So I kind of found the issue and multiple fixes to it.
The problem is that the Collabora and Nextcloud-Servers are being proxied by Cloudflare. Specifying the Nextcloud-Server in aliasgroup1
therefore doesn’t allow the actual requesting IP.
Meaning
a1.a2.a3.a4
maps to example.com, which is listed in aliasgroup1
.
The outgoing requests from that server are coming from b1.b2.b3.b4
, which is not mapped to example.com, and is also not allowed to make WOPI requests, just like any Cloudflare IPs aren’t allowed, except the one that maps to example.com.
Probably insecure solution
This, especially configuring the Allow list for WOPI requests
, did solve my problem.
Just adding all Cloudflare IP-Ranges to Allow list for WOPI requests
in the Nextcloud-Web-UI fixed the problem for me. I am not sure if this is secure (at all).
@Red’s answer (stackoverflow.com) is still kind of correct and would work for static IPs. And I would consider it (more) secure depending on the resulting Allow list for WOPI requests
in the Nextcloud-Web-UI.
A more secure solution would be following this
Things you have to change regardless of Full (strict) Cloudflare ssl configuration
As stated here, you would then specify in the Allow list for WOPI requests
, which can be found in the Nextcloud-Web-UI:
<Docker-hostname-that-both-Nextcloud-and-Collabora-share-as-IPv4,Docker-hostname-that-both-Nextcloud-and-Collabora-share-as-IPv6>
So for example:
10.1.0.1/16,fe80::.../64
You will also have to select Disable certificate verification (insecure)
. Since requests will be made locally, this shouldn’t be a problem.
Things to consider when using Full (strict) Cloudflare ssl configuration - Adding a local nginx server block
The local server block can’t contain the following:
server {
...
ssl_stapling on;
ssl_stapling_verify on;
ssl_verify_client on;
ssl_client_certificate [...];
ssl_trusted_certificate [...];
...
}
Your Cloudflare configuration can stay the same, since requests from Nextcloud to Collabora and vice versa will be made locally
Other things I have changed for the local server block:
server {
listen 127.0.0.1:443 ssl;
listen [::1]:443 ssl;
listen <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:443 ssl;
...
}
Other than that both the local and the public server blocks are exactly the same.
The public server block however only listens on the following:
server {
listen 443 ssl;
listen [::]:443 ssl;
...
}
You might have to add the following to other server blocks that aren’t your public Collabora or Nextcloud blocks if they are also on <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:
server {
...
listen <Docker-hostname-that-both-Nextcloud-and-Collabora-share>:443 ssl;
...
}
Things to consider when using Podman
This also works if all the services concerned are in the same Podman pod, and you are using Podman, NOT Docker:
You would then have to specify as flags for podman pod create
:
--network-alias=collabora.example.com --network-alias=nextcloud.example.com
I also removed the extra Web-Server from my original configuration and just moved it to the reverse proxy for anyone trying to follow that.
NOTE: I did a lot of edits and hope that this is finally done and at least kind of well-structured. NOTE2: Read your edits before submitting