Caddy + Nextcloud (fpm) + Collabora - individual containers and docker-compose

Made the change, Nextcloud opened.

I could login.

The first thing I noticed was the lack of images on the notification icons…

I could “Download and enable” Collabora Online but not

  • click “Use your own server”, check “Disable certificate verification (insecure)” and enter the same URL you are using to access your Nextcloud; in my case it would be “https://nextcloud.local.cites.aop” and click “Save”

Also, on the “Overview” page that was without any warnings, now has

“You are accessing your instance over a secure connection, however your instance is generating insecure URLs. This most likely means that you are behind a reverse proxy and the overwrite config variables are not set correctly.”

At this point, just sounds like nextcloud config issues.

Yes, I will read some more documentation. Thanks!

Hi @francislavoie!

Only one piece of the puzzle is missing!

It has something to do with not remote_ip but I couldn’t find the cause; I just confirmed that, with not remote_ip turned off, everything works as it should.

I don’t remember where I saw the example but I liked it and started using it. It makes me comfortable during testing, before releasing for “production”.

(vips_only) {
        @fuck_off_world {
                not remote_ip x.y.z.w/32 a.b.c.d/32
        }
        respond @fuck_off_world 403
}

And, for example, at my Nextcloud block:

nextcloud.cites.aop {

  --->  import vips_only  <---

        encode gzip

        redir /.well-known/carddav /remote.php/dav 301
        redir /.well-known/caldav /remote.php/dav 301
        redir /.well-known/webfinger /index.php/.well-known/webfinger 301
        redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

        header {
                Strict-Transport-Security max-age=31536000;
        }

        @collabora {
                path /browser/*
                path /hosting/discovery
                path /hosting/capabilities
                path /cool/*
        }

        reverse_proxy @collabora http://nextcloud-collabora:9980

        reverse_proxy http://nextcloud-web:80

}

This way I can conduct the tests only from my notebook and my cell phone (4G). I confirm that access is denied and does not work by trying to access from another cell phone (4G).

In this specific case of Collabora integrated with Nextcloud, Collabora only works (opens) if import vips_only is commented out. If it is activated the below screen appears:

The answer must be in the logs but I’m not seeing or knowing how to find it.

Nothing appears in the Collabora logs (expected; for some reason Caddy must be blocking access).

Server: COOLWSD HTTP Server 21.11.4.2
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: ynRUgRArnuiDYcRxmT3OjpLb2Sk=
| ./net/WebSocketHandler.hpp:891
wsd-00001-00032 2022-05-21 11:51:14.370292 -0300 [ prisoner_poll ] TRC  #22: Wrote 201 bytes of 201 buffered data| ./net/Socket.hpp:1430
wsd-00001-00032 2022-05-21 11:51:14.370301 -0300 [ prisoner_poll ] INF  ChildProcess ctor [35].| wsd/COOLWSD.hpp:58
wsd-00001-00032 2022-05-21 11:51:14.370308 -0300 [ prisoner_poll ] TRC  #22 resetting thread affinity while in transit (was 0x7fd290249700)| ./net/Socket.hpp:329
wsd-00001-00032 2022-05-21 11:51:14.370324 -0300 [ prisoner_poll ] TRC  Calling addNewChild in disposition's move thing to add to NewChildren| wsd/COOLWSD.cpp:3177
wsd-00001-00032 2022-05-21 11:51:14.370330 -0300 [ prisoner_poll ] TRC  Adding one child to NewChildren| wsd/COOLWSD.cpp:523
wsd-00001-00032 2022-05-21 11:51:14.370336 -0300 [ prisoner_poll ] INF  Have 1 spare child after adding [35].| wsd/COOLWSD.cpp:527
wsd-00001-00032 2022-05-21 11:51:14.370342 -0300 [ prisoner_poll ] TRC  Notifying NewChildrenCV| wsd/COOLWSD.cpp:530
wsd-00001-00032 2022-05-21 11:51:14.370390 -0300 [ prisoner_poll ] TRC  Removing socket #22 (at 2 of 3) from prisoner_poll| net/Socket.cpp:473
wsd-00001-00032 2022-05-21 11:51:14.370404 -0300 [ prisoner_poll ] TRC  #20: setupPollFds getPollEvents: 0x1| net/Socket.hpp:852
wsd-00001-00001 2022-05-21 11:51:14.370407 -0300 [ coolwsd ] TRC  Have 1 new children.| wsd/COOLWSD.cpp:4995
wsd-00001-00001 2022-05-21 11:51:14.370449 -0300 [ coolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/COOLWSD.cpp:5011
Ready to accept connections on port 9980.

Logs of the nextcloud-web container, waiting for something from Caddy (I suppose).

172.18.0.2 - - [21/May/2022:14:55:06 +0000] "POST /ocs/v2.php/apps/files/api/v1/templates/create HTTP/1.1" 200 228 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:06 +0000] "PROPFIND /remote.php/dav/files/admin/another%20document.odt HTTP/1.1" 207 608 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:06 +0000] "PROPFIND /remote.php/dav/files/admin/another%20document.odt HTTP/1.1" 207 580 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:06 +0000] "GET /core/preview?fileId=249&c=b604ca84667508e668f797c612ee5595&x=250&y=250&forceIcon=0&a=0 HTTP/1.1" 404 2 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:06 +0000] "GET /apps/richdocuments/index?fileId=249&requesttoken=EWF1rtQXJitZogky5Twm%2FtQnMm5Xtw0FikF%2FghjwRqU%3D%3AZAcjwOBYa1428msBkHBwhoZieCcFgHtH3jAWyUGCCcM%3D&path=%2Fanother%20document.odt HTTP/1.1" 200 5131 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:07 +0000] "GET /core/js/oc.js?v=dace1232 HTTP/1.1" 200 3730 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"
172.18.0.2 - - [21/May/2022:14:55:07 +0000] "GET /cron.php HTTP/1.1" 200 51 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0" "x.y.z.w"

And the Caddy logs during the “Loading new document.odt…” step.

{"level":"debug","ts":1653144905.844074,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144906.0483022,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.204131792,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"POST","host":"nextcloud.cites.aop","uri":"/ocs/v2.php/apps/files/api/v1/templates/create","headers":{"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"X-Forwarded-Host":["nextcloud.cites.aop"],"Sec-Fetch-Site":["same-origin"],"Content-Length":["36"],"Accept":["application/json, text/plain, */*"],"Te":["trailers"],"Origin":["https://nextcloud.cites.aop"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"X-Forwarded-Proto":["https"],"X-Forwarded-For":["x.y.z.w"],"Content-Type":["application/json"],"Requesttoken":["EWF1rtQXJitZogky5Twm/tQnMm5Xtw0FikF/ghjwRqU=:ZAcjwOBYa1428msBkHBwhoZieCcFgHtH3jAWyUGCCcM="],"Cookie":[],"Sec-Fetch-Dest":["empty"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Content-Length":["228"],"X-Request-Id":["TjtqmSq1uy7uo0OxWrdh"],"Content-Encoding":["gzip"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"Server":["nginx"],"Connection":["keep-alive"],"Pragma":["no-cache"],"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"],"Feature-Policy":["autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"],"X-Frame-Options":["SAMEORIGIN"],"Date":["Sat, 21 May 2022 14:55:06 GMT"],"Content-Type":["application/json; charset=utf-8"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Referrer-Policy":["no-referrer"],"X-Robots-Tag":["none","none"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Xss-Protection":["1; mode=block"]},"status":200}
{"level":"debug","ts":1653144906.2103868,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144906.3033574,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.092877782,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"PROPFIND","host":"nextcloud.cites.aop","uri":"/remote.php/dav/files/admin/another%20document.odt","headers":{"Content-Type":["application/xml; charset=utf-8"],"Content-Length":["684"],"Te":["trailers"],"X-Forwarded-Host":["nextcloud.cites.aop"],"Accept":["*/*"],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"Origin":["https://nextcloud.cites.aop"],"Requesttoken":["EWF1rtQXJitZogky5Twm/tQnMm5Xtw0FikF/ghjwRqU=:ZAcjwOBYa1428msBkHBwhoZieCcFgHtH3jAWyUGCCcM="],"X-Requested-With":["XMLHttpRequest"],"Cookie":[],"Depth":["0"],"X-Forwarded-For":["x.y.z.w"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Content-Security-Policy":["default-src 'none';"],"Referrer-Policy":["no-referrer"],"Content-Type":["application/xml; charset=utf-8"],"Dav":["1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nextcloud-checksum-update, nc-calendar-search, nc-enable-birthday-calendar"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Vary":["Brief,Prefer"],"X-Xss-Protection":["1; mode=block"],"Server":["nginx"],"Connection":["keep-alive"],"Pragma":["no-cache"],"X-Request-Id":["7Hgj4o3tzgN98H1bxx9z"],"X-Debug-Token":["7Hgj4o3tzgN98H1bxx9z"],"Content-Encoding":["gzip"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"X-Frame-Options":["SAMEORIGIN"],"X-Robots-Tag":["none"],"Date":["Sat, 21 May 2022 14:55:06 GMT"],"X-Permitted-Cross-Domain-Policies":["none"]},"status":207}
{"level":"debug","ts":1653144906.4756792,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144906.4895573,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144906.5883212,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.096054542,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"PROPFIND","host":"nextcloud.cites.aop","uri":"/remote.php/dav/files/admin/another%20document.odt","headers":{"Sec-Fetch-Dest":["empty"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["nextcloud.cites.aop"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Depth":["0"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"X-Requested-With":["XMLHttpRequest"],"Sec-Fetch-Site":["same-origin"],"Cookie":[],"Origin":["https://nextcloud.cites.aop"],"Content-Length":["661"],"Sec-Fetch-Mode":["cors"],"Requesttoken":["EWF1rtQXJitZogky5Twm/tQnMm5Xtw0FikF/ghjwRqU=:ZAcjwOBYa1428msBkHBwhoZieCcFgHtH3jAWyUGCCcM="],"X-Forwarded-For":["x.y.z.w"],"Content-Type":["text/plain;charset=UTF-8"],"Accept":["text/plain,application/xml"],"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Server":["nginx"],"Vary":["Brief,Prefer"],"X-Content-Type-Options":["nosniff"],"X-Download-Options":["noopen"],"Date":["Sat, 21 May 2022 14:55:06 GMT"],"Connection":["keep-alive"],"Content-Security-Policy":["default-src 'none';"],"Dav":["1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, nextcloud-checksum-update, nc-calendar-search, nc-enable-birthday-calendar"],"X-Permitted-Cross-Domain-Policies":["none"],"X-Xss-Protection":["1; mode=block"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"X-Debug-Token":["MKamWtZuEC8DQiX5y91S"],"Referrer-Policy":["no-referrer"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/xml; charset=utf-8"],"Cache-Control":["no-store, no-cache, must-revalidate"],"Pragma":["no-cache"],"X-Request-Id":["MKamWtZuEC8DQiX5y91S"],"Content-Encoding":["gzip"],"X-Robots-Tag":["none"]},"status":207}
{"level":"debug","ts":1653144906.6449735,"logger":"tls.handshake","msg":"choosing certificate","identifier":"nextcloud.cites.aop","num_choices":1}
{"level":"debug","ts":1653144906.6450276,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"nextcloud.cites.aop","subjects":["nextcloud.cites.aop"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"8ff87596e3efbf1c77e06f9b695db7522d9218dcad00f554d676c2d3b745cd18"}
{"level":"debug","ts":1653144906.6450381,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["nextcloud.cites.aop"],"managed":true,"expiration":1660870115,"hash":"8ff87596e3efbf1c77e06f9b695db7522d9218dcad00f554d676c2d3b745cd18"}
{"level":"debug","ts":1653144906.6724408,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.196662054,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/core/preview?fileId=249&c=b604ca84667508e668f797c612ee5595&x=250&y=250&forceIcon=0&a=0","headers":{"X-Forwarded-For":["x.y.z.w"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Sec-Fetch-Site":["same-origin"],"Accept":["image/avif,image/webp,*/*"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"X-Forwarded-Proto":["https"],"Cookie":[],"Sec-Fetch-Dest":["image"],"X-Forwarded-Host":["nextcloud.cites.aop"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Date":["Sat, 21 May 2022 14:55:06 GMT"],"Connection":["keep-alive"],"Pragma":["no-cache"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"],"X-Frame-Options":["SAMEORIGIN"],"Feature-Policy":["autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"],"X-Robots-Tag":["none","none"],"Referrer-Policy":["no-referrer"],"X-Xss-Protection":["1; mode=block"],"Content-Type":["application/json; charset=utf-8"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Cache-Control":["no-cache, no-store, must-revalidate"],"X-Request-Id":["H4ZOSPnx98xyWJk2Mryh"],"X-Download-Options":["noopen"],"X-Permitted-Cross-Domain-Policies":["none"],"Server":["nginx"],"Content-Length":["2"],"X-Content-Type-Options":["nosniff"]},"status":404}
{"level":"debug","ts":1653144906.7963533,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144906.888603,"logger":"tls.handshake","msg":"choosing certificate","identifier":"nextcloud.cites.aop","num_choices":1}
{"level":"debug","ts":1653144906.8886487,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"nextcloud.cites.aop","subjects":["nextcloud.cites.aop"],"managed":true,"issuer_key":"acme-staging-v02.api.letsencrypt.org-directory","hash":"8ff87596e3efbf1c77e06f9b695db7522d9218dcad00f554d676c2d3b745cd18"}
{"level":"debug","ts":1653144906.8886578,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["nextcloud.cites.aop"],"managed":true,"expiration":1660870115,"hash":"8ff87596e3efbf1c77e06f9b695db7522d9218dcad00f554d676c2d3b745cd18"}
{"level":"debug","ts":1653144906.9338531,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.137387526,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/apps/richdocuments/index?fileId=249&requesttoken=EWF1rtQXJitZogky5Twm%2FtQnMm5Xtw0FikF%2FghjwRqU%3D%3AZAcjwOBYa1428msBkHBwhoZieCcFgHtH3jAWyUGCCcM%3D&path=%2Fanother%20document.odt","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":[],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Host":["nextcloud.cites.aop"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["iframe"],"X-Forwarded-For":["x.y.z.w"],"X-Forwarded-Proto":["https"],"Te":["trailers"],"Sec-Fetch-Site":["same-origin"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"X-Xss-Protection":["1; mode=block"],"Content-Length":["5131"],"X-Content-Type-Options":["nosniff"],"X-Request-Id":["79HjDdJCroVtkzc3hEPV"],"Pragma":["no-cache"],"Cache-Control":["no-cache, no-store, must-revalidate"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self' https://nextcloud.cites.aop;frame-ancestors 'self';worker-src 'self' blob:;form-action 'self' https://nextcloud.cites.aop"],"Server":["nginx"],"Feature-Policy":["autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'"],"X-Robots-Tag":["none","none"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Connection":["keep-alive"],"Date":["Sat, 21 May 2022 14:55:06 GMT"],"X-Frame-Options":["SAMEORIGIN"],"X-Download-Options":["noopen"],"Content-Encoding":["gzip"],"Referrer-Policy":["no-referrer"],"X-Permitted-Cross-Domain-Policies":["none"],"Content-Type":["text/html; charset=UTF-8"]},"status":200}
{"level":"debug","ts":1653144907.1015801,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144907.1609292,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.059212132,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/core/js/oc.js?v=dace1232","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept":["*/*"],"Cookie":[],"Sec-Fetch-Dest":["script"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"X-Forwarded-For":["x.y.z.w"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["nextcloud.cites.aop"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Content-Length":["3730"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Cache-Control":["no-cache, no-store, must-revalidate"],"Server":["nginx"],"X-Request-Id":["hLKPjQhUzy3c0nKdb9V9"],"Referrer-Policy":["no-referrer"],"Connection":["keep-alive"],"Content-Security-Policy":["default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'"],"X-Robots-Tag":["none","none"],"Date":["Sat, 21 May 2022 14:55:07 GMT"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"Feature-Policy":["autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'"],"X-Content-Type-Options":["nosniff"],"Content-Disposition":["inline; filename=\"\""],"X-Permitted-Cross-Domain-Policies":["none"],"X-Download-Options":["noopen"],"Content-Type":["text/javascript;charset=UTF-8"],"Pragma":["no-cache"]},"status":200}
{"level":"debug","ts":1653144907.5466614,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
{"level":"debug","ts":1653144907.597155,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"nextcloud-web:80","duration":0.050405907,"request":{"remote_ip":"x.y.z.w","remote_port":"53604","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/cron.php","headers":{"Te":["trailers"],"Accept-Language":["en-US,en;q=0.8,pt-BR;q=0.5,pt;q=0.3"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0"],"Requesttoken":["+RioGwcrjQ3c23Y6EEGhJWBNXKvsoxQz7WeuFncJxxw=:jH7+dTNkwHizixQJZQ33XTIIFuK+lGJxuRbHXS57iHo="],"X-Forwarded-For":["x.y.z.w"],"Ocs-Apirequest":["true"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-Host":["nextcloud.cites.aop"],"Cookie":[],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["*/*"],"X-Requested-With":["XMLHttpRequest"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.cites.aop"}},"headers":{"Date":["Sat, 21 May 2022 14:55:07 GMT"],"Connection":["keep-alive"],"Vary":["Accept-Encoding"],"Pragma":["no-cache"],"X-Permitted-Cross-Domain-Policies":["none"],"Content-Security-Policy":["default-src 'self'; script-src 'self' 'nonce-RmRZQUdiMjMwT3RTQzhFUnd0MFptQXI1b0xVSjZHaERuS2tySksycFhuYz06WUxCV2Q0bjRuWjQ5VzZNaXQ1RlA0Rmk4NnZ4YjN4NEJ5TmhDYi9UYkVSRT0='; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *; connect-src *; object-src 'none'; base-uri 'self';"],"Referrer-Policy":["no-referrer"],"X-Content-Type-Options":["nosniff"],"X-Robots-Tag":["none"],"Content-Encoding":["gzip"],"Cache-Control":["no-store, no-cache, must-revalidate"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Server":["nginx"],"Content-Type":["application/json; charset=utf-8"],"Expires":["Thu, 19 Nov 1981 08:52:00 GMT"],"X-Download-Options":["noopen"]},"status":200}

P.S.: I tried the forwarded argument of remote_ip but that doesn’t help.

Turn on access logging with the log directive, it’ll show you every individual request and their IP address.

Does collabora have a certain cloud integration where they have their own servers try to reach your instance for whatever reason? You might be blocking those requests that are “required” for it to work. Just a hunch. I know nothing about collabora.
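To act on the access-logging suggestion above, here is an added example (not code from the thread or from Caddy) that reads Caddy's JSON access-log lines, keeps every request answered with 403 and reports whether the remote_ip was inside an allowlist of the same shape as the `not remote_ip` matcher, so a server-side caller that the IP filter is rejecting stands out from ordinary Internet noise. The log records and addresses are constructed sample data.

```python
"""Find blocked requests in Caddy JSON access logs.

Added example, not from the thread: with the `log` directive on, Caddy
writes one JSON object per handled request. This keeps every request
answered with 403 (what the `vips_only` snippet returns) and checks
whether its remote_ip was inside the allowlist. Addresses and log
lines below are constructed sample data.
"""
import ipaddress
import json
from collections import Counter

# Same shape as the `not remote_ip a/32 b/32` matcher; constructed
# documentation-range addresses stand in for the post's x.y.z.w/a.b.c.d.
ALLOWLIST = ["203.0.113.10/32", "198.51.100.20/32"]

# Constructed records in the field layout Caddy 2.5 emits (headers and
# resp_headers trimmed). The last line is a non-access record that the
# parser must skip, like the reverse_proxy debug lines in the post.
SAMPLE_LOG = r'''
{"level":"info","ts":1653144906.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.10","remote_port":"53604","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/apps/richdocuments/index?fileId=249","headers":{}},"user_id":"admin","duration":0.137,"size":5131,"status":200}
{"level":"info","ts":1653144906.5,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.0.5","remote_port":"41022","proto":"HTTP/1.1","method":"GET","host":"nextcloud.cites.aop","uri":"/index.php/apps/richdocuments/wopi/files/249?access_token=REDACTED","headers":{}},"user_id":"","duration":0.0002,"size":0,"status":403}
{"level":"info","ts":1653144906.6,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.0.5","remote_port":"41024","proto":"HTTP/1.1","method":"GET","host":"nextcloud.cites.aop","uri":"/index.php/apps/richdocuments/wopi/files/249/contents?access_token=REDACTED","headers":{}},"user_id":"","duration":0.0002,"size":0,"status":403}
{"level":"info","ts":1653144907.0,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.0.2.77","remote_port":"50111","proto":"HTTP/2.0","method":"GET","host":"nextcloud.cites.aop","uri":"/login","headers":{}},"user_id":"","duration":0.0001,"size":0,"status":403}
{"level":"debug","ts":1653144907.1,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"nextcloud-web:80","total_upstreams":1}
'''


def parse_access_log(text):
    """Yield (remote_ip, method, uri, status) per access-log record;
    blank, malformed or non-access lines are skipped, not fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not str(rec.get("logger", "")).startswith("http.log.access"):
            continue
        req = rec.get("request", {})
        yield (req.get("remote_ip", ""), req.get("method", ""),
               req.get("uri", ""), rec.get("status"))


def in_allowlist(ip, cidrs=ALLOWLIST):
    """True if `ip` falls inside any allowlisted CIDR (bad input -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def denied_requests(text, cidrs=ALLOWLIST):
    """Return each 403 as a dict. allowlisted=False means the matcher
    itself produced the 403; allowlisted=True means the upstream did."""
    return [{"remote_ip": ip, "method": method, "uri": uri,
             "allowlisted": in_allowlist(ip, cidrs)}
            for ip, method, uri, status in parse_access_log(text)
            if status == 403]


def denied_by_source(text, cidrs=ALLOWLIST):
    """Map remote_ip -> (count, first path without query) for 403s the
    allowlist caused; one private/Docker-bridge IP hammering API paths
    reads very differently from many external IPs probing /login."""
    counts, first_path = Counter(), {}
    for d in denied_requests(text, cidrs):
        if d["allowlisted"]:
            continue
        counts[d["remote_ip"]] += 1
        first_path.setdefault(d["remote_ip"], d["uri"].split("?", 1)[0])
    return {ip: (n, first_path[ip]) for ip, n in counts.items()}


if __name__ == "__main__":
    for ip, (n, path) in denied_by_source(SAMPLE_LOG).items():
        tag = "internal" if ipaddress.ip_address(ip).is_private else "external"
        print(f"{ip:15} {tag:8} {n} blocked, first path {path}")
```

Feed it the real file with `denied_by_source(open("/path/to/access.log").read())`; a private-range source (another container on caddy_net) showing up among the blocked IPs is exactly the "required" server-side request the hunch above describes.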

I will use log directive and try to discover.

I also suspect this. Some sort of “reverse phone-home”. :smile:

In the meantime, two quick questions.

  1. will the below block get one certificate valid for three subjects OR three certificates, in separate folders, one for each subject?
mail.cites.aop, mail.domain-b.aop, mail.domain-c.aop {
        tls <email> {
                dns cloudflare <token>
                key_type rsa4096
        }
        reverse_proxy http://roundcube:80
}
  2. recently the command
docker exec -w /etc/caddy caddy caddy fmt --overwrite && \
  docker exec -w /etc/caddy caddy caddy reload

is not working. Caddy in the container only applies changes to the local Caddyfile if I issue a docker-compose restart command. I don’t know if it is related to newer versions of Caddy.

Below is how I set up my Caddy container.

cat << 'EOF' | tee ~/docker/caddy/tmp/Dockerfile > /dev/null
FROM caddy:2.5.1-builder-alpine AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare
FROM caddy:2.5.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
EOF

cat << 'EOF' | tee ~/docker/caddy/docker-compose.yml > /dev/null
version: "3.7"
services:

  caddy:
    build: ./tmp
    hostname: caddy
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./sites:/srv
      - ./Caddyfile:/etc/caddy/Caddyfile
      - data:/data
      - config:/config

volumes:
  data:
  config:

networks:
  default:
    name: caddy_net
    external: true
EOF

Then I start it with docker-compose up -d && clear ; docker logs -f caddy

Always one cert per domain. Caddy doesn’t do multi-SAN certs for various reasons.

Reload was broken in v2.5.0 I think. Use v2.5.1.

It’s either that or your docker volume isn’t syncing back properly for some reason.

I’m using Caddy 2.5.1.

I suspect this; I will look in Docker groups/support.

Now I need to learn how to use more than one certificate in Postfix! :wink:

I think that is something called SNI…

TLS-SNI (Server Name Identification) is the mechanism where the client tells the server the domain name it’s trying to connect to, during the TLS handshake (because the usual HTTP header Host is inside of the HTTP payload which is encrypted, SNI brings that piece of information earlier so the server can choose the right cert). SNI is not relevant for email/postfix.

Hi @francislavoie!

For some applications it is. Before, I was using certbot to generate my certificates and only importing them into Caddy. With certbot I was generating a multi-SAN certificate for my Postfix, where I do testing/learning with three domains.

But I learned how to do TLS-SNI in Postfix and Dovecot. I think that now it is even better than before: Caddy manages all certs for me and each domain has its own certificate.

But it wasn’t so easy to find/learn how to do it.

Postfix

  • create a file in /etc/postfix with one line per domain containing domain private_key certificate, example: /etc/postfix/domain_ssl.map
mail.domain-a.com /path/to/mail.domain-a.com.key /path/to/mail.domain-a.com.crt
mail.domain-b.com /path/to/mail.domain-b.com.key /path/to/mail.domain-b.com.crt
mail.domain-c.com /path/to/mail.domain-c.com.key /path/to/mail.domain-c.com.crt
  • execute cd /etc/postfix && postmap -F domain_ssl.map to create the db file
  • add tls_server_sni_maps = hash:/etc/postfix/domain_ssl.map to /etc/postfix/main.cf
  • restart Postfix

Dovecot

  • create a file in /etc/dovecot/conf.d/11-ssl.conf with a content like:
local_name mail.domain-a.com {
  ssl_cert = </path/to/mail.domain-a.com/mail.domain-a.com.crt
  ssl_key = </path/to/mail.domain-a.com/mail.domain-a.com.key
}

local_name mail.domain-b.com {
  ssl_cert = </path/to/mail.domain-b.com/mail.domain-b.com.crt
  ssl_key = </path/to/mail.domain-b.com/mail.domain-b.com.key
}

local_name mail.domain-c.com {
  ssl_cert = </path/to/mail.domain-c.com/mail.domain-c.com.crt
  ssl_key = </path/to/mail.domain-c.com/mail.domain-c.com.key
}
  • restart Dovecot

Then you can verify that both Postfix and Dovecot are using the right certificates with:

openssl s_client -servername mail.domain-a.com -connect mail.domain-a.com:465 (SMTP via SSL - Postfix)

openssl s_client -servername mail.domain-a.com -connect mail.domain-a.com:993 (IMAP via SSL - Dovecot)
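The two openssl checks above, automated for all three domains as an added example (not code from the post): it opens an implicit-TLS connection to ports 465 and 993, sends the domain as SNI and verifies that the DNS SANs of the certificate actually presented cover that name, which is what tells you the Postfix sni map entry and the Dovecot local_name block are the right ones. The mail host names are the post's placeholders; the connection part needs network access to the real servers, the matching function does not.

```python
"""Check which certificate Postfix/Dovecot present for a given SNI name.

Added example, not from the forum post: automates the
`openssl s_client -servername ... -connect ...` checks for the three
mail domains and verifies that the certificate each service presents
covers the SNI name that was sent. fetch_san_names() needs network
access to the real mail hosts; cert_covers_name() is pure.
"""
import socket
import ssl


def cert_covers_name(san_dns_names, servername):
    """True if `servername` is covered by one of the certificate's DNS SANs.

    Exact match, or a single wildcard in the left-most label only
    (RFC 6125 style): '*.domain-a.com' covers 'mail.domain-a.com' but
    not 'domain-a.com' or 'a.b.domain-a.com'. Case-insensitive, and a
    trailing dot on either side is ignored.
    """
    name = servername.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        if (san.startswith("*.") and name.endswith(san[1:])
                and name.count(".") == san.count(".")):
            return True
    return False


def fetch_san_names(host, port, servername, cafile=None, timeout=10.0):
    """Connect with implicit TLS (465 = SMTPS, 993 = IMAPS), send
    `servername` as SNI and return the DNS SANs of the leaf certificate.

    Hostname checking is turned off on purpose so that a *wrong*
    certificate is still returned and reported instead of aborting the
    handshake; the chain is still validated against the system trust
    store, or against `cafile` for a private or staging CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def check_sni(servername, port, host=None, cafile=None):
    """Return (covers, sans): whether the certificate presented for
    `servername` covers it, plus the SAN list for the report."""
    sans = fetch_san_names(host or servername, port, servername, cafile)
    return cert_covers_name(sans, servername), sans


if __name__ == "__main__":
    # Domains from the post; 465 = Postfix (SMTP over TLS), 993 = Dovecot
    # (IMAP over TLS). A MISMATCH normally means the default certificate
    # was served: the domain is missing from tls_server_sni_maps, or the
    # Dovecot local_name block for it is wrong or duplicated.
    for domain in ("mail.domain-a.com", "mail.domain-b.com", "mail.domain-c.com"):
        for port, service in ((465, "Postfix"), (993, "Dovecot")):
            try:
                covers, sans = check_sni(domain, port)
            except OSError as exc:  # ssl.SSLError is an OSError too
                print(f"{service:8} {domain}:{port}  ERROR {exc}")
                continue
            verdict = "OK" if covers else "MISMATCH"
            print(f"{service:8} {domain}:{port}  {verdict}  SANs: {sans}")
```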
