  • Setting up Collabora CODE with NextCloud using Apache reverse proxy on Debian 8 Jessie

    Setting up Collabora Online Development Edition (CODE) can be a little tricky. This guide shows the steps needed to get Collabora CODE working using an Apache 2.2 reverse proxy on Debian 8 Jessie.

    The steps we are going to have a look at are as follows:

    1. Set up the Apache reverse proxy
    2. Set up Collabora CODE based on the official Docker image
    3. Install and configure the NextCloud Collabora CODE plugin

    The basic configuration we are trying to achieve here is:

    1. Set up a secure domain for accessing Collabora from NextCloud
      1. This will be https://office.yourserver.com
      2. I’m assuming that you already have a working SSL certificate for this domain. If not, have a look at Let’s Encrypt in case you want a cheap solution. For Debian 8 Jessie have a look at the certbot guide.
    2. Set up a reverse proxy configuration for this domain that forwards requests to the Collabora web service endpoints
    3. Access the Collabora CODE Docker container through the Apache reverse proxy; the container itself listens exclusively on a secure line on port 9980 (default)
    4. Install the Collabora NextCloud plugin and configure it to access Collabora through our reverse proxy

    Setup Collabora CODE based on official Docker image

    Collabora can be either installed using a package provided by your distribution or by using the official Docker image collabora/code.

    Normally, the Docker container setup should be pretty pain free. Having said that, for Debian 8 Jessie you need to adjust the storage driver to devicemapper as it seems that the default docker storage driver AUFS and Debian 8 do not work together.

    Adjust Docker storage driver to devicemapper

    The steps required are again pretty straightforward. First get the current ExecStart from your docker.service file:

    grep ExecStart /lib/systemd/system/docker.service

    Example output:
    ExecStart=/usr/bin/dockerd -H fd://

    Then use this result to create a systemd drop-in configuration file for Docker. Create the service directory first if it does not exist yet:

    mkdir -p /etc/systemd/system/docker.service.d
    editor /etc/systemd/system/docker.service.d/execWithDeviceMapper.conf

    Put the following content in execWithDeviceMapper.conf:

    [Service]
    # Clear the ExecStart inherited from docker.service, then set the new one
    ExecStart=
    ExecStart=/usr/bin/dockerd --storage-driver=devicemapper -H fd://

    Finally, reload systemd, restart docker.service and, if you already had one running, your existing Collabora container:

    systemctl daemon-reload
    systemctl restart docker.service

    Disclaimer: For higher volume production sites you definitely want to optimize this setup (…).

    The command to start your Collabora Docker container is as follows:

    docker run -t -d -p 127.0.0.1:9980:9980 \
    -e 'domain=www\\.yournextcloud1\\.com\|www\\.yournextcloud2\\.com' \
    --restart always --cap-add MKNOD collabora/code

    Note that I’ve provided two domains in the above command to show how to enable multiple domains to access your Collabora web service.
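
    The domain value is a regular expression listing the hosts allowed to use the service, which is why its dots are escaped. The following added example (not part of the original guide) builds the value in the notation used above and checks hostnames against it. The function names, the one-level unescaping and the whole-string match are assumptions made for illustration.

```python
import re

# Plain hostnames only; wildcards or regex syntax in the input are refused.
HOSTNAME = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed example of a hand-written value where the dots were left unescaped.
LOOSE_VALUE = "www.yournextcloud1.com"


def domain_env_value(hosts):
    """Build the value for -e 'domain=...' from a list of plain hostnames.

    Follows the notation of the docker run command above: every dot is
    written as two backslashes plus a dot, hosts are joined by backslash-pipe.
    """
    for host in hosts:
        if not HOSTNAME.fullmatch(host):
            raise ValueError(f"not a plain hostname: {host!r}")
    return r"\|".join(host.replace(".", r"\\.") for host in hosts)


def effective_pattern(env_value):
    """Regex that results once one level of backslash escaping is removed.

    Assumption: exactly one escaping level is consumed before the value
    is used as a pattern.
    """
    return re.sub(r"\\(.)", r"\1", env_value)


def host_allowed(host, env_value):
    """True if the hostname matches the allowlist (assumed: whole-string match)."""
    return re.fullmatch(effective_pattern(env_value), host) is not None


if __name__ == "__main__":
    value = domain_env_value(["www.yournextcloud1.com", "www.yournextcloud2.com"])
    print("domain=" + value)
    for candidate in ("www.yournextcloud2.com", "wwwxyournextcloud1.com"):
        print(candidate, "strict:", host_allowed(candidate, value),
              "loose:", host_allowed(candidate, LOOSE_VALUE))
```

    With the escaped value only the listed hosts match; with the unescaped one each dot matches any character, so similar-looking hostnames are accepted as well.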

    As always, since the Docker container starts in detached mode make sure to check for possible problems using

    docker logs YOUR_CONTAINER_ID

    Now that we have Collabora CODE up and running as Docker container we need to make it available to the outside world using an Apache reverse proxy.

    Setup Apache reverse proxy

    First and foremost, I will not cover the exact steps to set up the base Apache web server here, but I will provide a working vhost configuration.

    Required Apache modules

    The additional Apache module requirements to get Apache working as reverse proxy for Collabora CODE are:

    1. mod_proxy
    2. mod_proxy_http
    3. mod_proxy_wstunnel
    4. mod_ssl

    Apart from mod_proxy_wstunnel, the configuration steps should be pretty straightforward. With Apache 2.2, on the other hand, mod_proxy_wstunnel is a little more tricky, since you need to apply a patch and compile the module yourself. Have a look at the very handy guide by waleedsamy on GitHub to compile mod_proxy_wstunnel yourself.

    Apache Reverse Proxy vhost configuration

    Once all requirements are satisfied, we can set up the vhost configuration for the Apache reverse proxy domain.

    Remember, our internet-facing domain for accessing Collabora CODE will be office.yourserver.com. This will be the basis for your vhost configuration below.

    UseCanonicalName off
    ServerName office.yourserver.com
    
    # Enable and configure SSL/TLS
    SSLEngine on
    SSLCertificateFile yourserver-cert
    SSLCertificateKeyFile yourserver-key
    SSLCertificateChainFile yourserver-cacert
    
    # SSLv2 and SSLv3 are disabled; every TLS version the server supports stays enabled
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES25$
    SSLHonorCipherOrder on
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    
    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode
    
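    # Enable and configure SSL Proxy
    # Certificate checks toward the backend are switched off below, so keep the
    # backend bound to 127.0.0.1 as in the docker run command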
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    
    # Make sure to keep the host
    ProxyPreserveHost On
    
    # static html, js, images, etc. served from loolwsd
    # loleaflet is the client part of LibreOffice Online
    ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0
    ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet
    
    # WOPI discovery URL
    ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
    ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery
    
    # Main websocket
    ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
    
    # Admin Console websocket
    ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws
    
    # Download as, Fullscreen presentation and Image upload operations
    ProxyPass /lool https://127.0.0.1:9980/lool
    ProxyPassReverse /lool https://127.0.0.1:9980/lool
    

    Check if your reverse proxy is working by accessing the WOPI discovery URL:

    https://office.yourserver.com/hosting/discovery

    If that gives you the corresponding XML namespace information you should be good to go.

    Install and configure NextCloud Collabora CODE plugin

    This is the last step required and should be the easiest one.

    1. Go to the Apps section and choose “Office & Text”
    2. Install the “Collabora Online” app
    3. In Admin -> Collabora Online, specify the server you have set up before (https://office.yourserver.com)

    Finally, try to create and edit a document via NextCloud. Enjoy your private Collabora setup using NextCloud!

    For more information have a look at the official Collabora CODE documentation.