Setting up Collabora CODE with NextCloud using Apache reverse proxy on Debian 8 Jessie
Setting up Collabora Online Development Edition (CODE) can be a little tricky. This guide shows the steps needed to get Collabora CODE working using an Apache 2.2 reverse proxy on Debian 8 Jessie.
The steps we are going to have a look at are as follows:
- Set up Apache reverse proxy
- Set up Collabora CODE based on official Docker image
- Install and configure NextCloud Collabora CODE plugin
The basic configuration we are trying to achieve here is:
- Set up a secure domain for accessing Collabora from NextCloud
- Set up a reverse proxy configuration for this domain that forwards requests to Collabora webservice endpoints
- Access Collabora CODE Docker container through Apache reverse proxy which itself exclusively listens on a secure line on Port 9980 (default)
- Install the Collabora NextCloud plugin and configure it to access Collabora through our reverse proxy
Set up Collabora CODE based on official Docker image
Collabora can be either installed using a package provided by your distribution or by using the official Docker image collabora/code.
Normally, the Docker container setup should be pretty pain free. Having said that, for Debian 8 Jessie you need to adjust the storage driver to devicemapper as it seems that the default docker storage driver AUFS and Debian 8 do not work together.
Adjust Docker storage driver to devicemapper
The steps required are again pretty straightforward. First get the current ExecStart line from your docker.service file:
grep ExecStart /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd://
Then create the service directory if it does not yet exist, and use this result to create a systemd drop-in configuration file for Docker:
mkdir -p /etc/systemd/system/docker.service.d
editor /etc/systemd/system/docker.service.d/execWithDeviceMapper.conf
Put the following content in execWithDeviceMapper.conf:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --storage-driver=devicemapper -H fd://
Finally, reload the systemd configuration, restart docker.service and possibly your existing Collabora container if you had one running:
systemctl daemon-reload
systemctl restart docker.service
Disclaimer: For higher volume production sites you definitely want to optimize this setup (…).
The command to start your Collabora Docker container is as follows:
docker run -t -d -p 127.0.0.1:9980:9980 \
    -e 'domain=www\\.yournextcloud1\\.com\|www\\.yournextcloud2\\.com' \
    --restart always --cap-add MKNOD collabora/code
Note that I’ve provided two domains in the above command to show how to enable multiple domains to access your Collabora web service.
As always, since the Docker container starts in detached mode make sure to check for possible problems using
docker logs YOUR_CONTAINER_ID
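The `-p 127.0.0.1:9980:9980` mapping above publishes the container on loopback only, which matters because the vhost further down proxies to it with `SSLProxyVerify None`. The following check is an added example, not part of the original guide: the helper name `nonloopback_listeners` is hypothetical and the `ss` output shown is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original guide.
# nonloopback_listeners PORT  (output of `ss -tln` on stdin)
#   prints every listening socket on PORT that is bound to a non-loopback
#   address; empty output means the port is reachable from this host only.
# Live use:  ss -tln | nonloopback_listeners 9980
nonloopback_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                      # "Local Address:Port" column
            n = split(addr, part, ":")
            if (part[n] != port) next      # different port
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
            print addr
        }'
}

# Constructed sample output (not captured from a real host).
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9980     *:*
LISTEN 0      128    *:443              *:*'

# What the table looks like if the container was started with -p 9980:9980.
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9980       *:*
LISTEN 0      128    :::9980            :::*'

echo "loopback-only mapping: [$(printf '%s\n' "$SS_LOOPBACK" | nonloopback_listeners 9980)]"
echo "wildcard mapping:"
printf '%s\n' "$SS_EXPOSED" | nonloopback_listeners 9980
```

Any address printed for port 9980 means the container is reachable without going through Apache, so the `docker run` mapping should be corrected.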
Now that we have Collabora CODE up and running as a Docker container, we need to make it available to the outside world using an Apache reverse proxy.
Set up Apache reverse proxy
First and foremost, I will not cover the exact steps to set up the base Apache web server here but will provide a working vhost configuration.
Required Apache modules
The additional Apache module requirements to get Apache working as reverse proxy for Collabora CODE are:
Apart from mod_proxy_wstunnel, the configuration steps should be pretty straightforward. When using Apache 2.2 and mod_proxy_wstunnel, on the other hand, things can get a little more tricky since you need to apply a patch and compile the module yourself. Have a look at the very handy guide by waleedsamy on GitHub to compile mod_proxy_wstunnel yourself.
Apache Reverse Proxy vhost configuration
Once all requirements are satisfied we can set up the vhost configuration for the Apache reverse proxy domain.
Remember, our internet-facing domain for accessing Collabora CODE will be office.yourserver.com. This will be the basis for your vhost configuration below.
UseCanonicalName off
ServerName office.yourserver.com
# Enable and configure SSL/TLS
SSLEngine on
SSLCertificateFile yourserver-cert
SSLCertificateKeyFile yourserver-key
SSLCertificateChainFile yourserver-cacert
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES25$
SSLHonorCipherOrder on
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode
# Enable and configure SSL Proxy
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
# Make sure to keep the host
ProxyPreserveHost On
# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
# WOPI discovery URL
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
# Admin Console websocket
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
# Download as, Fullscreen presentation and Image upload operations
ProxyPass /lool https://127.0.0.1:9980/lool
ProxyPassReverse /lool https://127.0.0.1:9980/lool
Check if your reverse proxy is working by accessing the WOPI discovery URL:
If that gives you the corresponding XML namespace information you should be good to go.
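The discovery check can be scripted, shown here as an added example that is not part of the original guide. It assumes the discovery URL is the vhost's ServerName plus the proxied `/hosting/discovery` path, and that the server builds each `urlsrc` from the Host header it receives (the reason for `ProxyPreserveHost On`); the helper name `check_discovery` and the sample documents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide.
# check_discovery HOST  (discovery XML on stdin)
#   returns 0 if every urlsrc starts with https://HOST/
#           1 if the input is not a wopi-discovery document
#           2 if any urlsrc points somewhere else
# Live use (URL assumed from the vhost's ServerName and ProxyPass path):
#   curl -fsS https://office.yourserver.com/hosting/discovery |
#       check_discovery office.yourserver.com
check_discovery() {
    host=$1
    xml=$(cat)
    printf '%s\n' "$xml" | grep -q '<wopi-discovery' || return 1
    urls=$(printf '%s\n' "$xml" | grep -o 'urlsrc="[^"]*"' | cut -d'"' -f2)
    [ -n "$urls" ] || return 1
    while IFS= read -r url; do
        case $url in
            "https://$host/"*) ;;          # public name over TLS: expected
            *) echo "unexpected urlsrc: $url" >&2; return 2 ;;
        esac
    done <<EOF
$urls
EOF
    return 0
}

# Constructed sample responses (not captured from a real server).
DISCOVERY_OK='<wopi-discovery><net-zone name="external-http"><app name="writer">
<action ext="odt" name="edit" urlsrc="https://office.yourserver.com/loleaflet/dist/loleaflet.html?"/>
</app></net-zone></wopi-discovery>'
# What a document advertising the backend address would look like.
DISCOVERY_BACKEND='<wopi-discovery><net-zone name="external-http"><app name="writer">
<action ext="odt" name="edit" urlsrc="https://127.0.0.1:9980/loleaflet/dist/loleaflet.html?"/>
</app></net-zone></wopi-discovery>'
NOT_DISCOVERY='<html><body>502 Proxy Error</body></html>'

for doc in "$DISCOVERY_OK" "$DISCOVERY_BACKEND" "$NOT_DISCOVERY"; do
    rc=0
    printf '%s\n' "$doc" | check_discovery office.yourserver.com || rc=$?
    echo "check_discovery returned $rc"
done
```

A return code of 2 means clients would be sent to an address other than the proxy, so editing would fail even though the discovery request itself succeeded.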
Install and configure NextCloud Collabora CODE plugin
This is the last step required and should be the easiest one.
- Go to the Apps section and choose “Office & Text”
- Install the “Collabora Online” app
- Admin -> Collabora Online: specify the server you have set up before (
Finally, try to create and edit a document via NextCloud. Enjoy your private Collabora setup using NextCloud!
For more information have a look at the official Collabora CODE documentation.