WOPI Access denied

Dear Collabora Community,

although I’ve searched several forums the past days and there are many posts and docs available, I’m struggling to get the connection to the Collabora Server up and running. I hope to find some new insight which will help me.

Goal:
Having my Nextcloud instance connect to the Collabora server, then having the Collabora server running in the same datacenter as a CT/VM

My test setup:
Nextcloud Server hosted on a VM behind a pfSense with HAProxy (has worked fine for years) in a datacenter
Collabora server hosted on a VM (exposed on 80 & 443) on a Proxmox server at home - non docker version - nginx webserver running as explained in most tutorials and documentation

  • Collabora is up and running, capabilities, discovery and admin are working fine.

  • Connection from Nextcloud to Collabora is OK.

Opening a document fails, logs show access/permissions issue. I’ve played around with different hosting locations and CT/VM. Every time I get stuck at the WOPI part, so I assume either there is an issue with the SSL connection or the permitted hosts. Also I’ve tested several host and net entries permitting the Nextcloud server.

Configuration Files

coolwsd service log

Server: COOLWSD HTTP Server 22.05.6.3
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: rAEphy1EiPgB//IKwNamJrbhbmw=
| net/WebSocketHandler.hpp:921
wsd-27147-27170 2022-10-12 11:20:11.144842 +0000 [ prisoner_poll ] TRC  #21: Wrote 201 bytes of 201 buffered data| net/Socket.hpp:1437
wsd-27147-27170 2022-10-12 11:20:11.144849 +0000 [ prisoner_poll ] INF  ChildProcess ctor [27173].| wsd/COOLWSD.hpp:59
wsd-27147-27170 2022-10-12 11:20:11.144856 +0000 [ prisoner_poll ] TRC  #21: Resetting thread affinity while in transit (was 0x7fa0c7b7b700)| net/Socket.hpp:329
wsd-27147-27170 2022-10-12 11:20:11.144861 +0000 [ prisoner_poll ] TRC  Calling addNewChild in disposition's move thing to add to NewChildren| wsd/COOLWSD.cpp:3373
wsd-27147-27170 2022-10-12 11:20:11.144866 +0000 [ prisoner_poll ] TRC  Adding a new child 27173 to NewChildren| wsd/COOLWSD.cpp:540
wsd-27147-27170 2022-10-12 11:20:11.144871 +0000 [ prisoner_poll ] INF  Have 1 spare child after adding [27173]. Notifying.| wsd/COOLWSD.cpp:545
wsd-27147-27170 2022-10-12 11:20:11.144887 +0000 [ prisoner_poll ] TRC  #20: Revents: 0x0| net/Socket.hpp:1296
wsd-27147-27170 2022-10-12 11:20:11.144893 +0000 [ prisoner_poll ] TRC  #21: Removing socket (at 2 of 3) from prisoner_poll| net/Socket.cpp:468
wsd-27147-27170 2022-10-12 11:20:11.144899 +0000 [ prisoner_poll ] TRC  #19: setupPollFds getPollEvents: 0x1| net/Socket.hpp:858
wsd-27147-27170 2022-10-12 11:20:11.144904 +0000 [ prisoner_poll ] TRC  #20: setupPollFds getPollEvents: 0x1| net/Socket.hpp:858
wsd-27147-27170 2022-10-12 11:20:11.144908 +0000 [ prisoner_poll ] TRC  ppoll start, timeoutMicroS: 5000000 size 2| net/Socket.cpp:337
wsd-27147-27147 2022-10-12 11:20:11.144922 +0000 [ coolwsd ] TRC  Have 1 new children.| wsd/COOLWSD.cpp:5270
wsd-27147-27147 2022-10-12 11:20:11.144937 +0000 [ coolwsd ] INF  WSD initialization complete: setting log-level to [error] as configured.| wsd/COOLWSD.cpp:5286
wsd-27147-27191 2022-10-12 11:21:29.690136 +0000 [ docbroker_001 ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpkit-27173-27171 2022-10-12 11:21:31.690975 +0000 [ kit_spare_001 ] FTL  Forced Exit with code: 70| common/Util.cpp:1097
xGNIhcEcSLsEsqvsejp&access_token_ttl=0| wsd/DocumentBroker.cpp:2263
wsd-27147-27191 2022-10-12 11:21:29.690195 +0000 [ docbroker_001 ] ERR  Failed to add session to [https://cloud.divonet.de:443/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6] with URI [https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0]: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0| wsd/DocumentBroker.cpp:2225
wsd-27147-27191 2022-10-12 11:21:29.690218 +0000 [ docbroker_001 ] ERR  Unauthorized Request while starting session on https://cloud.divonet.de:443/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6 for socket #29. Terminating connection. Error: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0| wsd/COOLWSD.cpp:4612
wsd-27147-27191 2022-10-12 11:21:29.690438 +0000 [ docbroker_001 ] ERR  Invalid or unknown session [00e] to remove.| wsd/DocumentBroker.cpp:2308
wsd-27147-27185 2022-10-12 11:21:30.282377 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://cloud.divonet.de:443/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6].| wsd/COOLWSD.cpp:4655
wsd-27147-27185 2022-10-12 11:21:30.282405 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27185 2022-10-12 11:21:30.282437 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27185 2022-10-12 11:21:30.282448 +0000 [ websrv_poll ] ERR  #29: Attempted to remove: 879 which is > size: 0 clamped to 0| net/Socket.hpp:1233
wsd-27147-27185 2022-10-12 11:21:30.282462 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27185 2022-10-12 11:21:31.248058 +0000 [ websrv_poll ] ERR  Error while handling Client WS Request: Failed to create DocBroker with docKey [https://cloud.divonet.de:443/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6].| wsd/COOLWSD.cpp:4655
wsd-27147-27185 2022-10-12 11:21:31.248080 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27185 2022-10-12 11:21:31.248091 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27185 2022-10-12 11:21:31.248100 +0000 [ websrv_poll ] ERR  #29: Attempted to remove: 879 which is > size: 0 clamped to 0| net/Socket.hpp:1233
wsd-27147-27185 2022-10-12 11:21:31.248111 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431
wsd-27147-27211 2022-10-12 11:21:33.667281 +0000 [ docbroker_002 ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0&permission=edit| wsd/DocumentBroker.cpp:2263
wsd-27147-27211 2022-10-12 11:21:33.667297 +0000 [ docbroker_002 ] ERR  Failed to add session to [https://cloud.divonet.de:443/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6] with URI [https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0&permission=edit]: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.divonet.de/index.php/apps/richdocuments/wopi/files/5373260_oc7w2ffce1u6?access_token=kOJNMFaRYYqCpxGNIhcEcSLsEsqvsejp&access_token_ttl=0&permission=edit| wsd/DocumentBroker.cpp:2225
wsd-27147-27211 2022-10-12 11:21:33.667310 +0000 [ docbroker_002 ] ERR  Unauthorized Request while starting session on https://cloud.divonet.de:443/index.php/apps/richdocumkit-27192-27171 2022-10-12 11:21:35.667894 +0000 [ kit_spare_002 ] FTL  Forced Exit with code: 70| common/Util.cpp:1097

Looking forward to some thoughts. Thanks
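A way to triage a coolwsd log like the one posted above and scrub it before sharing, as an added example that is not part of the original thread: it pulls out the WOPI::CheckFileInfo failures and redacts the `access_token` query value, which is a bearer credential for the file. The sample lines, host name and token are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# coolwsd line layout as seen in the log above:
# <proc>-<pid>-<tid> <date> <time> <tz> [ <thread> ] <LVL>  <message>| <file>:<line>
LINE_RE = re.compile(
    r"^(?P<proc>\w+)-(?P<pid>\d+)-(?P<tid>\d+) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"\[ (?P<thread>\S+) \] (?P<level>[A-Z]{3})\s+"
    r"(?P<msg>.*)\| (?P<src>[\w/.]+:\d+)$"
)
FAIL_RE = re.compile(
    r"Access denied, (?P<status>\d{3})\. WOPI::CheckFileInfo failed on: (?P<url>\S+)"
)
# Matches access_token=... but not access_token_ttl=...
TOKEN_RE = re.compile(r"(access_token=)[^&\s\]|]+")

def redact_line(text):
    """Replace every WOPI access token value in a log line or URL."""
    return TOKEN_RE.sub(r"\1REDACTED", text)

def checkfileinfo_failures(lines):
    """Return one record per ERR line reporting a failed CheckFileInfo call."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["level"] != "ERR":
            continue
        f = FAIL_RE.search(m["msg"])
        if f:
            found.append({
                "ts": m["ts"], "thread": m["thread"], "src": m["src"],
                "status": int(f["status"]),
                "wopi_host": urlsplit(f["url"]).netloc,
                "url": redact_line(f["url"]),
            })
    return found

# Constructed sample input (not taken from the thread).
SAMPLE = [
    "wsd-00001-00001 2022-01-01 09:59:00.000000 +0000 [ coolwsd ] INF  WSD initialization complete: setting log-level to [error] as configured.| wsd/COOLWSD.cpp:5286",
    "wsd-00001-00002 2022-01-01 10:00:00.000001 +0000 [ docbroker_001 ] ERR  loading document exception: Access denied, 403. WOPI::CheckFileInfo failed on: https://cloud.example.com/index.php/apps/richdocuments/wopi/files/1_abc?access_token=CONSTRUCTEDTOKEN&access_token_ttl=0| wsd/DocumentBroker.cpp:2263",
    "wsd-00001-00003 2022-01-01 10:00:00.500000 +0000 [ websrv_poll ] ERR  #29: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1431",
]

if __name__ == "__main__":
    for rec in checkfileinfo_failures(SAMPLE):
        print(rec)
```

The `wopi_host` and `status` fields show which WOPI host refused the CheckFileInfo request and with what HTTP code.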

Hi there,
no one from the community has an idea or did I miss out on some crucial information?

Maybe this troubleshooting guide and this topic on the Nextcloud forum give you some hints…

Thanks @wwe for helping out.

@Ollie89 have you found out what was the problem?

Hi @pedro.silva, not yet as I was out for vacation the past two weeks, but I will now use the helpful resources @wwe shared to troubleshoot.

I have fallen into this kind of error trying to embed into a web application. Have you found what the cause of this issue was?

Hi @gstlouis,
unfortunately not, I’ve tried several attempts on different hosts. The only way I resolved my issue was to use different hosts to run the VMs, so my Nextcloud instance is running in a datacenter and my Collabora server at home. Worked immediately. I assume it’s an issue with the reverse proxy routing the traffic.

Thanks for the comment. I actually managed to fix this on my end in my type of environment.

Feel free to read this

https://github.com/CollaboraOnline/collabora-mattermost/issues/72