Différences entre les versions de « Collabora CODE »

De Linux Server Wiki
Aller à la navigation Aller à la recherche
Ligne 76 : Ligne 76 :
 
==Exemple de proxy apache==
 
==Exemple de proxy apache==
  
Notez que cette configuration est valide si votre instance Collabora utilise un certificat SSL (autosigné ou non). Reportez vous à https://www.collaboraoffice.com/code/apache-reverse-proxy/ pour les autres cas de figure.
+
Notez que cette configuration est valide si votre instance Collabora utilise un certificat SSL (autosigné ou non). Reportez vous à https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html pour les autres cas de figure.
  
 
<pre>
 
<pre>
Ligne 89 : Ligne 89 :
 
   SSLCertificateKeyFile /path/to/private/key
 
   SSLCertificateKeyFile /path/to/private/key
  
  # Encoded slashes need to be allowed
+
AllowEncodedSlashes NoDecode
  AllowEncodedSlashes NoDecode
+
SSLProxyEngine On
 +
ProxyPreserveHost On
  
  # Container uses a unique non-signed certificate
 
  SSLProxyEngine On
 
  SSLProxyVerify None
 
  SSLProxyCheckPeerCN Off
 
  SSLProxyCheckPeerName Off
 
  
  # keep the host
+
# cert is issued for collaboraonline.example.com and we proxy to localhost
  ProxyPreserveHost On
+
SSLProxyVerify None
 +
SSLProxyCheckPeerCN Off
 +
SSLProxyCheckPeerName Off
  
  # static html, js, images, etc. served from loolwsd
 
  # loleaflet is the client part of Collabora Online
 
  ProxyPass          /loleaflet https://192.168.30.30:9980/loleaflet retry=0
 
  ProxyPassReverse    /loleaflet https://192.168.30.30:9980/loleaflet
 
  
  # WOPI discovery URL
+
# static html, js, images, etc. served from coolwsd
  ProxyPass          /hosting/discovery https://192.168.30.30:9980/hosting/discovery retry=0
+
# browser is the client part of Collabora Online
  ProxyPassReverse    /hosting/discovery https://192.168.30.30:9980/hosting/discovery
+
ProxyPass          /browser https://192.168.30.30:9980/browser retry=0
 +
ProxyPassReverse    /browser https://192.168.30.30:9980/browser
  
  # Capabilities
 
  ProxyPass          /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities retry=0
 
  ProxyPassReverse    /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities
 
  
  # Main websocket
+
# WOPI discovery URL
  ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.30.30:9980/lool/$1/ws nocanon
+
ProxyPass          /hosting/discovery https://192.168.30.30:9980/hosting/discovery retry=0
 +
ProxyPassReverse    /hosting/discovery https://192.168.30.30:9980/hosting/discovery
  
  # Admin Console websocket
 
  ProxyPass  /lool/adminws wss://192.168.30.30:9980/lool/adminws
 
  
  # Download as, Fullscreen presentation and Image upload operations
+
# Capabilities
  ProxyPass          /lool https://192.168.30.30:9980/lool
+
ProxyPass          /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities retry=0
  ProxyPassReverse    /lool https://192.168.30.30:9980/lool
+
ProxyPassReverse    /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities
 +
 
 +
# Main websocket
 +
ProxyPassMatch      "/cool/(.*)/ws$"      wss://192.168.30.30:9980/cool/$1/ws nocanon
 +
 
 +
# Admin Console websocket
 +
ProxyPass          /cool/adminws wss://192.168.30.30:9980/cool/adminws
 +
 
 +
# Download as, Fullscreen presentation and Image upload operations
 +
ProxyPass          /cool https://192.168.30.30:9980/cool
 +
ProxyPassReverse    /cool https://192.168.30.30:9980/cool
 +
# Compatibility with integrations that use the /lool/convert-to endpoint
 +
ProxyPass          /lool https://192.168.30.30:9980/cool
 +
ProxyPassReverse    /lool https://192.168.30.30:9980/cool
 
</VirtualHost>
 
</VirtualHost>
 
</pre>
 
</pre>

Version du 12 décembre 2021 à 12:31

Exemple d'installation de Collabora CODE sur un serveur/vm dédié, accessible derrière un serveur proxy situé sur votre instance nextcloud.
Nextcloud est donc installé sur un autre serveur/vm.
L'accès à l'instance Collabora se fera via un serveur proxy situé sur le serveur/vm hébergeant nextcloud.

