remote_server\”:\”\“,\“remote_server_token\”:\”\“,\“template_id\”:0,\“share\”:null,\“token_type\”:0}.”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:{“app”:“richdocuments”}}
{“reqId”:“Z3V-0I_YMV6DFRkHBFzUOAAAAYk”,“level”:0,“time”:“2025-01-01T17:43:45+00:00”,“remoteAddr”:“127.0.0.1”,“user”:”–“,“app”:“richdocuments”,“method”:“GET”,“url”:”/index.php/apps/richdocuments/wopi/files/378553_oco78dqqgihn?access_token=accesstoken&access_token_ttl=0",“message”:"Loaded WOPI Token record: {"id":815,"owner_uid":"Famous","editor_uid":"Famous","guest_displayname":null,"fileid":378553,"version":0,"canwrite":1,"server_host":"https://domain/\“,\“token\”:\“accesstoken\”,\“expiry\”:1735789382,\“template_destination\”:null,\“hide_download\”:0,\“direct\”:0,\“remote_server\”:\”\“,\“remote_server_token\”:\”\“,\“template_id\”:0,\“share\”:null,\“token_type\”:0}.”,“userAgent”:“COOLWSD HTTP Agent 24.04.11.1”,“version”:“30.0.4.1”,“data”:{“app”:“richdocuments”}}

the requested information got flagged, hopefully it will be cleared soon.
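
Added example, not part of any post in this thread: a small Python check that reads coolwsd `full URI:` journal lines like the ones posted above and lists reserved characters that reached coolwsd unencoded inside the document segment. The sample lines are constructed with a placeholder host, file id and token, and the second line assumes the WOPI source is normally sent as one fully percent-encoded path segment.

```python
import re
from urllib.parse import quote

# Constructed sample lines modelled on the journalctl output in this thread;
# hostname, file id and token are placeholders. The second line is the assumed
# shape of a request that no hop has decoded.
SAMPLE_LOG = """\
coolwsd[1]: full URI: /cool/https:%2F%2Fcloud.example.test%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1_abc?access_token=TOKEN&access_token_ttl=0/ws| wsd/ClientRequestDispatcher.cpp:925
coolwsd[1]: full URI: /cool/https%3A%2F%2Fcloud.example.test%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1_abc%3Faccess_token%3DTOKEN%26access_token_ttl%3D0/ws| wsd/ClientRequestDispatcher.cpp:925
"""

FULL_URI = re.compile(r"full URI: (/cool/.*?/ws)\|")
# Characters expected only in percent-encoded form inside the document segment.
RESERVED = ":/?=&"


def document_segment(uri):
    """Return the text between the '/cool/' prefix and the trailing '/ws'."""
    return uri[len("/cool/"):-len("/ws")]


def split_like_log(uri):
    """Split on '/' and '?', reproducing the [0]..[3] breakdown in the log."""
    return [part for part in re.split(r"[/?]", uri) if part]


def audit(log_text):
    """For each logged URI, list reserved characters that arrived unencoded."""
    findings = []
    for uri in FULL_URI.findall(log_text):
        segment = document_segment(uri)
        raw = sorted({ch for ch in segment if ch in RESERVED})
        findings.append({"parts": len(split_like_log(uri)), "unencoded": raw})
    return findings


def encode_segment(wopi_src_with_query):
    """Percent-encode a WOPI source so it stays a single path segment."""
    return quote(wopi_src_with_query, safe="")


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Under that assumption, a non-empty `unencoded` list points at a hop between the browser and coolwsd that decoded part of the segment.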

Unknown Resource Error (ERR #33):

  • This typically indicates a mismatch in the routing or configuration between Collabora Online and Nextcloud. Specifically, the WOPI request is not being properly recognized or routed by the Collabora Online server (coolwsd).

Proxy Configuration Adjustments

Ensure your Apache or Nginx configuration is handling encoded slashes properly.

For Apache:

AllowEncodedSlashes NoDecode
ProxyPreserveHost On

# Adjust ProxyPassMatch
ProxyPassMatch "^/cool/(.*)/ws$" ws://127.0.0.1:9980/cool/$1/ws

For Nginx:

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:9980;

Update Nextcloud and richdocuments App

  • Ensure you are using the latest version of Nextcloud and the richdocuments app.

Note: check the Nextcloud forums at https://help.nextcloud.com/ to see if there are similar issues or insights shared by other users. This might help pinpoint a solution or provide additional ideas.

The slash encoding was already present (just above the quoted section, I apparently mangled the markup).

Adjusted proxypass, error appears the same, however it is now 38 and not 33.

richdocuments is the latest version

@FamousL Have you investigated this issue on the Nextcloud forum? I would suggest first checking the NC forum/community section: https://help.nextcloud.com/

@FamousL We have gone through all the possible solutions, and it seems it might be a communication issue between NC and COOL.

I also encourage you, if you can, to add a detailed note and file a GitHub issue ticket on this.

Thank you for your amazing effort to describe the problem. Now a little help with filing the problem will also help to investigate and fix this problem.

Thanks,
Darshan

lol glad to see it wasn’t just me missing something obvious, I had searched the nextcloud forums, and just a general “all over the place” type search but it hadn’t turned up anything addressing my specific problems.

I can open a ticket, didn’t want to open one and find I misplaced a character in my configuration.

Thank you very much, I appreciate the debugging help.
