Installation configs for Collabora with Nextcloud without Reverse Proxy

Hi I am currently attemtping to install Collabora with Nextcloud I have succeeded in connecting them in nextcloud as shown by

However upon opening a docx file I receive an error on Nextcloud stating

Document loading failed

Unauthorised WOPI host. Please try again later and report to your administrator if the issue persists.

Following this I inspected logs in my container and noticed that requests from Collabora is being rejected

wsd-00001-00032 2024-11-08 09:16:45.193711 +0000 [ websrv_poll ] ERR  #33: Read failed, have 0 buffered bytes (ECONNREFUSED: Connection refused)| net/Socket.hpp:1275
wsd-00001-00032 2024-11-08 09:16:45.193807 +0000 [ websrv_poll ] ERR  #33: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-08 09:16:45.193816 +0000 [ websrv_poll ] ERR  #33: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-08 09:16:45.193828 +0000 [ websrv_poll ] ERR  #33: WOPI::CheckFileInfo failed for URI [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0]: 0 (Unknown) . Headers:    Body: []| wsd/wopi/CheckFileInfo.cpp:98
wsd-00001-00032 2024-11-08 09:16:45.193832 +0000 [ websrv_poll ] ERR  #33: Invalid URI or access denied to [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:116
wsd-00001-00032 2024-11-08 09:16:45.337420 +0000 [ websrv_poll ] ERR  #33: CheckFileInfo failed for [http%3A%2F%2Fnextcloud%3A8080%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F46_ocrji49pzuhu], State::Fail| wsd/RequestVettingStation.cpp:269
wsd-00001-00032 2024-11-08 09:16:45.560060 +0000 [ websrv_poll ] ERR  #35: Read failed, have 0 buffered bytes (ECONNREFUSED: Connection refused)| net/Socket.hpp:1275
wsd-00001-00032 2024-11-08 09:16:45.560099 +0000 [ websrv_poll ] ERR  #35: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-08 09:16:45.560108 +0000 [ websrv_poll ] ERR  #35: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-08 09:16:45.560119 +0000 [ websrv_poll ] ERR  #35: WOPI::CheckFileInfo failed for URI [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0&permission=edit]: 0 (Unknown) . Headers:      Body: []| wsd/wopi/CheckFileInfo.cpp:98
wsd-00001-00032 2024-11-08 09:16:45.560123 +0000 [ websrv_poll ] ERR  #35: Invalid URI or access denied to [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0&permission=edit]| wsd/wopi/CheckFileInfo.cpp:116

I tried to do a curl in Collabora to the following URL which results in an error

curl -v http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0

Trying 172.20.0.5:8080...
* connect to 172.20.0.5 port 8080 failed: Connection refused
* Failed to connect to nextcloud port 8080 after 0 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to nextcloud port 8080 after 0 ms: Couldn't connect to server

I have no idea how to resolve this as my allow_list for WOPI in Nextcloud is empty which allows everything through. Hence I’m also able to access the url

http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=SCtz8RRqzdxvFTb2gryjTx3uY1dfHikB&access_token_ttl=0

from my computer which returns the following

{"BaseFileName":"Welcome to Nextcloud Hub.docx","Size":24295,"Version":"0","UserId":"admin","OwnerId":"admin","UserFriendlyName":"admin","UserExtraInfo":{"avatar":"http:\/\/nextcloud:8080\/avatar\/admin\/64","is_admin":true},"UserPrivateInfo":{"ZoteroAPIKey":""},"UserCanWrite":true,"UserCanNotWriteRelative":false,"PostMessageOrigin":"http:\/\/nextcloud:8080\/","LastModifiedTime":"2024-11-08T08:38:53.000000Z","SupportsRename":true,"UserCanRename":true,"EnableInsertRemoteImage":true,"EnableShare":true,"HideUserList":"","EnableOwnerTermination":true,"DisablePrint":false,"DisableExport":false,"DisableCopy":false,"HideExportOption":false,"HidePrintOption":false,"DownloadAsPostMessage":false,"SupportsLocks":false,"IsUserLocked":false,"EnableRemoteLinkPicker":true,"HasContentRange":true,"IsAdminUser":true,"IsAnonymousUser":false}

However, the collabora container is getting rejected.

