Sorry, that was wrong. You need 6.2.0 which will be released today.
Not me, still the same error…
{"level":"info","service":"collaboration","time":"2024-07-30T08:18:21Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/registry/register.go:17","message":"registering external service com.owncloud.api.collaboration.Collabora-27210f45-65da-4d9b-a41d-89549704e52f@172.22.0.3:9301"}
{"level":"error","service":"collaboration","error":"XML syntax error on line 158: invalid character entity & (no semicolon)","WopiAppUrl":"https://collabora.cloud.mydomain.com/hosting/discovery","time":"2024-07-30T08:18:21Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/helpers/discovery.go:56","message":"WopiDiscovery: failed to parse wopi discovery response"}
error parsing wopi discovery response: XML syntax error on line 158: invalid character entity & (no semicolon)
I suspect it is the reverse proxy setup… I will have to check this… I think there is something wrong when going to collabora
Indeed it was
now I can see that I can open ODTs for example, but in the web I am getting this:
This content is blocked. Contact the site owner to fix the issue.
so I am nearly there…
Uhmm still not able to pass over that error… I checked logs on nginx and in the OCIS and I got this:
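The discovery error above is oCIS's collaboration service failing to decode the /hosting/discovery body with Go's strict XML parser. As an added example (not code from the thread or from the oCIS project; the document shape and hostname are constructed), this Go program applies the same decoder to a discovery document, so the body a reverse proxy actually returns can be checked for well-formedness before oCIS ever sees it:

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Discovery is a minimal model of the WOPI discovery document served at
// /hosting/discovery; only the elements and attributes this lookup needs.
type Discovery struct {
	XMLName xml.Name `xml:"wopi-discovery"`
	Actions []Action `xml:"net-zone>app>action"` // actions from every zone/app
}

type Action struct {
	Name   string `xml:"name,attr"`   // "view", "edit", ...
	Ext    string `xml:"ext,attr"`    // file extension, e.g. "odt"
	URLSrc string `xml:"urlsrc,attr"` // editor URL the client is sent to
}

// ParseDiscovery decodes a discovery body with Go's strict encoding/xml decoder,
// the parser behind the "XML syntax error ... (no semicolon)" message above, so a
// body mangled on its way through a reverse proxy fails here the same way.
func ParseDiscovery(body []byte) (*Discovery, error) {
	var d Discovery
	if err := xml.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("error parsing wopi discovery response: %w", err)
	}
	return &d, nil
}

// EditURL returns the urlsrc advertised for the "edit" action on an extension.
func (d *Discovery) EditURL(ext string) (string, bool) {
	for _, a := range d.Actions {
		if a.Name == "edit" && a.Ext == ext {
			return a.URLSrc, true
		}
	}
	return "", false
}

// Constructed samples (not real Collabora output, hostname is a placeholder): a
// well-formed document, and the same one with an unescaped '&' in an attribute.
var GoodDiscovery = []byte(`<wopi-discovery><net-zone name="external-https"><app name="writer">` +
	`<action name="edit" ext="odt" urlsrc="https://collabora.example.test/browser/abc123/cool.html?lang=en&amp;ui=en"/>` +
	`</app></net-zone></wopi-discovery>`)

var BadDiscovery = []byte(`<wopi-discovery><net-zone name="external-https"><app name="writer">` +
	`<action name="edit" ext="odt" urlsrc="https://collabora.example.test/browser/abc123/cool.html?lang=en&ui=en"/>` +
	`</app></net-zone></wopi-discovery>`)
```

An HTML error page returned by the proxy in place of the XML (a 502 page, for instance) fails the same check with a different message, because the root element is not wopi-discovery.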
2024-07-31T15:36:24Z INF access-log bytes=1672 duration=12.648485 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:34 method=PROPFIND path="/remote.php/dav/spaces/d2d02646-4ac8-4607-bd9a-3d8951e03631$96a39ea3-9670-4eed-9555-8536a7be0594/New file.ods" proto=HTTP/1.0 remote-addr=93.99.226.135 request-id=4f352c0f-eb26-4e78-95c5-93f6c262fd71 service=proxy status=207 traceid=c008b93595acfb087f25a4f0d65b6b36
2024-07-31T15:36:24Z DBG rewrite hook found line=github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:224 method=POST path=/app/open policy=ocis prefix=/app/ routeType=prefix service=proxy
2024-07-31T15:36:24Z DBG cache hit for userinfo claims="marshaling error: json: unsupported type: map[interface {}]interface {}" line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:69 service=proxy
2024-07-31T15:36:24Z DBG successfully authenticated request authenticator=oidc line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:194 path=/app/open service=proxy
2024-07-31T15:36:24Z DBG skipping auth line=github.com/cs3org/reva/v2@v2.21.0/internal/grpc/interceptors/auth/auth.go:122 method=/cs3.gateway.v1beta1.GatewayAPI/Authenticate pkg=rgrpc service=gateway traceid=5730bb45ec6c0b530dd10e5e39c759ab
2024-07-31T15:36:24Z DBG skipping auth line=github.com/cs3org/reva/v2@v2.21.0/internal/grpc/interceptors/auth/auth.go:122 method=/cs3.auth.registry.v1beta1.RegistryAPI/GetAuthProviders pkg=rgrpc service=gateway traceid=5730bb45ec6c0b530dd10e5e39c759ab
and in nginx it shows status 207. I am not sure what I am missing, whether the whole thing doesn't like to use nginx and the SSL termination with the certificate from the AWS Load Balancer…
Somehow still not able to get it working, the compose I am using:
services:
  nginx:
    image: nginx:${NGINX_VERSION:-}
    container_name: nginx
    restart: always
    environment:
      TZ: Etc/UTC
    volumes:
      - /opt/docker/ocis/nginx:/etc/nginx/conf.d:ro
      - /var/log/nginx:/var/log/nginx
    ports:
      - 80:80
    networks:
      - ocis
  ocis:
    image: owncloud/ocis-rolling:${RELEASE:-latest}
    restart: always
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    container_name: cis
    volumes:
      - "/opt/docker/ocis/metadata:/var/lib/ocis/metadata"
      - "/opt/docker/ocis/data:/var/lib/ocis"
      - "/opt/docker/ocis/configs/ocis/app-registry-collabora.yaml:/etc/ocis/app-registry.yaml"
      - "/opt/docker/ocis/configs/ocis:/etc/ocis"
      - "/var/log/ocis:/logs"
    environment:
      OCIS_URL: ${OCIS_URL:-}
      OCIS_LOG_FILE: "/logs/output.log"
      PROXY_HTTP_ADDR: ${PROXY_HTTP_ADDR:-0.0.0.0:9200}
      STORAGE_USERS_DRIVER: ${STORAGE_USERS_DRIVER:-}
      STORAGE_USERS_S3NG_ROOT: ${STORAGE_USERS_S3NG_ROOT:-}
      STORAGE_SYSTEM_DRIVER: ${STORAGE_SYSTEM_DRIVER:-}
      STORAGE_USERS_S3NG_ENDPOINT: ${STORAGE_USERS_S3NG_ENDPOINT:-}
      STORAGE_USERS_S3NG_REGION: ${STORAGE_USERS_S3NG_REGION:-}
      STORAGE_USERS_S3NG_ACCESS_KEY: ${STORAGE_USERS_S3NG_ACCESS_KEY:-}
      STORAGE_USERS_S3NG_SECRET_KEY: ${STORAGE_USERS_S3NG_SECRET_KEY:-}
      STORAGE_USERS_S3NG_BUCKET: ${STORAGE_USERS_S3NG_BUCKET:-}
      DEMO_USERS: "false"
      PROXY_TLS: "false"
      OCIS_INSECURE: "true"
      OCIS_LOG_PRETTY: "true"
      # make the registry available to the app provider containers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
    networks:
      - ocis
  collabora:
    image: collabora/code:24.04.5.1.1
    container_name: collabora
    restart: always
    ports:
      - 9980:9980
    command: "/start-collabora-online.sh"
    environment:
      aliasgroup1: https://${WOPISERVER_DOMAIN:-wopi.owncloud.domain.com}:443
      DONT_GEN_SSL_CERT: "YES"
      PROXY_ENABLE_BASIC_AUTH: "false"
      domain: "owncloud.domain.com"
      #admin: "admin" #redacted
      #password: "admin" #redacted
      extra_params: "--o:security.seccomp=false --o:security.capabilities=false --o:ssl.enable=false --o:ssl.termination=true"
    networks:
      - ocis
  ocis-collaboration:
    image: owncloud/ocis-rolling:${RELEASE:-latest}
    restart: always
    entrypoint:
      - /bin/sh
    command: [ '-c', '/usr/bin/ocis collaboration server']
    container_name: ocis-collaboration
    volumes:
      - "/opt/docker/ocis/configs/ocis:/etc/ocis"
    environment:
      COLLABORATION_GRPC_ADDR: 0.0.0.0:9301
      COLLABORATION_HTTP_ADDR: 0.0.0.0:9300
      MICRO_REGISTRY: "nats-js-kv"
      MICRO_REGISTRY_ADDRESS: "ocis:9233"
      COLLABORATION_WOPI_SRC: http://ocis-collaboration:9300
      COLLABORATION_CS3API_DATAGATEWAY_INSECURE: "${INSECURE:-true}"
      COLLABORATION_APP_ADDR: https://${COLLABORA_DOMAIN:-collabora.owncloud.domain.com}
      COLLABORATION_APP_INSECURE: "${INSECURE:-true}"
      COLLABORATION_APP_NAME: "Collabora"
      COLLABORATION_LOG_LEVEL: info
      COLLABORATION_WOPI_SECRET: "AbcD1234"
    networks:
      - ocis
networks:
  ocis:
Am I doing something wrong here? Thanks again guys
If you're using the "ocis_full" example deployment as a base, make sure you also copy (and adjust if needed) the configuration folder.
There is a "csp.yaml" file that is needed to allow connections from ocis to collabora. It's possible that those connections are being blocked by the browser.
In addition, I'd recommend you use traefik first, which we know works and for which you have examples in the repo, and once you verify everything works you can switch traefik for nginx.
@carlinhos
For csp.yaml problems (CORS etc.) and to check if settings are ok,
use Chrome + F12 and check the errors (icon on the left side of the settings (gear) icon).
Hi,
actually thanks, since I missed the correct path for the csp.yaml… Unfortunately still not loading the collabora…
In any case this is the csp.yaml
directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # Contrary to bash and docker, the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.owncloud.mydomain.com}/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    # Contrary to bash and docker, the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.owncloud.mydomain.com}/'
  manifest-src:
    - '''self'''
  media-src:
    - '''self'''
  object-src:
    - '''self'''
    - 'blob:'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
  style-src:
    - '''self'''
    - '''unsafe-inline'''
Also, in the browser dev tools I have this error:
Refused to frame 'https://collabora.owncloud.mydomain.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors collabora.owncloud.mydomain.com:* ocis-collaboration:*".
So not sure if I should add something in the frame-ancestors
or even before…
I have the ocis domain in the frame-ancestors
too.
frame-ancestors:
  - '''self'''
  - 'https://ocis.owncloud.mydomain.com/'
I'm not a csp expert, but that works for me.
No luck here…
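A frame-ancestors directive is enforced by the browser against the response of the document being framed (here Collabora's), not against the embedding page's own csp.yaml, which is why the refusal quoted above names the collabora host. As an added example, not code from the thread or from either project, this Go program reproduces that evaluation for the policies quoted in the thread; the host-source rules it implements are a subset of CSP (no "*." wildcard hosts, no IPv6, paths ignored):

```go
package main

import (
	"net/url"
	"strings"
)

var defaultPort = map[string]string{"http": "80", "https": "443"}

// hostSourceMatches does CSP host-source matching (scheme, host, port) for one source;
// "*." host wildcards, IPv6 hosts and path matching are left out as not needed here.
func hostSourceMatches(src string, doc, anc *url.URL) bool {
	scheme, rest := strings.ToLower(doc.Scheme), src // no scheme given: the document's
	if i := strings.Index(src, "://"); i >= 0 {
		scheme, rest = strings.ToLower(src[:i]), src[i+3:]
	}
	host, port, _ := strings.Cut(strings.SplitN(rest, "/", 2)[0], ":")
	ancScheme, ancPort := strings.ToLower(anc.Scheme), anc.Port()
	if ancPort == "" {
		ancPort = defaultPort[ancScheme]
	}
	schemeOK := scheme == ancScheme || (scheme == "http" && ancScheme == "https")
	portOK := port == "*" || port == ancPort || (port == "" && ancPort == defaultPort[ancScheme])
	return schemeOK && strings.EqualFold(host, anc.Hostname()) && portOK
}

// FrameAncestorsAllows reports whether a CSP header lets docOrigin be framed by ancestorOrigin.
func FrameAncestorsAllows(csp, docOrigin, ancestorOrigin string) bool {
	doc, err1 := url.Parse(docOrigin)
	anc, err2 := url.Parse(ancestorOrigin)
	if err1 != nil || err2 != nil {
		return false
	}
	for _, directive := range strings.Split(csp, ";") {
		f := strings.Fields(directive)
		if len(f) == 0 || !strings.EqualFold(f[0], "frame-ancestors") {
			continue
		}
		for _, src := range f[1:] {
			if strings.EqualFold(src, "'self'") {
				src = doc.Scheme + "://" + doc.Host // 'self' is the document's own origin
			} // 'none' (or any other quoted keyword) never matches a hostname
			if hostSourceMatches(src, doc, anc) {
				return true
			}
		}
		return false // directive present, no source matched: the "Refused to frame" case
	}
	return true // no frame-ancestors directive at all: CSP does not restrict framing
}
```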
It just doesn't want to work… no matter what, it is always showing the same error… I guess I just need to try exactly how it is in the example, but I did not want to lose the AWS WAF part, which I will lose if I use just a public IP address instead of using the ELB (with the SSL termination on it, so I also do not have to care about certificates)… I just wanted to secure this as much as I can… but it looks to me that I am trying to install something in a non-standard way, and I guess I am wasting your time and mine
So maybe it's better to make it work in a standard way and then maybe from there try to modify it… I am just out of ideas already…
So today I tried with the default config using the ocis_full config from github… but when testing to edit a document and trying to launch collabora I get in the web this error:
The webpage at https://collabora.owncloud.mydomain.com/browser/48bf0bf/cool.html?UI_LLCC=en&WOPISrc=https%3A%2F%2Fwopiserver.owncloud.mydomain.com%2Fwopi%2Ffiles%2Fbb6fc9013a67793eaebb9637012db64f9ee7d63d8f15428f66b5e041827deeb9&lang=en&ui=en might be temporarily down or it may have moved permanently to a new web address.
So if I check the link https%3A%2F%2Fwopiserver.owncloud.mydomain.com%2Fwopi%2Ffiles%2Fbb6fc9013a67793eaebb9637012db64f9ee7d63d8f15428f66b5e041827deeb9&lang=en&ui=en, Collabora logs will show:
sd-00001-00023 2024-08-05 22:25:30.363878 +0000 [ websrv_poll ] WRN The config entry net.frame_ancestors is obsolete and will be removed in the future. Please add 'frame-ancestors ocis.owncloud.mydomain.com;' in the net.content_security_policy config| wsd/FileServer.cpp:1401
wsd-00001-00023 2024-08-05 22:25:31.129706 +0000 [ websrv_poll ] ERR No HTTP Authorization type detected. Assuming no authorization needed. Specify access_token to set the Authorization Bearer header.| common/Authorization.cpp:85
WOPI::CheckFileInfo failed for URI [https://wopiserver.owncloud.mydomain.com/wopi/files/bb6fc9013a67793eaebb9637012db64f9ee7d63d8f15428f66b5e041827deeb9]: 401 (Unauthorized) Unauthorized. Headers: Content-Length: 13 / Content-Type: text/plain; charset=utf-8 / Date: Mon, 05 Aug 2024 22:25:31 GMT / X-Collaboration.collabora-Version: 6.1.0 / X-Content-Type-Options: nosniff Body: [Unauthorized
]| wsd/wopi/CheckFileInfo.cpp:95
wsd-00001-00023 2024-08-05 22:25:31.134649 +0000 [ websrv_poll ] ERR #32: Invalid URI or access denied to [https://wopiserver.owncloud.mydomain.com/wopi/files/bb6fc9013a67793eaebb9637012db64f9ee7d63d8f15428f66b5e041827deeb9]| wsd/wopi/CheckFileInfo.cpp:109
But interestingly, if I log in as admin
to the Collabora admin console URL: https://collabora.owncloud.mydomain.com/browser/dist/admin/admin.html
it will work after this. This is weird, it is like I am missing something…
I am using collabora/code:24.04.5.1.1
Thanks again
We'll need logs from everything.
I wouldn't bother too much. There are a couple of protections in place so it will be very difficult for an "external" request to go through. If you want to check something, better to use the "open in collabora" from ocis.
Also note that the collabora server might take some time to be up and running. You can monitor the collabora logs during the startup and wait until the logs are stable.
Well,
the problem is either I connect once to https://collabora.owncloud.mydomain.com/browser/dist/admin/admin.html
and log in with admin, or whenever I try to edit a file with Collabora it will not load and I will see written there:
The webpage at https://collabora.owncloud.mydomain.com/browser/48bf0bf/cool.html?UI_LLCC=en&WOPISrc=https%3A%2F%2Fwopiserver.owncloud.mydomain.com%2Fwopi%2Ffiles%2Fbb6fc9013a67793eaebb9637012db64f9ee7d63d8f15428f66b5e041827deeb9&lang=en&ui=en might be temporarily down or it may have moved permanently to a new web address.
So in reality it's not working, I have just tried to debug… that's why I followed the link in the error
Uhmmm it seems that it's related to the fact that one has to accept the self-signed certificate in the browser, uhmmm I think it was just this…
Yes. You'll eventually need valid / public certificates.
If you're using self-signed certificates, as a workaround, you'll have to access your collabora domain first in order for the browser to accept the self-signed certificate, and then you can access ocis normally. The drawback is that every user will have to do the same.
Yes, well this is a first step. I will try to use Traefik instead of nginx, but I will do the SSL termination using the AWS ELB… I just need to find out how not to use the self-generated/self-signed certificates, and leave everything using just HTTP/80…
Well this is getting interesting. Yesterday I read some documentation from Traefik, and it actually makes sense to use it here because of the auto-discovery of services, but I am having a hard time with it.
As before, I want to have the SSL termination in the AWS ELB… so I do not want Traefik to take care of certificates nor to have an entrypoint for http:443 if possible…
In Chrome I am getting:
This page isn't working
ocis.owncloud.mydomain.com redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS
In the OCIS logs I have these:
2024-08-09T12:20:07Z INF access-log bytes=68 duration=0.01953 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:34 method=GET path=/ proto=HTTP/1.1 remote-addr=10.9.4.14 request-id=51df1ac7c703/FIcD0GPxKU-000017 service=proxy status=308 traceid=f4b297a968beb078dc8397479cc4311a
2024-08-09T12:20:07Z INF access-log bytes=68 duration=0.02112 line=github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:34 method=GET path=/ proto=HTTP/1.1 remote-addr=10.9.4.14 request-id=51df1ac7c703/FIcD0GPxKU-000018 service=proxy status=308 traceid=64dacd9fc5dbd645e52ddafedb1424cb
And I have these compose files:
For docker-compose.yml
services:
  traefik:
    image: traefik:v3.0.3
    container_name: traefik
    networks:
      ocis-net:
    command:
      - "--providers.docker"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--api.insecure=true"
      - "--entryPoints.http.address=:80"
      - "--api.dashboard=true"
      - "--providers.docker.exposedByDefault=false"
      ### LOGS
      - "--log.level=${TRAEFIK_LOG_LEVEL:-WARN}"
      - "--accessLog=true"
      - "--accessLog.fields.headers.names.X-Request-Id=keep"
      - "--accessLog.format=json"
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - "${DOCKER_SOCKET_PATH:-/var/run/docker.sock}:/var/run/docker.sock:ro"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.owcloud.mydomain.com`)"
      - "traefik.http.routers.api.service=api@internal"
volumes:
  certs:
networks:
  ocis-net:
And for the ocis.yml
---
services:
  traefik:
    networks:
      ocis-net:
        aliases:
          - ocis.owcloud.mydomain.com
  ocis:
    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
    container_name: ocis
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: https://ocis.owcloud.mydomain.com
      OCIS_LOG_LEVEL: ${LOG_LEVEL:-debug}
      OCIS_LOG_COLOR: "${LOG_PRETTY:-false}"
      OCIS_LOG_PRETTY: "${LOG_PRETTY:-false}"
      PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "false"
      PROXY_HTTP_ADDR: "0.0.0.0:9200"
      OCIS_INSECURE: "true"
    volumes:
      - ${HOST_OCIS_CONFIG_DIR:-./config/ocis}/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      - ${HOST_COL_OCIS_CONFIG_DIR:-ocis-config}:/etc/ocis
      - ${HOST_OCIS_DATA_DIR:-ocis-data}:/var/lib/ocis
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ocis.entrypoints=http"
      - "traefik.http.routers.ocis.rule=Host(`ocis.owcloud.mydomain.com`)"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always
volumes:
  ocis-config:
  ocis-data:
What's weird is that Traefik seems to be working as it should, but OCIS is doing something wrong… Not sure if it automatically tries to redirect to HTTPS or something like this, and that's why we are having that 308?
Also I am not sure: even if I would be using port 80 to communicate from the ELB to Traefik, does OCIS internally need 443 to communicate with traefik? …
- "traefik.enable=true"
- "traefik.http.routers.ocis.entrypoints=https"
- "traefik.http.routers.ocis.rule=Host(`ocis.${DOMAIN:-owncloud.test}`)"
- "traefik.http.routers.ocis.tls.certresolver=http"
- "traefik.http.routers.ocis.service=ocis"
- "traefik.http.services.ocis.loadbalancer.server.port=9200"
That's what I have in my environment for the ocis container.
Maybe the problem is that you're trying to mix AWS ELB with traefik, and both are trying to do the same thing? You might want to skip traefik and move everything traefik is doing to AWS ELB.