NC32 - WOPI error: Invalid WOPI proof #5351
Description
Describe the bug
I have found exactly the same behavior as pretty much described here with our pre production: #4952
Our setup includes Large deployment where Collabora workers are behind HAProxy. In test env there are 2 small worker nodes for Collabora on VMs (no docker).
To Reproduce
Everything is working fine with Nextcloud 31. Allow list for WOPI requests is the same. Tried with 0.0.0.0/0 or empty, same behavior.
After update to Nextcloud 32 behavior is as follows.
There are office 6 documents that I use for testing. 5 of them do not work and 1 works when both backends are online or vice versa. 5 work 1 does not open. When I click on "Save" on "Allow list for WOPI requests" this can toggle even without any changes. Number of tested docs are just random but to describe behavior.
Just to mention again on Nextcloud 31 with exactly the same configuration everything works without "Invalid WOPI proof" errors from nextcloud.log
User facing error is "Unauthorized WOPI host. Please try again later and report to your administrator if the issue persists."
Important thing maybe to note is:
- If I stop collabora worker 1 and I click "Save" under "Allow list for WOPI requests" so worker 2 remains - everything works. All 6 documents open properly.
- If I stop collabora worker 2 and I click "Save" under "Allow list for WOPI requests" so worker 1 remains - everything works. All 6 documents open properly.
"Save" refreshes "something" as if I stop collabora worker 2 and restart collabora worker 1 error will be there. Up until I click "Save" and it all works with single backend.
Expected behavior
When both backends are online there should be no "Invalid WOPI proof" error.
Workarounds
When I did as suggested here:
#4952 (comment)
Pretty much commented those 3 lines in lib/Middleware/WOPIMiddleware.php
if (!$isProofValid) {
throw new WopiException('Invalid WOPI proof');
}
Everything works as expected. :)
Additional workaround would be to use single backend server but that is not possible and defies the purpose of scaling.
Server details
Operating system:
Rocky Linux 9.5
Web server:
Apache/2.4.62
Database:
PG
PHP version:
8.3.28
Nextcloud version:
Nextcloud Hub 25 Autumn (32.0.5 Enterprise)
Version of the richdocuments app
9.0.2
Version of Collabora Online
24.04.17.3
Configuration of the richdocuments app
# occ config:list richdocuments
{
"apps": {
"richdocuments": {
"doc_format": "ooxml",
"disable_certificate_verification": "",
"public_wopi_url": "https:\/\/xxxxxxxxxxxxxxxxxx",
"types": "filesystem,prevent_group_restriction",
"wopi_allowlist": "x.x.x.x\/24",
"installed_version": "9.0.2",
"wopi_url": "https:\/\/xxxxxxxxxxxx",
"enabled": "yes",
"external_apps": ""
}
}
}
Logs
Nextcloud log (data/nextcloud.log)
{"reqId":"aYnQOX_FZa2pXvzoeb5NIAAAAEk","level":3,"time":"2026-02-09T12:16:57+00:00","remoteAddr":"xxxx","user":"--","app":"richdocuments","method":"GET","url":"/index.php/apps/richdocuments/wopi/files/xxxxxx?access_token=xxxxx&access_token_ttl=0&permission=edit","scriptName":"/index.php","message":"WOPI error: Invalid WOPI proof","userAgent":"COOLWSD HTTP Agent 24.04.17.3","version":"32.0.5.1","exception":{"Exception":"OCA\\Richdocuments\\Exceptions\\WopiException","Message":"Invalid WOPI proof","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/AppFramework/Middleware/MiddlewareDispatcher.php","line":73,"function":"beforeController","class":"OCA\\Richdocuments\\Middleware\\WOPIMiddleware","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":110,"function":"beforeController","class":"OC\\AppFramework\\Middleware\\MiddlewareDispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":153,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":321,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1061,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":25,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/apps/richdocuments/lib/Middleware/WOPIMiddleware.php","Line":106,"message":"WOPI error: Invalid WOPI proof","exception":{},"CustomMessage":"WOPI error: Invalid WOPI proof"}}
