Talk Only works on local network

[rpm5099]

Hi all, I am a total loss here and without spending a lot more time than I can dedicate to it I am hoping someone can steer me in the right direction. I have Nx AIO running behind a pfsense with haproxy, wss enabled, all functionality working except for talk and collabora (as evidenced here - https://nextcloud.[mydomain]/settings/admin/richdocuments). The domain nextcloud.[mydomain] is running on 443 behind haproxy and port 3478 tcp/udp is natted to the nx aio server. Talk calls are unable to connect from outside, only locally on the LAN. This does me no good at all because I can yell really loud. The STUN server is set to nextcloud.[mydomain]:3478 and the TURN server is set to nextcloud.[mydomain]:3478 and tests successfully.

I am very familiar with networking and firewalls, but I must be missing something basic in terms of what we are going for here with AIO - I don't want or need a "high performance" VPS based talk server, and I am not using a Cloudflare proxy or any other kind of proxy external to my network. This seems like it should be very straight forward, but I am getting nowhere. Please let me know if I can provide any other information, and I appreciate any input.

I am getting these messages from the talk container:

2025-04-08T10:08:31.028068399Z [WARN] Janus is deployed on a private address (172.18.0.3) but you didn't specify any STUN server! Expect trouble if this is supposed to work over the internet and not just in a LAN...
2025-04-08T10:08:31.029223531Z natsclient.go:104: Connection established to nats://127.0.0.1:4222 (XXXXXXXXX...)
2025-04-08T10:08:31.029483140Z grpc_common.go:176: WARNING: No GRPC server certificate and/or key configured, running unencrypted
2025-04-08T10:08:31.029497540Z grpc_common.go:178: WARNING: No GRPC CA configured, expecting unencrypted connections
2025-04-08T10:08:31.029503183Z backend_storage_static.go:73: Backend backend-1 added for https://nextcloud.[mydomain]/
2025-04-08T10:08:31.029672927Z hub.go:224: Using a maximum of 8 concurrent backend connections per host
2025-04-08T10:08:31.029686443Z hub.go:231: Using a timeout of 10s for backend connections
2025-04-08T10:08:31.029691917Z hub.go:264: No trusted proxies configured, only allowing for [127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]

and this from the nx container:

$docker exec -it --user www-data nextcloud-aio-nextcloud php occ config:list spreed
{
    "apps": {
        "spreed": {
            "installed_version": "20.1.5",
            "enabled": "yes",
            "types": "dav,prevent_group_restriction",
            "turn_servers": "***REMOVED SENSITIVE VALUE***",
            "stun_servers": "***REMOVED SENSITIVE VALUE***",
            "recording_servers": "***REMOVED SENSITIVE VALUE***",
            "signaling_token_privkey_es256": "***REMOVED SENSITIVE VALUE***",
            "signaling_token_pubkey_es256": "***REMOVED SENSITIVE VALUE***",
            "federation_enabled": "yes",
            "signaling_servers": "***REMOVED SENSITIVE VALUE***",
            "project_access_invalidated": "1"
        }
    }
}

[rpm5099]

Quick update to this, the problem with Talk was the settings in config.php under trusted_proxies - I fat fingered an IP. So that is working now. I also figured out the problem with collabora but I'm not seeing a solution anywhere, the permissions are bad on the container:

frk-00014-00014 2024-05-20 07:45:42.985917 +1200 [ coolforkit ] ERR  Capability cap_sys_chroot is not set for the coolforkit program.| kit/ForKit.cpp:229
frk-00014-00014 2024-05-20 07:45:42.985964 +1200 [ coolforkit ] ERR  Capability cap_fowner is not set for the coolforkit program.| kit/ForKit.cpp:229
frk-00014-00014 2024-05-20 07:45:42.986004 +1200 [ coolforkit ] ERR  Capability cap_chown is not set for the coolforkit program.| kit/ForKit.cpp:229
Capabilities are not set for the coolforkit program.

