HTTPS reverse proxy gives nodeJS - error downloadFile error code 401

Do you want to: Request troubleshooting assistance with setting up the document server behind Nginx reverse proxy and https.
Document Server version: 7.1.0-215 Community
Type of installation of the Document Server (docker, deb/rpm, exe): deb
OS: Ubuntu 22.04 LTS
Browser version: any
Onlyoffice-nuxeo integrator plugin version: 2.0.0. Built from git repo.

Am not able to edit document through Nuxeo front end when using https. OnlyOffice convertor fails with:
(from /var/log/onlyoffice/documentserver/convertor/out.log)
[2022-06-06T15:58:57.298] [ERROR] nodeJS - error downloadFile:url=https://morgan.example.com/nuxeo/nxfile/default/8d7fbc30-4587-4233-9efb-1279f467d55b/file:content/can users.xlsx?token=805faaf5-cd2c-4642-b698-e08a28e5b4c9;attempt=1;code:undefined;connect:undefined;(id=OGQ3ZmJjMzAtNDU4Ny00MjMzLTllZmItMTI3OWY0NjdkNTViX185LTA=)
Error: Error response: statusCode:401; headers:{"server":"nginx","date":"Mon, 06 Jun 2022 19:58:57 GMT","content-type":"text/html;charset=UTF-8","transfer-encoding":"chunked","connection":"keep-alive","x-frame-options":"SAMEORIGIN","referrer-policy":"strict-origin-when-cross-origin","x-ua-compatible":"IE=10; IE=11","cache-control":"private, max-age=0","x-content-type-options":"nosniff","content-security-policy":"img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *","x-xss-protection":"1; mode=block","expires":"Mon, 06 Jun 2022 19:58:57 GMT","set-cookie":["JSESSIONID=AF7A5188FC20D45CF3C2B4265D073EF2.nuxeo; Path=/; Secure; HttpOnly; SameSite=Lax"],"vary":"accept-encoding","content-encoding":"gzip"};
at Request.fResponse (/snapshot/server/build/server/Common/sources/utils.js)
at Request.emit (events.js:400:28)
at Request.onRequestResponse (/snapshot/server/build/server/Common/node_modules/request/request.js:1059:10)
at ClientRequest.emit (events.js:400:28)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:126:17)
at TLSSocket.socketOnData (_http_client.js:515:22)
at TLSSocket.emit (events.js:400:28)
at addChunk (internal/streams/readable.js:290:12)
at readableAddChunk (internal/streams/readable.js:265:9)
at TLSSocket.Readable.push (internal/streams/readable.js:204:10)
at TLSWrap.onStreamRead (internal/stream_base_commons.js:188:23)

The JSESSIONID in the logs matches the cookie value in the browser.

There are no errors and am able to edit the same document using http.

Am using the stock Nginx includes/ds-*.conf and http-common.conf files. The ds.conf is a modified version of ds.conf.tmpl with cert values and a block to cover Nuxeo.

Both applications are on the same box.

Is there some trick that I’m missing here?

Hello @avi
Please take a look at these proxy config examples. I hope it will be useful: Using ONLYOFFICE Docs behind the proxy - ONLYOFFICE
Probably the issue is related to proxy settings.

Thanks for the response. Have followed the steps from the link prior to posting. If it helps, here is the content of ds.conf.


include /etc/nginx/includes/http-common.conf;

#Normal HTTP host
server {
    listen 0.0.0.0:80;
    server_name _;
    server_tokens off;

    #Redirects all traffic to the HTTPS host
    root /nowhere; ## root doesn't have to be a valid path since we are redirecting
    rewrite ^ https://$host$request_uri? permanent;
}

#HTTP host for internal services
server {
    listen 127.0.0.1:80;
    server_name localhost;
    server_tokens off;

    include /etc/nginx/includes/ds-common.conf;
    include /etc/nginx/includes/ds-docservice.conf;
}

#HTTPS host
server {
    listen 0.0.0.0:443 ssl;
    server_name _;
    server_tokens off;
    root /usr/share/nginx/html;
    include /etc/nginx/includes/ds-*.conf;

    ssl_certificate /etc/nginx/ssl/wildcard_chained.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.key;

    ssl_verify_client off;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ssl_protocols TLSv1.2;
    ssl_session_cache builtin:1000 shared:SSL:10m;

    ssl_prefer_server_ciphers on;

    #add_header Strict-Transport-Security max-age=31536000;
    #add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    #Nuxeo block
    ignore_invalid_headers off;
    location ^~ /nuxeo/ {
        proxy_cookie_path ~^/. /;
        proxy_http_version 1.1;
        proxy_headers_hash_bucket_size 256;
        add_header nuxeo-virtual-host https://morgan.example.com/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host morgan.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080/nuxeo/;
        proxy_redirect $scheme://$host:$server_port/ /nuxeo/;
        access_log /var/log/nginx/nuxeo-access.log;
        error_log /var/log/nginx/nuxeo-error.log;
    }
}
*** EOF

Contents of /etc/nginx/includes/http-common.conf


upstream docservice {
    server localhost:8000 max_fails=0 fail_timeout=0s;
}

upstream example {
    server localhost:3000;
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

#proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
***EOF

Is there a flag to tell OnlyOffice the connection is over https? There are zero errors when using http and still being reverse proxied by Nginx.

Disabled SAML on Nuxeo end and was able to edit the document in OnlyOffice. No changes in OO or Nginx configuration.

Edit: Anyone have any ideas if SAML integration issue is on OnlyOffice side or not?

Is it possible to run a test? Disable proxy and re-check the SAML issue? This way we will exclude the influence of proxy settings on the situation.

Could not test with removing Nginx out of the equation and accessing OnlyOffice within Nuxeo + SAML. Due to the connector using “OfficeWeb/apps/api/documents/api.js”. Resulting in 404. Nginx redirects this to “7.1.1-23/web-apps”.

Was able to reproduce the error with Nginx providing proxy for OnlyOffice to handle the redirect for the above URL.
[2022-06-09T07:09:13.500] [ERROR] nodeJS - error downloadFile:url=http://morgan:8080/nuxeo/nxfile/default/8d7fbc30-4587-4233-9efb-1279f467d55b/file:content/can users.xlsx?token=805faaf5-cd2c-4642-b698-e08a28e5b4c9;attempt=3;code:undefined;connect:undefined;(id=OGQ3ZmJjMzAtNDU4Ny00MjMzLTllZmItMTI3OWY0NjdkNTViX18xOS0y)
Error: Error response: statusCode:401; headers:{"x-frame-options":"SAMEORIGIN","referrer-policy":"strict-origin-when-cross-origin","x-ua-compatible":"IE=10; IE=11","cache-control":"private, max-age=0","x-content-type-options":"nosniff","content-security-policy":"img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *","x-xss-protection":"1; mode=block","expires":"Thu, 09 Jun 2022 11:09:13 GMT","set-cookie":["JSESSIONID=41CAE68E9E863838E1139F484D3D4404.nuxeo; Path=/nuxeo; HttpOnly; SameSite=Lax"],"vary":"accept-encoding","content-encoding":"gzip","content-type":"text/html;charset=UTF-8","transfer-encoding":"chunked","date":"Thu, 09 Jun 2022 11:09:13 GMT","keep-alive":"timeout=20","connection":"keep-alive"};
at Request.fResponse (/snapshot/server/build/server/Common/sources/utils.js)
at Request.emit (events.js:400:28)
at Request.onRequestResponse (/snapshot/server/build/server/Common/node_modules/request/request.js:1059:10)
at ClientRequest.emit (events.js:400:28)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:126:17)
at Socket.socketOnData (_http_client.js:515:22)
at Socket.emit (events.js:400:28)
at addChunk (internal/streams/readable.js:290:12)
at readableAddChunk (internal/streams/readable.js:265:9)
at Socket.Readable.push (internal/streams/readable.js:204:10)
at TCP.onStreamRead (internal/stream_base_commons.js:188:23)

Unfortunately could not determine if the proxy setting is the root cause. Anything else you would like me to try?

Will try and build the OnlyOffice-nuxeo connector code from git after updating the link to api.js.

Modified onlyoffice-nuxeo-core/src/main/resources/skin/views/onlyedit/index.ftl from the git repo and updated the api.js url on line 46.

Am now able to access OO through Nuxeo+SAML without Nginx running. Can confirm the issue is not related to reverse proxy.

From /var/log/onlyoffice/documentserver/convertor/out.log:
[2022-06-09T09:02:39.442] [ERROR] nodeJS - error downloadFile:url=http://morgan:8080/nuxeo/nxfile/default/8d7fbc30-4587-4233-9efb-1279f467d55b/file:content/can users.xlsx?token=805faaf5-cd2c-4642-b698-e08a28e5b4c9;attempt=3;code:undefined;connect:undefined;(id=OGQ3ZmJjMzAtNDU4Ny00MjMzLTllZmItMTI3OWY0NjdkNTViX18xOS0y)
Error: Error response: statusCode:401; headers:{"x-frame-options":"SAMEORIGIN","referrer-policy":"strict-origin-when-cross-origin","x-ua-compatible":"IE=10; IE=11","cache-control":"private, max-age=0","x-content-type-options":"nosniff","content-security-policy":"img-src data: blob: *; default-src blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *","x-xss-protection":"1; mode=block","expires":"Thu, 09 Jun 2022 13:02:39 GMT","set-cookie":["JSESSIONID=C8A779F531259EB55E8010D0AF25E667.nuxeo; Path=/nuxeo; HttpOnly; SameSite=Lax"],"vary":"accept-encoding","content-encoding":"gzip","content-type":"text/html;charset=UTF-8","transfer-encoding":"chunked","date":"Thu, 09 Jun 2022 13:02:39 GMT","keep-alive":"timeout=20","connection":"keep-alive"};
at Request.fResponse (/snapshot/server/build/server/Common/sources/utils.js)
at Request.emit (events.js:400:28)
at Request.onRequestResponse (/snapshot/server/build/server/Common/node_modules/request/request.js:1059:10)
at ClientRequest.emit (events.js:400:28)
at HTTPParser.parserOnIncomingClient (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:126:17)
at Socket.socketOnData (_http_client.js:515:22)
at Socket.emit (events.js:400:28)
at addChunk (internal/streams/readable.js:290:12)
at readableAddChunk (internal/streams/readable.js:265:9)
at Socket.Readable.push (internal/streams/readable.js:204:10)
at TCP.onStreamRead (internal/stream_base_commons.js:188:23)

Relevant lines from nuxeo.conf
nuxeo.url=http://morgan:8080/nuxeo
onlyoffice.url.api=http://morgan:8088/web-apps/apps/api/documents/api.js
onlyoffice.docserv.url=http://morgan:8088/
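
One way to pull the comparable fields (scheme, host, status, Set-Cookie attributes) out of the convertor `downloadFile` errors quoted in this thread, while masking the `token=` value and the `JSESSIONID` before a log is shared. This is an added example, not part of the original posts and not ONLYOFFICE or Nuxeo code; the sample entry is constructed and `redact` and `summarize` are hypothetical helper names.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like the convertor out.log entries quoted in the
# thread; host, document id, token and session id are placeholders.
SAMPLE = (
    "[2022-06-09T09:02:39.442] [ERROR] nodeJS - error downloadFile:"
    "url=http://nuxeo.example.test:8080/nuxeo/nxfile/default/DOC-ID/"
    "file:content/a b.xlsx?token=00000000-1111-2222-3333-444444444444;"
    "attempt=3;code:undefined;connect:undefined;(id=CONSTRUCTED)\n"
    "Error: Error response: statusCode:401; headers:{“set-cookie”:"
    "[“JSESSIONID=0123456789ABCDEF.nuxeo; Path=/nuxeo; HttpOnly; SameSite=Lax”],"
    "“content-type”:“text/html;charset=UTF-8”};\n"
)

QUOTES = str.maketrans("“”‘’", "\"\"''")  # undo forum smart quotes for json.loads
HEAD = re.compile(r"error downloadFile:url=(?P<url>.*?);attempt=(?P<attempt>\d+);")
RESP = re.compile(r"statusCode:(?P<status>\d+); headers:(?P<headers>\{.*\});")
SECRET = re.compile(r'\b(token=|JSESSIONID=)[^;&\s"”]+')


def redact(log_text):
    """Mask download tokens and session ids so the log can be shared."""
    return SECRET.sub(r"\1REDACTED", log_text)


def summarize(log_text):
    """Return one dict per downloadFile failure, built from redacted text."""
    text = redact(log_text).translate(QUOTES)
    heads = list(HEAD.finditer(text))
    rows = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        resp = RESP.search(text, head.end(), end)  # response line of this entry only
        url = urlsplit(head["url"])
        headers = json.loads(resp["headers"]) if resp else {}
        # Set-Cookie attribute names only, e.g. ["path", "httponly", "samesite"]
        attrs = [[p.split("=")[0].strip().lower() for p in c.split(";")[1:]]
                 for c in headers.get("set-cookie", [])]
        rows.append({
            "scheme": url.scheme,
            "host": url.netloc,
            "token_in_url": "token" in parse_qs(url.query),
            "attempt": int(head["attempt"]),
            "status": int(resp["status"]) if resp else None,
            "cookie_attrs": attrs,
            "cookie_secure": any("secure" in a for a in attrs),
        })
    return rows
```

Running `summarize` over the HTTPS and the direct-HTTP logs side by side makes the differences between the two failing setups (scheme, host, cookie `Path` and `Secure`) visible without exposing the token or session id.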

Hello @avi
We are glad that the issue is solved.
A few more things. Do I understand you right that default index.ftl file prevents SAML authentication? (in the scenario where we excluded the effect of the proxy server)
If so, please let us know how exactly you modified line 46 to resolve it.

Just to clarify, the original issue remains unresolved. That is, we cannot implement SAML in Nuxeo without breaking the ability to edit documents in OnlyOffice.

The secondary issue that surfaced was not being able to directly access OnlyOffice through Nuxeo, i.e. removing reverse proxy from the equation. This was due to the onlyoffice-nuxeo connector using the /OfficeWeb/apps url instead of the /webapps/apps.
Line 46 in onlyoffice-nuxeo-core/src/main/resources/skin/views/onlyedit/index.ftl

- <script id="scriptApi" type="text/javascript" src="${docUrl}OfficeWeb/apps/api/documents/api.js"></script>
+ <script id="scriptApi" type="text/javascript" src="${docUrl}web-apps/apps/api/documents/api.js"></script>
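
Review bot: The `+` line still hardcodes the `api.js` path in the template and joins it to `${docUrl}` with no separator, so it resolves only when `docUrl` ends in `/` and will break again the next time Document Server moves the path, as it did from `OfficeWeb/apps` to `web-apps/apps`. The nuxeo.conf quoted earlier in the thread already carries the full script location in `onlyoffice.url.api`; taking `src` from that value, if the connector exposes it to the template, would keep the path out of index.ftl.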

So Nuxeo+SAML+reverse proxy+OO == receive error code 401.
Nuxeo + SAML + OO - reverse proxy == error code 401
Nuxeo + OO + reverse proxy - SAML == code 200

Please provide us with additional information. Let us know how exactly you enabled SAML on Nuxeo and what Identity Provider you are using for Authentication.

Enabling SAML in Nuxeo:

  1. nuxeoctl mp-install nuxeo-saml2-login-package-2021.17-SNAPSHOT.zip
  2. create saml-config.xml under nxserver/config with the following content:
> <component name="org.nuxeo.ecm.platform.login.saml.auth">
>     <require>org.nuxeo.ecm.platform.ui.web.auth.WebEngineConfig</require>
>     <require>org.nuxeo.ecm.platform.ui.web.auth.defaultConfig</require>
>     <extension target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
>             point="authenticators">
>         <authenticationPlugin name="SAML_AUTH" enabled="true"
>                             class="org.nuxeo.ecm.platform.auth.saml.SAMLAuthenticationProvider">
>         <loginModulePlugin>Trusting_LM</loginModulePlugin>
>         <needStartingURLSaving>true</needStartingURLSaving>
>         <parameters>
>             <parameter name="name">SAML SSO</parameter>
>             <parameter name="metadata">nxserver/config/metadata-idp.xml</parameter>
>             <parameter name="userResolverCreateIfNeeded">false</parameter>
>             <parameter name="userResolverUpdate">false</parameter>
>         </parameters>
>         </authenticationPlugin>
>     </extension>
> <extension
>   target="org.nuxeo.usermapper.service.UserMapperComponent"
>   point="mapper">
>   <mapper name="saml" type="js">
>     <mapperScript>
>       searchAttributes.put("username", userObject.getNameID().getValue());
>       userAttributes.put("email", userObject.getNameID().getValue());
>     </mapperScript>
>   </mapper>
> </extension>
> 
> <extension
>   target="org.nuxeo.ecm.platform.ui.web.auth.service.PluggableAuthenticationService"
>   point="chain">
>   <authenticationChain>
>     <plugins>
> 	    <!--   <plugin>BASIC_AUTH</plugin> -->
> 	    <!-- <plugin>FORM_AUTH</plugin> -->
>       <plugin>SAML_AUTH</plugin>
>     </plugins>
>   </authenticationChain>
> </extension>
> 
> <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="corsConfig">
>   <corsConfig name="idp" supportedMethods="POST" allowOrigin="https://saml.example.com">
>    <pattern>/.*</pattern>
>   </corsConfig>
> </extension>
> 
> </component>
  3. We are using simplesamlphp as our IdP.

Accessing Nuxeo through SAML worked fine.

Replaced Nuxeo with Seafile and Nextcloud as a test. Both Seafile and Nextcloud were able to successfully edit documents in OnlyOffice. Yes SAML was enabled and configured in both the applications.

Perhaps this is not even an issue with the OnlyOffice addon, but with the Nuxeo platform instead.

Sorry for the late reply.
We need some time to check out the situation. I will update this post when we have something to share.

I’m experiencing the same issue with nuxeo and onlyoffice since the 7.2 update, the same error (401, unauthorized returned by nuxeo server on callback).
I downgraded to 7.1, no problem. I suspect a malformed url callback.

Hello @clem
Do you use SAML on Nuxeo too? Please provide us with details about the situation.
If it’s possible, please reproduce the issue > make screenshots and send us whole Document server logs folder.
Also please let us know Nuxeo and connector versions.

Hello @clem and @avi
We’ve released the new version of connector app for Nuxeo where we fixed the issue with SAML. Please check it out: Release v2.1.0 · ONLYOFFICE/onlyoffice-nuxeo · GitHub