Nextcloud Office can't connect to CODE behind reverse proxy: Requesting address is denied

So I kind of found the issue and multiple fixes to it.

The problem is that the Collabora and Nextcloud-Servers are being proxied by Cloudflare. Specifying the Nextcloud-Server in aliasgroup1 therefore doesn’t allow the actual requesting IP.

Meaning

a1.a2.a3.a4 maps to example.com, which is listed in aliasgroup1.

The outgoing requests from that server are coming from b1.b2.b3.b4, which is not mapped to example.com, and is also not allowed to make WOPI requests, just like any Cloudflare IPs aren’t allowed, except the one that maps to example.com.

Probably insecure solution

This, especially configuring the Allow list for WOPI requests, did solve my problem.

Just adding all Cloudflare IP-Ranges to Allow list for WOPI requests in the Nextcloud-Web-UI fixed the problem for me. I am not sure if this is secure (at all).

@Red’s answer (stackoverflow.com) is still kind of correct and would work for static IPs. And I would consider it (more) secure depending on the resulting Allow list for WOPI requests in the Nextcloud-Web-UI.

A more secure solution would be following this

Things you have to change regardless of Full (strict) Cloudflare ssl configuration

As stated here, you would then specify in the Allow list for WOPI requests, which can be found in the Nextcloud-Web-UI:

<Docker-hostname-that-both-Nextcloud-and-Collabora-share-as-IPv4,Docker-hostname-that-both-Nextcloud-and-Collabora-share-as-IPv6>

So for example:

10.1.0.1/16,fe80::.../64

You will also have to select Disable certificate verification (insecure). Since requests will be made locally, this shouldn’t be a problem.

Things to consider when using Full (strict) Cloudflare ssl configuration - Adding a local nginx server block

The local server block can’t contain the following:

server {
    ...
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_verify_client on;
    ssl_client_certificate [...];
    ssl_trusted_certificate [...];
    ...
}

Your Cloudflare configuration can stay the same, since requests from Nextcloud to Collabora and vice versa will be made locally

Other things I have changed for the local server block:

server {
    listen 127.0.0.1:443 ssl;
    listen [::1]:443 ssl;
    listen <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:443 ssl;
    ...
}

Other than that both the local and the public server blocks are exactly the same.

The public server block however only listens on the following:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ...
}

You might have to add the following to other server blocks that aren’t your public Collabora or Nextcloud blocks if they are also on <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:

server {
    ...
    listen <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:443 ssl;
    ...
}

Things to consider when using Podman

This also works if all the services concerned are in the same Podman pod, and you are using Podman, NOT Docker:

You would then have to specify as flags for podman pod create:

--network-alias=collabora.example.com --network-alias=nextcloud.example.com

I also removed the extra Web-Server from my original configuration and just moved it to the reverse proxy for anyone trying to follow that.

NOTE: I did a lot of edits and hope that this is finally done and at least kind of well-structured. NOTE2: Read your edits before submitting :slight_smile:

2 Likes