Error connecting to onlyoffice instance in Podman container

Do you want to: Ask a how-to question

Document Server version: BASE_VERSION="24.04"

Type of installation of the Document Server: Podman container (as root)
Installation guide used: Running ONLYOFFICE Docs with Podman on Fedora - ONLYOFFICE
OS: Rocky Linux 9.5
Browser version: Brave 1.75
Additional information:

I am in the process of migrating my onlyoffice instance from one podman host to another, and for some reason I am struggling with a cURL error:

Error when trying to connect (cURL error 3: URL using bad/illegal format or missing URL (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://docs.example.tld.com, docs.example.tld.com/cache/files/data/conv_check_549371786_65/output.docx/check_549371786.docx?md5=3-iVPpMlGKleGQg6rp80cw&expires=1741105931&filename=check_549371786.docx) (version 8.3.1.25)

This pops up in the UI of nextcloud when saving the config.

Yet, I can run the healthcheck curl command fine from within the nextcloud instance:

[ansible@Podman nextcloud]$ podman exec -it -u www-data nextcloud-app bash
www-data@nextcloud:~/html$ curl https://docs.example.tld.com/healthcheck
true

Curl command works fine hosted on either server.

I checked all the obvious stuff like firewalld ports, routes. The reverse proxy is the same, with same certificate, same upstream server, the only thing that changes is the address of the upstream server, from the old to the new server.

Here is how the container is launched on both hosts

podman run --detach -e JWT_SECRET="mySecretToken" --restart on-failure --volume office-pvc:/var:Z -p 8088:80  -u root --name onlyoffice docker.io/onlyoffice/documentserver:latest

Same port mappings, same proxy, same token, same docker image, just a different host. I know I must be missing something, but this one has me stumped. On both hosts the container is run as root (had no luck running it rootless). Same UID on both hosts, same Podman version (5.2.2).

The reverse proxy if it matters is running nginx 1.22

Here is the reverse proxy config: - I have run the same config in production for a few years without issue, whether native installs of onlyoffice, or docker instances and it has worked fine:

upstream docserver {
  server 192.168.51.55:8088; # ip of the Podman host running OO
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {  # OnlyOffice
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name docs.example.tld.com;
    server_tokens off;
    root /usr/share/nginx/html;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/docs.example.tld.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docs.example.tld.com/privkey.pem; # managed by Certbot

#    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dh2048_param.pem;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;

  location / {
    proxy_pass http://docserver;
    proxy_http_version 1.1;
  }
}

Some log output from the reverse proxy node:

108.162.xx.xx - - [04/Mar/2025:11:48:17 -0500] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"
172.71.xx.xx - - [04/Mar/2025:11:48:19 -0500] "GET /healthcheck HTTP/2.0" 200 4 "-" "Nextcloud Server Crawler"
172.71.xx.xx - - [04/Mar/2025:11:48:19 -0500] "POST /coauthoring/CommandService.ashx HTTP/2.0" 200 52 "-" "Nextcloud Server Crawler"
172.68.xx.xx - - [04/Mar/2025:11:48:19 -0500] "GET /apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.ghFB818FBanY265leMX7xl82o_mDIFc-Qgf67U9tDWg HTTP/2.0" 200 6940 "-" "Node.js/6.13"
172.68.xx.xx - - [04/Mar/2025:11:48:20 -0500] "POST /converter HTTP/2.0" 200 207 "-" "Nextcloud Server Crawler"
108.162.xx.xx - - [04/Mar/2025:11:48:20 -0500] "PUT /apps/onlyoffice/ajax/settings/address HTTP/2.0" 200 360 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"

Log output from podman logs onlyoffice of the non-working instance:

Generating WOPI private key...Done
Generating WOPI public key...Done
 * Starting PostgreSQL 16 database server
   ...done.
 * Starting RabbitMQ Messaging Server rabbitmq-server
   ...done.
Connection to localhost (::1) 5432 port [tcp/postgresql] succeeded!
Connection to localhost (::1) 5672 port [tcp/amqp] succeeded!
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:4: NOTICE:  table "doc_callbacks" does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:9: NOTICE:  function merge_db(pg_catalog.varchar,int2,int8,pg_catalog.timestamp,pg_catalog.varchar,int8,int8) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:10: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,pg_catalog.varchar,int4,int4) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:11: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,int4,int4,text,text) does not exist, skipping
Starting supervisor: supervisord.
 * Starting periodic command scheduler cron
   ...done.
 * Starting nginx nginx
   ...done.
Generating AllFonts.js, please wait...Done
Generating presentation themes, please wait...Done
Generating js caches, please wait...Done
ds:docservice: stopped
ds:docservice: started
ds:converter: stopped
ds:converter: started
 * Reloading nginx configuration nginx
   ...done.
Installing plugins, please wait...Done
 * Reloading nginx configuration nginx
   ...done.

==> /var/log/onlyoffice/documentserver/converter/err.log <==

==> /var/log/onlyoffice/documentserver/converter/out.log <==
[2025-03-04T16:00:08.119] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:00:08.121] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:00:08.134] [WARN] [localhost] [docId] [userId] nodeJS - worker 752 started.
[2025-03-04T16:00:08.135] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:00:08.136] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:00:26.664] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:00:26.666] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:00:26.673] [WARN] [localhost] [docId] [userId] nodeJS - worker 861 started.
[2025-03-04T16:00:26.673] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:00:26.674] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers

==> /var/log/onlyoffice/documentserver/docservice/err.log <==

==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2025-03-04T16:00:08.758] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-04T16:00:08.764] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:00:08.764] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:00:08.942] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.3.1. Build: 25
[2025-03-04T16:00:25.108] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-04T16:00:25.112] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:00:25.112] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:00:25.230] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.3.1. Build: 25

==> /var/log/onlyoffice/documentserver/nginx.error.log <==

podman logs onlyoffice for the working instance:

Generating WOPI private key...Done
Generating WOPI public key...Done
 * Starting PostgreSQL 14 database server
   ...done.
 * Starting RabbitMQ Messaging Server rabbitmq-server
   ...done.
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:4: NOTICE:  table "doc_callbacks" does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:9: NOTICE:  function merge_db(pg_catalog.varchar,int2,int8,pg_catalog.timestamp,pg_catalog.varchar,int8,int8) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:10: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,pg_catalog.varchar,int4,int4) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:11: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,int4,int4,text,text) does not exist, skipping
Starting supervisor: supervisord.
 * Starting periodic command scheduler cron
   ...done.
 * Starting nginx nginx
   ...done.
Generating AllFonts.js, please wait...Done
Generating presentation themes, please wait...Done
Generating js caches, please wait...Done
ds:docservice: stopped
ds:docservice: started
ds:converter: stopped
ds:converter: started
 * Reloading nginx configuration nginx
   ...done.
Installing plugins, please wait...Done
 * Reloading nginx configuration nginx
   ...done.

==> /var/log/onlyoffice/documentserver/converter/err.log <==

==> /var/log/onlyoffice/documentserver/converter/out.log <==
[2025-03-04T16:01:12.376] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:01:12.379] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:01:12.388] [WARN] [localhost] [docId] [userId] nodeJS - worker 752 started.
[2025-03-04T16:01:12.389] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:01:12.389] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:01:30.718] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:01:30.720] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-04T16:01:30.726] [WARN] [localhost] [docId] [userId] nodeJS - worker 861 started.
[2025-03-04T16:01:30.727] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-04T16:01:30.727] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers

==> /var/log/onlyoffice/documentserver/docservice/err.log <==

==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2025-03-04T16:01:12.764] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-04T16:01:12.772] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:01:12.773] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:01:12.916] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.2.2. Build: 22
[2025-03-04T16:01:29.196] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-04T16:01:29.200] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:01:29.200] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-04T16:01:29.318] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.2.2. Build: 22

==> /var/log/onlyoffice/documentserver/nginx.error.log <==

Does not seem to be a network issue, since I can netcat in on port 8088 fine, and run the curl healthcheck without issues.

Anyone see what I am missing?
Thanks

Wanted to add a correction, I had mentioned they are the same image, but I stand corrected.

The images are different: here is the working instance:

[root@Podman2 ansible]# podman image ls
REPOSITORY                           TAG         IMAGE ID      CREATED       SIZE
docker.io/onlyoffice/documentserver  latest      aae28af46240  3 months ago  3.37 GB

and the non-working instance:

[root@Podman nextcloud]# podman image ls
REPOSITORY                           TAG         IMAGE ID      CREATED     SIZE
docker.io/onlyoffice/documentserver  latest      7b91b2d4bbb0  6 days ago  3.61 GB

So the new server has what appears to be a newer version of the image. So investigating what may have changed, or why one works vs not.

newer image: declare -x BASE_VERSION="24.04"

working image: declare -x BASE_VERSION="22.04"

So will look into tagging the image to pull 22.04 just for grins.

Ok well this is embarrassing. Apparently nextcloud 30.0.2 is not compatible with “latest” OO 8.3 - and using the :latest tag bit me. So my solution was to pin the version of OnlyOffice to 8.2.2.

Gotta love these docker containers! lol

Hello @dj423
It’s strange, since Document Server supports Nextcloud30\31 starting with the connector v.9.4:

What is your connector version?

If the connector version is the latest, and the issue still occurs on DSv.8.3.1, let’s start troubleshooting. We will need to reproduce the issue > make a screenshot of the error itself in web browser > collect DS logs (/app/onlyoffice/DocumentServer/logs folder)

It’s on version 9.7

Here is the screenshot of the error:

Now this instance is running nextcloud 30.0.4, with 8.3.1 image of onlyoffice.

I should note this error ONLY shows up when I use the 8.3.1 image, does not show up when I roll onlyoffice back to 8.2.2 - so I am assuming a compatibility issue.

Here is output of podman logs onlyoffice:

Generating WOPI private key...Done
Generating WOPI public key...Done
 * Starting PostgreSQL 16 database server
   ...done.
 * Starting RabbitMQ Messaging Server rabbitmq-server
   ...done.
Connection to localhost (::1) 5432 port [tcp/postgresql] succeeded!
Connection to localhost (::1) 5672 port [tcp/amqp] succeeded!
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:4: NOTICE:  table "doc_callbacks" does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:9: NOTICE:  function merge_db(pg_catalog.varchar,int2,int8,pg_catalog.timestamp,pg_catalog.varchar,int8,int8) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:10: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,pg_catalog.varchar,int4,int4) does not exist, skipping
psql:/var/www/onlyoffice/documentserver/server/schema/postgresql/removetbl.sql:11: NOTICE:  function merge_db(pg_catalog.varchar,int2,int4,pg_catalog.timestamp,int4,int4,text,text) does not exist, skipping
Starting supervisor: supervisord.
 * Starting periodic command scheduler cron
   ...done.
 * Starting nginx nginx
   ...done.
Generating AllFonts.js, please wait...Done
Generating presentation themes, please wait...Done
Generating js caches, please wait...Done
ds:docservice: stopped
ds:docservice: started
ds:converter: stopped
ds:converter: started
 * Reloading nginx configuration nginx
   ...done.
Installing plugins, please wait...Done
 * Reloading nginx configuration nginx
   ...done.

==> /var/log/onlyoffice/documentserver/converter/err.log <==

==> /var/log/onlyoffice/documentserver/converter/out.log <==
[2025-03-08T13:48:13.334] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-08T13:48:13.337] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-08T13:48:13.344] [WARN] [localhost] [docId] [userId] nodeJS - worker 749 started.
[2025-03-08T13:48:13.345] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-08T13:48:13.345] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-08T13:48:31.931] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-08T13:48:31.933] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers
[2025-03-08T13:48:31.939] [WARN] [localhost] [docId] [userId] nodeJS - worker 862 started.
[2025-03-08T13:48:31.939] [WARN] [localhost] [docId] [userId] nodeJS - num of CPUs: 4; availableParallelism: undefined
[2025-03-08T13:48:31.940] [WARN] [localhost] [docId] [userId] nodeJS - update cluster with 1 workers

==> /var/log/onlyoffice/documentserver/docservice/err.log <==

==> /var/log/onlyoffice/documentserver/docservice/out.log <==
[2025-03-08T13:48:13.666] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-08T13:48:13.670] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-08T13:48:13.670] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-08T13:48:13.803] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.3.1. Build: 25
[2025-03-08T13:48:30.440] [WARN] [localhost] [docId] [userId] nodeJS - Express server starting...
[2025-03-08T13:48:30.444] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-08T13:48:30.444] [WARN] [localhost] [docId] [userId] nodeJS - notifyLicenseExpiration(): expiration date is not defined
[2025-03-08T13:48:30.560] [WARN] [localhost] [docId] [userId] nodeJS - Express server listening on port 8000 in production-linux mode. Version: 8.3.1. Build: 25

==> /var/log/onlyoffice/documentserver/nginx.error.log <==

My instance does not seem to have the path: /app/onlyoffice/DocumentServer/logs within the container. I did delete and re-create the persistent volume before running the newer version, as running it over the old volume causes “Waiting for connection to the localhost host on port 5432” errors. To fix it, I need to delete the volume for onlyoffice, then recreate it, set the compose file to pull 8.2.2 and onlyoffice runs fine, no errors and documents open fine.

Perhaps some part of the config changes from 8.2.2 to 8.3.1? I do not change the reverse proxy config, I just change the version image that podman pulls. Also to note, I do run the onlyoffice container rootless, so not sure if that is an issue.

Thanks!

Hello @dj423
It seems that the issue is related to your network or the connector settings.
Is it possible to run both instances without reverse proxy for a test? Additionally, your address in the screenshot looks strange:


It looks like there’re two separate addresses joined by ‘,’ character.

FWIW: I set a local static DNS A record to bypass my reverse proxy for both the nextcloud instance as well as onlyoffice. This presented another issue as I terminate TLS on the reverse proxy - not on the onlyoffice instance - it is listening on port 80 within the container and port 81 on the host, so I was not able to test connections since I do not terminate TLS directly on the onlyoffice instance. Has not been an issue going back to version 7.4 of OO, I have run pretty much the same config since then. - Is it a requirement we terminate tls directly on the onlyoffice node? Just curious if I missed something.

I suppose I can spin up TLS directly on the onlyoffice instance, with a cert - but this seems a bit redundant and inefficient behind a reverse proxy with all DNS records pointing to it for connections. In the past it seemed best practice to terminate at the reverse proxy, and only allow port 80/81 through to the backend.

Hello there,
your proxy config seems to be ok to my knowledge, although I have no experience with Podman. What happens when you try to directly reach your onlyoffice-instance under http://192.168.50.55:81 ?
You should see the welcome-page there.

As it was pointed out by @Alexandre and the error message itself, there seems to be some problem with the URL-formatting. It also uses http, rather than https.

You can always override settings for testing purposes by defining them directly, for example:

proxy_set_header X-Forwarded-Proto "https";

Hello there,
since you accidentally left your domain unchanged, I was able to test your host. Your host does indeed not redirect correctly. I get a “302 Found” message instead of the target. Something is off.

EDIT:
I believe the error lies within the default nginx configuration inside the onlyoffice-container. Check both versions for differences.

EDIT:
When you moved to the newer server, you did add its IP to the list of trusted hosts inside the nextcloud configuration?

UPDATE:
I was able to reach the welcome page, but only by providing the location “/welcome” myself. By using your domain only, I get the “302 Found” message or rather an error of “corrupted content” from firefox.
I tested this on my own setup and I get redirected to welcome-page with a valid HTTP 302 header. For now I see only one possible issue here:

  1. Your proxy does not redirect correctly (to my knowledge your config looks solid)
    or
  2. Onlyoffice handles the request wrong, after it gets processed correctly via proxy. But this only affects the domain itself, while requests like “/welcome” get processed correctly.
    or
  3. Since you are on cloudflare, there might be some issue with the cache influencing the redirects, but I’m not an expert on that. This is just for consideration, since the header with the 302 message also carries some info regarding cloudflare-cache.

Thanks for taking a look at it bermuda, much appreciated.
Yeah I checked the default ds.conf files within the containers and they are both the same, so I would think they would redirect in the same way. The IP/port does not change from 8.2.2 image to 8.3.1, since it runs on the same host and uses the same .env file for the configuration which just sets the jwt_secret.

So I guess I am perplexed in what changes from one version to the other. I will do some more troubleshooting as time allows. I see what you mean about adding the /welcome location, it comes up fine.

If I browse directly to http://192.168.50.55:81 it comes up fine, and adds the /welcome location upon connection.

Hello,
ok … that means that onlyoffice-container is set up, running and reachable. So it must be the proxy then.
What I did is, I used your host-address you provided in your proxy-conf and I got that redirect error. Later I tried it again, but I put “/welcome” into the address myself and I got successfully connected.
See for yourself:

https://docs.sovereign-stacks.com
https://docs.sovereign-stacks.com/welcome

But I cannot find anything unusual in your proxy configuration that would explain that behavior.
I myself am still on 8.2.2. The error message from the connector app on nextcloud refers to http and not https. That is also something I don’t really get. You can overwrite the protocol header in your proxy configuration and see if it works then (just to sort that possibility out):

proxy_set_header X-Forwarded-Proto "https";

And yes, it is better to terminate SSL in the proxy. I do it too.

Hmm, try this in your proxy configuration:

location / {
    proxy_pass http://docserver/;
    proxy_http_version 1.1;
}

I think you need “/” at the end, otherwise “location /” does not work, but works with everything else like “/welcome”. That would explain the behavior :)

Ok, that gets us already some answers. You can change back proxy_set_header X-Forwarded-Proto and go with my last suggestion.

Latest config changes:

upstream docserver {
  server 192.168.50.55:81; # ip of the docserver instance
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# testing
# proxy_set_header X-Forwarded-Proto "https";

server {  # OnlyOffice
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name docs.sovereign-stacks.com;
    server_tokens off;
    root /usr/share/nginx/html;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/letsencrypt/live/docs.sovereign-stacks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docs.sovereign-stacks.com/privkey.pem; # managed by Certbot

# Fix 'The Logjam Attack'.
#    ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dh2048_param.pem;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;

  location / {
    proxy_pass http://docserver/;
    proxy_http_version 1.1;
  }
}

Yeah … if you also proxy via cloudfront, this gives the issue a totally different dimension. Everything points to a working setup to me. It is hard to find some mistake, so the best approach is, to test things one by one and see the result.
The only thing I do differently in my setup, I also rewrite everything coming via http to https. So even if something gets back as http it will be overridden by the proxy. You can check your default config for the site and see what the server directive for http (80) does. I simply rewrite the request to https:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name myserver.xyz;

    root /config/www;
    index index.html index.htm index.php;

    location / {
        return 301 https://$host$request_uri;
        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
    }
    #... (more stuff, not important to show now)
}

This is just in case the whole http-error is really because nextcloud tries to access your onlyoffice-host via http.

Yes, this does not look like a sane syntax to me. This might be the real issue here. Let’s wait and see how this plays out.
This is exactly what I see in debugging console in firefox when I go to your domain:

http://docs.sovereign-stacks.com, docs.sovereign-stacks.com/welcome/

Hello,
just tried it in firefox. I now get redirected to the welcome page. Seems the redirect is working now. Check your connector app. It should work now.

UPDATE:
Healthcheck also returns “true”.

You should always flush the cache when testing changes. In Firefox I press CTRL+F5 to do that. Otherwise you end up with cached stuff from your browser’s temp.

Reverted the config to a slightly more modern basic redirect configuration and now it comes up fine.

Sharing for anyone that may run across the same issues with their nginx proxy:

# HTTP (port 80) server block
server {
    listen 80;
    server_name docs.sovereign-stacks.com;

    return 301 https://$host$request_uri;
}

# HTTPS (port 443) server block
server {
    listen 443 ssl;
    server_name docs.sovereign-stacks.com;
    ssl_certificate /etc/letsencrypt/live/docs.sovereign-stacks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docs.sovereign-stacks.com/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';  
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.50.55:81/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Big thanks to everyone that replied and the sanity check!
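
The malformed address in the error at the top of the thread (`http://docs.example.tld.com, docs.example.tld.com/...`) is what a comma-joined forwarded-host value looks like once it is pasted into a URL, and the first proxy config forwards whatever `X-Forwarded-Host` the client sends. The Python below is an added example, not code from the thread or from ONLYOFFICE; it assumes a backend that builds its base URL from `X-Forwarded-Proto` plus `X-Forwarded-Host` and a hop that appends to the header, and every function name is hypothetical.

```python
import re

# Constructed sample values; the hostname is the placeholder used in the thread.
PUBLIC_HOST = "docs.example.tld.com"
ALLOWED_HOSTS = {PUBLIC_HOST}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*(?::[0-9]{{1,5}})?$")


def the_host(http_host, x_forwarded_host, server_host):
    """Mirror the two nginx maps from the first config in the thread."""
    # map $http_host $this_host { "" $host; default $http_host; }
    this_host = http_host if http_host else server_host
    # map $http_x_forwarded_host $the_host { default $http_x_forwarded_host; "" $this_host; }
    return x_forwarded_host if x_forwarded_host else this_host


def append_hop(existing, host):
    """Assumption: a second hop appends its host instead of replacing the header."""
    return f"{existing}, {host}" if existing else host


def naive_base_url(proto, forwarded_host):
    """Assumption: the backend concatenates scheme and forwarded host unchecked."""
    return f"{proto}://{forwarded_host}"


def check_forwarded_host(value, allowed=ALLOWED_HOSTS):
    """Return (host, None) when the value is usable, else (None, reason)."""
    entries = [e.strip() for e in value.split(",")]
    if len(entries) != 1:
        return None, f"{len(entries)} comma-separated entries"
    host = entries[0]
    if not _HOST_RE.match(host):
        return None, "not a valid host[:port]"
    if host.split(":")[0].lower() not in allowed:
        return None, "host not in allowlist"
    return host, None


def safe_base_url(proto, forwarded_host, fallback=PUBLIC_HOST):
    """Validated variant: use the configured public host whenever the header fails the check."""
    host, _reason = check_forwarded_host(forwarded_host)
    scheme = proto if proto in ("http", "https") else "https"
    return f"{scheme}://{host or fallback}"


if __name__ == "__main__":
    # No X-Forwarded-Host from the client: the maps fall back to the Host header.
    first_hop = the_host(PUBLIC_HOST, "", PUBLIC_HOST)
    # A later hop appends the same host again, giving the comma-joined value.
    joined = append_hop(first_hop, PUBLIC_HOST)
    print("naive :", naive_base_url("http", joined))
    print("check :", check_forwarded_host(joined))
    print("safe  :", safe_base_url("https", joined))
    # A client-supplied header is passed through unchanged by the maps.
    passed = the_host(PUBLIC_HOST, "client-supplied.example", PUBLIC_HOST)
    print("client:", passed, check_forwarded_host(passed))
```

The final config in the thread avoids the pass-through by sending `Host $host` and `X-Forwarded-Proto $scheme` from the proxy's own view of the request.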