Coolwsd log
Feb 09 13:18:53 xxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:18:53.130397 +0100 [ websrv_poll ] ERR #29: WOPI::CheckFileInfo failed for URI [https://urlofinstance.com/index.php/apps/richdocuments/wopi/files/xxxxxxx?access_token=xxxx&access_token_ttl=0]: 500 (Internal Server Error) Internal Server Error. Headers: date: Mon, 09 Feb 2026 12:18:53 GMT / server: Apache/2.4.62 (Rocky Linux) OpenSSL/3.2.2 / x-request-id: xxxxxxxx / cache-control: no-cache, no-store, must-revalidate / content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' / feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' / x-robots-tag: noindex, nofollow / set-cookie: xxxxxxx=xxxxxx; path=/; secure; HttpOnly; SameSite=Lax / x-content-type-options: nosniff / x-frame-options: SAMEORIGIN / x-permitted-cross-domain-policies: none / referrer-policy: no-referrer / content-length: 2 / content-type: application/json; charset=utf-8 / strict-transport-security: max-age=63072000 Body: [[]]| wsd/wopi/CheckFileInfo.cpp:106
Feb 09 13:18:53 xxxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:18:53.130433 +0100 [ websrv_poll ] ERR #29: Failed or timed-out CheckFileInfo [https://urlofinstance.com/index.php/apps/richdocuments/wopi/files/xxxxxxx?access_token=xxxxx&access_token_ttl=0]| wsd/wopi/CheckFileInfo.cpp:120
Feb 09 13:18:53 xxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:18:53.141106 +0100 [ websrv_poll ] ERR #27: CheckFileInfo failed for [https%3A%2F%2Furlofinstance.com%3A443%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2Fxxxxxxx], State::Fail| wsd/RequestVettingStation.cpp:354
Feb 09 13:18:53 xxxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:18:53.281945 +0100 [ websrv_poll ] ERR #29: WOPI::CheckFileInfo failed for URI [https://urlofinstance.com/index.php/apps/richdocuments/wopi/files/xxxxxxx?access_token=xxxxx&access_token_ttl=0&permission=edit]: 500 (Internal Server Error) Internal Server Error. Headers: date: Mon, 09 Feb 2026 12:18:53 GMT / server: Apache/2.4.62 (Rocky Linux) OpenSSL/3.2.2 / x-request-id: xxxxxxxx / cache-control: no-cache, no-store, must-revalidate / content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none' / feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none' / x-robots-tag: noindex, nofollow / set-cookie: xxxxxxx=xxxxxxx; path=/; secure; HttpOnly; SameSite=Lax / x-content-type-options: nosniff / x-frame-options: SAMEORIGIN / x-permitted-cross-domain-policies: none / referrer-policy: no-referrer / content-length: 2 / content-type: application/json; charset=utf-8 / strict-transport-security: max-age=63072000 Body: [[]]| wsd/wopi/CheckFileInfo.cpp:106
Feb 09 13:18:53 xxxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:18:53.281980 +0100 [ websrv_poll ] ERR #29: Failed or timed-out CheckFileInfo [https://urlofinstance.com/index.php/apps/richdocuments/wopi/fil
es/xxxxxxx?access_token=xxxxx&access_token_ttl=0&permission=edit]| wsd/wopi/CheckFileInfo.cpp:120
Feb 09 13:19:04 xxxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:19:04.117081 +0100 [ websrv_poll ] WRN convert-to: Requesting address is denied: ::ffff:x.x.x.x| wsd/ClientRequestDispatcher.cpp:576
Feb 09 13:19:19 xxxxxx coolwsd[650793]: wsd-650793-650806 2026-02-09 13:19:19.953229 +0100 [ websrv_poll ] WRN convert-to: Requesting address is denied: ::ffff:x.x.x.x| wsd/ClientRequestDispatcher.cpp:576