Proxy Onlyoffice to traefik server

Hi there,
I have a webserver A running apache and exposed to the external world (ports 80/443) and a server B (IP 192.168.1.2) running onlyoffice and traefik, both in Docker. I have a domain name for onlyoffice that points to A and I would like to proxy that request to server B, where Onlyoffice runs under traefik. Everything’s ok using an unencrypted connection to port 80. Problems arise with SSL, as I get a 404 error.
Here is my apache configuration file:

<IfModule mod_ssl.c>
  <VirtualHost *:443>

     ServerAdmin mymail@myprovider.com
     ServerName domain.ddns.net
     ServerAlias www.domain.ddns.net

LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.ddns.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.ddns.net/privkey.pem

## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256$
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on

SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPass / "http://192.168.1.2/"
ProxyPassReverse / "http://192.168.1.2/"

LogLevel error proxy:trace5
  #  LogLevel error
    ErrorLog /mypath/onlyoffice_apache_error.log
    CustomLog /mypath/onlyoffice_apache_access.log combined

  </VirtualHost>
</IfModule>

Here is my onlyoffice docker-compose file:

version: '3.7'
services:
  onlyoffice-documentserver:
    container_name: onlyoffice
    image: onlyoffice/documentserver:latest
    networks:
      - traefik
    stdin_open: true
    tty: true
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.rule=Host(`domain.ddns.net`)"
      - "traefik.http.routers.onlyoffice.entrypoints=web"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice-headers"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"

      ## Middleware definition
      # Headers for onlyoffice, https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/151
      - "traefik.http.middlewares.onlyoffice-headers.headers.customrequestheaders.X-Forwarded-Proto=http"
      - "traefik.http.middlewares.onlyoffice-headers.headers.accesscontrolalloworiginlist=*"
    volumes:
      - /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data
      - /app/onlyoffice/DocumentServer/log:/var/log/onlyoffice
      - /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice
      - /app/onlyoffice/DocumentServer/db:/var/lib/postgresql

networks:
  traefik:
    external: true

Thank you in advance to whoever may help.

Hello @Jack
Could you please run a test? Please change the X-Forwarded-Proto header from ‘http’ to ‘https’ in the Traefik config file.
By the way, try to add this header:

  • "traefik.http.routers.onlyoffice-documentserver.middlewares=onlyoffice-headers"

I did as you said, but now I get a Service error.

Service Unavailable

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

Apache/2.4.38 (Raspbian) Server at mydomain Port 443

Hello @Jack
Sorry for the late reply. We tried to reproduce the situation with your provided configs, but we are stuck at the moment.
Could you please provide us with your Traefik config files?

Here they are:
traefik.toml

[api]
  insecure = true
[entryPoints]
  [entryPoints.web]
    address = ":80"
#    [entryPoints.web.http.redirections.entryPoint]
#      to = "websecure"
#      scheme = "https"

  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.myresolver.acme]
  email = "mymail@mydomain.com"
  storage = "acme.json"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "web"

[providers.docker]
  watch = true
  exposedByDefault = false
  network = "traefik"

[providers.file]
  filename = "/etc/traefik/traefik_dynamic.toml"

traefik_dynamic.toml

[http.routers.api]
  rule = "Host(`myhost.local`)"
  entrypoints = ["web"]
  service = "api@internal"

How exactly did you check the SSL issue? I mean, did you check it by domain name or IP address from your local network? Or did you check it from ‘outside’ through your Apache server via http?

I am not sure I correctly got what you mean. I obtained the SSL certificate on server A by running certbot from the CLI. I tried to reach OO via browser using the domain name (https://mydomain.com) and got the above-mentioned HTTP 404 error. It is as if it could not find the right output path on OO server B.

Could you please run a test? Change these lines in your Apache config files:

ProxyPass / "http://192.168.1.2/"
ProxyPassReverse / "http://192.168.1.2/"

to domain names instead of IP addresses. Will the issue change?

The issue now says: “ERR_TOO_MANY_REDIRECTS”

It looks like a redirect loop. Please follow my steps (but prepare a whole server backup first):

Change this line in the Traefik config:

"traefik.http.routers.onlyoffice.rule=Host(`domain.ddns.net`)"

To

"traefik.http.routers.onlyoffice.rule=Host(`traefik.onlyoffice`)"

Or try to resolve it via DNS. You have to add some A-record like this: 192.168.1.2 - traefik.onlyoffice.

So both servers will know that this IP address has that name.

Also go to the Apache config file and set the name:

ProxyPass / "http://traefik.onlyoffice/"

ProxyPassReverse / "http://traefik.onlyoffice/"

But I’m a little bit confused by your settings. I mean that I don’t understand why you use Traefik. You can remove Traefik and there will be no issues. Or remove Apache and use Traefik only.

What is your final goal of Traefik usage?

By the way, it just crossed my mind, there’s a good title about Traefik configuration: How To Use Traefik v2 as a Reverse Proxy for Docker Containers on Ubuntu 20.04 | DigitalOcean

Please take a look at it, I hope it will be useful.
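
The following is an added example, not part of any post in this thread: a simplified model of how the Host header Apache sends upstream interacts with the Traefik Host() rules shown above. It assumes mod_proxy's documented default (ProxyPreserveHost Off, a real Apache directive that does not appear in the posted config) and models only Traefik v2 Host() rules; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

def upstream_host(client_host, proxy_pass_url, preserve_host=False):
    """Host header Apache mod_proxy sends to the backend.

    With ProxyPreserveHost Off (the default) the header carries the host
    taken from the ProxyPass URL, not the name the browser asked for.
    """
    if preserve_host:
        return client_host
    return urlsplit(proxy_pass_url).netloc

def rule_hosts(rule):
    """Names listed in a Traefik v2 rule of the form Host(`a`, `b`)."""
    m = re.fullmatch(r"\s*Host\((.*)\)\s*", rule)
    if m is None:
        raise ValueError(f"only Host() rules are modelled: {rule!r}")
    return {h.lower() for h in re.findall(r"`([^`]+)`", m.group(1))}

def match_router(host_header, routers):
    """First router whose Host rule matches, or None (Traefik answers 404)."""
    host = host_header.split(":", 1)[0].lower()  # drop an optional :port
    for name, rule in routers.items():
        if host in rule_hosts(rule):
            return name
    return None

def trace(client_host, proxy_pass_url, routers, preserve_host=False):
    """Return (Host header sent upstream, matching router or None)."""
    sent = upstream_host(client_host, proxy_pass_url, preserve_host)
    return sent, match_router(sent, routers)

# Router rules copied from the compose labels and traefik_dynamic.toml above.
ROUTERS = {
    "onlyoffice": "Host(`domain.ddns.net`)",
    "api": "Host(`myhost.local`)",
}

if __name__ == "__main__":
    # Posted setup: ProxyPass to the IP, rule on the public name.
    print(trace("domain.ddns.net", "http://192.168.1.2/", ROUTERS))
    # Same setup with the client's Host header passed through.
    print(trace("domain.ddns.net", "http://192.168.1.2/", ROUTERS, True))
    # Suggested change: internal name in both ProxyPass and the rule.
    renamed = dict(ROUTERS, onlyoffice="Host(`traefik.onlyoffice`)")
    print(trace("domain.ddns.net", "http://traefik.onlyoffice/", renamed))
```

In this model the posted configuration sends `Host: 192.168.1.2`, which no router matches, while the renamed rule matches because Apache and Traefik then agree on the same internal name.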