Finally my docker-compose file is as shown below

services:
  postgres:
    container_name: postgres
    image: postgres
    restart: always
    volumes:
      - postgres:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB_FILE=/run/secrets/postgres_db
      - POSTGRES_USER_FILE=/run/secrets/postgres_user
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
    secrets:
      - postgres_db
      - postgres_password
      - postgres_user
    networks:
      - nextcloud_network

  redis:
    container_name: redis
    image: redis:alpine
    restart: always
    networks:
      - nextcloud_network

  nextcloud:
    image: nextcloud
    container_name: nextcloud
    restart: always
    ports:
      - 8080:80
    volumes:
      - nextcloud:/var/www/html
    environment:
      - POSTGRES_HOST=postgres
      - POSTGRES_DB_FILE=/run/secrets/postgres_db
      - POSTGRES_USER_FILE=/run/secrets/postgres_user
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      - NEXTCLOUD_ADMIN_PASSWORD_FILE=/run/secrets/nextcloud_admin_password
      - NEXTCLOUD_ADMIN_USER_FILE=/run/secrets/nextcloud_admin_user
      - NEXTCLOUD_TRUSTED_DOMAINS=collabora nextcloud
    depends_on:
      - redis
      - postgres
    secrets:
      - nextcloud_admin_password
      - nextcloud_admin_user
      - postgres_db
      - postgres_password
      - postgres_user
    networks:
      - nextcloud_network

  collabora:
    image: collabora/code
    container_name: collabora
    environment:
      - aliasgroup1=nextcloud
      - aliasgroup2=collabora
      - username=/run/secrets/collabora_admin_user
      - password=/run/secrets/collabora_admin_password
      - extra_params=--o:ssl.enable=false 
    ports:
      - "9980:9980"
    secrets:
      - collabora_admin_password
      - collabora_admin_user
    networks:
      - nextcloud_network

volumes:
  postgres:
  nextcloud:

networks:
  nextcloud_network:

secrets:
  nextcloud_admin_password:
    file: ./files/password.txt
  nextcloud_admin_user:
    file: ./files/user.txt
  collabora_admin_password:
    file: ./files/password.txt
  collabora_admin_user:
    file: ./files/user.txt
  postgres_db:
    file: ./files/db.txt
  postgres_password:
    file: ./files/password.txt
  postgres_user:
    file: ./files/user.txt

Any help would be greatly appreciated. Thanks!

1. Check Hostname Resolution

The logs indicate that Collabora is failing to reach the Nextcloud container at nextcloud:8080. Since both containers are on the same Docker network (nextcloud_network), they should be able to communicate via service names. However, double-check that:

  • The NEXTCLOUD_TRUSTED_DOMAINS environment variable in the Nextcloud service includes the actual hostname nextcloud as well as the Collabora service name collabora. Try using just localhost as an additional domain if the issue persists.

2. Verify Network Connectivity

From inside the Collabora container, try running:

docker exec -it collabora ping nextcloud

This should confirm whether nextcloud is reachable within the network. If it isn’t reachable, restarting the Docker network might help:

docker network rm nextcloud_network
docker network create nextcloud_network
docker-compose up -d

3. Allow WOPI Hosts in Collabora Configuration

To ensure Nextcloud is recognized as an authorized WOPI host:

  • Modify your Collabora configuration to explicitly allow WOPI requests from the Nextcloud URL. In your docker-compose.yml, try adding:

4. Confirm Ports and Firewall Rules

Ensure that port 8080 on the Nextcloud container is correctly exposed to the Collabora container. Also, make sure no firewall or security group settings are blocking the internal Docker network communication on these ports.

5. Verify extra_params Syntax

Collabora’s extra_params might not be interpreting multiple flags as expected. Adjust the syntax by trying:

extra_params: > 
  --o:ssl.enable=false --o:storage.wopi.host[nextcloud]=true

6. Testing the WOPI URL Externally

Since curl from outside Docker works, but fails internally, there may be a network misconfiguration. Verify that:

  • No other services are blocking traffic between containers.
  • Both collabora and nextcloud services are part of nextcloud_network in the docker-compose.yml file and that no containers are inadvertently dropped from the network.

Let me know @Panda if above does not work then we can debug this together and will solve the issue :slight_smile:

Thanks,
Darshan

Hi. Thanks for your response I would like to try

3. Allow WOPI Hosts in Collabora Configuration

but it seems like it was written half way as it ended off with “try adding:” but nothing is found below. Hence, I would like to check on what I should add to allow WOPI hosts through Collabora?