Manually editing /etc/coolwsd/coolwsd.xml within the collabora container to disable jail isolation fixes the issue:

<security>
...
<capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">false</capabilities>
...

But obviously this is not desirable. I couldn't find if there was a fix for this, there doesn't seem to be any way to push settings like this from the master container to the collabora container. It seems like that is on purpose, but it really ties the hands of anyone attempting to stop-gap problems like this until there is an update. If I'm missing something please let me know, any input is appreciated.

[szaimen]

I fear you need to test yourself. Currently not having access to my test instance bur the syntax looks okay I would say

[rpm5099]

There's an example given below the box on the page:

--o:net.content_security_policy="frame-ancestors *.example.com:*;"

I made the settings I passed model after that, so the fact that they are not working must mean that they are not getting passed through to the box.

If anyone know the correct format for settings in that box to get successfully passed through to coolwsd.xml please enlighten me.

[jimmyrmrz-Lame]

Quick update to this, the problem with Talk was the settings in config.php under trusted_proxies - I fat fingered an IP. So that is working now.

Hello @rpm5099 , I'm struggling with nextcloud talk may you help? What changes did you make under trusted_proxies. I am currently dealing with a similar issue in which Nextcloud talk only works on my local network. I checked my config.php file and this is what I have under trusted_proxies,
'trusted_proxies' =>
array (
0 => '127.0.0.1',
1 => '::1',
10 => '172.16.8.0/16',

For more context, I access my Nextcloud instance via a pangolin tunnel (pangolin is on a vps), and I deployed Nextcloud AIO on TrueNAS using Dockge.

[rpm5099]

I actually finally got this working about a month ago but I didn't take detailed notes on it, figured I would wait and see if it continued to have issues and then haven't used it much. One issue for sure was that I did not have port 3478 NAT port forward through my pfsense firewall to the nextcloud host to correctly to ensure that it always reaches from both internal and external. For the trusted proxies this is what I have right now:

<?php
$CONFIG = array (
  'trusted_proxies' =>
  array (
    0 => '127.0.0.1',   <- loopback
    1 => '::1',         <- loopback
    2 => '10.0.0.122',  <- nextcloud host 
    3 => '10.0.0.1',    <- pfsense firewall
    4 => '10.0.0.7',    <- haproxy virtual ip
    10 => '172.18.0.0/16', <- docker network subnet
  ),

I also had to bad entries in the high-performance backend section of the talk admin page. I have no idea why. The other change I made was to change the stun servers from port 443 to 3478. I created a separate sub domain for the turn server so that I could use split DNS and have both the local and remote clients reach the turn server without going through the haproxy.

Added this to my pfsense dns resolver custom options:

local-zone: "turn.mydomain.net" redirect
local-data: "turn.mydomain.net. A 10.0.0.122"

And this rule to the firewall NAT:

For the stun and turn servers settings in the Nextcloud admin page I have:

# stun
turn.mydomain.net:3478
nextcloud.mydomain.net:3478

#turn
turn: only - turn.mydomain.net:3478 UDP and TCP
turn:only - nextclout.mydomain.net:3478 UDP and TCP

I recommend you install a command line stun client like turnutils_stunclient and test to make sure that you get back the right ip address whether you hit it from inside or outside your network - it's supposed to return the IP that you can be reached at, my changes were to make it so that devices on the lan got a lan address back, and external devices get the public ip of the network. That way talk traffic on the lan/vpn doesn't need to be unnecessarily routed back through the firewall.

Hopefully that is helpful, I know that my firewall setup has complexities that most people don't want to deal with but overall I think the way I have it setup makes it work seamlessly from both inside and outside the network as well as vpn'ed home. That's what I needed. Now after typing this I'll go try to make a talk call and find out it doesn't work, haha.

