Nextcloud 30.0.2 / OnlyOffice / Swag Reverse Proxy - "refused to connect." error

Do you want to: Ask a how-to question
Document Server version:
Type of installation of the Document Server: docker
Connector version: 8.2.2.22 shown when I click save the config on Nextcloud / Version 9.5.0 App version shown on Nextcloud
DMS (platform) version:
OS: Ubuntu 22.04.5 LTS
Browser version: Edge Version 131.0.2903.70

Hi everyone,

Since a recent upgrade of my Nextcloud stack, OnlyOffice does not work. I tried to update everything I could, but nothing worked. I found this which was the exact timing when the issues started but it seems that it has not solved itself. I used Gemini to help me debug, but after hours I am still stuck. I added the “add_header Content-Security-Policy “frame-ancestors ‘self’ https://oo.whatever.com;”;” entry in my swag config file but this has not helped. I am not sure what is next. Would anyone be able to help? My domain is on OVH registrar. Nextcloud is on the same network as OnlyOffice and Swag. Thank you in advance.

Here is what I get from the access.log of swag when I try to access an xls file:

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx HTTP/2.0" 200 8064 "https://n.wathever.com/apps/files/favorites/526683?dir=/CloudDrive/Memories/USA_Hawaii_2024" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /web-apps/apps/api/documents/api.js HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /ocs/v2.php/search/providers?from=%2Fapps%2Fonlyoffice%2F729343%3FfilePath%3D%252FCloudDrive%252FMemories%252FUSA_Hawaii_2024%252FUSA_Hawaii_2024_Planning.xlsx HTTP/2.0" 200 472 "https://n.wathever.com/apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /ocs/v2.php/apps/onlyoffice/api/v1/config/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx HTTP/2.0" 200 2107 "https://n.wathever.com/apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /ocs/v2.php/apps/user_status/api/v1/user_status HTTP/2.0" 200 181 "https://n.wathever.com/apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "POST /contactsmenu/contacts HTTP/2.0" 200 2300 "https://n.wathever.com/apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:45 +0100] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/2.0" 200 81 "https://n.wathever.com/apps/onlyoffice/729343?filePath=%2FCloudDrive%2FMemories%2FUSA_Hawaii_2024%2FUSA_Hawaii_2024_Planning.xlsx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

192.168.10.67 - - [01/Dec/2024:21:06:47 +0100] "GET /index.php/apps/files/preview-service-worker.js HTTP/2.0" 200 0 "https://n.wathever.com/index.php/apps/files/preview-service-worker.js" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"

Hello there.
Your access.log looks normal to me. Have you tried a different browser or can you purge cache on edge and try again?
Personally I stay 1 version behind on Nextcloud. It saves me some headache with those kinds of early bugs or configuration issues.

Hi,

Thank you for your reply.

I tried from the nextcloud android mobile app on my Pixel and I get:

Webpage not available
The webpage at https://oo.whatever.com/8.2.2-db87ecc9ab59a42258f39bd153df8bbe/web-apps/apps/spreadsheeteditor/mobile/index.html?_dc=8.2.2-22&lang=en&customer=ONLYOFFICE&type=mobile&frameEditorId=iframeEditor&isForm=false&compact=true&parentOrigin=https://n.whatever.com&uitheme=theme-dark&fileType=xlsx could not be loaded because:

net::ERR_BLOCKED_BY_RESPONSE

Last time, I could at least find other threads on the net meaning that is a known bug but this time nothing so I suspect something else.

Should I post it on Nextcloud forum maybe if you think it is more a Nextcloud issue?

Any other idea?
Thanks

Basically, every issue is worth an investigation. But when people try all sorts of tips they find on the web the potential to further break their config is higher in my opinion.

Do you still have a working setup? Can you revert to the last working state? From what I have read by the link you provided, this particular/similar “issue” was solved with connector app 9.5.0, which you are already using. You have mentioned that the issue occurred after you updated to NC 30.X. I believe that more people have done that and have no issue at all.

Can you access the Onlyoffice service on your server directly (see the welcome page)?

If you use docker, this is potentially easier to maintain and investigate. When you update your services, edited config files usually don’t update. In some cases there are changes that must be done manually. When I check my logs I usually see warnings about outdated config files when I access them via portainer.

Do you also run swag and Nextcloud in containers?

[EDIT]
You could try to open a document again and check your “browser console” for errors. I have no experience with Edge as I personally use Firefox. There I have to press “F12” (or choose “Investigate” with the context dialogue [right mouse click]), go to Network-tab and reload the page to see the result of all the connections made to that particular destination. Errors are easy to spot then and are way more informative.

[EDIT]
By the way, the response header you mentioned seems to be wrong in my opinion. It doesn’t look like it is intended for nginx configurations, but rather like it was taken from apache and added anyway.

add_header Content-Security-Policy “frame-ancestors ‘self’ https://oo.whatever.com;”;

For an nginx configuration this should look like this:

add_header X-Frame-Options "allow-from https://*.your.domain" always;

[EDIT]
Just checked, “Content-Security-Policy” is a valid header for nginx too :wink: so it can be used, but the syntax is a little bit different, see:

add_header Content-Security-Policy "frame-ancestors 'self' *.whatever.com;";

Thank you for your complete reply. Here are my answers:

Basically, every issue is worth an investigation. But when people try all sorts of tips they find on the web the potential to further break their config is higher in my opinion.

I totally agree! I have carefully noted the changes I have made to revert them in case.

Do you still have a working setup? Can you revert to the last working state? From what I have read by the link you provided, this particular/similar “issue” was solved with connector app 9.5.0, which you are already using. You have mentioned that the issue occurred after you updated to NC 30.X. I believe that more people have done that and have no issue at all.

I cannot really go back despite I have full vm proxmox backup where I can restore the entire VM on a specific date. I could do that but then I would need to migrate data from my Nextcloud server (I use DAVx for contacts and calendars synchs). I would rather not revert. However, I could start a new instance in parallel maybe and see if I can reproduce the issue. I would try first to see if there is not a fix to apply.

Can you access the Onlyoffice service on your server directly (see the welcome page)?

Yes I see it with both the internal IP:8181 or from the oo. whatever. com

If you use docker, this is potentially easier to maintain and investigate. When you update your services, edited config files usually don’t update. In some cases there are changes that must be done manually. When I check my logs I usually see warnings about outdated config files when I access them via portainer.

I see what you mean and I started to update all the swag config files that were outdated. They were listed when I started my containers in the log. I have no more files to update now.

2024-12-01T19:33:34.555170490Z [mod-init] Running Docker Modification Logic
2024-12-01T19:33:34.885713171Z [mod-init] Adding linuxserver/mods:swag-dashboard to container
2024-12-01T19:33:35.290649156Z [mod-init] linuxserver/mods:swag-dashboard at sha256:7923509263d7e4a92b69xxxx24a97bf06ea6d7d has been previously applied skipping
2024-12-01T19:33:35.326498717Z [migrations] started
2024-12-01T19:33:35.332810423Z [migrations] 01-nginx-site-confs-default: skipped
2024-12-01T19:33:35.332843113Z [migrations] done
2024-12-01T19:33:35.344391276Z usermod: no changes
2024-12-01T19:33:35.345858984Z ───────────────────────────────────────
2024-12-01T19:33:35.345876085Z 
2024-12-01T19:33:35.345882166Z       ██╗     ███████╗██╗ ██████╗
2024-12-01T19:33:35.345887572Z       ██║     ██╔════╝██║██╔═══██╗
2024-12-01T19:33:35.345892534Z       ██║     ███████╗██║██║   ██║
2024-12-01T19:33:35.345897387Z       ██║     ╚════██║██║██║   ██║
2024-12-01T19:33:35.345902203Z       ███████╗███████║██║╚██████╔╝
2024-12-01T19:33:35.345918111Z       ╚══════╝╚══════╝╚═╝ ╚═════╝
2024-12-01T19:33:35.345923595Z 
2024-12-01T19:33:35.345928280Z    Brought to you by linuxserver.io
2024-12-01T19:33:35.345933126Z ───────────────────────────────────────
2024-12-01T19:33:35.346025984Z 
2024-12-01T19:33:35.346038681Z To support the app dev(s) visit:
2024-12-01T19:33:35.347510395Z Certbot: https://supporters.eff.org/donate/support-work-on-certbot
2024-12-01T19:33:35.347717652Z 
2024-12-01T19:33:35.347726450Z To support LSIO projects visit:
2024-12-01T19:33:35.347731452Z https://www.linuxserver.io/donate/
2024-12-01T19:33:35.347736132Z 
2024-12-01T19:33:35.347740743Z ───────────────────────────────────────
2024-12-01T19:33:35.347745679Z GID/UID
2024-12-01T19:33:35.347750261Z ───────────────────────────────────────
2024-12-01T19:33:35.350926081Z 
2024-12-01T19:33:35.350940656Z User UID:    1000
2024-12-01T19:33:35.350949198Z User GID:    1000
2024-12-01T19:33:35.350953944Z ───────────────────────────────────────
2024-12-01T19:33:35.352396901Z Linuxserver.io version: 3.0.1-ls341
2024-12-01T19:33:35.352601717Z Build-date: 2024-11-30T03:34:56+00:00
2024-12-01T19:33:35.352614046Z ───────────────────────────────────────
2024-12-01T19:33:35.352619877Z     
2024-12-01T19:33:35.425788298Z using keys found in /config/keys
2024-12-01T19:33:36.309454396Z Variables set:
2024-12-01T19:33:36.309493549Z PUID=1000
2024-12-01T19:33:36.309499606Z PGID=1000
2024-12-01T19:33:36.309504232Z TZ=Europe/Zurich
2024-12-01T19:33:36.309509150Z URL=whatever.com
2024-12-01T19:33:36.309513853Z SUBDOMAINS=wildcard
2024-12-01T19:33:36.309518558Z EXTRA_DOMAINS=
2024-12-01T19:33:36.309523114Z ONLY_SUBDOMAINS=false
2024-12-01T19:33:36.309527721Z VALIDATION=dns
2024-12-01T19:33:36.309532198Z CERTPROVIDER=
2024-12-01T19:33:36.309536704Z DNSPLUGIN=ovh
2024-12-01T19:33:36.309541142Z EMAIL=xxxxx
2024-12-01T19:33:36.309545770Z STAGING=
2024-12-01T19:33:36.309550391Z 
2024-12-01T19:33:37.648903628Z Using Let's Encrypt as the cert provider
2024-12-01T19:33:37.650034692Z SUBDOMAINS entered, processing
2024-12-01T19:33:37.650052810Z Wildcard cert for whatever.com will be requested
2024-12-01T19:33:37.653212084Z E-mail address entered: xxx@xxx.com
2024-12-01T19:33:37.658846876Z dns validation via ovh plugin is selected
2024-12-01T19:33:37.658991595Z Certificate exists; parameters unchanged; starting nginx
2024-12-01T19:33:37.710081091Z The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
2024-12-01T19:33:37.751924896Z **** Applying the SWAG dashboard mod... ****
2024-12-01T19:33:37.762781654Z **** goaccess already installed, skipping ****
2024-12-01T19:33:37.773607666Z **** libmaxminddb already installed, skipping ****
2024-12-01T19:33:37.779366307Z **** Applied the SWAG dashboard mod ****
2024-12-01T19:33:37.788868110Z [custom-init] No custom files found, skipping...
2024-12-01T19:33:37.814046985Z [ls.io-init] done.
2024-12-01T19:33:37.978003951Z Server ready

Do you also run swag and Nextcloud in containers?
Yes, I have a host with docker and I manage my containers through portainer.

Just checked, “Content-Security-Policy” is a valid header for nginx too :wink: so it can be used, but the syntax is a little bit different, see:

I updated the config file and after I restarted the swag container, IT WORKS (ctrl + click to reload) THANK YOU SO MUCH! I spent hours on this one (4h yesterday and few more here and there before). I checked the F12 dev tools and I could see this before the config change:

I still had the issue on the mobile app so I re-installed it and it now works too (I assume I could have deleted the cache of the app instead)!

Here is my final swag config file for onlyoffice:

## Version 2023/02/05
# make sure that your <container_name> container is named <container_name>
# make sure that your dns has a cname set for <container_name>

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name oo.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        add_header Content-Security-Policy "frame-ancestors 'self' *.whatever.com;";

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.10.23;
        set $upstream_port 8181;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    # location ~ (/<container_name>)?/api {
    #     include /config/nginx/proxy.conf;
    #     include /config/nginx/resolver.conf;
    #     set $upstream_app <container_name>;
    #     set $upstream_port <port_number>;
    #     set $upstream_proto <http or https>;
    #     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    #
    # }
}

Anyway, thank you again for this! You are like a sniper that could target it in one shot! Well done!

I will close this ticket!

Hello,
glad to read, you got it sorted out. But you did most of the heavy lifting yourself. You correctly located the culprit to be connected to possible changes with the handling of CSP. So you basically connected all the dots already.

I just learned via my own experience, that proxy rules can stay in browser cache for quite some time and cause this kinda behavior too. So my first guess was to use a clean browser (or purge the cache) and go from there. After studying your approach I had that hunch with the directive. It looked not like it was meant for nginx but rather like something for apache. Anyway, it was close enough :slight_smile:

By the way, this was still just a quick and dirty solution. You might read up on that a little bit more to suit it better to your setup. Basically you are allowing everything coming from “*.whathever.com” to be allowed in i-frames. You can apply more strict rules or less strict ones, depending on what you need. Since I myself use subfolders and not subdomains, I guess I will not face that myself :smiley:
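
The point about tightening the wildcard, as an added example that is not part of the original thread: a simplified JavaScript evaluation of `frame-ancestors` (no path handling, no http-to-https upgrade matching) run against the embedding origin `https://n.whatever.com` seen in the `parentOrigin` parameter earlier in the thread. The helper names and the `pinned` policy are assumptions; `first` is the policy from the opening post written with straight quotes.

```javascript
// Added example: simplified evaluation of CSP "frame-ancestors".
// ancestorAllowed() is a hypothetical helper; hostnames are the thread's placeholders.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
// Split a CSP header value into { directive: [source, ...] }; first occurrence wins.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression admit the ancestor? selfUrl is the framed document.
function sourceMatches(source, ancestor, selfUrl) {
  if (source === "'self'") return ancestor.origin === selfUrl.origin;
  if (source === "*") return ancestor.protocol in DEFAULT_PORT;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return ancestor.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false; // anything unparseable matches nothing
  const [, scheme, wildcard, host, port] = m;
  // Without a scheme, the source inherits the scheme of the framed document.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : selfUrl.protocol;
  if (ancestor.protocol !== wantScheme) return false;
  const aHost = ancestor.hostname.toLowerCase(), sHost = host.toLowerCase();
  // "*.example.com" covers every subdomain but not the bare "example.com".
  const hostOk = wildcard ? aHost.endsWith("." + sHost) : aHost === sHost;
  // Without a port, only the default port of the ancestor's scheme matches.
  const defPort = DEFAULT_PORT[ancestor.protocol];
  const portOk = port === "*" || (ancestor.port || defPort) === (port || defPort);
  return hostOk && portOk;
}

// True if a page at ancestorOrigin may frame a response from framedOrigin.
// A browser repeats this check for every ancestor in the frame chain.
function ancestorAllowed(cspHeader, ancestorOrigin, framedOrigin) {
  const sources = parseCsp(cspHeader)["frame-ancestors"];
  if (sources === undefined) return true; // directive absent: no restriction from CSP
  const [ancestor, selfUrl] = [new URL(ancestorOrigin), new URL(framedOrigin)];
  return sources.some((s) => s !== "'none'" && sourceMatches(s, ancestor, selfUrl));
}

// Constructed inputs: editor on oo.whatever.com, embedded by Nextcloud on n.whatever.com.
const OO = "https://oo.whatever.com";
const POLICIES = {
  first: "frame-ancestors 'self' https://oo.whatever.com;",
  wildcard: "frame-ancestors 'self' *.whatever.com;",
  pinned: "frame-ancestors 'self' https://n.whatever.com;",
};
for (const [label, csp] of Object.entries(POLICIES)) {
  const seen = ["n", "other"].map((h) => ancestorAllowed(csp, `https://${h}.whatever.com`, OO));
  console.log(label, "n:", seen[0], "other:", seen[1]);
}
```

Pinning the source to the Nextcloud host keeps the editor embeddable there while every other subdomain of the zone is refused as a framing parent.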

Thank you for the additional explanation! I see that the dirty fix is not the optimal way to do. I need to investigate the subfolder way but I want to enjoy that moment a bit more for now that it works :laughing:

Thank you again!
Best

PS: I don’t know how to close this ticket but maybe you can on your end?

Hello again,
the solution still works, but you might have to check it and eventually align with your setup. Using a subdomain is as good as using a subfolder. It is just a matter of what suits you best. In my own case, I can’t register a subdomain, so I configured everything to be run on a subfolder. Basically, if you run everything on a docker environment on one host, you don’t even need either of them. You can set up Onlyoffice internally with no exposure to any external network. You have to set up your proxy with virtual path. You find that in the documentation.

Don’t worry, the moderation team will close the topic next chance they have.

Okay, I understand. That would be best indeed not to expose it as you explained especially if it is not needed! I will investigate it in the future setup.

All the best :slightly_smiling_face:

Hello @Coconut_Tree

I am glad the issue was resolved. Closing topic as solved.

Special thanks to @bermuda for assistance. Good job!