Dans cet exemple:

  • Une VM collabora avec l'IP 192.168.30.30
  • VM nextcloud avec l'IP 192.168.30.15 ainsi qu'une IP publique accessible depuis internet (188.165.180.60, avec l'hostname nextcloud.domain.tld)
  • L'hostname collabora.domain.tld renvoi lui aussi vers l'ip publique de nextcloud (188.165.180.60) (le même serveur servira de proxy)

1 Installation et configuration de Collabora CODE sur la VM dédié à Collabora

1.1 Installation du logiciel

cd /usr/share/keyrings
sudo wget https://collaboraoffice.com/downloads/gpg/collaboraonline-release-keyring.gpg

Créez le fichier /etc/apt/sources.list.d/collaboraonline.sources contenant :

Types: deb
URIs: https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian11
Suites: ./
Signed-By: /usr/share/keyrings/collaboraonline-release-keyring.gpg
apt update 
apt install coolwsd code-brand

1.2 Configuration

Génération du certificat (basé sur https://github.com/CollaboraOnline/Docker-CODE/blob/master/scripts/start-libreoffice.sh)

openssl genrsa -out /etc/coolwsd/root.key.pem 2048
openssl req -x509 -new -nodes -key /etc/coolwsd/root.key.pem -days 9131 -out /etc/coolwsd/ca-chain.cert.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
openssl genrsa -out /etc/coolwsd/key.pem 2048 -key /etc/coolwsd/key.pem
openssl req -key /etc/coolwsd/key.pem -new -sha256 -out /etc/coolwsd/localhost.csr.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost"
openssl x509 -req -in /etc/coolwsd/localhost.csr.pem -CA /etc/coolwsd/ca-chain.cert.pem -CAkey /etc/coolwsd/root.key.pem -CAcreateserial -out /etc/coolwsd/cert.pem -days 9131

Sécurisation du certificat

chgrp cool /etc/coolwsd/key.pem
chmod g+r /etc/coolwsd/key.pem

Dans le fichier /etc/coolwsd/coolwsd.xml remplacez la ligne :

<host allow="true" desc="Regex pattern of hostname to allow or deny.">localhost</host>

par :

<host allow="true" desc="Regex pattern of hostname to allow or deny.">nextcloud\.domain\.tld</host>

Dans le fichier /etc/coolwsd/coolwsd.xml définissez la valeur server_name à collabora.domain.tld. Dans cet exemple la ligne devient :

<server_name default="" desc="External hostname:port of the server running coolwsd. If empty, it's derived from the request (please set it if this doesn't work). Must be specified when behind a reverse-proxy or when the hostname is not reachable directly." type="string">collabora.domain.tld</server_name>

Définissez le mot-de-passe admin :

loolconfig set-admin-password

Note sur coolwsd.xml :

  • Les IP/hosts dans storage/wopi peuvent toutes êtres supprimées sauf nextcloud\.domain\.tld (avec les \)
  • Les IPs dans net/post_allow peuvent toutes êtres supprimées au profit de l'adresse IP du proxy (192.168.30.15)

Relancez le service :

systemctl restart coolwsd

Logs :

journalctl -u coolwsd

2 Sur le serveur nextcloud

2.1 Exemple de proxy apache

Notez que cette configuration est valide si votre instance Collabora utilise un certificat SSL (autosigné ou non). Reportez vous à https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html pour les autres cas de figure.

<VirtualHost *:443>
  ServerName collabora.domain.tld
  Options -Indexes

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /path/to/signed_certificate
  SSLCertificateChainFile /path/to/intermediate_certificate
  SSLCertificateKeyFile /path/to/private/key

 AllowEncodedSlashes NoDecode
 SSLProxyEngine On
 ProxyPreserveHost On


 # cert is issued for collaboraonline.example.com and we proxy to localhost
 SSLProxyVerify None
 SSLProxyCheckPeerCN Off
 SSLProxyCheckPeerName Off


 # static html, js, images, etc. served from coolwsd
 # browser is the client part of Collabora Online
 ProxyPass           /browser https://192.168.30.30:9980/browser retry=0
 ProxyPassReverse    /browser https://192.168.30.30:9980/browser


 # WOPI discovery URL
 ProxyPass           /hosting/discovery https://192.168.30.30:9980/hosting/discovery retry=0
 ProxyPassReverse    /hosting/discovery https://192.168.30.30:9980/hosting/discovery


 # Capabilities
 ProxyPass           /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities retry=0
 ProxyPassReverse    /hosting/capabilities https://192.168.30.30:9980/hosting/capabilities

 # Main websocket
 ProxyPassMatch      "/cool/(.*)/ws$"      wss://192.168.30.30:9980/cool/$1/ws nocanon

 # Admin Console websocket
 ProxyPass           /cool/adminws wss://192.168.30.30:9980/cool/adminws

 # Download as, Fullscreen presentation and Image upload operations
 ProxyPass           /cool https://192.168.30.30:9980/cool
 ProxyPassReverse    /cool https://192.168.30.30:9980/cool
 # Compatibility with integrations that use the /lool/convert-to endpoint
 ProxyPass           /lool https://192.168.30.30:9980/cool
 ProxyPassReverse    /lool https://192.168.30.30:9980/cool
</VirtualHost>

3 Configuration de l'application Collabora de Nextcloud

  • Définissez l'hostname à https://collabora.domain.tld
  • cochez la case Disable certificate verification si votre proxy utilise un certificat autosigné

Une page d'administration de l'instance collabora est accessible à https://collabora.domain.tld/loleaflet/dist/admin/admin.html

4 Documentation officielle

https://www.collaboraoffice.com/code-install-and-test/
https://www.collaboraoffice.com/code/linux-packages/
https://sdk.collaboraonline.com/docs/installation/Proxy_settings.html