
Wrong public WOPI url: Ignored user configuration and used wrong detection

Open recolic opened this issue 9 months ago • 20 comments

[RCA has been located, see bottom]

Describe the bug

As a noob, I'm trying to set up a fresh new Nextcloud-Office server. I installed the RichDocuments and RichDocumentsCode apps, then went to the admin dashboard to set the online server URL.

I click save, it works. But when I refresh the page, it sends the /discovery query to the wrong URL and receives a mixed-content error.

To Reproduce

Steps to reproduce the behavior:

  1. Install RichDocuments and RichDocumentsCode app
  2. Go to admin dashboard, locate server URL, click save
  3. Looks like it works
  4. Click refresh, it's broken (F12 shows it's sending discovery to a completely wrong URL)

Expected behavior

It should just work.

Screenshots

I click save, it looks good: Image

I refresh the page, it still uses the bad URL: Image

Client details:

  • OS: Any OS
  • Browser : Any Browser
  • Version [e.g. 22]
  • Device: Desktop

Server details

Operating system: Ubuntu 2204 running Nextcloud Docker nextcloud:29.0.10

Web server: Docker nextcloud:29.0.10 built-in

Database: sqlite

PHP version: Docker nextcloud:29.0.10 built-in

Nextcloud version: Docker nextcloud:29.0.10 built-in

Version of the richdocuments app

Version of Collabora Online

Configuration of the richdocuments app

root@drive-git-server /s/nextcloud# docker exec -u 33 -ti rdrive ./occ config:list richdocuments
{
    "apps": {
        "richdocuments": {
            "installed_version": "8.4.11",
            "enabled": "yes",
            "types": "prevent_group_restriction",
            "wopi_url": "https:\/\/drive.recolic.cc\/custom_apps\/richdocumentscode\/proxy.php?req=",
            "disable_certificate_verification": "yes",
            "wopi_allowlist": "",
            "public_wopi_url": "http:\/\/drive.recolic.cc",
            "wopi_callback_url": ""
        }
    }
}

RCA

I can easily tell what's going wrong: The web dashboard doesn't set public_wopi_url. It only sets wopi_url, which is not used at all.

  1. Could someone help fix the frontend admin UI, to make sure public_wopi_url also got updated correctly?
  2. Could someone help update this guide ( https://github.com/nextcloud/richdocuments/blob/main/docs/install.md#configure-the-app-from-the-commandline ), to mention updating public_wopi_url ?

Let's make it easy for other noobs. Thanks!!

Update Apr 13: Renamed: Wrong public WOPI url: Ignored user configuration and used wrong detection

Looks like it's not as simple as a configuration issue. See discussion below.

It ignored user configuration, ignored any explicit URL config, and used its own unreliable "detected" URL, which caused many, many errors behind a reverse proxy + https.

Context: How I deploy nextcloud

I did docker run ... -p 3083:80 -v ... nextcloud, with nginx reverse proxy like this:

    server {
        listen       [::]:443 ssl http2;
        listen       443 ssl http2;
        server_name  drive.recolic.net drive.recolic.cc;
        ssl_certificate ...;
        location / {
                proxy_pass http://127.0.0.1:3083;

                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_set_header X-Scheme $scheme;

                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                add_header Front-End-Https on;
        }
    }

Apr 23 Update: this issue has been fixed by adjusting nginx configuration

See discussion below.

recolic avatar Apr 01 '25 00:04 recolic

Another potential bug: when I update wopi_allowlist from the admin UI, it automatically resets public_wopi_url to a bad value again.

I have to manually fix public_wopi_url after every config change.

I think this might be related to my nginx reverse proxy & some auto detection code?

recolic avatar Apr 01 '25 00:04 recolic

The command Recolic shared was very useful, so I checked the value of wopi_allowlist in occ against what I had in the config.php file, because I had this warning:

WOPI request denied from (mypublicip) as it does not match the configured ranges: (ip ranges)

After I updated the IP values in both places, the issue was fixed.

I used:

Check the IP configured in OCC:

    docker exec -u 33 -ti nextcloud-aio-nextcloud ./occ config:list richdocuments

It should show the same as configured inside config.php. If not, run the following:

    docker exec -u 33 -ti nextcloud-aio-nextcloud ./occ config:app:set richdocuments wopi_allowlist --value="YOURPUBLICIP"

Then configure the same in config.php: go to config/config.php and at the end add:

    'wopi_allowlist' => 'YOURIPSRANGES'

After that I am able to open office documents inside Nextcloud with Collabora.

I'm not an expert on Nextcloud, so I found that solution online and it worked for me.

vicolmenares avatar Apr 01 '25 11:04 vicolmenares

I tested again with fresh latest nextcloud docker + nginx reverse proxy. Looks like built-in CODE server works out-of-box (behind http-only reverse proxy)

Not sure what went wrong.. probably this issue only applies if upgraded from old version.

update: looks like public url is no longer necessary in latest app. But it still doesn't work because of some 500 token error.

update: 500 token error solved by clear all app data following this guide https://github.com/nextcloud/richdocuments/issues/3742#issuecomment-2163964324, but app doesn't start anymore after that.

update: app doesn't start error has been resolved by creating a fake ./remoteData/capabilities file, now app started, but still cannot open document because of Content-Security-Policy error.

Content-Security-Policy: The page’s settings blocked the loading of a resource (form-action) at 
http://drive.recolic.cc/custom_apps/richdocumentscode/proxy.php?req=/browser/b7ba9a23ba/cool.html?WOPISrc=https%3A%2F%2Fdrive.recolic.cc%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F308504_oca5n8eadtqi&lang=en&closebutton=1 
because it violates the following directive: “form-action 'self' https://drive.recolic.cc/”

update: looks like it's the broken public URL detection again... it detected correct URL https:// but still using http://

recolic avatar Apr 14 '25 01:04 recolic

same error after setting public_WOPI_url .. looks like the error is somewhere else.

Refused to send form data to 'http://drive.recolic.cc/custom_apps/richdocumentscode/proxy.php?req=/browser/b7ba9a23ba/cool.html?WOPISrc=https%3A%2F%2Fdrive.recolic.cc%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F308504_oca5n8eadtqi&lang=en&closebutton=1' 
because it violates the following Content Security Policy directive: "form-action 'self' https://drive.recolic.cc".

recolic avatar Apr 14 '25 02:04 recolic

why do we make this "WOPI" url so complex? there're at least 4 different "url"s in this issue.

we already have "nextcloud public url" in config.php, have "wopi url" in app config, have another "wopi public url" in config, why there's one more "url" in coolwsd.xml? it's not cool at all.

Could we just make a single configuration entry? Just ask the user for URL, and use it everywhere. Nothing could go wrong. Stop doing random buggy detection.

recolic avatar Apr 14 '25 02:04 recolic

update: the error above could be solved by manually patch apps/richdocuments/js/richdocuments-viewer.js: search for urlsrc and modify to de.get('urlsrc').replace(/^http:/, 'https:').

but still getting other CSP errors after this one. Need to patch proxy.php also.

recolic avatar Apr 14 '25 02:04 recolic

Could someone give a suggestion about how to hardcode the same http:// => https:// replacement in proxy.php?

recolic avatar Apr 14 '25 02:04 recolic

I'm confused by what the problem is exactly -- you are trying to use https but http is being used? Also, it wouldn't really be possible to have one URL to configure in many different setups. For example, I run things in a Docker compose setup, so the Nextcloud callback URL that Collabora has to use to connect with Nextcloud must be configured differently than the URL my browser would use.

elzody avatar Apr 14 '25 17:04 elzody

> I'm confused by what the problem is exactly -- you are trying to use https but http is being used? Also, it wouldn't really be possible to have one URL to configure in many different setups. For example, I run things in a Docker compose setup, so the Nextcloud callback URL that Collabora has to use to connect with Nextcloud must be configured differently than the URL my browser would use.

Yes. Currently the problem is, my explicit WOPI public url configuration was ignored, and it insists on using the incorrectly detected URL (http://)

recolic avatar Apr 15 '25 00:04 recolic

I think we are facing the same issue https://github.com/nextcloud/richdocuments/issues/4611

tony-engineering avatar Apr 16 '25 18:04 tony-engineering

Have you tried setting the callback URL to the desired URL? I explained it here on the other issue mentioned: https://github.com/nextcloud/richdocuments/issues/4611#issuecomment-2810657189

You shouldn't need to manually edit any of the files -- that isn't a long-term solution.

elzody avatar Apr 16 '25 20:04 elzody

> Have you tried setting the callback URL to the desired URL? I explained it here on the other issue mentioned: #4611 (comment)
>
> You shouldn't need to manually edit any of the files -- that isn't a long-term solution.

Thanks for the information. But it didn't work in my first attempt

I double checked richdocuments config. It turns into http:// again...

recolic avatar Apr 16 '25 20:04 recolic

try to put this as value http://drive.recolic.cc see my reply here https://github.com/nextcloud/richdocuments/issues/4611#issuecomment-2810768779

tony-engineering avatar Apr 16 '25 21:04 tony-engineering

> try to put this as value http://drive.recolic.cc see my reply here #4611 (comment)

emm looks like it doesn't help in my case

Your Collabora public URL is correctly detected as https://, but not in my case.

Context: How I run nextcloud

I did docker run ... -p 3083:80 -v ... nextcloud, with nginx reverse proxy like this:

    server {
        listen       [::]:443 ssl http2;
        listen       443 ssl http2;
        server_name  drive.recolic.net drive.recolic.cc;
        ssl_certificate ...;
        location / {
                proxy_pass http://127.0.0.1:3083;

                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;

                proxy_set_header X-Scheme $scheme;

                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                add_header Front-End-Https on;
        }
    }

recolic avatar Apr 16 '25 21:04 recolic

  • I can see you are missing the "upstream-hash-by", which I believe is required, see my nginx config here (https://github.com/CollaboraOnline/online/issues/11294)
  • check that when you access your collabora server using HTTP protocol, it returns OK, like it does for me here https://collabora.cloud2.rougeot-ant.one/ (might be offline because I'm scaling down nodes at night). It should look like this screenshot
  • also, try to find right callback url and make a request from collabora -> to nextcloud, like here (https://github.com/CollaboraOnline/online/issues/11294#issuecomment-2724700572), it could help you to isolate the issue

tony-engineering avatar Apr 16 '25 21:04 tony-engineering

Thanks so much for your help! I will try to work on this tomorrow


recolic avatar Apr 16 '25 21:04 recolic

> • I can see you are missing the "upstream-hash-by", which I believe is required, see my nginx config here
>
> • check that when you access your collabora server using HTTP protocol, it returns OK, like it does for me here https://collabora.cloud2.rougeot-ant.one/ (might be offline because I'm scaling down nodes at night). It should look like this screenshot
>
> • also, try to find right callback url and make a request from collabora -> to nextcloud, like here (https://github.com/CollaboraOnline/online/issues/11294#issuecomment-2724700572), it could help you to isolate the issue

  1. upstream-hash-by is not available in my nginx installation.. looks like it's provided by an optional extension.
  2. check that when you access your collabora server using HTTP protocol, it returns OK: Yes

And I tried to comment out all nginx proxy_set_header settings. The auto-detected URL goes from http://drive.recolic.cc to http://127.0.0.1:XXXXX.

So I believe the error must be related to my nginx configurations. Allow me some time to test more config...

recolic avatar Apr 23 '25 09:04 recolic

I was just trying out random nginx configuration combination... And suddenly, everything works! Now I'm able to edit my docx online.

                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;

                #proxy_set_header X-Scheme $scheme;

                proxy_set_header Host $host;
                #proxy_set_header X-Forwarded-Proto $scheme;
                #proxy_set_header X-Real-IP $remote_addr;
                #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #add_header Front-End-Https on;

Nextcloud shows

root@drive-git-server ~# docker exec -u 33 -ti rdrive ./occ config:list richdocuments
{
    "apps": {
        "richdocuments": {
            "installed_version": "8.5.6",
            "enabled": "yes",
            "types": "prevent_group_restriction",
            "wopi_url": "https:\/\/drive.recolic.cc\/custom_apps\/richdocumentscode\/proxy.php?req=",
            "disable_certificate_verification": "yes",
            "wopi_callback_url": "http:\/\/drive.recolic.cc",
            "public_wopi_url": "https:\/\/drive.recolic.cc"
        }
    }
}

I don't know why but I would never touch it again for the rest of my life.

recolic avatar Apr 23 '25 09:04 recolic
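
The CSP errors quoted earlier in the thread come down to an `http://` public URL being tested against a `form-action` policy that lists only `'self'` and `https://drive.recolic.cc`. The following is an added example, not code from the thread or from richdocuments, that runs that check over the JSON printed by `occ config:list richdocuments`. The matcher is a simplified form of CSP source matching, `PAGE` is an assumed page URL, and the meaning given to `disable_certificate_verification` is taken from the setting's name.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def allowed_by_form_action(target, page_url, sources):
    """Simplified CSP matching: 'self' and scheme://host[:port] sources only.

    A source may match a more secure target (http source, https target),
    but an https source never matches an http target.
    """
    t_scheme, t_host, t_port = origin(target)
    for src in sources:
        s_scheme, s_host, s_port = origin(page_url if src == "'self'" else src)
        same = (t_scheme, t_port) == (s_scheme, s_port)
        upgrade = (s_scheme, s_port) == ("http", 80) and (t_scheme, t_port) == ("https", 443)
        if t_host == s_host and (same or upgrade):
            return True
    return False

def audit(occ_json, page_url, sources):
    """Return findings for the JSON printed by `occ config:list richdocuments`."""
    cfg = json.loads(occ_json)["apps"]["richdocuments"]
    findings = []
    public = cfg.get("public_wopi_url", "")  # the URL the browser is sent to
    if public and not allowed_by_form_action(public, page_url, sources):
        findings.append(f"public_wopi_url {public} is blocked by form-action")
    # Assumption: "yes" turns off TLS certificate checks towards the WOPI server.
    if cfg.get("disable_certificate_verification") == "yes":
        findings.append("disable_certificate_verification is on")
    return findings

def sample(public_url):
    """Constructed input: the two config dumps in the thread, trimmed to two keys."""
    return json.dumps({"apps": {"richdocuments": {
        "public_wopi_url": public_url,
        "disable_certificate_verification": "yes"}}})

PAGE = "https://drive.recolic.cc/index.php/apps/files"  # assumed page URL
POLICY = ["'self'", "https://drive.recolic.cc"]          # sources from the quoted CSP error

if __name__ == "__main__":
    for url in ("http://drive.recolic.cc", "https://drive.recolic.cc"):
        print(url, audit(sample(url), PAGE, POLICY))
```
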

I am facing the same issue, bonus weird++

The app opens the first time and then only the first time?! Afterwards it loads indefinitely.

Setting manually public url works...

Otherwise it tries to access https://nextcloud.instance.com/hosting/capabilities thus 404

php occ richdocuments:setup --callback-url "https://my.instance.com"
✓ Set callback url to https://my.instance.com
Checking configuration
🛈 Configured WOPI URL: https://my.instance.com/apps/richdocumentscode/proxy.php?req=
🛈 Configured public WOPI URL: https://my.instance.com/richdocumentscode/proxy.php?req=
🛈 Configured callback URL: https://my.instance.com

✓ Fetched /hosting/discovery endpoint
✓ Valid mimetype response
✓ Valid capabilities entry
✓ Fetched /hosting/capabilities endpoint
✓ Detected WOPI server: Collabora Online Development Edition 24.04.13.3

Collabora URL (used for Nextcloud to contact the Collabora server):
  https://my.instance.com/apps/richdocumentscode/proxy.php?req=
Collabora public URL (used in the browser to open Collabora):
  https://my.instance.com
Callback URL (used by Collabora to connect back to Nextcloud):
  https://my.instance.com

baptisterajaut avatar May 09 '25 11:05 baptisterajaut

as mentioned by @elzody here , the feature to choose callback URL in the UI will be implemented. Might help for your issue

tony-engineering avatar May 11 '25 13:05 tony-engineering