Failure to Save documents to Collabora through reverse proxy

Hey there, running into trouble with my Collabora instance. I am running it parallel to Nextcloud and behind an Apache 2 reverse proxy.

Whenever I try to save a file larger than 128(ish) KB, the file gets corrupted and set to the value of packets that actually went through.

This worked prior to setting up the reverse proxy, but I don’t understand what’s going wrong.

I know my collabora instance can communicate with WOPI to the Nextcloud host as showcased by this curl:

root@Collabora:~# curl -v GET "https://nc.domain/index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin"
* Could not resolve host: GET
* Closing connection 0
curl: (6) Could not resolve host: GET
*   Trying REVERSE.PROXY.IP.96:443...
* Connected to nc.domain (REVERSE.PROXY.IP.96) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.domain
*  start date: Jan 20 00:00:00 2025 GMT
*  expire date: Jan 20 23:59:59 2026 GMT
*  subjectAltName: host "nc.domain" matched cert's "*.domain"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> GET /index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin HTTP/1.1
> Host: nc.domain
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 04 Mar 2025 12:11:33 GMT
< Server: Apache/2.4.62 (Debian)
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
< Upgrade: websocket
< Connection: Upgrade
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
< X-Request-Id: FtMv6yQLaFM7SHqfzUhl
< Cache-Control: no-cache, no-store, must-revalidate
< Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
< Content-Length: 953
< Content-Type: application/json; charset=utf-8
< Set-Cookie: ocjqfivp2zz4=lplnl9c4a989fvbhl71pjgehr5; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: oc_sessionPassphrase=fRjHmKukfdEJWs%2BasRzdP%2BS1ay3l0GqWezuhUED9wHV%2B%2FLW2lELWbqZXMlMWiK6BtInxMwzRY1IFSLddCzZVwbM226T20FRgLSL%2B%2B17fScYPs72zm%2FzqEYz3EHht%2Bx7Q; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=lplnl9c4a989fvbhl71pjgehr5; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: ocjqfivp2zz4=lplnl9c4a989fvbhl71pjgehr5; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=lplnl9c4a989fvbhl71pjgehr5; path=/; secure; HttpOnly; SameSite=Lax
<
* Connection #1 to host nc.domain left intact
{"BaseFileName":"sample-docx-files-sample4.docx","Size":131072,"Version":"0","UserId":"v.F","OwnerId":"v.F","UserFriendlyName":"Valentin F","UserExtraInfo":{"avatar":"https:\/\/nc.domain\/avatar\/v.F\/64","is_admin":true},"UserPrivateInfo":{"ZoteroAPIKey":"","SignatureCert":"","SignatureKey":"","SignatureCa":""},"UserCanWrite":true,"UserCanNotWriteRelative":false,"PostMessageOrigin":"https:\/\/nc.domain\/","LastModifiedTime":"2025-03-04T11:04:57.000000Z","SupportsRename":true,"UserCanRename":true,"EnableInsertRemoteImage":true,"EnableInsertRemoteFile":true,"EnableShare":true,"HideUserList":"","EnableOwnerTermination":true,"DisablePrint":false,"DisableExport":false,"DisableCopy":false,"HideExportOption":false,"HidePrintOption":false,"DownloadAsPostMessage":false,"SupportsLocks":false,"IsUserLocked":false,"EnableRemoteLinkPicker":true,"HasContentRange":true,"IsAdminUser":true,"IsAnonymousUser":false}
root@Collabora:~# curl -v -X GET "https://nc.domain/index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4/contents?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin" -o testfile.docx.docx
Note: Unnecessary use of -X or --request, GET is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying REVERSE.PROXY.IP.96:443...
* Connected to nc.domain (REVERSE.PROXY.IP.96) port 443 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [112 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [5677 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.domain
*  start date: Jan 20 00:00:00 2025 GMT
*  expire date: Jan 20 23:59:59 2026 GMT
*  subjectAltName: host "nc.domain" matched cert's "*.domain"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
} [5 bytes data]
> GET /index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4/contents?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin HTTP/1.1
> Host: nc.domain
> User-Agent: curl/7.88.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Tue, 04 Mar 2025 12:16:37 GMT
< Server: Apache/2.4.62 (Debian)
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
< Upgrade: websocket
< Connection: Upgrade
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
< X-Request-Id: p4zoNn5ugtq0BzQhPTLi
< Cache-Control: no-cache, no-store, must-revalidate
< Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
< Content-Disposition: attachment
< Content-Type: application/octet-stream
< Set-Cookie: ocjqfivp2zz4=8q4k37io769fd3si6d7if0e27o; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: oc_sessionPassphrase=KrFMgXkhkb0j0BR7Xv2kTapc%2F%2FrKFcKWCV%2BkBAozXMbw8w7lq9Rj9FfsNdmGpUUgbnj4KHagI%2B%2FaDZ%2BlEVhe3qQVDSBIq1ANDeCJ6glYMJECUZOo1qA1MVKe3m9OYTKn; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=8q4k37io769fd3si6d7if0e27o; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: ocjqfivp2zz4=8q4k37io769fd3si6d7if0e27o; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=8q4k37io769fd3si6d7if0e27o; path=/; secure; HttpOnly; SameSite=Lax
< Transfer-Encoding: chunked
<
{ [6540 bytes data]
100  128k    0  128k    0     0   985k      0 --:--:-- --:--:-- --:--:-- 1000k
* Connection #0 to host nc.domain left intact
root@Collabora:~# echo "Collabora Save Test" > /tmp/test.txt
curl -v -X POST --data-binary "@/tmp/test.txt" "https://nc.domain/index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4/contents?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying REVERSE.PROXY.IP.96:443...
* Connected to nc.domain (REVERSE.PROXY.IP.96) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=*.domain
*  start date: Jan 20 00:00:00 2025 GMT
*  expire date: Jan 20 23:59:59 2026 GMT
*  subjectAltName: host "nc.domain" matched cert's "*.domain"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/1.1
> POST /index.php/apps/richdocuments/wopi/files/4265_ocjqfivp2zz4/contents?access_token=Idon'tknowhowmuchthistokenmatterssoIwon'tputitin HTTP/1.1
> Host: nc.domain
> User-Agent: curl/7.88.1
> Accept: */*
> Content-Length: 20
> Content-Type: application/x-www-form-urlencoded
>
< HTTP/1.1 200 OK
< Date: Tue, 04 Mar 2025 12:16:45 GMT
< Server: Apache/2.4.62 (Debian)
< Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
< Upgrade: websocket
< Connection: Upgrade
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
< X-Request-Id: cmbKi8KP8MmRrjrBch7m
< Cache-Control: no-cache, no-store, must-revalidate
< Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
< Content-Length: 50
< Content-Type: application/json; charset=utf-8
< Set-Cookie: ocjqfivp2zz4=ghdljn6ms42cps7e9cc7mbu2sc; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: oc_sessionPassphrase=WZlSjde5sVS4jyDzNlaYkox2QzZE0IvDcSOaXpdgsB4lSn20veP2l8AhLslpTZRXS3HmHbOiYYxGJBY%2F1Z4zQh7ToI9Ty%2FnTTO61VjJMVcor55Gn6xzLCUZss4PLo232; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=ghdljn6ms42cps7e9cc7mbu2sc; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: ocjqfivp2zz4=ghdljn6ms42cps7e9cc7mbu2sc; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: ocjqfivp2zz4=ghdljn6ms42cps7e9cc7mbu2sc; path=/; secure; HttpOnly; SameSite=Lax
<
* Connection #0 to host nc.domain left intact
{"LastModifiedTime":"2025-03-04T12:16:45.000000Z"}

Logs of the failure:

mars 03 17:03:59 Collabora coolwsd[2683]: kit-02683-02683 2025-03-03 17:03:59.744011 +0100 [ kitbroker_00e ] WRN  #21: Background save process disconnected but not terminated 2875| kit/KitWebSocket.cpp:339
mars 03 17:04:46 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:04:46.161171 +0100 [ docbroker_00e ] WRN  #25: CheckTimeout: Timeout while requesting [POST nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0] after 46413ms| net/HttpRequest.hpp:1758
mars 03 17:04:46 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:04:46.161253 +0100 [ docbroker_00e ] ERR  Unexpected response to WOPI::PutFile. Cannot upload file to WOPI storage uri [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]: No response received. Connection terminated or timed-out.| wsd/wopi/WopiStorage.cpp:1080
mars 03 17:04:46 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:04:46.161284 +0100 [ docbroker_00e ] ERR  Failed to upload docKey [https%3A%2F%2Fnc.domaine.fr%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4196_ocjqfivp2zz4] to URI [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]. Notifying client.| wsd/DocumentBroker.cpp:3038
mars 03 17:04:46 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:04:46.245209 +0100 [ docbroker_00e ] WRN  After failing to upload, the document size neither matches the original, nor our last uploaded. The document is in conflict.| wsd/DocumentBroker.cpp:5126
mars 03 17:05:58 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:05:58.228538 +0100 [ docbroker_00e ] WRN  #21: CheckTimeout: Timeout while requesting [POST nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0] after 36032ms| net/HttpRequest.hpp:1758
mars 03 17:05:58 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:05:58.228622 +0100 [ docbroker_00e ] ERR  Unexpected response to WOPI::PutFile. Cannot upload file to WOPI storage uri [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]: No response received. Connection terminated or timed-out.| wsd/wopi/WopiStorage.cpp:1080
mars 03 17:05:58 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:05:58.228638 +0100 [ docbroker_00e ] ERR  Failed to upload docKey [https%3A%2F%2Fnc.domaine.fr%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4196_ocjqfivp2zz4] to URI [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]. Notifying client.| wsd/DocumentBroker.cpp:3038
mars 03 17:05:58 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:05:58.318067 +0100 [ docbroker_00e ] WRN  After failing to upload, the document size neither matches the original, nor our last uploaded. The document is in conflict.| wsd/DocumentBroker.cpp:5126
mars 03 17:06:52 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:06:52.277830 +0100 [ docbroker_00e ] WRN  #21: CheckTimeout: Timeout while requesting [POST nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0] after 36023ms| net/HttpRequest.hpp:1758
mars 03 17:06:52 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:06:52.277943 +0100 [ docbroker_00e ] ERR  Unexpected response to WOPI::PutFile. Cannot upload file to WOPI storage uri [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4/contents?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]: No response received. Connection terminated or timed-out.| wsd/wopi/WopiStorage.cpp:1080
mars 03 17:06:52 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:06:52.277973 +0100 [ docbroker_00e ] ERR  Failed to upload docKey [https%3A%2F%2Fnc.domaine.fr%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4196_ocjqfivp2zz4] to URI [https://nc.domaine.fr/index.php/apps/richdocuments/wopi/files/4196_ocjqfivp2zz4?access_token=riXLK7z0A92qZnqbwD0IYQrXXUrqJAWy&access_token_ttl=0]. Notifying client.| wsd/DocumentBroker.cpp:3038
mars 03 17:06:52 Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 17:06:52.363203 +0100 [ docbroker_00e ] WRN  After failing to upload, the document size neither matches the original, nor our last uploaded. The document is in conflict.| wsd/DocumentBroker.cpp:5126

Coolwsd SSL config:

 <ssl desc="SSL settings">
                <!-- switches from https:// + wss:// to http:// + ws:// -->
                <enable default="true" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." type="bool">false</enable>
                <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
                <termination default="false" desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool">true</termination>
                <cert_file_path desc="Path to the cert file" relative="false" type="path">/etc/coolwsd/cert.pem</cert_file_path>
                <key_file_path desc="Path to the key file" relative="false" type="path">/etc/coolwsd/key.pem</key_file_path>
                <ca_file_path desc="Path to the ca file" relative="false" type="path">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
                <ssl_verification default="false" desc="Enable or disable SSL verification of hosts remote to coolwsd. If true SSL verification will be strict, otherwise certs of hosts will not be verified. You may have to disable it in test environments with self-signed certificates." type="string">false</ssl_verification>
                <cipher_list default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" desc="List of OpenSSL ciphers to accept" type="string"/>
                <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
                        <max_age default="1000" desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true" type="uint">1000</max_age>
                        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false" type="string"/>
                        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
                                <pin/>
                        </pins>
                </hpkp>
                <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
                        <enabled default="false" desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool">false</enabled>
                        <max_age default="31536000" desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int">31536000</max_age>
                </sts>
        </ssl>

server_name:

 <server_name default="" desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). May be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string">office.domain.fr</server_name>

Nextcloud Rproxy:

(rpsat-test)root@janus:~# cat /etc/apache2/sites-available/nextcloud.conf
<VirtualHost *:80>
        ServerName nc.domain.fr

        CustomLog /var/log/apache2/nc.domain.fr-access.log combined
        ErrorLog /var/log/apache2/nc.domain.fr-error.log
        Redirect permanent / https://nc.domain.fr/
</VirtualHost>

<VirtualHost *:443>
        ServerName nc.domain.fr

        ProxyRequests Off
        SSLEngine On
        SSLProxyEngine On
        SSLProxyVerify None
        SSLProxyCheckPeerName Off

        LimitRequestBody 0
        ProxyTimeout 600
        Timeout 600
        RequestReadTimeout body=600
        AllowEncodedSlashes On

        CustomLog /var/log/apache2/nc.domain.fr-access.log combined
        ErrorLog /var/log/apache2/nc.domain.fr-error.log
        Include "ssl/include-wild-ssl-domain.conf"
        <Files ".ht*">
                Require all denied
        </Files>
        TraceEnable off
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACK
        RewriteRule .* - [R=405,L]

        <Location /index.php/apps/richdocuments/wopi/files/>
                ProxyPass http://10.5.3.40/index.php/apps/richdocuments/wopi/files/
                ProxyPassReverse http://10.5.3.40/index.php/apps/richdocuments/wopi/files/
        </Location>

        <Location />
                ProxyPass http://10.5.3.40/
                ProxyPassReverse http://10.5.3.40/
                ProxyPreserveHost On
                RequestHeader set X-Forwarded-Proto "https"
                RequestHeader set X-Forwarded-Ssl "on"
                RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
        </Location>

        <IfModule mod_headers.c>
                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
                Header always set Upgrade "websocket"
                Header always set Connection "Upgrade"
        </IfModule>

</VirtualHost>

Collabora rproxy:

<VirtualHost *:80>
  ServerName office.domain.fr
   CustomLog /var/log/apache2/office.domain.fr-access.log combined

    ErrorLog /var/log/apache2/office.domain.fr-error.log

    Redirect permanent / https://office.domain.fr/
</VirtualHost>

<VirtualHost *:443>
  ServerName office.domain.fr

    AllowEncodedSlashes NoDecode
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    ProxyPreserveHost On
    Timeout 600
    ProxyTimeout 600
    ProxyBadHeader Ignore

    CustomLog /var/log/apache2/office.domain.fr-access.log combined
    ErrorLog /var/log/apache2/office.domain.fr-error.log
    Include "ssl/include-wild-ssl-domain.conf"

    # Static assets
    ProxyPass /browser http://10.5.3.42:9980/browser retry=0
    ProxyPassReverse /browser http://10.5.3.42:9980/browser

    # WOPI discovery URL
    ProxyPass /hosting/discovery http://10.5.3.42:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery http://10.5.3.42:9980/hosting/discovery

    # Capabilities
    ProxyPass /hosting/capabilities http://10.5.3.42:9980/hosting/capabilities retry=0
    ProxyPassReverse /hosting/capabilities http://10.5.3.42:9980/hosting/capabilities

    # Main websocket
    ProxyPassMatch "/cool/(.*)/ws$" ws://10.5.3.42:9980/cool/$1/ws nocanon

    # Admin Console websocket
    ProxyPass /cool/adminws ws://10.5.3.42:9980/cool/adminws

    # Download, Fullscreen, Image Upload
    ProxyPass /cool http://10.5.3.42:9980/cool
    ProxyPassReverse /cool http://10.5.3.42:9980/cool

    # Compatibility for /lool/convert-to
    ProxyPass /lool http://10.5.3.42:9980/cool
    ProxyPassReverse /lool http://10.5.3.42:9980/cool

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
</VirtualHost>

Please let me know if I can offer further information.

Edit: I have made local records on both my Nextcloud and Collabora machine to be able to communicate prior to the proxy, but this is still not ideal, would love some help.
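
Added example (not part of the original post, and not Collabora or Nextcloud code): a small Python filter for coolwsd journal output and `curl -v` transcripts in the formats quoted above. It masks `access_token` query values and `Set-Cookie` values before such text is shared, and summarizes the `WOPI::PutFile` timeouts per file. The sample lines, the host `nc.example.test`, the file id, token and cookie value are constructed placeholders.

```python
import re

# Constructed sample in the coolwsd journal and curl -v formats quoted in the post.
# Host, file id, token and cookie value are placeholders, not values from the thread.
PREFIX = "mars 03 {t} Collabora coolwsd[2102]: wsd-02102-02817 2025-03-03 {t}.161171 +0100 [ docbroker_00e ] "
URI = ("nc.example.test/index.php/apps/richdocuments/wopi/files/1234_instanceid/contents"
       "?access_token=PLACEHOLDERTOKEN&access_token_ttl=0")
CONFLICT = ("WRN  After failing to upload, the document size neither matches the original, "
            "nor our last uploaded. The document is in conflict.| wsd/DocumentBroker.cpp:5126")
SAMPLE = "\n".join([
    PREFIX.format(t="17:04:46") + f"WRN  #25: CheckTimeout: Timeout while requesting [POST {URI}] "
                                  "after 46413ms| net/HttpRequest.hpp:1758",
    PREFIX.format(t="17:04:46") + f"ERR  Unexpected response to WOPI::PutFile. Cannot upload file to WOPI "
                                  f"storage uri [https://{URI}]: No response received. Connection "
                                  "terminated or timed-out.| wsd/wopi/WopiStorage.cpp:1080",
    PREFIX.format(t="17:04:46") + CONFLICT,
    PREFIX.format(t="17:05:58") + f"WRN  #21: CheckTimeout: Timeout while requesting [POST {URI}] "
                                  "after 36032ms| net/HttpRequest.hpp:1758",
    PREFIX.format(t="17:05:58") + CONFLICT,
    "< Set-Cookie: oc_sessionPassphrase=PLACEHOLDER%2BCOOKIE; path=/; secure; HttpOnly; SameSite=Lax",
])

# access_token=<value> up to the next '&', bracket, quote or whitespace.
# access_token_ttl is left alone because '=' must follow 'access_token' directly.
TOKEN_RE = re.compile(r"(access_token=)[^&\s\]\"']+")
# Value of the cookie in a Set-Cookie header line, with or without curl's '< ' prefix.
COOKIE_RE = re.compile(r"(?im)^([ \t]*<?[ \t]*Set-Cookie:[ \t]*[^=;\s]+=)[^;\r\n]*")
# coolwsd "CheckTimeout" warning for a WOPI request.
TIMEOUT_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*?CheckTimeout: Timeout while requesting "
    r"\[(?P<method>[A-Z]+) (?P<host>[^/\s]+)/\S*?/wopi/files/(?P<file_id>[^/?\]\s]+)"
    r"(?P<contents>/contents)?\?\S*\] after (?P<ms>\d+)ms")


def redact(text: str) -> str:
    """Mask WOPI access tokens and Set-Cookie values, keeping everything else intact."""
    text = TOKEN_RE.sub(r"\1REDACTED", text)
    return COOKIE_RE.sub(r"\1REDACTED", text)


def wopi_timeouts(log: str) -> list:
    """Return one record per timed-out WOPI request found in a coolwsd log."""
    events = []
    for m in TIMEOUT_RE.finditer(log):
        events.append({
            "time": m["ts"],
            "host": m["host"],
            "file_id": m["file_id"],
            # WOPI PutFile is a POST to .../files/<id>/contents
            "put_file": m["method"] == "POST" and bool(m["contents"]),
            "timeout_ms": int(m["ms"]),
        })
    return events


def report(log: str) -> dict:
    """Summarize failed saves: PutFile timeouts, longest wait, conflict warnings."""
    puts = [e for e in wopi_timeouts(log) if e["put_file"]]
    return {
        "putfile_timeouts": len(puts),
        "max_timeout_ms": max((e["timeout_ms"] for e in puts), default=0),
        "conflicts": log.count("The document is in conflict"),
        "files": sorted({e["file_id"] for e in puts}),
    }


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(report(SAMPLE))
```

The summary is unchanged by redaction, so the masked text can be posted and still analysed.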

Hi @Valentin.F

It looks like your issue started after setting up the Apache reverse proxy, which suggests that Apache might be limiting the request body size or interfering with large file transfers.

Check Apache Configuration for Size Limits

  • Ensure that Apache is not restricting the upload size.

Check coolwsd Configuration

  • Collabora’s coolwsd.xml has a setting for the maximum upload size, limit_file_size.

Thanks
Darshan


Dear Darshan, thank you for your response, please see below:

<limit_virt_mem_mb desc="The maximum virtual memory allowed to each document process. 0 for unlimited." type="uint">0</limit_virt_mem_mb>
<limit_stack_mem_kb desc="The maximum stack size allowed to each document process. 0 for unlimited." type="uint">8000</limit_stack_mem_kb>
<limit_file_size_mb desc="The maximum file size allowed to each document process to write. 0 for unlimited." type="uint">0</limit_file_size_mb>
<limit_num_open_files desc="The maximum number of files allowed to each document process to open. 0 for unlimited." type="uint">0</limit_num_open_files>

There are no size restrictions on the proxy, or in COOL, I’m especially not concerned about COOL config in that regard because it now works locally, with HTTPS.
But nonetheless, I am able to upload large (140+MB) files through the proxy, to Nextcloud :slight_smile:

Thank you!
