Allow List for WOPI requests
-
@michaelpope Well, the issues is it was working for a couple of months, then just stopped. Absolutely no settings changed, so I expect something in the Nextcloud Cloudron App update or restart changed something.
The screenshot above shows that Nextcloud can access Collabora using that address, so it is difficult to know if this is a causation issue or just coincidence that it also wanted a WOPI value recently, something I'd not seen before.
-
@marcusquinn said in Allow List for WOPI requests:
@michaelpope Well, the issues is it was working for a couple of months, then just stopped. Absolutely no settings changed, so I expect something in the Nextcloud Cloudron App update or restart changed something.
The screenshot above shows that Nextcloud can access Collabora using that address, so it is difficult to know if this is a causation issue or just coincidence that it also wanted a WOPI value recently, something I'd not seen before.
Hmmm... not sure what's up then...
This is going to sound weird... but have you tried a loopback address for the WOPI? Like 127.0.0.1?
-
@michaelpope Thanks for the creative thinking, we never know, huh! I just went to test this idea, and saw the 26.0.2 update has run — and guess what? It's just working again, all by itself. Nothing I did. So, maybe just something an app restart fixed.
I have some minor customisations, just in having the LibreSign bits installed, but nothing unofficial running.
I like to be verbose on issues in these forums, as they are like a Wiki for my future self and the Cloudron hive-mind, for if anything happens again, we have notes.
-
@ntnsndr said in Allow List for WOPI requests:
Using 172.18.0.0/16 worked for me on the WOPI whitelist when using built-in CODE server.
Thank you. I think this is worth mentioning in the CODE setup documentation (https://docs.cloudron.io/apps/collabora/)
-
This setting is locking down the nextcloud host to only accept WOPI requests from collabora on that subnet, which is the local docker network on Cloudron. I have tried this here and setting
172.18.0.0/16
works as expected. Do you have any more information about the issue? -
-
I digged a bit deeper in and here are the logs for two requests for the same document. The first one is with the WOPI adress as documented and the second one it with my external real ipv4 adress. Withe the external real ipv4 adress it works and i can open the documents. i found that here "https://github.com/nextcloud/richdocuments/issues/2685"
With Wopi Adress 172.18.0.0/16:
"GET /index.php/apps/richdocuments/wopi/files/542576_oc2a6lhu6gbc?access_token=vmAdhoDd9DnOnITRqNn235KjCmxEUwjp&access_token_ttl=0 HTTP/1.1" 403 2 "-" "COOLWSD HTTP Agent 24.04.7.1"
"GET /index.php/apps/richdocuments/wopi/files/542576_oc2a6lhu6gbc?access_token=vmAdhoDd9DnOnITRqNn235KjCmxEUwjp&access_token_ttl=0&permission=edit HTTP/1.1" 403 2 "-" "COOLWSD HTTP Agent 24.04.7.1"With Wopi Adress real IPv4 Adress :
"GET /index.php/apps/richdocuments/wopi/files/542576_oc2a6lhu6gbc?access_token=YGfINlPRSbkt7OLGw3VHMxuFSE19cX1v&access_token_ttl=0 HTTP/1.1" 200 853 "-" "COOLWSD HTTP Agent 24.04.7.1"
"GET /index.php/apps/richdocuments/wopi/files/542576_oc2a6lhu6gbc/contents?access_token=YGfINlPRSbkt7OLGw3VHMxuFSE19cX1v&access_token_ttl=0 HTTP/1.1" 200 6345 "-" "COOLWSD HTTP Agent 24.04.7.1" -
I am no WOPI expert and also cannot reproduce this still. A 403 status code would to me more look like the accesstoken (which is different in both requests you pasted) is invalid. But could be that Nextcloud does return a 403 also for blocked IPs. You have to ask the upstream developers for such details.
One idea, can you double check which IP range your local
cloudron
docker network uses? You can do this via SSHdocker network inspect cloudron