Configuration
The postinstall script of coolwsd package added a non-privileged user to the system: cool . Collabora Online service will be run by cool user. Also the service was registered to systemd, enabled on system start and started. Useful commands:
systemctl enable coolwsd– enable coolwsd on system startsystemctl disable coolwsd– disable coolwsd on system startsystemctl status coolwsd– check status of coolwsdsystemctl stop coolwsd– stop coolwsd servicesystemctl start coolwsd– start coolwsd servicesystemctl restart coolwsd– stop then start coolwsd servicejournalctl -u coolwsd– read the log produced by coolwsd
Collabora Online has to be configured before use. Most of the options have sensible defaults.
Collabora online has layered configuration, which means that settings are read from /etc/coolwsd/coolwsd.xml but can be overridden by command line switches (for example in systemd’s coolwsd.service file). By using --o:name=value the setting called name can be replaced by value. For example: --o:per_document.max_concurrency=12. This will override the max_concurrency to 12, regardless of what the XML has set.
Default configuration entries and values are set before loading the configuration file from disk. This ensures that an upgrade to the server with new configuration entries will not break the server when the XML is not upgraded, rather, the server will fallback to the defaults when it fails to find the entry in the XML.
The coolwsd service has to be restarted after a change in configuration.
User interface settings
With Collabora Online 6.4 the systems administrator can set the classic menu + toolbar user interface or the new notebookbar user interface. See the user_interface.mode setting in the configuration file.
With Collabora Online 21.11 the use of classic and notebookbar is deprecated , use compact for classic and use tabbed for notebookbar. See the user_interface.mode setting in the configuration file.
Network settings
Collabora Online can use IPv4, IPv6 or both. By default it uses both. See the net.proto setting config file.
It is possible for a coolwsd server to bind to localhost only, which makes sense, when it is used behind a reverse proxy. The corresponding setting is net.listen.
It is possible to use a different service root than the toplevel. If the rules of your organization do not permit running services in the root, you can use a subpath for it, like https://example.org/IT/CollaboraOnline by setting /IT/CollaboraOnline as the net.service_root in the configuration file.
SSL configuration
Collabora Online uses WOPI protocol, which mandates SSL. However, it is possible to run Collabora Online server without SSL, it is configurable. Basically there are 3 modes:
SSL
SSL termination
No SSL
When SSL is enabled, in /etc/coolwsd/coolwsd.xml the path to SSL key, SSL certificate and SSL CA certificate has to be given in the ssl block. This also implies that it is recommended to run coolwsd from a server which name is in DNS (e.g. hostname.example.com), and it has proper SSL certificate. Restart coolwsd, check the status of the service, and if it is running, you can try if you can connect to it via SSL:
curl -v https://hostname.example.com:9980/hosting/discovery
If it fails, you have to debug SSL settings.
For testing purposes it is OK to use self signed certificates. Since Collabora Online 2.1 we no longer ship self signed certificate for localhost, for security reasons. You can create the necessary files yourself. The following example creates a certificate for hostname.example.com by a newly created dummy certificate authority. The resulting .pem files are copied to default configuration directory of coolwsd.
1 mkdir -p /opt/ssl/
2 cd /opt/ssl/
3 mkdir -p certs/ca
4 openssl genrsa -out certs/ca/root.key.pem 2048
5 openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
6 mkdir -p certs/{servers,tmp}
7 mkdir -p "certs/servers/hostname.example.com"
8 openssl genrsa -out "certs/servers/hostname.example.com/privkey.pem" 2048 -key "certs/servers/hostname.example.com/privkey.pem"
9 openssl req -key "certs/servers/hostname.example.com/privkey.pem" -new -sha256 -out "certs/tmp/hostname.example.com.csr.pem" -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=hostname.example.com"
10 openssl x509 -req -in certs/tmp/hostname.example.com.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/hostname.example.com/cert.pem -days 9131
11 mv certs/servers/hostname.example.com/privkey.pem /etc/coolwsd/key.pem
12 mv certs/servers/hostname.example.com/cert.pem /etc/coolwsd/cert.pem
13 mv certs/ca/root.crt.pem /etc/coolwsd/ca-chain.cert.pem
The SSL termination option in the config file enables integration of Collabora Online with SSL termination proxies, which handle incoming SSL connections, decrypt the SSL and pass on the unencrypted request to the server. In this setup only the proxy server has to have proper SSL settings, Collabora Online server is hidden behind it, and Collabora Online communicates unencrypted with the proxy.
