Looking for help with configuring Apache2 & coolwsd.xml for Proxy

I have a setup that has a TrueNAS host, running Docker images for Nextcloud and Collabora, and a Linux VM running Virtualmin which manages Apache and other web apps for me as a proxy.

Originally, I had Nextcloud configured to use Collabora using the URL of 10.0.0.253:9980, ignoring the self-signed certificate. This worked from my home network, but failed when I was outside and accessing Nextcloud via Proxy.

I then tried to set up a Proxy for Collabora, but after configuring it, I am getting a 403 Forbidden when trying to browse to the new URL for the proxy. The intended URL of the Collabora server is office(dot)aiskon(dot)net

I tried to follow the directions from the Proxy Settings page, but seem to be stuck. Below are my files:

https://www.aiskon.net/public/collabora/apache2.txt

https://www.aiskon.net/public/collabora/coolwsd.xml.txt

May I get pointers on what I am missing?

Thank you!

If it helps at all, here are my settings from within Nextcloud:

Hello @GJSchaller, welcome to the Collabora Online forum. I did some investigation; here are some points that you can check one by one to see if that works.

1. Check coolwsd.xml Configuration

  • Ensure that the coolwsd.xml file allows traffic from the reverse proxy (office.aiskon.net):
    To allow multiple hosts or aliases (e.g., your internal network IP and proxy domain), switch the mode to "groups" and explicitly define your allowed hosts. Here’s how you can configure it:

Check out coolwsd.xml => alias_groups


2. Apache Proxy Configuration

  • Your Apache proxy settings for Collabora seem well-structured, but here are a few refinements:
    • Add nocanon to all ProxyPass directives where URLs are being passed to coolwsd (especially WebSocket URLs).
    ProxyPass           /cool http://10.0.0.253:9980/cool nocanon
    ProxyPassReverse    /cool http://10.0.0.253:9980/cool
    
    • Ensure that the WebSocket upgrade conditions match. For example:
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule ^/?(.*) "ws://10.0.0.253:9980/$1" [P,L]
    

3. Enable AllowEncodedSlashes Globally

  • You have configured AllowEncodedSlashes NoDecode for the VirtualHost, but this might need to be set globally in Apache:
    AllowEncodedSlashes NoDecode
    

4. Verify SSL Configuration

  • Confirm that the SSL certificate for office.aiskon.net is valid and trusted by Collabora. You can test this by accessing https://office.aiskon.net/hosting/discovery directly.
  • Ensure the SSL handshake works between Apache and the Collabora server. If using self-signed certificates:
    • Add the self-signed CA certificate to Apache’s trusted store.
    • Configure Collabora to ignore invalid certificates temporarily by setting <ssl> in coolwsd.xml:
      <ssl>
          <termination>true</termination>
      </ssl>
      

5. Inspect Collabora Logs

  • Check the Collabora logs for details on the 403 Forbidden error:
    docker logs <collabora-container-name>
    
    Look for messages related to unauthorized access, WebSocket issues, or CORS errors.

6. Confirm Proxy Functionality

  • Test each proxied endpoint individually in your browser or with curl to verify if Apache forwards requests properly:
    curl -I https://office.aiskon.net/hosting/discovery
    curl -I https://office.aiskon.net/cool
    curl -I https://office.aiskon.net/cool/adminws
    

7. Firewall/Network Configuration

  • Ensure that port 9980 is open between your TrueNAS Docker host and the proxy server.
  • Confirm there are no additional security rules on the TrueNAS or Linux VM blocking traffic.

If you are still having the same issue, could you please share the error logs? That will help to find the cause.

Thanks
Darshan
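
The Apache checks from points 2 and 3 of the reply above can be run mechanically against a vhost file. The following is an added example, not part of any post in this thread and not Collabora's own tooling; `lint_vhost`, the sample vhost and the `/browser` path are constructed for illustration, and only the backend address 10.0.0.253:9980 comes from the thread.

```python
import re

# Constructed sample vhost; only the backend address comes from the thread.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    AllowEncodedSlashes NoDecode
    ProxyPass        /browser http://10.0.0.253:9980/browser
    ProxyPassReverse /browser http://10.0.0.253:9980/browser
    ProxyPass        /cool http://10.0.0.253:9980/cool nocanon
    ProxyPassReverse /cool http://10.0.0.253:9980/cool
    RewriteEngine On
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule ^/?(.*) "ws://10.0.0.253:9980/$1" [P,L]
</VirtualHost>
"""

def lint_vhost(text):
    """Return (line_number, message) findings; line 0 means 'whole block'."""
    findings, slashes_ok, conds = [], False, []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()          # naive split: assumes no spaces inside quoted args
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "allowencodedslashes":
            slashes_ok = [a.lower() for a in args[:1]] == ["nodecode"]
        elif name in ("proxypass", "proxypassmatch") and "!" not in args:
            if "nocanon" not in (a.lower() for a in args):
                findings.append((no, f"{parts[0]} {' '.join(args[:1])} lacks nocanon"))
        elif name == "rewritecond":
            m = re.match(r"%\{HTTP:([\w-]+)\}", args[0] if args else "", re.I)
            if m:
                conds.append(m.group(1).lower())   # header this condition tests
        elif name == "rewriterule":
            target = args[1].strip('"').lower() if len(args) > 1 else ""
            flags = args[2].strip("[]").upper().split(",") if len(args) > 2 else []
            if target.startswith(("ws://", "wss://")):
                if "P" not in flags:
                    findings.append((no, "WebSocket RewriteRule lacks the [P] flag"))
                findings += [(no, f"no RewriteCond on HTTP:{h} guards this rule")
                             for h in ("upgrade", "connection") if h not in conds]
            conds = []               # conditions apply only to the next RewriteRule
    if not slashes_ok:
        findings.append((0, "AllowEncodedSlashes NoDecode is not set"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_vhost(SAMPLE_VHOST):
        print(f"line {no}: {msg}")
```

The function only inspects the text it is given, so pass it the VirtualHost block that actually serves the Collabora hostname rather than the global configuration.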

Thank you for this - I’ll do some digging on my end. Most of this is already in place, I just need to check the logs.

My day job has also been my night / weekend job this week, I may be a few days before I can respond here.
