Looking for help with configuring Apache2 & coolwsd.xml for Proxy

I have a setup that has a TrueNAS host, running Docker images for Nextcloud and Collabora, and a Linux VM running Virtualmin which manages Apache and other web apps for me as a proxy.

Originally, I had Nextcloud configured to use Collabora using the URL of 10.0.0.253:9980, ignoring the self-signed certificate. This worked from my home network, but failed when I was outside and accessing Nextcloud via Proxy.

I then tried to set up a Proxy for Collabora, but after configuring it, I am getting a 403 Forbidden when trying to browse to the new URL for the proxy. The intended URL of the Collabora server is office(dot)aiskon(dot)net

I tried to follow the directions from the Proxy Settings page, but seem to be stuck. Below are my files:

https://www.aiskon.net/public/collabora/apache2.txt

https://www.aiskon.net/public/collabora/coolwsd.xml.txt

May I get pointers on what I am missing?

Thank you!

If it helps at all, here are my settings from within Nextcloud:

Hello @GJSchaller, welcome to the Collabora Online forum. I did some investigation; here are some points that you can check one by one to see if that works.

1. Check coolwsd.xml Configuration

  • Ensure that the coolwsd.xml file allows traffic from the reverse proxy (office.aiskon.net):
    To allow multiple hosts or aliases (e.g., your internal network IP and proxy domain), switch the mode to "groups" and explicitly define your allowed hosts. Here’s how you can configure it:

Check out coolwsd.xml => alias_groups


2. Apache Proxy Configuration

  • Your Apache proxy settings for Collabora seem well-structured, but here are a few refinements:
    • Add nocanon to all ProxyPass directives where URLs are being passed to coolwsd (especially WebSocket URLs).
    ProxyPass           /cool http://10.0.0.253:9980/cool nocanon
    ProxyPassReverse    /cool http://10.0.0.253:9980/cool
    
    • Ensure that the WebSocket upgrade conditions match. For example:
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule ^/?(.*) "ws://10.0.0.253:9980/$1" [P,L]
    

3. Enable AllowEncodedSlashes Globally

  • You have configured AllowEncodedSlashes NoDecode for the VirtualHost, but this might need to be set globally in Apache:
    AllowEncodedSlashes NoDecode
    

4. Verify SSL Configuration

  • Confirm that the SSL certificate for office.aiskon.net is valid and trusted by Collabora. You can test this by accessing https://office.aiskon.net/hosting/discovery directly.
  • Ensure the SSL handshake works between Apache and the Collabora server. If using self-signed certificates:
    • Add the self-signed CA certificate to Apache’s trusted store.
    • Configure Collabora to ignore invalid certificates temporarily by setting <ssl> in coolwsd.xml:
      <ssl>
          <termination>true</termination>
      </ssl>
      

5. Inspect Collabora Logs

  • Check the Collabora logs for details on the 403 Forbidden error:
    docker logs <collabora-container-name>
    
    Look for messages related to unauthorized access, WebSocket issues, or CORS errors.

6. Confirm Proxy Functionality

  • Test each proxied endpoint individually in your browser or with curl to verify if Apache forwards requests properly:
    curl -I https://office.aiskon.net/hosting/discovery
    curl -I https://office.aiskon.net/cool
    curl -I https://office.aiskon.net/cool/adminws
    

7. Firewall/Network Configuration

  • Ensure that port 9980 is open between your TrueNAS Docker host and the proxy server.
  • Confirm there are no additional security rules on the TrueNAS or Linux VM blocking traffic.

If you are still having the same issue, could you please share the error logs? That will help to find the cause.

Thanks
Darshan

Thank you for this - I’ll do some digging on my end. Most of this is already in place, I just need to check the logs.

My day job has also been my night / weekend job this week, I may be a few days before I can respond here.


Finally getting back to this - thank you for your patience.

Steps 1, 2, and 4 are already in place. I focused on Step 6, which had some interesting results.

When I browse to http://10.0.0.253:9980/cool from my home network, I still get an HTTP ERROR 400, even without going through the proxy. I can browse to http://10.0.0.253:9980/hosting/discovery and get the XML file, though, so at least that part is working.

Could the issue be the Docker image itself (or its configuration), rather than the proxy?

Maybe, I am not sure. Can you share the Docker image config file?

File is as follows:

services:
  mariadb:
    image: lscr.io/linuxserver/mariadb:latest
    container_name: nextcloud-db
    environment:
      - PUID=999
      - PGID=999
      - TZ=America/New_York
      - MYSQL_ROOT_PASSWORD=(Redacted)
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=(Redacted)
    volumes:
      - /mnt/data/apps/nextcloud/database:/config
    restart: unless-stopped
  nextcloud:
    image: lscr.io/linuxserver/nextcloud:latest
    container_name: nextcloud
    environment:
      - PUID=568
      - PGID=568
      - TZ=America/New_York
    volumes:
      - /mnt/data/apps/nextcloud/config:/config
      - /mnt/data/apps/nextcloud/data:/data
    ports:
      - 11000:443
    restart: unless-stopped
  collabora:
    image: collabora/code
    container_name: collabora
    restart: unless-stopped
    environment:
      - PUID=568
      - PGID=568
      - TZ=America/New_York
      - dictionaries=en_US
    volumes:
      - /mnt/data/apps/nextcloud/collabora:/etc/coolwsd/:rw
    ports:
      - 9980:9980
networks: {}

Coming back to this - I reset everything back to as simple as possible, and a working state (Local access only, no proxy set up). I’ll try to work out the local issues before setting up the proxy.

Right now, using the docker compose file listed above, here are the results I get for various URLs:

https://10.0.0.253:9980/ - “OK”

(Base URL)/hosting/discovery - XML File (Expected result)

(Base URL)/cool - HTTP Error 400

(Base URL)/cool/adminws - HTTP Error 400

Collabora works fine when tested from my local network at home - I can browse Nextcloud and open a file to edit. I’m not sure if I need to fix the two HTTP 400 errors before trying the proxy next?

Hi @GJSchaller

The HTTP 400 errors for /cool and /cool/adminws might not necessarily indicate a problem in your setup.

If local access is stable:

  • Proceed with proxy setup. Typically, you’ll use something like NGINX or Traefik.
  • Ensure the proxy correctly handles WebSocket connections (important for Collabora).
  • Use a valid SSL certificate, either self-signed for testing or issued by Let’s Encrypt for production.

Once the proxy is configured:

  • Confirm the /hosting/discovery endpoint is accessible through the proxied URL.
  • Test editing files in Nextcloud via the proxied URL.

https://collabora-online-for-nextcloud.readthedocs.io/en/latest/install/

Note:

  • Ensure the Collabora container is reachable from the proxy (use Docker’s network or map the host IP).
  • Add any necessary headers to the proxy configuration for WebSocket support.

Thanks,
Darshan
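
Added example, not part of the thread and not Collabora's own code: both replies above suggest confirming that /hosting/discovery is reachable through the proxied URL, and this sketch goes one step further by checking that the urlsrc values in that response use the proxy's public scheme and host rather than the internal address. The sample XML bodies are constructed and assume the usual wopi-discovery layout (action elements carrying a urlsrc attribute); office.example.net is a placeholder hostname.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed samples of a /hosting/discovery body (trimmed, not from the thread).
# BAD: the proxy answers, but the advertised editor URL is the internal address.
BAD_DISCOVERY = """<wopi-discovery><net-zone name="external-http">
  <app name="writer">
    <action ext="odt" name="edit"
            urlsrc="http://10.0.0.253:9980/browser/abc123/cool.html?"/>
  </app>
</net-zone></wopi-discovery>"""
# GOOD: the advertised URL uses the public HTTPS name of the proxy.
GOOD_DISCOVERY = BAD_DISCOVERY.replace(
    "http://10.0.0.253:9980", "https://office.example.net")


def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def check_discovery(xml_text, public_url):
    """Return (ext, urlsrc) for every action whose urlsrc is not on public_url's origin."""
    expected = origin(public_url)
    mismatches = []
    for action in ET.fromstring(xml_text).iter("action"):
        urlsrc = action.get("urlsrc", "")
        if origin(urlsrc) != expected:
            mismatches.append((action.get("ext"), urlsrc))
    return mismatches


if __name__ == "__main__":
    for name, body in (("bad", BAD_DISCOVERY), ("good", GOOD_DISCOVERY)):
        found = check_discovery(body, "https://office.example.net")
        print(name, "->", found or "all urlsrc values match the public origin")
```

To use it on a real deployment, pass the body returned by curl for the proxied /hosting/discovery URL as xml_text and the public proxy URL as public_url.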