Wrong protocol for TemplateSource URL when using nextcloud behind a proxy

[k-jell]

Describe the bug
I run nextcloud behind a proxy (traefik) which does SSL-termination and another proxy for authentification:

browser ---> Traefik (https termination) ---> Auth Proxy ---> Nextcloud

collabora is setup in a similar way. But internally collabora and nextcloud can communicate over http using the internal ip addresses.

I have set overwriteprotocol to https. Now whenever I create a new document using the "New" Button and try to open it for the first time I get an error:

Failed to read document from storage, please try to load the document again.

Please check the Collabora Online server log for more details and make sure that Nextcloud can be reached from there.

The problem is that collabora gets the wrong URL from nextcloud (https instead of http which is used for the internal communication between collabora and nextcloud):

wsd-00009-00075 2024-04-11 13:40:45.834391 +0000 [ docbroker_004 ] DBG  WOPI::CheckFileInfo: {"BaseFileName":"New document (1).odt","DisableCopy":false,"DisableExport":false,"DisablePrint":false,"DownloadAsPostMessage":false,"EnableInsertRemoteImage":true,"EnableRemoteLinkPicker":true,"EnableShare":true,"HideExportOption":false,"HidePrintOption":false,"HideUserList":"","IsUserLocked":false,"LastModifiedTime":"2024-04-11T13:40:34.000000Z","OwnerId":"admin.example","PostMessageOrigin":"https://nextcloud28.example.org/","Size":1268,"SupportsLocks":false,"SupportsRename":true,"TemplateSource":"https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/112?access_token=FtHZIfsoGHjVmfG6EJ8uLmagI7CAkxJY","UserCanNotWriteRelative":false,"UserCanRename":true,"UserCanWrite":true,"UserExtraInfo":{"avatar":"https://10.66.60.1:9968/avatar/admin.example/64","is_admin":true},"UserFriendlyName":"admin.example","UserId":"admin.example","UserPrivateInfo":{"ZoteroAPIKey":""},"Version":"0"}| wsd/Storage.cpp:835

Then collabora fails to open the document (see logs).

If I disable overwriteprotocol it does work, but this brings other problems (the authproxy redirect having the wrong scheme - I am using the sociallogin app).

All other communication with collabora works fine.

This is where the URL is set:

richdocuments/lib/Controller/WopiController.php

Lines 196 to 199 in 7c5bc7a

	if ($wopi->hasTemplateId()) {
	$templateUrl = 'index.php/apps/richdocuments/wopi/template/' . $wopi->getTemplateId() . '?access_token=' . $wopi->getToken();
	$templateUrl = $this->urlGenerator->getAbsoluteURL($templateUrl);
	$response['TemplateSource'] = $templateUrl;

But we explicitly set the wopi_callback_url so I think that should be used instead of the generated URL here.

Expected behavior
Create document and being able to open it without error. Correct IP is sent to collabora.
Nextcloud version:

Server details

Operating system:

Web server:

Database:

PHP version:

Nextcloud version:
28.0.3
Version of the richdocuments app
8.3.2
Version of Collabora Online
23.05.8.2.1
Configuration of the richdocuments app

{
    "apps": {
        "richdocuments": {
            "disable_certificate_verification": "yes",
            "enabled": "yes",
            "installed_version": "8.3.3",
            "public_wopi_url": "https:\/\/collabora.example.org",
            "types": "prevent_group_restriction",
            "wopi_callback_url": "http:\/\/10.66.60.1:9968",
            "wopi_url": "http:\/\/10.66.60.1:9948"
        }
    }
}

Logs

Collabora log

wsd-00009-00167 2024-04-11 16:07:14.247072 +0000 [ docbroker_00b ] ERR  WOPI::GetFile [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj] failed with Status Code: 0 (Unknown)| wsd/Storage.cpp:1149
wsd-00009-00167 2024-04-11 16:07:14.247105 +0000 [ docbroker_00b ] ERR  Could not download template from [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj]. Error: WOPI::GetFile [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj] failed: | wsd/Storage.cpp:1045
wsd-00009-00167 2024-04-11 16:07:14.247164 +0000 [ docbroker_00b ] ERR  loading document exception: WOPI::GetFile [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj] failed: | wsd/DocumentBroker.cpp:2679
wsd-00009-00167 2024-04-11 16:07:14.247190 +0000 [ docbroker_00b ] ERR  Failed to add session to [http%3A%2F%2F10.66.60.1%3A9968%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F149_ock7mh6x4x26] with URI [http://10.66.60.1:9968/index.php/apps/richdocuments/wopi/files/149_ock7mh6x4x26?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj&access_token_ttl=0]: WOPI::GetFile [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj] failed: | wsd/DocumentBroker.cpp:2641
wsd-00009-00167 2024-04-11 16:07:14.247214 +0000 [ docbroker_00b ] ERR  Storage error while starting session on http%3A%2F%2F10.66.60.1%3A9968%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F149_ock7mh6x4x26 for socket #18. Terminating connection. Error: WOPI::GetFile [https://10.66.60.1:9968/index.php/apps/richdocuments/wopi/template/113?access_token=ysFUCxMxIewOUV8SpCJak3iCFsxKKLZj] failed: | wsd/COOLWSD.cpp:5434
wsd-00009-00167 2024-04-11 16:07:14.247311 +0000 [ docbroker_00b ] ERR  #18: Socket write returned -1 (EPIPE: Broken pipe)| net/Socket.hpp:1445
wsd-00009-00167 2024-04-11 16:07:14.255385 +0000 [ docbroker_00b ] ERR  #26: Read failed, have 0 buffered bytes (ECONNRESET: Connection reset by peer)| net/Socket.hpp:1137
wsd-00009-00167 2024-04-11 16:07:14.255415 +0000 [ docbroker_00b ] WRN  #26: Unassociated Kit (158) disconnected unexpectedly| wsd/COOLWSD.cpp:3851

[juliushaertl]

Thanks a lot for reporting and providing such a insightful issue.

I prepared a fix for this in #3580, testing is very welcome :)