[jimmyrmrz-Lame]

Thank you so much for the detailed response. I'll try to troubleshoot this again, you included a lot of great details. I am realizing I'm in way over there head lol, I just started my journey with home labbing. Anyways thanks again for your detailed response and I hope it did still work for you haha!

[rpm5099]

The Collabora additional options field on the mastercontainer ui does not successfully pass through settings to the Collabora container, somehow this functionality appears to be broken. I've tried both of the variants below and it has zero affect on what ends up in the environment variables of the Collabora container or coolwsd.xml. The path from how it gets submitted via the web ui and makes it into coolwsd.xml is so convoluted that someone who is more familiar with AIO is going to be able to track down where the problem is much faster than myself.

Tried in web ui:

--o:security.capabilities=false --o:security.secomp=false
--o:security.capabilities="false" --o:security.secomp="false"

Env vars on the Collabora container:

cool@c1e7603b93e4:/$ env
extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:security.seccomp=true --o:remote_font_config.url=https://nextcloud.[domain]/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+
dictionaries=de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru
HOSTNAME=c1e7603b93e4
PWD=/
TZ=America/New_York
HOME=/opt/cool
DONT_GEN_SSL_CERT=1
TERM=xterm
SHLVL=1
LC_CTYPE=C.UTF-8
aliasgroup1=https://nextcloud.[domain]:443
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
server_name=nextcloud.[domain]
_=/usr/bin/env
cool@c1e7603b93e4:/$ whoami
cool

Within container.json in the Collabora section:

"extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY% --o:remote_font_config.url=https://%NC_DOMAIN%/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+"

Looks pretty clear this is what needs to get set...somehow: %COLLABORA_SECCOMP_POLICY%.

Security section of /etc/coolwsd/coolwsd.xml - capabilities should be set to false, it is not:

    <security desc="Altering these defaults potentially opens you to significant risk">
      <seccomp desc="Should we use the seccomp system call filtering." type="bool" default="true">true</seccomp>

      <!-- deprecated: If capabilities is 'false', coolwsd will assume mount_namespaces of 'true' to achieve
           this goal, only avoiding chroot for process isolation if linux namespaces are unavailable -->
      <capabilities desc="Should we require capabilities to isolate processes into chroot jails" type="bool" default="true">true</capabilities>

      <jwt_expiry_secs desc="Time in seconds before the Admin Console's JWT token expires" type="int" default="1800">1800</jwt_expiry_secs>
      <enable_macros_execution desc="Specifies whether the macro execution is enabled in general. This will enable Basic and Python scripts to execute both installed and from documents. If it is set to false, the macro_security_level is ignored. If it is set to true, the mentioned entry specified the level of macro security." type="bool" default="false">false</enable_macros_execution>
      <macro_security_level desc="Level of Macro security. 1 (Medium) Confirmation required before executing macros from untrusted sources. 0 (Low, not recommended) All macros will be executed without confirmation." type="int" default="1">1</macro_security_level>
      <enable_websocket_urp desc="Should we enable URP (UNO remote protocol) communication over the websocket. This allows full control of the Kit child server to anyone with access to the websocket including executing macros without confirmation or running arbitrary shell commands in the jail." type="bool" default="false">false</enable_websocket_urp>
      <enable_metrics_unauthenticated desc="When enabled, the /cool/getMetrics endpoint will not require authentication." type="bool" default="false">false</enable_metrics_unauthenticated>
      <server_signature desc="Whether to send server signature in HTTP response headers" type="bool" default="false">false</server_signature>
    </security>

[szaimen]

Can you post the output of sudo docker inspect nextcloud-aio-collabora here?