If you set both enable and termination settings to false in /etc/coolwsd/coolwsd.xml, then Collabora Online can be used in a HTTP-only environment, without encryption between browser and server. It is not recommended to use Collabora Online in this mode, but for testing only it is OK.
You can set the list of accepted SSL ciphers with the cipher_list setting. The default cipher list is: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH.
Security settings
Security settings are configurable, and coolwsd is allowed to run without seccomp and capabilities. There are some significant security trade-offs here which are now at least configurable. It is recommended to use the defaults. See the security section in /etc/coolwsd/coolwsd.xml.
Validating digital signatures
Collabora Online uses NSS (Mozilla’s Network Security Services) for validation of digital signatures. NSS comes with default configuration that includes a few trusted root CAs, but users may want to import their own trusted root CAs.
The certificates.database_path configuration option in /etc/coolwsd/coolwsd.xml specifies the NSS certificate database that should be used with Collabora Online. This database should be readable by the coolwsd process.
Custom root certificates can be imported into this database. For detailed instructions about creating NSS certificate database and importing certificates, please refer to the manual of the certutil tool, that is provided by mozilla-nss-tools, nss-tools or libnss3-tools package, depending on the Linux distribution.
Backend storage configurations
Currently there are two backend storages are implemented: file system and WOPI.
File system storage is disabled by default, and should not be used in production environment. It is insecure by nature, because it serves any file that the cool user can read from the local file system, including /etc/coolwsd/coolwsd.xml, /etc/passwd and so on. It can be used for testing only. To enable:
<filesystem allow=”true” />
or
--o:storage.filesystem[@allow]=true
WOPI on the other hand is the recommended backend storage. WOPI is Web Application Open Platform Interface, a protocol based on open standard for remote document access with authentication. Collabora Online accepts connection requests only from trusted WOPI hosts. The administrator has to list the host names and/or IP addresses of these trusted WOPI hosts in the storage.wopi block. Please note that connection requests from the same machine are always accepted.
Logging
See the <logging> section in /etc/coolwsd/coolwsd.xml. Set the log level and verbosity to one of: none (turns off logging), fatal, critical, error, warning, notice, information, debug, trace. The default log level is warning. If <color> is set to true, then coolwsd will generate logging information containing console color codes. It is possible to redirect logs to a file. The trace file defined in <trace> section provides extra debug information.
Performance
There are two performance related settings.
One is num_prespawn_children. It is the number of child processes to keep started in advance and waiting for new clients. More prespawn children consume more memory, but server answers more quickly to requests under load. The default is 1.
The other is per_document.max_concurrency which limits the number of threads to use while processing a document. The default here is 4.
Allowed dictionary languages
When there are a lot of spellchecker dictionaries and thesauri installed on a system, it may take considerable time at startup to preload them. Therefore by default, only dictionaries for the following languages are enabled:
allowed_languages setting, you can add or remove language tags as needed. de_DE en_GB en_US es_ES fr_FR it pt_BR pt_PT ru
Admin Console
You can do live monitoring of all the user sessions running on Collabora Online instance. The Admin Console URL is:
https://*hostname*:*port*/browser/dist/admin/admin.html
Port is 9980 by default. It will ask for username and password which is set in the admin_console block of /etc/coolwsd/coolwsd.xml or by --o:admin_console.username=username and --o:admin_console.password=password in coolwsd command line. You must set username and password. Admin Console is disabled if either of these are not set.
Note: it is possible to set up a password that is stored as salted hash in the config file, instead of plain text. This is the recommended way to set up password for the Admin Console. Use the coolconfig utility.
Note: there is support for authentication with PAM, if it is set up for coolwsd in the system. For example, with a simple /etc/pam.d/coolwsd config below, the user which runs coolwsd (‘cool’ in production environment) can login to admin console with normal linux password.
1 auth required pam_unix.so
2 account required pam_unix.so
After entering the correct password you should be able to monitor the live documents opened, total users, memory consumption, document URLs with number of users viewing that document etc. You can also kill the documents directly from the panel which would result in closing the socket connection to the respective document.
The admin-console front-end presents and fetches its data via a defined web socket protocol, which can be used to collect information programatically to integrate with other monitoring and control solutions. For the websocket protocol details of Admin Console, see the Admin Console section in the protocol documentation:
https://github.com/CollaboraOnline/online/blob/master/browser/README
and
https://github.com/CollaboraOnline/online/blob/master/wsd/protocol.txt .
It is simple to subscribe to receive client notifications, query the open documents and change server settings.
Monitoring usage metrics
Collabora Online is capable of providing a wide variety of metrics related to system usage, eg. memory or CPU use, number of running kit processes or views in document sessions etc. The metrics can be retrieved in Prometheus-compatible format via the following URL:
https://*hostname*:*port*/cool/getMetrics
The URL uses the same authentication as the admin console. The available metrics are listed at: https://github.com/CollaboraOnline/online/blob/master/wsd/metrics.txt .
Feature Locking
Collabora Online provides a way to lock the user out from using certain features or make them read-only users. When a user clicks on a feature that is locked, the user will be prompted with a popup with details about unlocking. To disable any feature you can specify its UNO command in the locked_commands field. When a locked user is treated with read-only permission locked_commands option is ignored. Other related options can be found in coolwsd.xml. To mark a user locked, the WOPI client should return CheckFileInfo containing a field IsUserLocked with a boolean value.
To make the locked users read-only set is_lock_readonly setting to true.
To allow/deny feature_lock per WOPI host:
<locked_hosts desc="Allow/deny feature-locked hosts. When allowed, the below host specification overrides the CheckFileInfo response." allow="true">
<fallback desc="What to do if the given host is not covered by any rule in locked_hosts" read_only="true" disabled_commands="true"/>
<host desc="Regex pattern of hostname to set as full-featured or locked." read_only="false" disabled_commands="false">pattern1</host>
</locked_hosts>
Please note that locked_hosts allow should be true to enable allow/deny feature_lock per WOPI host. If host pattern does not match for locked_host the fallback setting will be applied.
This also overwrites the isUserLocked CheckFileInfo response.
isUserLocked is passed and locked_hosts’s allow=true then COOL will follow the locked_hosts settings i.e. if host is mentioned in locked_hosts then it will follow that settings else it will follow fallback settingsis_lock_readonly is set to true COOL will make all the locked_host readonly who has disabled_commands set to trueFeature Restriction
Collabora provides a way to completely disable/hide certain features from the user. You can specify the feature’s UNO command to disable it in restricted_commands. To mark a user restricted, the WOPI client should return CheckFileInfo containing a field IsUserRestricted with a boolean value.
Multihost Configuration
To use multiple host and aliases with one COOL server you have to set alias_groups mode attribute to ‘groups’ and define group for each intergrator’s instance.
<alias_groups desc="default mode is 'first' it allows only the first host when groups are not defined. set mode to 'groups' and define group to allow multiple host and its aliases" mode="groups">
<!-- If you need to use multiple wopi hosts, please change the mode to "groups" and
add the hosts below. If one host is accessible under multiple ip addresses
or names, add them as aliases. -->
<group>
<host desc="hostname to allow or deny." allow="true">https://host1:443</host>
</group>
<group>
<host desc="hostname to allow or deny." allow="true">https://host2:443</host>
<alias desc="regex pattern of aliasname">https://aliasname[0-9]{1}:443</alias>
</group>
<!-- More "group"s possible here -->
</alias_groups>
You can add multiple groups. Here host1 and host2 can be any service COOL has integration with Available integrations.
Remote/Dynamic Configuration
These changes can be now done without restarting Collabora server. Collabora server will request a JSON response to the remote server every 60 second and if there is new changes in JSON it will overwrite coolwsd.xml settings. Thus, adding the respective WOPI hosts and locked_hosts to the allow/deny list. The configuration will take effect the next time a document gets open.
Note: Collabora uses ETag header to identify whether the JSON is changed from last request or not. Therefore it is recommended to add ETag header in JSON response of remote server
Enable remote server configuration by adding url
<remote_config >
<remote_url desc="remote server to which you will send request to get remote config in response" type="string" default="">https://server_url_endpoint</remote_url>
</remote_config>
JSON format
Configuration will be overwritten if JSON response has been changed
{
"kind": "configuration",
"remote_font_config":
{
"url": "https://.../fonts.json"
},
"storage":
{
"wopi":
{
"alias_groups":
{
"mode" : "groups",
"groups":
[
{ "host": "scheme://hostname:port", "allow": "true" , "aliases": ["scheme://aliasname1:port", "scheme://alias-regex-pattern:port”]},
]
}
}
},
"feature_locking":
{
"locked_hosts":
{
"allow":"true",
"hosts":
[
{ "host": "pattern1", "read_only": true, "disabled_commands": true },
{ "host": "pattern2", "read_only": false, "disabled_commands": true },
]
},
// unlock dialog customization
"unlock_image": "https://<hostname>/static/<image_endpoint>",
"translations":
[
{
"language": "de",
"unlock_title": "Gehen Sie zur Detailseite und entdecken Sie alle Funktionen:",
"writer_unlock_highlights": "Überprüfen und schreiben Sie mit Leichtigkeit",
"calc_unlock_highlights": "Machen Sie sich ein besseres Bild von Ihren Daten",
"impress_unlock_highlights": "Bringen Sie Ihre nächste Präsentation auf den Punkt",
"draw_unlock_highlights": "Zeichne und organisiere dich",
},
// more translations possible
]
},
}
Please note that JSON response is checked every minute for changes. Every block in JSON is optional i.e. you can use any of the
remote_font_config, storage, feature_locking JSON individually.
JSON config will overwrite values given in coolwsd.xml file i.e.
groups tag will overwrite all host tags in wopi section.
locked_hosts allow should be true to enable allow/deny feature_lock per WOPI host. If host pattern does not match for locked_host, the fallback setting will be applied.
unlock_image and translations will overwrite respective xml:value pair in feature_locking section
Enable download and availability of more fonts by pointing to a font configuration file
<remote_font_config>
<url desc="URL of optional JSON file that lists fonts to be included in Online" type="string" default="">https://someserver/path/file.json</url>
</remote_font_config>
Remote font configuration JSON format
The JSON file pointed to by the above should have contents like in this example
{
"kind": "fontconfiguration",
"server": "Some pretty name",
"fonts": [
{
"uri": "https://somehost/path/f1.ttf"
},
{
"uri": "https://someotherhost/path/f2.ttf",
"stamp": "foo3"
},
{
"uri": "https://whatever/path/x42.ttf"
}
]
}
The JSON file is re-downloaded and scanned whenever it has changed. This is checked once a minute.
If an element in the fonts array has a stamp property then the
font file will be re-downloaded and taken into use whenever the stamp
has been changed. (And the old version of the font is forgotten.) The
stamp can be any string, its contents is not interpreted in any way.
The only thing checked is whether it changes. If no stamp property is
provided, the web server in question is queried once a minute to check
whether the font file has been updated.
The name of a font file is irrelevant. The name of the font is read from the contents of the file. The file should be a TrueType or OpenType font.
Other settings
See /etc/coolwsd/coolwsd.xml for other settings, everything is documented there.