Unable to load document in collabora after setting up the reverse proxy

I have pulled collabora/code from docker and developed a web application as the WOPI host. They both run as docker containers on the same server. Everything looked fine before setting up the reverse proxy, and the files could be opened in Collabora. But after I set up the reverse proxy in apache2, the document cannot be opened in CODE, with the error message "Well, this is embarassing, we cannot connect to your document. Please try again". I can still access the discovery service and the WOPI REST endpoint after setting up the reverse proxy. Below is the error log from the Collabora docker container; for security, I replaced the domain with xxx:

wsd-00001-00047 2022-07-01 06:49:43.982404 +0000 [ docbroker_001 ] ERR  No HTTP Authorization type detected. Assuming no authorization needed. Specify access_token to set the Authorization Bearer header.| common/Authorization.cpp:82
wsd-00001-00047 2022-07-01 06:50:14.006807 +0000 [ docbroker_001 ] ERR  loading document exception: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:2216
wsd-00001-00047 2022-07-01 06:50:14.006845 +0000 [ docbroker_001 ] ERR  Failed to add session to [https://office.xxx.com:443/wopi/files/cd6f6172-0a3f-4d18-bfe7-38f448e8485b] with URI [https://office.xxx.com/wopi/files/cd6f6172-0a3f-4d18-bfe7-38f448e8485b]: WOPI::CheckFileInfo failed: | wsd/DocumentBroker.cpp:2178
wsd-00001-00047 2022-07-01 06:50:14.006859 +0000 [ docbroker_001 ] ERR  Storage error while starting session on https://office.xxx.com:443/wopi/files/cd6f6172-0a3f-4d18-bfe7-38f448e8485b for socket #28. Terminating connection. Error: WOPI::CheckFileInfo failed: | wsd/COOLWSD.cpp:4407
wsd-00001-00047 2022-07-01 06:50:14.007648 +0000 [ docbroker_001 ] ERR  Invalid or unknown session [001] to remove.| wsd/DocumentBroker.cpp:2261
wsd-00001-00044 2022-07-01 06:50:14.133870 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://office.xxx.com:443/wopi/files/cd6f6172-0a3f-4d18-bfe7-38f448e8485b].| wsd/COOLWSD.cpp:4437
wsd-00001-00044 2022-07-01 06:50:14.133915 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1418
wsd-00001-00044 2022-07-01 06:50:14.133926 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1418
wsd-00001-00044 2022-07-01 06:50:14.133933 +0000 [ websrv_poll ] ERR  #28: attempted to remove: 876 which is > size: 0 clamped to 0| net/Socket.hpp:1224
wsd-00001-00044 2022-07-01 06:50:14.134368 +0000 [ websrv_poll ] ERR  #28 Error while handling poll at 0 in websrv_poll: #28BIO error: 337690831, rc: -1: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:
140016703928064:error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:../ssl/ssl_lib.c:1917:
| net/Socket.cpp:451
wsd-00001-00044 2022-07-01 06:50:14.761451 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://office.xxx.com:443/wopi/files/cd6f6172-0a3f-4d18-bfe7-38f448e8485b].| wsd/COOLWSD.cpp:4437
wsd-00001-00044 2022-07-01 06:50:14.761492 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1418
wsd-00001-00044 2022-07-01 06:50:14.761503 +0000 [ websrv_poll ] ERR  #28: Socket write returned -1 (ENOENT: No such file or directory)| net/Socket.hpp:1418
wsd-00001-00044 2022-07-01 06:50:14.761510 +0000 [ websrv_poll ] ERR  #28: attempted to remove: 876 which is > size: 0 clamped to 0| net/Socket.hpp:1224
wsd-00001-00044 2022-07-01 06:50:14.761534 +0000 [ websrv_poll ] ERR  #28 Error while handling poll at 0 in websrv_poll: #28BIO error: 337690831, rc: -1: error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:
140016703928064:error:1420C0CF:SSL routines:ssl_write_internal:protocol is shutdown:../ssl/ssl_lib.c:1917:
| net/Socket.cpp:451
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00040-00040 2022-07-01 06:50:16.515329 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/9phdbgmlkRX2bxGz/tmp]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00040-00040 2022-07-01 06:50:16.520457 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/9phdbgmlkRX2bxGz/lo]| common/JailUtil.cpp:70
sh: 1: /usr/bin/coolmount: Operation not permitted
frk-00040-00040 2022-07-01 06:50:16.525235 +0000 [ forkit ] ERR  Failed to unmount [/opt/cool/child-roots/9phdbgmlkRX2bxGz]| common/JailUtil.cpp:70
wsd-00001-00055 2022-07-01 06:50:16.820093 +0000 [ docbroker_002 ] ERR  No HTTP Authorization type detected. Assuming no authorization needed. Specify access_token to set the Authorization Bearer header.| common/Authorization.cpp:82

My Apache2 config:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName office.xxx.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        RewriteEngine on

        <Proxy *>
        #        Order Deny,Allow
        #        Deny from all
        #        Allow from 132.148.160.0/24
        #        Allow from 192.168.5.0/24
        </Proxy>

        ProxyPreserveHost On
        SSLProxyEngine On
        LimitRequestBody 52428800
        AllowEncodedSlashes NoDecode

        # cert is issued for collaboraonline.example.com and we proxy to localhost
        SSLProxyVerify none
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        #SSLProxyCheckPeerExpire off

        # static html, js, images, etc. served from coolwsd
        # browser is the client part of Collabora Online
        ProxyPass           /browser https://132.148.160.88:9980/browser retry=0
        ProxyPassReverse    /browser https://132.148.160.88:9980/browser

        # WOPI discovery URL
        ProxyPass           /hosting/discovery https://132.148.160.88:9980/hosting/discovery retry=0
        ProxyPassReverse    /hosting/discovery https://132.148.160.88:9980/hosting/discovery

        # Capabilities
        ProxyPass           /hosting/capabilities https://132.148.160.88:9980/hosting/capabilities retry=0
        ProxyPassReverse    /hosting/capabilities https://132.148.160.88:9980/hosting/capabilities

        # Main websocket
        ProxyPassMatch      "/cool/(.*)/ws$"      wss://132.148.160.88:9980/cool/$1/ws nocanon

        # Admin Console websocket
        ProxyPass           /cool/adminws wss://132.148.160.88:9980/cool/adminws

        # Download as, Fullscreen presentation and Image upload operations
        ProxyPass           /cool https://132.148.160.88:9980/cool
        ProxyPassReverse    /cool https://132.148.160.88:9980/cool
        # Compatibility with integrations that use the /lool/convert-to endpoint
        ProxyPass           /lool https://132.148.160.88:9980/cool
        ProxyPassReverse    /lool https://132.148.160.88:9980/cool

        # WOPI host
        ProxyPass           /wopi http://132.148.160.88:8077/wopi
        ProxyPassReverse    /wopi http://132.148.160.88:8077/wopi

        SSLCertificateFile /etc/letsencrypt/live/office.xxx.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/office.xxx.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>


SSL part of coolwsd.xml:

    <ssl desc="SSL settings">
        <!-- switches from https:// + wss:// to http:// + ws:// -->
        <enable type="bool" desc="Controls whether SSL encryption between coolwsd and the network is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
        <!-- SSL off-load can be done in a proxy, if so disable SSL, and enable termination below in production -->
        <termination desc="Connection via proxy where coolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
        <cert_file_path desc="Path to the cert file" relative="false">/etc/coolwsd/cert.pem</cert_file_path>
        <key_file_path desc="Path to the key file" relative="false">/etc/coolwsd/key.pem</key_file_path>
        <ca_file_path desc="Path to the ca file" relative="false">/etc/coolwsd/ca-chain.cert.pem</ca_file_path>
        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
            <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
            <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
            </pins>
        </hpkp>
        <sts desc="Strict-Transport-Security settings, per rfc6797. Subdomains are always included.">
            <enabled desc="Whether or not Strict-Transport-Security is enabled. Enable only when ready for production. Cannot be disabled without resetting the browsers." type="bool" default="false">false</enabled>
            <max_age desc="Strict-Transport-Security max-age directive, in seconds. 0 is allowed; please see rfc6797 for details. Defaults to 1 year." type="int" default="31536000">31536000</max_age>
        </sts>
    </ssl>


Backend storage part of coolwsd.xml:

    <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage." allow="true">
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>

            <alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="first">
            <!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
                    add the hosts below.  If one host is accessible under multiple ip addresses
                    or names, add them as aliases. -->
            <group>
                    <host desc="hostname to allow or deny." allow="true"></host>
            </group>
            <!-- More "group"s possible here -->
            </alias_groups>

        </wopi>
        <ssl desc="SSL settings">
            <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">false</as_scheme>
            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and coolwsd. When empty this defaults to following the ssl.enable setting"></enable>
            <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
            <key_file_path desc="Path to the key file" relative="false"></key_file_path>
            <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overridden only if absolutely needed."></cipher_list>
        </ssl>
    </storage>

Just fixed it. From inside the Collabora docker container I cannot curl the WOPI endpoint. It seems that there is a problem with my DNS setting. After adding the office domain to /etc/hosts on the server where docker is installed, it works fine.
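The failing step above is coolwsd's WOPI::CheckFileInfo call from inside the container, which first needs the public host name to resolve and then needs a 200 with the access_token sent as a Bearer header. The following diagnostic script is an added example, not code from the original post or from Collabora Online; it takes the docKey as printed in the coolwsd log and an access_token as arguments, and the container name, script file name and the :443 normalisation are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not part of the original post or of Collabora Online).
# Reproduces, from inside the CODE container, what coolwsd must do before a
# document can open: resolve the public WOPI host and get HTTP 200 from
# CheckFileInfo. In the thread above this failed because the container could
# not resolve office.xxx.com, not because of the Apache proxy rules.

# Turn a docKey as logged by coolwsd (https://office.xxx.com:443/wopi/files/<id>)
# into the URI coolwsd actually requests (https://office.xxx.com/wopi/files/<id>).
# Dropping the redundant :443 is an assumption that matches the two log lines.
checkfileinfo_url() {
    printf '%s\n' "$1" | sed -e 's#^\(https://[^/:]*\):443/#\1/#'
}

# Host part of a URL: strip scheme, then anything from the first ':' or '/'.
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# 0 if the name resolves with the resolver the container really uses
# (glibc order: /etc/hosts first, then DNS), 1 otherwise.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Resolution check, then an authenticated CheckFileInfo. The token goes both
# in the query string and as "Authorization: Bearer", which is what the
# "Specify access_token to set the Authorization Bearer header" log line means.
diagnose() {
    dockey="$1"; token="$2"
    url=$(checkfileinfo_url "$dockey")
    host=$(url_host "$url")
    if ! host_resolves "$host"; then
        echo "FAIL: '$host' does not resolve inside the container; fix DNS or add it to /etc/hosts"
        return 1
    fi
    status=$(curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $token" "$url?access_token=$token")
    if [ "$status" = "200" ]; then
        echo "OK: CheckFileInfo returned 200 for $url"; return 0
    fi
    echo "FAIL: CheckFileInfo returned HTTP $status for $url"
    return 1
}

# Run only when both arguments are given, e.g. (container name assumed):
#   docker exec -it collabora sh wopi-diag.sh '<docKey from log>' '<access_token>'
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

A FAIL on the resolution step reproduces this thread's root cause; a FAIL with an HTTP status instead points at the WOPI host or the proxy rules for /wopi.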