Thanks!

environment:

  • aliasgroup1=nextcloud
  • aliasgroup2=collabora
  • extra_params=–o:ssl.enable=false --o:storage.wopi.host[nextcloud]=true

I have tried the following points stated

1. Check Hostname Resolution

Within Nextcloud config.php the following is found

  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'collabora',
    2 => 'nextcloud',
  ),

To ensure that it is working I have tried accessing using both domains by placing them on my local machine host’s file both pointing to 127.0.0.1 and accessing it using collabora:8080 and nextcloud:8080 on my browser

2. Verify Network Connectivity

I am unable to do a ping in the collabora container as it would result in

docker exec -it collabora ping nextcloud

OCI runtime exec failed: exec failed: unable to start container process: exec: "ping": executable file not found in $PATH: unknown

I decided to go from a different approach and used CURL which results in

docker exec -it collabora curl -v nextcloud

*   Trying 172.20.0.2:80...
* Connected to nextcloud (172.20.0.2) port 80 (#0)
> GET / HTTP/1.1
> Host: nextcloud
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Tue, 12 Nov 2024 02:51:52 GMT
< Server: Apache/2.4.62 (Debian)
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-XSS-Protection: 1; mode=block
< X-Powered-By: PHP/8.2.25
< Set-Cookie: ocrji49pzuhu=b34b3c1253f99987f79e6586d075724f; path=/; HttpOnly; SameSite=Lax
< Set-Cookie: oc_sessionPassphrase=lVRpl00srChyMo5R3tCqMlddovHaZV6HXfPeSUDoxAJuXwjLsojcE4DYdhJ4nlD1udCsZ0F2GJM72dtx%2BfW0I4gsMN%2F66fBnXNjo4fqZKNS5r12ZEjyOAHResbe%2FhwbB; path=/; HttpOnly; SameSite=Lax
< Set-Cookie: ocrji49pzuhu=b34b3c1253f99987f79e6586d075724f; path=/; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-/wVSvvU45/Xr54AywpOoINTSdSZ9t3grruNJ4pYuDM4='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';
< Set-Cookie: nc_sameSiteCookielax=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: nc_sameSiteCookiestrict=true; path=/; httponly;expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: ocrji49pzuhu=b34b3c1253f99987f79e6586d075724f; path=/; HttpOnly; SameSite=Lax
< Location: http://nextcloud/login
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host nextcloud left intact

to ensure that it is indeed the correct nextcloud IP address I did the following

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' nextcloud

172.20.0.2

which corresponds to the same IP as shown in CURL

3. Allow WOPI Hosts in Collabora Configuration

I have tried adding

aliasgroup1=nextcloud
aliasgroup2=collabora
extra_params=–o:ssl.enable=false --o:storage.wopi.host[nextcloud]=true

However the same error presists when accessing a docx file

In nextcloud UI

Document loading failed
Unauthorised WOPI host. Please try again later and report to your administrator if the issue persists.

In collabora Docker logs

wsd-00001-00032 2024-11-12 02:55:58.880213 +0000 [ websrv_poll ] ERR  #32: Read failed, have 0 buffered bytes (ECONNREFUSED: Connection refused)| net/Socket.hpp:1275
wsd-00001-00032 2024-11-12 02:55:58.880255 +0000 [ websrv_poll ] ERR  #32: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-12 02:55:58.880263 +0000 [ websrv_poll ] ERR  #32: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1591
wsd-00001-00032 2024-11-12 02:55:58.880272 +0000 [ websrv_poll ] ERR  #32: WOPI::CheckFileInfo failed for URI [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=Ez4hvoBoNPE1F5nVcIFTYKHxkBONU5ev&access_token_ttl=0]: 0 (Unknown) . Headers:     Body: []| wsd/wopi/CheckFileInfo.cpp:98
wsd-00001-00032 2024-11-12 02:55:58.880275 +0000 [ websrv_poll ] ERR  #32: Invalid URI or access denied to [http://nextcloud:8080/index.php/apps/richdocuments/wopi/files/46_ocrji49pzuhu?access_token=Ez4hvoBoNPE1F5nVcIFTYKHxkBONU5ev&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:116
wsd-00001-00032 2024-11-12 02:55:58.885759 +0000 [ websrv_poll ] ERR  #32: CheckFileInfo failed for [http%3A%2F%2Fnextcloud%3A8080%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F46_ocrji49pzuhu], State::Fail| wsd/RequestVettingStation.cpp:269

4. Confirm Ports and Firewall Rules

As shown in 3. Collabora is able to CURL Nextcloud

5. Verify extra_params Syntax

As explained in 3. I have attempted to use the settings suggested but to no avail

However a good point was brought up in whether Collabora is able to interpret my parameters entered. Hence I decided to look into coolwsd.xml it seems like it’s not being registered as the aliasgroup do not have nextcloud or collabora. Could this be the issue?

