[SOLVED] Seafile CE and Collabora CODE

Hi,

I have Seafile running on my own server (Ubuntu 20.04) and would like to integrate Collabora (CODE).

Seafile has been set up as described in the documentation (with SQLite and NGINX SSL termination).
Collabora CODE has been set up from packages (no Docker) as described on the Collabora pages.

I can’t edit docx files though.

Collabora is up and running, I can get the XML file through /hosting/discovery from outside, so passing through NGINX SSL works fine. BUT whenever I try to edit a docx file I get a dialog telling me that the file will be passed through an insecure connection (though the called address is clearly https). EDIT: see answer below for details on the request sent by Seafile.

After clicking ‘Continue’ an empty site is opened with a seafile/server watermark.

This is my NGINX config for Collabora:

collabora.conf
server {
    listen 443 ssl http2;
    server_name collabora.aetherrauschen.de;
    ssl_certificate     /etc/letsencrypt/live/aetherrauschen.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aetherrauschen.de/privkey.pem;
    server_tokens off;

    # static files
    location ^~ /loleaflet {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass https://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass https://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

Relevant parts of seahub_settings.py:

seahub_settings.py
[...]
OFFICE_SERVER_TYPE = 'CollaboraOffice'
ENABLE_OFFICE_WEB_APP = True
OFFICE_WEB_APP_BASE_URL = 'https://collabora.aetherrauschen.de/hosting/discovery'
WOPI_ACCESS_TOKEN_EXPIRATION = 30 * 60   # seconds
OFFICE_WEB_APP_FILE_EXTENSION = ('odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx')
ENABLE_OFFICE_WEB_APP_EDIT = True
OFFICE_WEB_APP_EDIT_FILE_EXTENSION = ('odp', 'ods', 'odt', 'xls', 'xlsb', 'xlsm', 'xlsx','ppsx', 'ppt', 'pptm', 'pptx', 'doc', 'docm', 'docx')

And finally, relevant parts of /etc/loolwsd/loolwsd.xml:

loolwsd.xml
    <ssl desc="SSL settings">
        <enable type="bool" desc="Controls whether SSL encryption between browser and loolwsd is enabled (do not disable for production deployment). If default is false, must first be compiled with SSL support >
        <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
        <cert_file_path desc="Path to the cert file" relative="false">/etc/loolwsd/cert.pem</cert_file_path>
        <key_file_path desc="Path to the key file" relative="false">/etc/loolwsd/key.pem</key_file_path>
        <ca_file_path desc="Path to the ca file" relative="false">/etc/loolwsd/ca-chain.cert.pem</ca_file_path>
        <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
        <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
            <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
            <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
            <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
            <pin></pin>
            </pins>
        </hpkp>
    </ssl>


   <storage desc="Backend storage">
        <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
            <host desc="Regex pattern of hostname to allow or deny." allow="true">127.0.0.1</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">collabora\.aetherrauschen\.de</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">seafile\.aetherrauschen\.de</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
            <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
            <reuse_cookies desc="When enabled, cookies from the browser will be captured and set on WOPI requests." type="bool" default="false">false</reuse_cookies>
            <locking desc="Locking settings">
                <refresh desc="How frequently we should re-acquire a lock with the storage server, in seconds (default 15 mins) or 0 for no refresh" type="int" default="900">900</refresh>
            </locking>
        </wopi>
        <ssl desc="SSL settings">
            <as_scheme type="bool" default="true" desc="When set we exclusively use the WOPI URI's scheme to enable SSL for storage">true</as_scheme>
            <enable type="bool" desc="If as_scheme is false or not set, this can be set to force SSL encryption between storage and loolwsd. When empty this defaults to following the ssl.enable setting"></enable>
            <cert_file_path desc="Path to the cert file" relative="false"></cert_file_path>
            <key_file_path desc="Path to the key file" relative="false"></key_file_path>
            <ca_file_path desc="Path to the ca file. If this is not empty, then SSL verification will be strict, otherwise cert of storage (WOPI-like host) will not be verified." relative="false"></ca_file_path>
            <cipher_list desc="List of OpenSSL ciphers to accept. If empty the defaults are used. These can be overriden only if absolutely needed."></cipher_list>
        </ssl>
    </storage>

I’m wondering if maybe the <ssl> settings in the <storage> part may be the cause of my problem.

I don’t get any errors in the logs though.

After much experimenting (changing NGINX and loolwsd.xml) and upon closer inspection I found that the browser console prints the following for the request:

Laden von gemischten aktiven Inhalten "http://collabora.aetherrauschen.de/loleaflet/0b3211b/loleaflet.html?WOPISrc=https%3A%2F%2Fseafile.aetherrauschen.de%2Fapi2%2Fwopi%2Ffiles%2F7...&ui=de-DE&rs=de-DE" wurde blockiert.

The ‘http://collabora…’ part seems wrong, as now everything is configured to use HTTPS.

After using the request above, the Collabora log shows the following errors:

log entries
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236747 2021-07-02 21:50:40.354167 [ websrv_poll ] WRN  client - server version mismatch, disabling browser cache. Expected: 51b8716| wsd/FileServer.cpp:288
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.778186 [ docbroker_001 ] WRN  Waking up dead poll thread [HttpSynReqPoll], started: false, finished: false| ./net/Socket.hpp:671
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.800747 [ docbroker_001 ] ERR  WOPI::CheckFileInfo failed for URI [https://seafile.aetherrauschen.de/api2/wopi/files/...]: 401 Unauthorized. Headers:         Server: nginx /         Date: Fri, 02 Jul 2021 21:50:40 GMT /         Content-Type: application/json; charset=utf-8 /         Content-Length: 2 /         Connection: keep-alive /         Allow: GET, POST, HEAD, OPTIONS /         Vary: Accept-Language, Cookie /         Content-Language: en /         Strict-Transport-Security: max-age=31536000; includeSubDomains /         Body: [{}]| wsd/Storage.cpp:723
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.806312 [ docbroker_001 ] ERR  loading document exception: WOPI::CheckFileInfo failed: {}| wsd/DocumentBroker.cpp:1854
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.806395 [ docbroker_001 ] ERR  Failed to add session to [/api2/wopi/files/...] with URI [https://seafile.aetherrauschen.de/api2/wopi/files/...]: WOPI::CheckFileInfo failed: {}| wsd/DocumentBroker.cpp:1816
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.806609 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-009| wsd/ClientSession.cpp:348
Jul 02 23:50:40 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:40.806709 [ docbroker_001 ] ERR  No DocBroker found, or DocBroker marked to be destroyed. Terminating session ToClient-009| wsd/ClientSession.cpp:348
Jul 02 23:50:42 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:42.824690 [ docbroker_001 ] ERR  Invalid or unknown session [009] to remove.| wsd/DocumentBroker.cpp:1893
Jul 02 23:50:42 v22017115111555301 loolwsd[236711]: wsd-236711-236821 2021-07-02 21:50:42.824759 [ docbroker_001 ] ERR  No socket associated with WebSocketHandler 0x7f5b0000e600 to send Close Frame to.| ./net/WebSocketHandler.hpp:175
Jul 02 23:50:42 v22017115111555301 loolwsd[236711]: wsd-236711-236732 2021-07-02 21:50:42.825696 [ prisoner_poll ] WRN  Prisoner connection disconnected but without valid socket.| wsd/LOOLWSD.cpp:2231

It seems that my NGINX config caused the problem: I still had a redirect from http to https in there. After removing it, everything worked.
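
Added example, not part of the original post: a WOPI host builds the editor URL from the `urlsrc` values advertised at /hosting/discovery, so the mixed-content block above can be caught by auditing that document before a user opens a file. The sample XML, the `example.test` hostnames and the function name `audit_discovery` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample discovery document (not captured from the server in the post).
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action ext="docx" name="edit" urlsrc="http://collabora.example.test/loleaflet/abc1234/loleaflet.html?"/>
      <action ext="odt" name="edit" urlsrc="https://collabora.example.test/loleaflet/abc1234/loleaflet.html?"/>
    </app>
    <app name="calc">
      <action ext="xlsx" name="edit" urlsrc="https://other.example.test/loleaflet/abc1234/loleaflet.html?"/>
    </app>
    <app name="Capabilities">
      <action ext="" name="getinfo" urlsrc="https://collabora.example.test/hosting/capabilities"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def audit_discovery(discovery_xml, base_url):
    """Return (ext, action, urlsrc, problem) for each advertised urlsrc that a
    browser on an HTTPS page would block, or that points at an unexpected host.

    base_url plays the role of OFFICE_WEB_APP_BASE_URL from seahub_settings.py.
    The XML is the operator's own discovery document; for XML from an untrusted
    source, parse with defusedxml instead of the standard library.
    """
    base = urlsplit(base_url)
    findings = []
    for action in ET.fromstring(discovery_xml).iter("action"):
        urlsrc = action.get("urlsrc", "")
        target = urlsplit(urlsrc)
        problems = []
        # An http:// editor frame inside an https:// Seafile page is blocked.
        if base.scheme == "https" and target.scheme != "https":
            problems.append("mixed-content")
        # The editor should be served by the same host that served discovery.
        if target.hostname != base.hostname:
            problems.append("host-mismatch")
        for problem in problems:
            findings.append((action.get("ext", ""), action.get("name", ""), urlsrc, problem))
    return findings


if __name__ == "__main__":
    for finding in audit_discovery(SAMPLE_DISCOVERY, "https://collabora.example.test/hosting/discovery"):
        print(finding)
```

To audit a live deployment, fetch the discovery URL from the Seafile host itself and pass the response body in place of the sample, since that is the vantage point the WOPI host sees.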