Preview generation not working from a LAN hosted Collabora instance unless allow_local_remote_servers=true is set

[krzys-h]

Describe the bug
I have a Collabora instance hosted on an URL such as https://office.example.com, where the domain resolves to a local IP. This causes the previews to not work - the preview generation fails with an error LocalServerException: Host violates local access rules

I would consider this a bug, since the builtin Imaginary integration permits a local server to be used for thumbnails without enabling this flag, see
https://github.com/nextcloud/server/blob/1612d025cf21ac0ae70327c46dd59be66c096627/lib/private/Preview/Imaginary.php#L167

To Reproduce
Steps to reproduce the behavior:

1. Configure a Collabora server on a domain that resolves to a local IP (making sure not to include a trailing slash in the config ;) see Preview generation not working when wopi_url has a trailing slash #3434)
2. Create a new .docx file, or upload one
3. Look at the directory listing - the preview is missing

Expected behavior
The preview generation should work

Server details

Operating system: Ubuntu 22.04.3 LTS, running the official nextcloud:apache docker image

Web server: Apache from the docker image, behind a Traefik reverse proxy

Database: mysql

PHP version: 8.2.14

Nextcloud version: 28.0.1

Version of the richdocuments app 8.3.1

Version of Collabora Online 23.05.7.2

Configuration of the richdocuments app

{
    "apps": {
        "richdocuments": {
            "disable_certificate_verification": "",
            "doc_format": "ooxml",
            "enabled": "yes",
            "installed_version": "8.3.1",
            "public_wopi_url": "https:\/\/office.example.com",
            "types": "prevent_group_restriction",
            "wopi_url": "https:\/\/office.example.com"
        }
    }
}

Logs

Nextcloud log (data/nextcloud.log)