[rpm5099]

Currently the options are set to --o:security.seccomp=false

[
  {
    "Id": "8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1",
    "Created": "2025-04-11T20:07:45.677184947Z",
    "Path": "/start-collabora-online.sh",
    "Args": [
      "--o:security.seccomp=false"
    ],
    "State": {
      "Status": "running",
      "Running": true,
      "Paused": false,
      "Restarting": false,
      "OOMKilled": false,
      "Dead": false,
      "Pid": 2273568,
      "ExitCode": 0,
      "Error": "",
      "StartedAt": "2025-04-11T20:07:45.750698859Z",
      "FinishedAt": "0001-01-01T00:00:00Z",
      "Health": {
        "Status": "healthy",
        "FailingStreak": 0,
        "Log": [
          {
            "Start": "2025-04-11T16:07:51.026565063-04:00",
            "End": "2025-04-11T16:07:51.101733398-04:00",
            "ExitCode": 0,
            "Output": ""
          },
          {
            "Start": "2025-04-11T16:08:21.102919874-04:00",
            "End": "2025-04-11T16:08:21.19295761-04:00",
            "ExitCode": 0,
            "Output": ""
          },
          {
            "Start": "2025-04-11T16:08:51.193667169-04:00",
            "End": "2025-04-11T16:08:51.266911316-04:00",
            "ExitCode": 0,
            "Output": ""
          },
          {
            "Start": "2025-04-11T16:09:21.267854613-04:00",
            "End": "2025-04-11T16:09:21.347790088-04:00",
            "ExitCode": 0,
            "Output": ""
          },
          {
            "Start": "2025-04-11T16:09:51.348251196-04:00",
            "End": "2025-04-11T16:09:51.436930189-04:00",
            "ExitCode": 0,
            "Output": ""
          }
        ]
      }
    },
    "Image": "sha256:abba92370f15e9d3649ce7c98a60d934283427534ed56c19a253dffcee8cb38a",
    "ResolvConfPath": "/var/lib/docker/containers/8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1/resolv.conf",
    "HostnamePath": "/var/lib/docker/containers/8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1/hostname",
    "HostsPath": "/var/lib/docker/containers/8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1/hosts",
    "LogPath": "/var/lib/docker/containers/8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1/8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1-json.log",
    "Name": "/nextcloud-aio-collabora",
    "RestartCount": 0,
    "Driver": "overlay2",
    "Platform": "linux",
    "MountLabel": "",
    "ProcessLabel": "",
    "AppArmorProfile": "docker-default",
    "ExecIDs": null,
    "HostConfig": {
      "Binds": null,
      "ContainerIDFile": "",
      "LogConfig": {
        "Type": "json-file",
        "Config": {}
      },
      "NetworkMode": "nextcloud-aio",
      "PortBindings": null,
      "RestartPolicy": {
        "Name": "unless-stopped",
        "MaximumRetryCount": 0
      },
      "AutoRemove": false,
      "VolumeDriver": "",
      "VolumesFrom": null,
      "ConsoleSize": [
        0,
        0
      ],
      "CapAdd": [
        "MKNOD",
        "SYS_ADMIN"
      ],
      "CapDrop": [
        "NET_RAW"
      ],
      "CgroupnsMode": "private",
      "Dns": null,
      "DnsOptions": null,
      "DnsSearch": null,
      "ExtraHosts": null,
      "GroupAdd": null,
      "IpcMode": "private",
      "Cgroup": "",
      "Links": null,
      "OomScoreAdj": 0,
      "PidMode": "",
      "Privileged": false,
      "PublishAllPorts": false,
      "ReadonlyRootfs": false,
      "SecurityOpt": [
        "label:disable"
      ],
      "UTSMode": "",
      "UsernsMode": "",
      "ShmSize": 67108864,
      "Runtime": "runc",
      "Isolation": "",
