Fixing CODE Multihost Configuration

CODE recently broke multihosts configurations. Previously, it was possibly to configure the CODE server to accept requests from several “integration” hosts by correctly setting the domain variable as described in CODE Docker image — SDK https://sdk.collaboraonline.com/ documentation

This no longer works, there’s also a bug report on GitHub regarding this.

However, even with adjusting coolwsd.xml as described in this bug report, I was not yet able to get it to work. CODE will always accept connections from the first host trying to connect, and refuse the other one afterwards, saying

[ docbroker_005 ] ERR loading document exception: No acceptable WOPI hosts found matching the target host [nextcloud.example.com] in config.| wsd/DocumentBroker.cpp:2124

(CODE 21.11.3.4 git hash: 2ea9477)

CODE is running in a Docker container which listens locally, and I use an Apache httpd reverse proxy on this host which terminates incoming TLS connections and forwards the http connection to the CODE container.

My <wopi> block currently looks as follows:

<wopi desc="Allow/deny wopi storage." allow="true">
    <host desc="Regex pattern of hostname to allow or deny." allow="true">(nextcloud.(example.com|example.net))</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
    <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
    <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    <locking desc="Locking settings">
        <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
    </locking>

    <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
    <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
            add the hosts below.  If one host is accessible under multiple ip addresses
            or names, add them as aliases. -->
    <!--<group>
            <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
            <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
            <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
    </group>-->
    <!-- More "group"s possible here -->
        <group> 
            <host desc="hostname to allow or deny." allow="true">https://nextcloud.example.com</host>
        </group>
        <group>
            <host desc="hostname to allow or deny." allow="true">https://nextcloud.example.net</host>
        </group>
    </alias_groups>
</wopi>

I also tried http instead of https as the protocol, as my CODE, but this didn’t change anything…

I think I got something wrong, but also after re-reading the bugreport and Configuration — SDK https://sdk.collaboraonline.com/ documentation , I can’t figure out, where my mistake lies…

@GOhrner 21.11.3.4.1 - problem with multiple domains - #3 by ivnmad

@rash419: Thanks, I remembered I read this other thread, and looked for it in the topics list, but somehow was not able to find it…

However, this suggestion looks exactly like what I did, I think…

See snipped above, I have alias_groups mode set to groups and included two groups with the two host names, but still got the described behaviour.

I’ll try adding the port also to the host description, but this would be a bit surprising to me if it would actually make a difference…

@GOhrner
Can you please share the full logs

@GOhrner: Thank you so much for the report!

I can see two things that might be a bit suspicious, so if you can confirm any of them is actually fixing the issue for you, that would be great.

1. <host desc=“Regex pattern of hostname to allow or deny.” allow=“true”>(nextcloud.(example.com|example.net))</host> looks a bit complicated, with the extra brackets. For the debugging purposes, can you try to change this to 2 <host> lines - one for .com and the other for .net variant?

2. The other thing is a missing port number in the alias group’s <host> - can you try to add that?

Can you please let us know if 1. or 2. or a combination of both have fixed it for you? We’ll continue trying to reproduce on our side in the meantime.

@kendy, @rash419: Please wait with retrying - I was looking into it again today just at the same time, and I think the problem was just on my end, or rather, in front of my computer… The usual thing… :-/ Sorry for stirring things up, I’ll soon be able to report if it works now or not.

@kendy, @rash419: Sorry, my apologies, it was a blunder on my part. Basically copied the wrong config file into the container.

To maybe still provide some additional insight:

• No, port numbers don’t appear to be necessary, it works without.
• I’m now using https:// as the protocol, even though coolwsd runs behind an TLS termnating Apache reverse proxy.
• I didn’t have to change the host allow regexp - it looked this way from earlier CODE versions when I could just specify this regexp on the docker command line to properly enable multi domain support. However it still seems to work now.

My config snippet:

    <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
    <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
            add the hosts below.  If one host is accessible under multiple ip addresses
            or names, add them as aliases. -->
    <!--<group>
            <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
            <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
            <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
    </group>-->
    <!-- More "group"s possible here -->
        <group> 
            <host desc="hostname to allow or deny." allow="true">https://nextcloud.example.com</host>
        </group>
        <group>
            <host desc="hostname to allow or deny." allow="true">https://nextcloud.example.net</host>
        </group>
    </alias_groups>

</wopi>

@GOhrner: Perfect, thank you so much for letting us know and for the additional information!

just seen start-collabora-online.pl in the github repo.
in the PR we see:

environment:
  - aliasgroup1=https://servername:443,https://its-alias:443,https://its-second-alias:443
  - aliasgroup2=https://second-servername:443,https://seconds-alias:443

can this be added to some additional documentation / howto for the docker-compose.yml?
@pedro.silva : Where would we find such doc?

it is will released with next docker image, so docker users can define multiple host directly from command line : )
CODE Docker image — SDK https://sdk.collaboraonline.com/ documentation

@rash419: Is the syntax for alias names in example in the referenced documentation actually correct?

aliasgroup1=https://<domain1>:443,https://<your-dot-escaped-aliasname1>|<your-dot-escaped-aliasname2>:443

This looks suspicious to me, I’d either have expected brackets around the two alias names, or a repetition of the protocol and port specifiers.

How it this expression actually evaluated, what kind of syntax is this?

As a regular expression, it probably won’t work that way, and if it’s a simple string split algorithm using the pipe symbol as the split delimiter, it also shouldn’t… (Cannot currently test this myself, unfortunately.)

@GOhrner If you can test that would be great : )

successfully tested: