Proxy settings

The server part of Collabora Online (the loolwsd daemon) listens on port 9980 by default, and clients must be able to reach it on that port. Sometimes this is not possible: for example, a corporate firewall may allow only the ports of well-known services, such as port 80 (HTTP) and port 443 (HTTPS). The loolwsd daemon is configurable and can use a port other than 9980; the port is set with the command line option --port. However, it cannot use port 443, for example, when a web server running on the same machine is already bound to that port. A reverse proxy setup is also required when you want to set up load balancing.

Reverse proxy with Apache 2 webserver

We assume that loolwsd and Apache2 are running on the same server, collaboraonline.example.com. For this to work, follow the steps below:

  • Set the server name in Collabora Online configuration

  • Enable the required Apache2 modules

  • Add reverse proxy settings to Apache2 configuration file

Configure Collabora Online

The Collabora Online configuration file is /etc/loolwsd/loolwsd.xml. Look for the setting server_name, which is empty by default, and enter the host name there, for example collaboraonline.example.com. This is necessary because the proxy forwards requests to localhost. Responses from the loolwsd server must contain the original host name, otherwise the connection will fail.
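One way to check the host name requirement described above is to inspect the discovery document served at /hosting/discovery and confirm that every advertised URL carries the public host name. This is an added example, not part of Collabora's documentation or code; it assumes the usual WOPI discovery layout (action elements with a urlsrc attribute), and the two sample documents and the path segment abc1234 are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed discovery documents (trimmed to one action each), not real output.
# GOOD is what a WOPI host should see through the proxy; BAD leaks the backend.
GOOD = """<wopi-discovery><net-zone name="external-http"><app name="writer">
  <action ext="odt" name="edit"
          urlsrc="https://collaboraonline.example.com/loleaflet/abc1234/loleaflet.html?"/>
</app></net-zone></wopi-discovery>"""
BAD = GOOD.replace("collaboraonline.example.com", "127.0.0.1:9980")


def check_discovery(xml_text, public_host, scheme="https"):
    """Return (ext, urlsrc, reason) for each action that does not advertise
    scheme://public_host, i.e. a URL a browser outside the proxy cannot use."""
    problems = []
    for action in ET.fromstring(xml_text).iter("action"):
        urlsrc = action.get("urlsrc", "")
        parts = urlsplit(urlsrc)
        if parts.scheme != scheme:
            reason = "scheme %r, expected %r" % (parts.scheme, scheme)
        elif parts.netloc.lower() != public_host.lower():
            # netloc includes the port, so a leaked ":9980" is reported too
            reason = "host %r, expected %r" % (parts.netloc, public_host)
        else:
            continue
        problems.append((action.get("ext", ""), urlsrc, reason))
    return problems


if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(doc, "collaboraonline.example.com"))
```

In practice, pass it the response body fetched from the proxy's /hosting/discovery URL; an empty list means every advertised URL points at the public host.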

Required Apache2 modules

The Apache2 web server is modular, so the modules required for this reverse proxy setup have to be enabled. Use the a2enmod command to enable them. If a module is already enabled, nothing happens.

  • Enable proxy in general: a2enmod proxy

  • Enable proxy for HTTP protocol: a2enmod proxy_http

  • Enable SSL support: a2enmod proxy_connect

  • Enable proxy of websockets: a2enmod proxy_wstunnel

On CentOS / RHEL, a2enmod is not available. Modules are enabled by editing a config file and adding the LoadModule directive yourself. See server-world.info on CentOS.

Reverse proxy settings in Apache2 config (SSL)

These lines should be inserted into the <VirtualHost> definition of the site.

 ########################################
 # Reverse proxy for Collabora Online
 #
 ########################################


 AllowEncodedSlashes NoDecode
 SSLProxyEngine On
 ProxyPreserveHost On


 # cert is issued for collaboraonline.example.com and we proxy to localhost,
 # so certificate and name checks on the backend connection are disabled
 SSLProxyVerify None
 SSLProxyCheckPeerCN Off
 SSLProxyCheckPeerName Off


 # static html, js, images, etc. served from loolwsd
 # loleaflet is the client part of Collabora Online
 ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
 ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet


 # WOPI discovery URL
 ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/lool/(.*)/ws$"      wss://127.0.0.1:9980/lool/$1/ws nocanon


 # Admin Console websocket
 ProxyPass           /lool/adminws wss://127.0.0.1:9980/lool/adminws


 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /lool https://127.0.0.1:9980/lool
 ProxyPassReverse    /lool https://127.0.0.1:9980/lool

Reverse proxy settings in Apache2 config (SSL termination)

These lines should be inserted into the <VirtualHost> definition of the site. The configuration is basically the same as in the previous section (SSL), but in this case the connection between the proxy and the Collabora Online server is HTTP-only.

 ########################################
 # Reverse proxy for Collabora Online
 #
 ########################################


 AllowEncodedSlashes NoDecode
 ProxyPreserveHost On


 # static html, js, images, etc. served from loolwsd
 # loleaflet is the client part of Collabora Online
 ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
 ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet


 # WOPI discovery URL
 ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities


 # Main websocket
 ProxyPassMatch      "/lool/(.*)/ws$"      ws://127.0.0.1:9980/lool/$1/ws nocanon


 # Admin Console websocket
 ProxyPass           /lool/adminws ws://127.0.0.1:9980/lool/adminws


 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /lool http://127.0.0.1:9980/lool
 ProxyPassReverse    /lool http://127.0.0.1:9980/lool

Reverse proxy with Nginx webserver

Add a new server block to your nginx config for collaboraonline.example.com.

server {
 listen       443 ssl;
 server_name  collaboraonline.example.com;


 ssl_certificate /path/to/certificate;
 ssl_certificate_key /path/to/key;


 # static files
 location ^~ /loleaflet {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }


 # WOPI discovery URL
 location ^~ /hosting/discovery {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }


 # Capabilities
 location ^~ /hosting/capabilities {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }


 # main websocket
 location ~ ^/lool/(.*)/ws$ {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
 }


 # download, presentation and image upload
 location ~ ^/lool {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }


 # Admin Console websocket
 location ^~ /lool/adminws {
   proxy_pass https://127.0.0.1:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
 }
}

Load balancing

For Collaborative Editing to function correctly, it is vital that all users editing the same document are served by the same Collabora Office instance. With the WOPI protocol, the HTTPS URL includes a unique identifier (WOPISrc) for the document. Load balancing can therefore be done on WOPISrc, ensuring that all URLs that contain the same WOPISrc are sent to the same Collabora Office instance.

Note: All load balanced nodes must run the same version of Collabora Online. Currently it is not possible to run different versions on different nodes, e.g. upgrade Collabora Online on one node, and leave the old version on another node. The WOPI discovery.xml served by Collabora Online through the load balancer contains version specific URLs.

Example with HAProxy

In this example we will do load balancing between two Collabora Online server instances, which are running in Docker containers. Load balancing is based on the WOPISrc URL parameter.

The browser reaches the proxy over HTTPS. The proxy terminates the HTTPS connection and passes traffic to the backends via HTTP. Therefore, in Collabora Online's config file, /etc/loolwsd/loolwsd.xml, or on the command line that starts the loolwsd daemon, SSL should be disabled and SSL termination should be enabled.

Add the following blocks to /etc/haproxy/haproxy.cfg:

frontend loolwsd
  bind *:443 ssl crt /path/to/your/certificate_and_key.pem
  mode http
  default_backend loolwsd
backend loolwsd
  timeout tunnel 3600s
  mode http
  balance url_param WOPISrc check_post
  hash-type consistent
  server loolwsd01 127.0.0.1:9993
  server loolwsd02 127.0.0.1:9994

Start Docker containers as described above, with -p 127.0.0.1:9993:9980 and -p 127.0.0.1:9994:9980.
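The requirement that every request for one document reaches the same instance can be checked after the fact from proxy logs. The following is an added example, not part of Collabora's documentation; it assumes a simplified log layout of backend name, method and request URL, and the sample lines and request paths are constructed (only the server names loolwsd01 and loolwsd02 come from the configuration above).

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in a simplified "<backend> <method> <URL>" layout;
# this is not HAProxy's or Nginx's native log format.
SAMPLE_LOG = """\
loolwsd01 GET /lool/doc/ws?WOPISrc=https%3A%2F%2Fwopi.example.org%2Ffiles%2F42&compat=/ws
loolwsd01 POST /lool/doc/upload?WOPISrc=https%3A%2F%2Fwopi.example.org%2Ffiles%2F42
loolwsd02 GET /lool/doc/ws?WOPISrc=https%3A%2F%2Fwopi.example.org%2Ffiles%2F43&compat=/ws
loolwsd01 GET /lool/doc/ws?WOPISrc=https%3A%2F%2Fwopi.example.org%2Ffiles%2F44&compat=/ws
loolwsd02 GET /lool/doc/ws?WOPISrc=https%3A%2F%2Fwopi.example.org%2ffiles%2f44&compat=/ws
loolwsd02 GET /hosting/discovery
"""


def backends_per_document(lines):
    """Map each percent-decoded WOPISrc value to the set of backends that served it."""
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not a line in the assumed layout
        backend, _method, url = fields
        values = parse_qs(urlsplit(url).query).get("WOPISrc")
        if not values:
            continue  # requests such as /hosting/discovery carry no WOPISrc
        seen[values[0]].add(backend)
    return seen


def split_documents(lines):
    """Return {WOPISrc: [backends]} for documents served by more than one backend."""
    return {src: sorted(b) for src, b in backends_per_document(lines).items()
            if len(b) > 1}


if __name__ == "__main__":
    for src, backends in split_documents(SAMPLE_LOG.splitlines()).items():
        print("document served by several instances:", src, backends)
```

Values are percent-decoded before comparison, so the last two document requests in the sample, which differ only in the case of their escapes, are reported as one document split across both backends.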

Example with Nginx

Just like in the previous section (HAProxy), the Nginx load balancer also utilizes the WOPISrc URL parameter. In this example SSL settings are managed by Certbot (see https://letsencrypt.org/). The load balancer server listens on standard HTTPS port 443, and HTTP port 80 is redirected to HTTPS port 443. The loolwsd servers are reached through port 9980 directly (private network). The address for the outside world (for WOPI hosts) is loolwsd.public.example.com.

upstream loolwsd {
  zone loolwsd 64k;
  hash $arg_WOPISrc;

  server loolwsd1.private:9980;
  server loolwsd2.private:9980;
}

server {
  listen 80 default_server;
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/1b255632-ce4b-4581-9e80-16f701c27034.pub.cloud.scaleway.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/1b255632-ce4b-4581-9e80-16f701c27034.pub.cloud.scaleway.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

  if ($scheme != "https") {
    return 301 https://$host$request_uri;
  } # managed by Certbot

  server_name loolwsd.public.example.com;

  location / {
    proxy_pass                 http://loolwsd;
    proxy_set_header           Host $host;
    proxy_http_version         1.1;
    proxy_set_header           Upgrade $http_upgrade;
    proxy_set_header           Connection "upgrade";
    client_max_body_size       0;
  }
}

robots.txt

When you use Collabora Online behind a reverse proxy, add Disallow: /loleaflet/* to your robots.txt file.