      "CpuShares": 0,
      "Memory": 0,
      "NanoCpus": 0,
      "CgroupParent": "",
      "BlkioWeight": 0,
      "BlkioWeightDevice": null,
      "BlkioDeviceReadBps": null,
      "BlkioDeviceWriteBps": null,
      "BlkioDeviceReadIOps": null,
      "BlkioDeviceWriteIOps": null,
      "CpuPeriod": 0,
      "CpuQuota": 0,
      "CpuRealtimePeriod": 0,
      "CpuRealtimeRuntime": 0,
      "CpusetCpus": "",
      "CpusetMems": "",
      "Devices": null,
      "DeviceCgroupRules": null,
      "DeviceRequests": null,
      "MemoryReservation": 0,
      "MemorySwap": 0,
      "MemorySwappiness": null,
      "OomKillDisable": null,
      "PidsLimit": null,
      "Ulimits": null,
      "CpuCount": 0,
      "CpuPercent": 0,
      "IOMaximumIOps": 0,
      "IOMaximumBandwidth": 0,
      "MaskedPaths": [
        "/proc/asound",
        "/proc/acpi",
        "/proc/interrupts",
        "/proc/kcore",
        "/proc/keys",
        "/proc/latency_stats",
        "/proc/timer_list",
        "/proc/timer_stats",
        "/proc/sched_debug",
        "/proc/scsi",
        "/sys/firmware",
        "/sys/devices/virtual/powercap"
      ],
      "ReadonlyPaths": [
        "/proc/bus",
        "/proc/fs",
        "/proc/irq",
        "/proc/sys",
        "/proc/sysrq-trigger"
      ],
      "Init": true
    },
    "GraphDriver": {
      "Data": {
        "ID": "8d287fe37f77df30604307ad006f7d703c1ce01bbcc9c00214fbe91d01d269b1",
        "LowerDir": "/var/lib/docker/overlay2/2736d909c8e705c6d561f0a78b4571e1738c17c2798b9cace3c5663b39793b39-init/diff:/var/lib/docker/overlay2/54e049179081a24cf7cea2d4562ab88c2f244c63d8be2d6b79a7630fbc142d32/diff:/var/lib/docker/overlay2/5eda1cbee74466e2bf113b29c60f6cac3686c70c692dfe8f254644f7c2029821/diff:/var/lib/docker/overlay2/3af4ea9bf6f23a9be1e053ce25a7687255e7c1ac04d263a377c9e49ed766d3dd/diff:/var/lib/docker/overlay2/dcd967e04aabfee0f8625544bc84e0d3932ff4f7592c59509c3b0603460180f7/diff:/var/lib/docker/overlay2/4d77838f378d8719985704cff5f67be7684854a86dd71bd03844e1433ed66234/diff",
        "MergedDir": "/var/lib/docker/overlay2/2736d909c8e705c6d561f0a78b4571e1738c17c2798b9cace3c5663b39793b39/merged",
        "UpperDir": "/var/lib/docker/overlay2/2736d909c8e705c6d561f0a78b4571e1738c17c2798b9cace3c5663b39793b39/diff",
        "WorkDir": "/var/lib/docker/overlay2/2736d909c8e705c6d561f0a78b4571e1738c17c2798b9cace3c5663b39793b39/work"
      },
      "Name": "overlay2"
    },
    "Mounts": [],
    "Config": {
      "Hostname": "8d287fe37f77",
      "Domainname": "",
      "User": "1001",
      "AttachStdin": false,
      "AttachStdout": false,
      "AttachStderr": false,
      "ExposedPorts": {
        "9980/tcp": {}
      },
      "Tty": false,
      "OpenStdin": false,
      "StdinOnce": false,
      "Env": [
        "aliasgroup1=https://nextcloud.[domain]:443",
        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:mount_jail_tree=false --o:logging.level=warning --o:home_mode.enable=true --o:security.seccomp=true --o:remote_font_config.url=https://nextcloud.[domain]/apps/richdocuments/settings/fonts.json --o:net.post_allow.host[0]=.+",
        "dictionaries=de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru",
        "TZ=America/New_York",
        "server_name=nextcloud.[domain]",
        "DONT_GEN_SSL_CERT=1",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
        "LC_CTYPE=C.UTF-8"
      ],
      "Cmd": [
        "--o:security.seccomp=false"
      ],
      "Healthcheck": {
        "Test": [
          "CMD-SHELL",
          "/healthcheck.sh"
        ],
        "StartPeriod": 60000000000,
        "Retries": 9
