proxy protocol #234

Open
Bloodboy1986 opened this issue Aug 16, 2023 · 1 comment
Comments

Bloodboy1986 commented Aug 16, 2023

Hello all,

I am using NC 27.0.2 and Collabora Built-in CODE Server 23.5.202 behind a haproxy.

Some time ago I enabled the proxy protocol in the haproxy and the apache2 configuration of the NC server. Since then the Collabora Built-in CODE server does not work anymore.

If I deactivate the proxy protocol again, the Collabora Built-in CODE server works again.

Is there a way to use the Collabora Built-in CODE Server and the proxy protocol at the same time? :)

The haproxy forwards everything that is meant for the NC/Collabora server to it; the SSL termination also happens there.
Attached are the configurations of haproxy and apache2:

```
# haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 10s
        timeout client  60s
        timeout server  60s
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
        mode http
        option httplog
        bind *:80
        option forwardfor

        acl host_nextcloud  hdr(host) -i xxx office.xxx
        acl host_webserver  hdr(host) -i shoppinglist.xxx test.xxx ip.xxx shoppinglist-test.xxx
        acl host_vpn        hdr(host) -i vpn.xxx

        use_backend http_nextcloud if host_nextcloud
        use_backend http_webserver if host_webserver
        use_backend http_vpn       if host_vpn

        #default_backend http_nextcloud2

backend http_nextcloud
        mode http
        option httplog
        option forwardfor
        server server1 192.168.222.23:80

backend http_webserver
        mode http
        option httplog
        option forwardfor
        server server1 192.168.222.48:80

backend http_vpn
        mode http
        option httplog
        option forwardfor
        server server1 192.168.222.27:80

frontend https_in
        mode tcp
        option tcplog
        bind *:443
        acl tls req.ssl_hello_type 1
        tcp-request inspect-delay 5s
        tcp-request content accept if tls

        acl host_nextcloud  req.ssl_sni -i xxx office.xxx
        acl host_webserver  req.ssl_sni -i shoppinglist.xxx ip.xxx shoppinglist-test.xxx test.xxx
        acl host_vpn        req.ssl_sni -i vpn.xxx

        use_backend https_nextcloud if host_nextcloud
        use_backend https_webserver if host_webserver
        use_backend https_vpn       if host_vpn

        #default_backend https_nextcloud2

backend https_nextcloud
        mode tcp
        option tcplog
        option ssl-hello-chk
        server server1 192.168.222.23:443
        #server server1 192.168.222.23:443 send-proxy
        #server server1 192.168.222.23:443 send-proxy-v2

backend https_webserver
        mode tcp
        option tcplog
        option ssl-hello-chk
        server server1 192.168.222.48:443 send-proxy

backend https_vpn
        mode tcp
        option tcplog
        option ssl-hello-chk
        server server1 192.168.222.27:443 send-proxy
```
```
# apache2 site configuration of the NC server
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
### YOUR SERVER ADDRESS ###

    ServerAdmin admin@xxx
    ServerName xxx

    RemoteIPProxyProtocol Off

### SETTINGS ###
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/php8.1-fpm.nextcloud.sock|fcgi://localhost"
    </FilesMatch>

    # Intermediate configuration
    Header add Strict-Transport-Security: "max-age=15552000;includeSubdomains"
    SSLEngine               on
    SSLCompression          off
    SSLProtocol             -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder     off
    SSLSessionTickets       off
    ServerSignature         off

    # Logs
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog ${APACHE_LOG_DIR}/error.log

    DocumentRoot /var/www/nextcloud

    <Directory /var/www/nextcloud>
    Options Indexes FollowSymLinks
    AllowOverride None
    ### include all .htaccess
    Include /var/www/nextcloud/.htaccess
    Include /var/www/nextcloud/config/.htaccess
    Include /mnt/ncdata/.htaccess
    ###
    Require all granted
    Satisfy Any
    </Directory>

    <IfModule mod_dav.c>
    Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud

    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    <Files ".ht*">
    Require all denied
    </Files>

    # Disable HTTP TRACE method.
    TraceEnable off
    # Disable HTTP TRACK method.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [R=405,L]

    # Avoid "Sabre\DAV\Exception\BadRequest: expected filesize XXXX got XXXX"
    <IfModule mod_reqtimeout.c>
    RequestReadTimeout body=0
    </IfModule>

### LOCATION OF CERT FILES ###

    SSLCertificateChainFile /etc/letsencrypt/live/xxx/chain.pem
    SSLCertificateFile /etc/letsencrypt/live/xxx/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
    SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/xxx/dhparam.pem
</VirtualHost>

### EXTRAS ###
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    SetEnv proxy-sendcl 1
```
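As an added example (not code from this issue, nor from HAProxy, Apache or Nextcloud), the following Python shows what `send-proxy` / `send-proxy-v2` actually prepends to a forwarded TCP connection, what a TLS listener makes of that first segment depending on whether it expects the PROXY header, and a consistency check between a haproxy backend's `send-proxy` and the Apache vhost's `RemoteIPProxyProtocol` setting. The config snippets and byte strings are constructed and modelled on the configuration above (including a commented-out `send-proxy` line, which the checker must ignore); all function names are my own.

```python
"""Added example (not from the issue or from HAProxy/Apache/Nextcloud code).

PROXY protocol v1/v2 header parsing, what a TLS listener makes of a
connection with or without that header, and a send-proxy vs
RemoteIPProxyProtocol consistency check over constructed config snippets.
"""
import re
import socket
import struct

# PROXY v1 is one text line; v2 starts with a fixed 12-byte binary signature.
V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"


def parse_proxy_header(data: bytes):
    """Return (header_info, payload); header_info is None when no PROXY header is present."""
    m = V1_RE.match(data)
    if m:
        info = {"version": 1, "proto": m.group(1).decode()}
        if m.group(2):
            info.update(src=m.group(2).decode(), dst=m.group(3).decode(),
                        sport=int(m.group(4)), dport=int(m.group(5)))
        return info, data[m.end():]
    if data.startswith(V2_SIG) and len(data) >= 16:
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("bad PROXY v2 version nibble")
        info = {"version": 2, "cmd": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL"}
        addr = data[16:16 + length]
        if fam_proto == 0x11 and length >= 12:  # AF_INET + SOCK_STREAM, i.e. TCP4
            src, dst, sport, dport = struct.unpack("!4s4sHH", addr[:12])
            info.update(proto="TCP4", src=socket.inet_ntoa(src),
                        dst=socket.inet_ntoa(dst), sport=sport, dport=dport)
        return info, data[16 + length:]
    return None, data


def classify_first_bytes(data: bytes, listener_expects_proxy: bool) -> str:
    """Describe a connection's first segment from the listener's point of view."""
    info, payload = parse_proxy_header(data)
    if info is None and listener_expects_proxy:
        return "missing-proxy-header"      # PROXY-aware listener rejects the connection
    if info is not None and not listener_expects_proxy:
        return "unexpected-proxy-header"   # mod_ssl reads 'PROXY TCP4 ...' where a TLS record belongs
    is_hello = len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03
    return "tls-client-hello" if is_hello else "not-tls"


def haproxy_send_proxy(cfg: str, backend: str) -> bool:
    """True if an active (uncommented) server line of `backend` uses send-proxy or send-proxy-v2."""
    in_backend = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out alternatives, as in the issue's config, must not count
        parts = line.split()
        if parts[0] in ("global", "defaults", "frontend", "backend", "listen"):
            in_backend = parts[0] == "backend" and len(parts) > 1 and parts[1] == backend
        elif in_backend and parts[0] == "server" and re.search(r"\bsend-proxy(-v2)?\b", line):
            return True
    return False


def apache_proxy_protocol(vhost: str) -> bool:
    """True if the vhost enables RemoteIPProxyProtocol (last uncommented directive wins)."""
    state = False
    for raw in vhost.splitlines():
        m = re.match(r"^RemoteIPProxyProtocol\s+(On|Off)\b", raw.strip(), re.IGNORECASE)
        if m:
            state = m.group(1).lower() == "on"
    return state


def check_consistency(haproxy_cfg: str, backend: str, apache_vhost: str) -> str:
    """Both sides must agree: the header is either sent and expected, or neither."""
    sends, expects = haproxy_send_proxy(haproxy_cfg, backend), apache_proxy_protocol(apache_vhost)
    if sends and not expects:
        return "MISMATCH: haproxy sends a PROXY header but RemoteIPProxyProtocol is Off"
    if expects and not sends:
        return "MISMATCH: RemoteIPProxyProtocol is On but haproxy sends no PROXY header"
    return "consistent: PROXY protocol on " + ("both sides" if sends else "neither side")


# Constructed samples modelled on the configs in the issue.
HAPROXY_WORKING = """backend https_nextcloud
        mode tcp
        server server1 192.168.222.23:443
        #server server1 192.168.222.23:443 send-proxy
"""
HAPROXY_SENDING = HAPROXY_WORKING.replace(":443\n", ":443 send-proxy\n", 1)
APACHE_OFF = "<VirtualHost *:443>\n    RemoteIPProxyProtocol Off\n</VirtualHost>\n"
APACHE_ON = APACHE_OFF.replace("Off", "On")
HELLO = b"\x16\x03\x01\x00\x05hello"   # truncated stand-in for a TLS 1.x ClientHello record
SEGMENT_V1 = b"PROXY TCP4 203.0.113.7 192.168.222.23 51234 443\r\n" + HELLO
SEGMENT_V2 = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
              + socket.inet_aton("203.0.113.7") + socket.inet_aton("192.168.222.23")
              + struct.pack("!HH", 51234, 443) + HELLO)

if __name__ == "__main__":
    print(parse_proxy_header(SEGMENT_V1)[0])
    print(classify_first_bytes(SEGMENT_V1, listener_expects_proxy=False))
    print(check_consistency(HAPROXY_SENDING, "https_nextcloud", APACHE_OFF))
    print(check_consistency(HAPROXY_SENDING, "https_nextcloud", APACHE_ON))
```

Changing only one side reproduces the failure mode: with `send-proxy` active and `RemoteIPProxyProtocol Off`, the first bytes Apache receives are the text line `PROXY TCP4 ...` rather than a TLS record, so mod_ssl cannot complete the handshake, and the reverse mismatch (Apache expecting a header that haproxy does not send) rejects the connection just as reliably. Note that `RemoteIPProxyProtocol On` makes Apache trust the client address in that header from any peer that reaches the listener, so the backend port should be reachable from haproxy only, with peers that legitimately connect without the header listed via `RemoteIPProxyProtocolExceptions`.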
joshtrichards (Contributor) commented:

Offhand I can't think of a reason why only the Built-in CODE would be impacted.

  • What do your Apache logs indicate?
  • What do your Nextcloud logs indicate?
  • What do your browser logs indicate?

You can try going to https://<your_nextcloud_fqdn>/custom_apps/richdocumentscode/proxy.php?status to access RDC status directly during your testing.

(Might be apps, not custom_apps, or even something different depending on your NC apps_paths config.)