{"reqId":"iTXJcM5uVkYJEoG3pRHi","level":1,"time":"2024-01-21T17:41:23+00:00","remoteAddr":"10.10.10.10","user":"krzys_h","app":"richdocuments","method":"GET","url":"/core/preview?fileId=2121735&x=32&y=32&mimeFallback=true&a=0","message":"Failed to convert file to preview","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","version":"28.0.1.1","exception":{"Exception":"OCP\\Http\\Client\\LocalServerException","Message":"Host violates local access rules","Code":0,"Trace":[{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php","line":64,"function":"OC\\Http\\Client\\{closure}","class":"OC\\Http\\Client\\DnsPinMiddleware","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":31,"function":"__invoke","class":"GuzzleHttp\\PrepareBodyMiddleware","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php","line":71,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php","line":63,"function":"__invoke","class":"GuzzleHttp\\RedirectMiddleware","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php","line":75,"function":"GuzzleHttp\\{closure}","class":"GuzzleHttp\\Middleware","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":331,"function":"__invoke","class":"GuzzleHttp\\HandlerStack","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":168,"function":"transfer","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***","*** sensitive parameters replaced ***"]},{"file":"/var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php","line":187,"function":"requestAsync","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Http/Client/Client.php","line":301,"function":"request","class":"GuzzleHttp\\Client","type":"->","args":["*** sensitive parameters replaced ***","https://office.example.com/lool/convert-to/png",["/var/www/html/data/files_external/rootcerts.crt",25,[["Closure"]],false,[["Nowy dokument (2).docx",null]],[false],["Nextcloud Server Crawler","gzip"],true]]},{"file":"/var/www/html/custom_apps/richdocuments/lib/Preview/Office.php","line":94,"function":"post","class":"OC\\Http\\Client\\Client","type":"->","args":["https://office.example.com/lool/convert-to/png",[25,false,[["Nowy dokument (2).docx",null]]]]},{"file":"/var/www/html/lib/private/Preview/ProviderV1Adapter.php","line":53,"function":"getThumbnail","class":"OCA\\Richdocuments\\Preview\\Office","type":"->","args":["Nowy dokument (2).docx",1024,1024,false,["OC\\Files\\View"]]},{"file":"/var/www/html/lib/private/Preview/GeneratorHelper.php","line":64,"function":"getThumbnail","class":"OC\\Preview\\ProviderV1Adapter","type":"->","args":[["OC\\Files\\Node\\File"],1024,1024]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":361,"function":"getThumbnail","class":"OC\\Preview\\GeneratorHelper","type":"->","args":[["OC\\Preview\\ProviderV1Adapter"],["OC\\Files\\Node\\File"],1024,1024]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":337,"function":"generateProviderPreview","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\SimpleFS\\SimpleFolder"],["OC\\Files\\Node\\File"],1024,1024,false,true,"application/vnd.openxmlformats-officedocument.wordprocessingml.document",""]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":143,"function":"getMaxPreview","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\SimpleFS\\SimpleFolder"],[],["OC\\Files\\Node\\File"],"application/vnd.openxmlformats-officedocument.wordprocessingml.document",""]},{"file":"/var/www/html/lib/private/Preview/Generator.php","line":110,"function":"generatePreviews","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\Node\\File"],[[32,32,true,"fill"]],"application/vnd.openxmlformats-officedocument.wordprocessingml.document"]},{"file":"/var/www/html/lib/private/PreviewManager.php","line":187,"function":"getPreview","class":"OC\\Preview\\Generator","type":"->","args":[["OC\\Files\\Node\\File"],32,32,true,"fill",null]},{"file":"/var/www/html/core/Controller/PreviewController.php","line":173,"function":"getPreview","class":"OC\\PreviewManager","type":"->","args":[["OC\\Files\\Node\\File"],32,32,true,"fill"]},{"file":"/var/www/html/core/Controller/PreviewController.php","line":141,"function":"fetchPreview","class":"OC\\Core\\Controller\\PreviewController","type":"->","args":[["OC\\Files\\Node\\File"],32,32,false,true,"fill",true]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"getPreviewByFileId","class":"OC\\Core\\Controller\\PreviewController","type":"->","args":[2121735,32,32,false,true,"fill",true]},{"file":"/var/www/html/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OC\\Core\\Controller\\PreviewController"],"getPreviewByFileId"]},{"file":"/var/www/html/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->","args":[["OC\\Core\\Controller\\PreviewController"],"getPreviewByFileId"]},{"file":"/var/www/html/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::","args":["OC\\Core\\Controller\\PreviewController","getPreviewByFileId",["OC\\AppFramework\\DependencyInjection\\DIContainer"],["core.Preview.getPreviewByFileId"]]},{"file":"/var/www/html/lib/base.php","line":1069,"function":"match","class":"OC\\Route\\Router","type":"->","args":["/core/preview"]},{"file":"/var/www/html/index.php","line":39,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/lib/private/Http/Client/DnsPinMiddleware.php","Line":150,"message":"Failed to convert file to preview","CustomMessage":"Failed to convert file to preview"}}

[joshtrichards]

Makes sense to me.

Have you attempted it with the suggested change in place?

The change would go here:

richdocuments/lib/Preview/Office.php

Lines 80 to 85 in cd6399a

	$client = $this->clientService->newClient();
	$options = [
	'timeout' => 25,
	// FIXME: Can be removed once https://github.com/CollaboraOnline/online/issues/6983 is fixed upstream
	'expect' => false,
	];

If it works for you, submit a PR please :)

[krzys-h]

I did not, because I've seen more occurrences of this throughout the code and wasn't sure whether the same fix may be needed there. For example, here is a really similar pattern in RemoteService, whatever it's used for. It even explicitly uses the internal URL, which probably should be in LAN.

richdocuments/lib/Service/RemoteService.php

Lines 24 to 33 in 0f55477

	$client = $this->clientService->newClient();
	try {
	$response = $client->put(
	$this->appConfig->getCollaboraUrlInternal(). '/cool/extract-link-targets',
	$this->getRequestOptionsForFile($file)
	);
	} catch (Exception $e) {
	$this->logger->warning('Failed to fetch extract-link-targets', ['exception' => $e]);
	return [];
	}

But here on the other hand, the code already sets allow_local_address correctly when fetching the Collabora server capabilities:

richdocuments/lib/Service/CapabilitiesService.php

Lines 160 to 161 in 0f55477

	$client = $this->clientService->newClient();
	$options = ['timeout' => 45, 'nextcloud' => ['allow_local_address' => true]];