Adding documentserver to existing Traefik proxy: works halfway, but cannot open documents

Do you want to: Ask a how-to question
Document Server version: 7.2.1
Type of installation of the Document Server: docker
OS: Ubuntu Linux
Browser version: Firefox 107.0 (64 bit)

I have an existing server with Traefik and applications running behind Traefik.
Traefik does the TLS work (has certificate configured with Lets Encrypt).
There are applications that can be reached through this setting, so I consider Traefik as working.

Now I want to set up a docker container running ONLYOFFICE document server, to be used from a NextCloud on a different server.

I have done it as with the other docker containers that are already working behind Traefik:

  • I have defined a subdomain “office” in the DNS.
  • There are labels in the docker compose file that redirect calls to office.my-cool-domain to this container (note that “my-cool-domain” is not the real domain, I only use it here in order not to write the real domain).
  • The container is put to the same docker network as Traefik is.
    (full docker-compose is below)

This seems to work to some point: Entering https://office.my-cool.domain leads to https://office.my-cool.domain/welcome/ and I see “ONLYOFFICE Docs Community Edition installed”.
I then enabled the integrated test example as documented on this page.

After this, when I use the button “GO TO TEST EXAMPLE” at the bottom of the page, the example opens.
When I click to create a new text document, such a document opens for a moment, then a dialog box informs me that ‘Download failed’ and ‘Press “ok” to return to document list’.
After pressing “OK”, in the list of documents there is a new document. But clicking it does not work, it leads to the same message.

Consulting the log of the docker container, I see messages like

2022-12-04T11:50:42.050082751Z [2022-12-04T11:50:42.043] [ERROR] [localhost] [31.nnn.nn.nnn__172.18.0.2new.docx1670154607109] [uid-1] nodeJS - dnsLookup error: hostname = office.my-cool.domain Error: getaddrinfo EAI_AGAIN office.my-cool.domain
2022-12-04T11:50:42.050635872Z     at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:71:26)
2022-12-04T11:50:42.051028967Z [2022-12-04T11:50:42.044] [WARN] [localhost] [31.nnn.nn.nnn__172.18.0.2new.docx1670154607109] [uid-1] nodeJS - checkIpFilter error: url = https://office.my-cool.domain/example/track?filename=new.docx&useraddress=31.nnn.nn.nnn__172.18.0.2

The IP address I have replaced with nnn.nn.nnn above is not the one from my server. (maybe it is not important, but I wonder: What address is it?)

More important: What is wrong? How can I solve this dnsLookup error?
I have consulted other posts, but they usually set up Traefik in the same docker-compose as the documentserver, but my Traefik is already existing and working. I have also seen the official document about using Traefik as proxy for documentserver, but I think it does not apply to my situation, because Traefik is not only serving document server but also other services and is in itself working well. So I do not want to fiddle with the Traefik setup. I think it is rather in the documentserver setup where something is wrong.

My docker-compose.yml file:

services:

  onlyoffice:
    image: onlyoffice/documentserver:7.2.1
    container_name: onlyoffice_traefik
    stdin_open: true
    tty: true
    restart: unless-stopped
    networks:
      - traefik-bridge

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.rule=Host(`office.my-cool.domain`)"

networks:
  traefik-bridge:
    external: true

I know that I could/should map some folders to volumes, but I want to know first for which folders/services this makes sense in my setup. (Remember that I have NextCloud and want to connect this documentserver there, so I do not need storage etc, this is done on NextCloud).

I guess there is some setting missing in the docker-compose or somewhere - what do I have to configure where?

Thanks a lot for help or hints!

Hello @ExaBirrUma

First, execute this command inside of the container with Document Server: bash documentserver-update-securelink.sh

Second, please note that Test Example is not meant to be used behind the proxy. Please try connecting your instance of ONLYOFFICE Docs to your Nextcloud via connector app.

If you face any issues please provide full log catalog of Document Server located in /var/log/onlyoffice/documentserver in its container.

Thanks - I wanted to be sure that my setup with Traefik is correct and therefore tested with the example. Thanks for informing me that this is not possible, so now I tried with the live NextCloud.

I have done bash documentserver-update-securelink.sh inside the onlyoffice docker container.

I also got the secret of the onlyoffice server by running the command given on the welcome screen against the docker container:
sudo docker exec ...containerId... /var/www/onlyoffice/documentserver/npm/json -f /etc/onlyoffice/documentserver/local.json 'services.CoAuthoring.secret.session.string'

In NextCloud (24.0.7), I have installed the ONLYOFFICE connector app (version 7.5.8) and configured it as follows (note that my GUI of Nextcloud is not English, so I have translated the labels of the fields and might not have found the same wording as in the original English NextCloud GUI):

  • Address of ONLYOFFICE Docs: https://office.my-cool.domain
  • kept unchecked “do not check certificate (insecure)”
  • secret key: the secret from the docker command above (20 characters long)

I also set the advanced settings (not sure if necessary):

  • address of ONLYOFFICE docs for internal request from server: https://office.my-cool.domain (same as above)
  • server address for internal requests from ONLYOFFICE docs: https://....storage-share.de (the root URL of the NextCloud)

After saving, a message in the upper right corner informs me that “Settings updated successfully (version 7.2.1.34)”

When I create a document in NextCloud, OnlyOffice is starting, after a moment I see the message (translated): “downloading failed. Click ok to go to the document list”.

However, in all the logs on logs/documentserver, there are no entries from today (except from metrics). Anyway see the logs below.

So how comes this? It seems that the OnlyOffice does not reach the document server. Is the URL wrong? I only specify https://office.my-cool.domain/ (when I open this page, it leads to https://office.my-cool.domain/welcome/ ).
Is the correct URL something like https://office.my-cool.domain/.../api/ or such? I could not find a hint about this on https://api.onlyoffice.com .

Thanks a lot for helping me getting this to run!


Logs (let me know if you need more info from the server, like settings etc.):

Note that I tested today, Dec. 7th. The log entries are mostly old, from the 5th.

The latest entries in logs/documentserver/docservice/out.log are from server restart (due to bash documentserver-update-securelink.sh two days ago):

[2022-12-05T19:49:21.139] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2022-12-05T19:49:21.158] [WARN] [localhost] [docId] [userId] nodeJS - Failed to subscribe to plugin folder updates. When changing the list of plugins, you must restart the server. https://nodejs.org/docs/latest/api/fs.html#fs_availability
[2022-12-05T19:49:21.520] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 7.2.1. Build: 34

The corresponding log in documentserver/converter/out.log:

[2022-12-05T19:49:22.224] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2022-12-05T19:49:22.239] [WARN] [localhost] [docId] [userId] nodeJS - worker 6460 started.
[2022-12-05T19:49:22.248] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2022-12-06T19:49:22.253] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers

documentserver/metrics/out.log has a lot of entries (every 5 minutes) like:

Flushing stats at  Wed Dec 07 2022 11:45:22 GMT+0000 (Coordinated Universal Time)
{
  counters: {
    'statsd.bad_lines_seen': 0,
    'statsd.packets_received': 0,
    'statsd.metrics_received': 0
  },
  timers: {},
  gauges: { 'statsd.timestamp_lag': 0 },
  timer_data: {},
  counter_rates: {
    'statsd.bad_lines_seen': 0,
    'statsd.packets_received': 0,
    'statsd.metrics_received': 0
  },
  sets: {},
  pctThreshold: [ 90 ]
}

All values 0.

All three err.log are empty. Also nginx.error.log has no entries of today (two errors from earlier trials with example).

The Advanced server settings allow you to set the ONLYOFFICE Docs address for internal requests from the Nextcloud server and the returning Nextcloud address for the internal requests from ONLYOFFICE Docs, i.e. Advanced server settings are used when servers are not publicly available for each other. Which doesn’t seem to be your case.
So I ask you to perform the next actions:

  • close Advanced server settings of the connector app;
  • use your https://office.my-cool.domain (Document Server address) in the ONLYOFFICE Docs address field and press ‘Save’;
  • open any document from Nextcloud to reproduce the issue;
  • open browser’s console (F12 in Chrome/Firefox/Edge);
  • reload the page;
  • make screenshots of network and console tabs of browser’s console to share with us.

Also please check if your servers can reach each other with wget <server_address> from Nextcloud server to Document Server and from inside the Document Server container to Nextcloud address and share outputs.
After reproducing the issue that way please share the whole catalog with us. You can upload it to your Nextcloud portal and share via external link (you can send it via PM if afraid that any sensitive data can be found in them). You can attach next configs as well:

  • /etc/onlyoffice/documentserver/local.json
  • /etc/onlyoffice/documentserver/default.json
  • /etc/onlyoffice/documentserver/nginx/ds.conf
  • /etc/onlyoffice/documentserver/nginx/includes/ds-docservice.conf

Dear Constantine

Thanks a lot for your prompt help! I appreciate it very much.

I have done as you asked and stored all the output to my cloud. You should have received this text also in an e-mail (to forum@onlyoffice.com), there is also the link to the output. Let me know if I should send the link to some other mail address (I don’t know what is the direct mail to you).

Hope this info helps figuring out the problem!

Can’t find the message on e-mail. Please share the link directly to me via PM - tap on my avatar and click on “Message” button.

Hey @ExaBirrUma

From what I can read, your problem sounds a lot like the problems I am experiencing.

I filed a bug with Onlyoffice

because in my case, Onlyoffice through tries to make an HTTP connect back to the Onlyoffice document server from the web-browser, but it is supposed to make an HTTPS connect. This bug triggers a security feature in the browser that prevents the request from going through.

There is a POC there that may work for you, to confirm if the problem is the same.

Hello @dvaerum

Sorry for the late response.
Please take a look at the examples of different proxy configurations from our Help Center:
https://helpcenter.onlyoffice.com/installation/docs-community-proxy.aspx

If none of these helps, please provide log files of Document Server from /var/log/onlyoffice/documentserver/ for analysis and also elaborate the status of the issue.

Hey @Constantine

Feels like you just sent me a link to some default documentation when I mentioned a possible bug, so I will be very direct, have you read my bug report?

I’ve checked the information provided earlier and it looks like the issue is related to your Traefik configuration.
Please try adding these labels to the .yml file which runs the container with Document Server:

      - "traefik.http.routers.ds.middlewares=onlyoffice-headers"
      - "traefik.http.middlewares.onlyoffice-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.onlyoffice-headers.headers.accessControlAllowOrigin=*"

Please use these labels to run a “clear” test, i.e. without your previously used workaround.

Looking forward to your feedback.

Hello Constantine

Good to read from you after such a long time. I started to fear that something grave happened to you! And I did not know where to get such good support - almost thought of giving up.
Glad you are alive!

Your hints were great. At first it did not run. I found that, because I already had a traefik router config for OnlyOffice, I had to rename ds to onlyoffice. And it turned out that accessControlAllowOrigin is deprecated - when I specified this, OnlyOffice did not appear at all in Traefik because the whole config was invalid. The correct field is accessControlAllowOriginList.

So my traefik labels in docker-compose.yml for the OnlyOffice container are now:

  - "traefik.enable=true"
  - "traefik.http.routers.onlyoffice.rule=Host(`office.my-super.domain`)"
  - "traefik.http.routers.onlyoffice.middlewares=onlyoffice-headers"
  - "traefik.http.middlewares.onlyoffice-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
  - "traefik.http.middlewares.onlyoffice-headers.headers.accessControlAllowOriginList=*"

And now it works!!!

Many many thanks!
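
A small lint for the label problems this thread ran into, added here as an example and not part of the original posts or of ONLYOFFICE or Traefik code: the helper `lint_labels` and its finding codes are hypothetical, and the two label sets are constructed from the ones quoted above. It also flags the `*` origin list that the working configuration keeps, which allows every origin; whether a narrower list is enough for a given deployment has to be tested there.

```python
import re

# Constructed inputs. SUGGESTED merges the first set of labels from the thread
# with the poster's existing "onlyoffice" router; WORKING is the final set.
RULE = "traefik.http.routers.onlyoffice.rule=Host(`office.my-cool.domain`)"
MW = "traefik.http.middlewares.onlyoffice-headers.headers."
SUGGESTED = [
    "traefik.enable=true", RULE,
    "traefik.http.routers.ds.middlewares=onlyoffice-headers",
    MW + "customrequestheaders.X-Forwarded-Proto=https",
    MW + "accessControlAllowOrigin=*",
]
WORKING = [
    "traefik.enable=true", RULE,
    "traefik.http.routers.onlyoffice.middlewares=onlyoffice-headers",
    MW + "customrequestheaders.X-Forwarded-Proto=https",
    MW + "accessControlAllowOriginList=*",
]

def lint_labels(labels):
    """Return sorted finding codes for the Traefik labels of one container."""
    kv = {}
    for label in labels:
        key, _, value = label.partition("=")
        kv[key.strip().lower()] = value.strip()  # keys compared case-insensitively
    routers, defined, findings = {}, set(), set()
    for key, value in kv.items():
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.(rule|middlewares)$", key)
        if m:
            routers.setdefault(m.group(1), {})[m.group(2)] = value
        m = re.match(r"traefik\.http\.middlewares\.([^.]+)\.headers\.(.+)$", key)
        if m:
            defined.add(m.group(1))
            if m.group(2) == "accesscontrolalloworigin":
                findings.add("deprecated-cors-option")  # renamed ...OriginList
            if m.group(2).startswith("accesscontrolalloworigin") and "*" in value.split(","):
                findings.add("cors-wildcard-origin")  # every origin is allowed
    for cfg in routers.values():
        used = [n.strip().lower() for n in cfg.get("middlewares", "").split(",") if n.strip()]
        if used and "rule" not in cfg:  # headers attached to a router other than the Host() one
            findings.add("middleware-on-router-without-rule")
        if any("@" not in n and n not in defined for n in used):
            findings.add("undefined-middleware")
    proto = [v.lower() for k, v in kv.items()
             if k.endswith(".customrequestheaders.x-forwarded-proto")]
    if "https" not in proto:  # backend cannot tell that the client used TLS
        findings.add("no-x-forwarded-proto-https")
    return sorted(findings)

if __name__ == "__main__":
    print(lint_labels(SUGGESTED), lint_labels(WORKING))
```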

Hello @ExaBirrUma

I’m glad to hear that it is working now.
Again, I am very sorry for the long time absence and I’m happy to hear kind words from you.