      },
      "Image": "ghcr.io/nextcloud-releases/aio-collabora:beta",
      "Volumes": null,
      "WorkingDir": "",
      "Entrypoint": [
        "/start-collabora-online.sh"
      ],
      "OnBuild": null,
      "Labels": {
        "author": "Collabora Productivity Ltd.",
        "com.centurylinklabs.watchtower.enable": "false",
        "commit.history.core": "https://git.libreoffice.org/core/+log/cp-24.04.13-2",
        "commit.history.online": "https://github.com/CollaboraOnline/online/commits/cp-24.04.13-2",
        "description": "Collabora Online is a powerful collaborative Office suite that supports all major document, spreadsheet and presentation file formats, which you can integrate into your own infrastructure. Collabora Online provides data security and sovereignty, and is ideally suited to the demands of a modern distributed working environment. Delivering a familiar look and feel, Collabora Online represents a real alternative to other big-brands solutions, giving you control and flexibility.",
        "release.notes": "https://www.collaboraonline.com/code-24-04-release-notes/",
        "version": "24.04.13.2"
      }
    },
    "NetworkSettings": {
      "Bridge": "",
      "SandboxID": "38346b418eb46720da45e824937cdf6067c45efc7f4bdf56f7241a85508be625",
      "SandboxKey": "/var/run/docker/netns/38346b418eb4",
      "Ports": {
        "9980/tcp": null
      },
      "HairpinMode": false,
      "LinkLocalIPv6Address": "",
      "LinkLocalIPv6PrefixLen": 0,
      "SecondaryIPAddresses": null,
      "SecondaryIPv6Addresses": null,
      "EndpointID": "",
      "Gateway": "",
      "GlobalIPv6Address": "",
      "GlobalIPv6PrefixLen": 0,
      "IPAddress": "",
      "IPPrefixLen": 0,
      "IPv6Gateway": "",
      "MacAddress": "",
      "Networks": {
        "nextcloud-aio": {
          "IPAMConfig": null,
          "Links": null,
          "Aliases": null,
          "MacAddress": "ae:73:91:20:e2:80",
          "DriverOpts": null,
          "GwPriority": 0,
          "NetworkID": "c7b86fa391bc4aab099356b8cdbef0056a2e2c0d66912cc76b17a63786acc045",
          "EndpointID": "a48ca092b699135303f613156eda5f43430712b4be51b5b36216db61f17909b0",
          "Gateway": "172.18.0.1",
          "IPAddress": "172.18.0.3",
          "IPPrefixLen": 16,
          "IPv6Gateway": "",
          "GlobalIPv6Address": "",
          "GlobalIPv6PrefixLen": 0,
          "DNSNames": [
            "nextcloud-aio-collabora",
            "8d287fe37f77"
          ]
        }
      }
    }
  }
]

[szaimen]

Cmd": [
        "--o:security.seccomp=false"
      ],

So it seems like only rhe seccomp value was passed. Did you try out more?

[rpm5099]

Yes, I've tried every variation - each setting on it's own, both together, in different order, with/without quotes, colon instead of equals, etc. Nothing gets passed through and effectively activated.

I should add that I deleted the container and recreated it between testing some variations of the options but not all of them. I wasn't sure if that was required to make them effective, but if it is required then resetting and changing the options in the gui should probably delete the container.

[rpm5099]

@szaimen Simon I really appreciate your help, I would like to get this figured out. Should I open an issue for it? I noticed you marked the question as answered, do you think you've figured out what is going on? Thanks again.

[szaimen]

Should I open an issue for it?

No, lets keep the discussion here.

[rpm5099]

No problem. Please let me know if there's anything I should try or other information I can provide.