Ns8-collabora an other services behind a reverse proxy : is it supported at all?

pagaille · July 27, 2025, 7:33am

Hi,

Trying to use nextcloud with the collabora app hosted on the same server. The server itself is behind a nethsec, I configured a reverse proxy which works (I can log into collabora’s admin interface).

I guess there is some socket issue ?

Relevant logs :

browser console : WebSocket connection to 'wss://collabora.lebrass.be/cool/https%3A%2F%2Fdrive.lebrass.be%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4533723_ocmnms1625ia%3Faccess_token%3DnTprN8XI7k4Qukd7r3tuNTGgeEAC8pVL%26access_token_ttl%3D0/ws?WOPISrc=https%3A%2F%2Fdrive.lebrass.be%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F4533723_ocmnms1625ia&compat=/ws' failed: There was a bad response from the server.
Traefik log on the server (which is a worker node btw) :

2025-07-27T09:12:41+02:00 [2:traefik2:traefik] 192.168.0.10 (lan IP of the nethsec) - - 
    [27/Jul/2025:07:12:41 +0000] "POST /browser/636e10a2b1/cool.html?WOPISrc=https%3A%2F%2Fdrive.lebrass.be%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F5703667_ocmnms1625ia&lang=fr&closebutton=1&revisionhistory=1 HTTP/1.1" 200 16124 "-" "-" 1878 "collabora2-https@file" "http://127.0.0.1:20001" 1ms

2025-07-27T09:12:41+02:00 [2:traefik2:traefik] 192.168.0.10 - - 
    [27/Jul/2025:07:12:41 +0000] "GET /cool/https:/drive.lebrass.be/index.php/apps/richdocuments/wopi/files/5703667_ocmnms1625ia%3Faccess_token=aVLsDZxlOO7AFUtpepMPqFYpTQX2r6wJ&access_token_ttl=0/ws?WOPISrc=https%3A%2F%2Fdrive.lebrass.be%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F5703667_ocmnms1625ia&compat=/ws HTTP/1.1" 400 0 "-" "-" 1879 "collabora2-https@file" "http://127.0.0.1:20001" 0ms`

mrmarkuz · July 27, 2025, 9:23am

Which error do you get when you click save in the Nextcloud Office app settings?

Please check if there’s a port forward for HTTPS 443/tcp to the NS8 configured on the NethSec as it disables the reverse proxy but it may still work.

pagaille · July 27, 2025, 2:35pm

Tried to set the FQDN as 10.5.4.2 in /etc/hosts. Must be another inter-container story

The collabora container is on the same machine. I could move it to another worker which is not behind a gateway but I believe that it should be a supported scenario.

Still it doesn’t work when opening a file :

Indeed ! Been there

pagaille · July 27, 2025, 5:59pm

Actually I wonder if running ns8 services behind a reverse proxy is supported :

From my experiments :

rspamd works / EDIT : this module is not behind a reverse proxy

Collabora works partially (admin page but socket problem)
SFTPGo not working

SOGo not working
phpmyadmin not working

Did it, worked immediately.

mrmarkuz · July 28, 2025, 6:34am

Usually a reverse proxy like the nethsec nginx should work.
Please check the proxy destination URLs on the NethSec, some may work using https, other may need http.

davidep · July 28, 2025, 6:55am

To fully support a scenario of NS8 behind another frontend HTTP proxy, this hidden feature is required: Trust of forwarded headers in Traefik · Issue #7305 · NethServer/dev · GitHub

Follow the QA instructions to configure the frontend proxy IP.

pagaille · July 28, 2025, 8:19am

Thanks both of you.

I tried to api-cli run module/traefik1/set-trusted-proxies --data '{"proxies":["192.168.0.10"]}' but it doesn’t work yet.

Not sure how I can try @mrmarkus’s suggestion.

My config is :

internet → nethsec (0.10) → leader node (some modules) (0.185) → worker node (other modules) (0.178)

Right now nethsec is configured as follow :

I also defined another one to try redirecting to http

altcloud gives me “too many redirects” when trying https://altcloud.lebrass.be/phpmyadmin (nb : don’t try, I disabled it)

Not sure where and what to look to grasp what’s wrong.

EDIT : phpmyadmin listens to 443 (just tried) so the first reverse proxy definition should work I guess.

mrmarkuz · July 28, 2025, 8:54am

altcloud can only work if the nextcloud FQDN is also set to altcloud.
Does it make a difference when you connect from WAN or LAN?
Does your node has the same FQDN as Nextcloud?

EDIT:

I tested it and it works.

On the NethSec are certificates and reverse proxies for following FQDNs.
All are pointing to https://192.168.0.10 which is the NS8 IP. If you have more nodes it needs to point to the right node where the app is installed.
If the node has some internal name like node.internaldomain.local it doesn’t matter but the app FQDNs need to be set correctly in the app settings on NS8. The external clients get to the NethSec anyway.

DNS must resolve the FQDNs. If you want to setup internal DNS entries for those FQDNs then they need to point to the NethSec so the clients get the valid certificate.

Node FQDN: node.domain.tld
Nextcloud FQDN: nextcloud.domain.tld
Collabora FQDN: collabora.domain.tld

phpmyadmin: node.domain.tld/phpmyadmin
cluster-admin: node.domain.tld/cluster-admin

Reachable from LAN and WAN.

I noticed that you allowed 0.0.0.0/0 for the reverse proxies on the NethSec. That’s not needed as it’s the default.

davidep · July 29, 2025, 7:16am

Maybe you need it also for Traefik on the worker node, e.g. traefik2

Every node is a separate HTTP server. A ns8 cluster from outside is just a bunch of nodes, who’s its leader doesn’t matter