I did some digging on HAProxy to get Nextcloud to run with Collabora behind HAProxy.
I found some of the config in Putting the snap behind a reverse proxy is deprecated or has no effect.
Should I update it and are you interested in me extending the article (or writing a new one) on how to get Collabora working with Nextcloud?
Please do! I suggest we start with a new one dedicated to getting Collabora working, but once we have that taking bits of it to update the existing document would also be helpful.
Great, I put together a first draft offline and will refine it on Wednesday evening when I have more time.
I also opened an issue concerning a message in Nextcloud's self check before realising it might be an upstream issue with Nextcloud itself so I closed it again (#803). But maybe I am wrong. My thinking is this:
When GETTING nextcloud.example.com/.well-known/caldav the underlying Apache or Nextcloud redirects to nextcloud.example.com:444/remote.php/dav/.
Either, the self check should be able to handle the added port or maybe we can change something in the apache config to make this work.
I don't have any experience with snap building so I could not test if added redirect rules in Apache's config would do the trick.
I did not have much time to look into it in more detail but maybe you have an idea if it is an upstream problem or not. If so, I can raise the issue there, otherwise I can edit this post, cut out the information about the issue and reopen #803.
Here is the new Wiki page. I tested it with a new VPS and it works just fine. In the end it got a bit shaky with SSL which never happened before but I got it back up with just restarting components.
I followed the instructions on your wiki page. Opening https://office.domain.com:443 gives the error Error code: SSL_ERROR_RX_RECORD_TOO_LONG. However https://office.domain.com:9443 returns "OK" and works in NC Collabora App when provided with Port 9443.
I will get back to you this evening. For now, could you check the output of
openssl s_client -connect yourdomain.tld:443 if an SSL certificate is present?
I've had that error when my cert was missing.
Also, please supply the server OS (+version), HAProxy version and NC version you are using.
openssl outputs
CONNECTED(00000004)
139695223981888:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 340 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
anyway, there is a correctly named .pem file in /etc/haproxy/certs/
OS: Ubuntu 18.04
HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02
NC version 13.0.8
I can reproduce the error on a newly created VPS. I will look into why the certificate isn't send back to the client.
I think I had the same problem when testing the tutorial but it went away after a server reboot.
Now however, that doesn't seem to be the case.
This is weird. When connecting to nextcloud.domain.com:443 I also don't get a cert back. But surfing it with the browser works just fine. There is most definitely something wrong with HAProxy configuration.
Ideas for solving the problem are appreciated.
There is a line missing in the haproxy.cfg on the Wiki page:
backend https-term
mode tcp # <- this one is missing
server terminator 127.0.0.1:9443
So adding mode tcp to backend https-term should solve the issue
I didn't notice before because in my original config I did not set http mode in the default section.
@kyrofa Could you edit the Wiki page I don't have permission to do so.
Sorry @srottschaefer, not sure how that got checked again, you should have permission now.
thanks @srottschaefer, this solved the problem!
The article is updated. I guess the issue can be closed then.
Thank you, @srottschaefer!
Thanks @srottschaefer for this update on the wiki. It works great for non-experts in server management.
Will it make sense to do the same with OnlyOffice? It's a question quite popular and I'm pretty sure it will help a lot of people.
I am no expert in server management I just put some effort into understanding the matter because I wanted to run Nextcloud and Collabora on the same system. But as far as I see it you probably can use most of the config to achieve the same thing with OnlyOffice.
I can try to help if you need but expect some delays since I am very busy currently.
I also have an updated configuration without the mixed SSL setup. SSL is now handled exclusively by HAProxy which simplifies the whole process a bit.
Most helpful comment
Here is the new Wiki page. I tested it with a new VPS and it works just fine. In the end it got a bit shaky with SSL which never happened before but I got it back up with just restarting components.