    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>

            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <!--<group>
                    <host desc="hostname to allow or deny." allow="true">scheme://hostname:port</host>
                    <alias desc="regex pattern of aliasname">scheme://aliasname1:port</alias>
                    <alias desc="regex pattern of aliasname">scheme://aliasname2:port</alias>
                    
            </group>-->
            <!-- More "group"s possible here -->
            </alias_groups>

            <is_legacy_server desc="Set to true for legacy server that need deprecated headers." type="bool" default="false"></is_legacy_server>
        </wopi>
        <ssl desc="SSL settings">
            <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting"></enable>
            <cert_file_path desc="Path to the cert file. When empty this defaults to following the ssl.cert_file_path setting" relative="false"></cert_file_path>
            <key_file_path desc="Path to the key file. When empty this defaults to following the ssl.key_file_path setting" relative="false"></key_file_path>
            <ca_file_path desc="Path to the ca file. When empty this defaults to following the ssl.ca_file_path setting" relative="false"></ca_file_path>
            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
        </ssl>
    </storage>

I have tried both

    environment:
      aliasgroup1: nextcloud
      aliasgroup2: collabora
      username: /run/secrets/collabora_admin_user
      password: /run/secrets/collabora_admin_password
      extra_params: > 
        --o:ssl.enable=false --o:storage.wopi.host[nextcloud]=true

and

    environment:
      - aliasgroup1=nextcloud
      - aliasgroup2=collabora
      - username=/run/secrets/collabora_admin_user
      - password=/run/secrets/collabora_admin_password
      - extra_params=--o:ssl.enable=false  --o:storage.wopi.host[nextcloud]=true 

but the results are the same with the aliasgroup missing in coolwsd.xml

6. Testing the WOPI URL Externally

As shown in 3. Collabora is able to CURL nextcloud

Can you try this way to set your alias group in a correct way?

Also, I encourage to ready the steps to configure collabora with docker in NC

Hi,

Just to understand regarding alias groups isn’t it suppose to be a variable in docker-compose which would automatically update the coolwsd.xml file?

I am unable to adjust it manually in the container as I cannot use

apt-get update -y
apt-get install vim -y

I have also experimented and tried with a lower version specifically

collabora/code:21.11.4.1.1

and it works with the settings

      aliasgroup1: http://nextcloud:8080
      aliasgroup2: http://collabora:9980

Was there a change in settings for ENV variables? Or the way to go now is to directly set the XML files? if it is really the way I will mount a coolwsd.xml file directly. I have checked collabora documentation for 24.04 and it also suggests using alias_groups as seen below

https://sdk.collaboraonline.com/docs/installation/CODE_Docker_image.html#how-to-grab-the-code-image-from-docker-image

It can be noted that after using the old version the issue changes and it seems like it maybe a version difference which causes an error as it now shows this error in the browser console

bundle.js:1 Blocked autofocusing on a <textarea> element in a cross-origin subframe.
onAdd @ bundle.js:1
_layerAdd @ bundle.js:1
whenReady @ bundle.js:1
addLayer @ bundle.js:1
initialize @ bundle.js:1
NewClass @ bundle.js:1
L.map @ bundle.js:1
(anonymous) @ bundle.js:1
(anonymous) @ bundle.js:1
(anonymous) @ bundle.js:1Understand this errorAI
3bundle.js:1 Uncaught TypeError: Cannot read properties of undefined (reading 'isCalc')
    at NewClass._activate (bundle.js:1:1114212)
    at NewClass._onSocketOpen (bundle.js:1:1023206)

while the error in Nextcloud has changed to

Failed to load Nextcloud Office - please try again later

Regarding the nextcloud installation everything is working as the environment variables that I have entered are being correctly registered I have also followed the tutorial and ran the following which results in the following.

docker exec --user www-data nextcloud php occ app:enable richdocuments
richdocuments already enabled