[GH-ISSUE #2176] Websocket connection to collabora with nextcloud(-aio) throws error 400 #6884

New Issue

Closed

opened 2026-04-25 15:53:05 -05:00 by GiteaMirror · 5 comments

GiteaMirror commented 2026-04-25 15:53:05 -05:00

Owner

Copy Link

Originally created by @Joly0 on GitHub (Dec 28, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2176

Describe the Bug

I have switched a while ago to pangolin and have not noticed issues with collabora in nextcloud until now (though havent used that feature in nextcloud for a while). Just now i noticed, that files like excel or word files dont load and throw this error in nextcloud:

In the dev console i see that it tries to reach an wss:// url pointing to my nextcloud instance but throws a 400 bad request error.

I am not sure, what exactly throws this issue, but i tried it with nginx-proxy-manager and there it works no problem.

Environment

• OS Type & Version: (e.g., Ubuntu 22.04) Debian 12
• Pangolin Version: 1.14.1
• Gerbil Version: 1.3.0
• Traefik Version: v3.6.4
• Newt Version: 1.8.1
• Olm Version: (if applicable)

To Reproduce

Install nextcloud and collabora (perferably with nextcloud-aio).
Create pangolin rule for nextcloud
Create excel file
Try to open that excel file
See errro

Expected Behavior

Should just open the file and correctly work with websocket connections

Originally created by @Joly0 on GitHub (Dec 28, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2176 ### Describe the Bug I have switched a while ago to pangolin and have not noticed issues with collabora in nextcloud until now (though havent used that feature in nextcloud for a while). Just now i noticed, that files like excel or word files dont load and throw this error in nextcloud: <img width="1874" height="330" alt="Image" src="https://github.com/user-attachments/assets/00c508c8-2588-428e-b91a-390fa4fc7924" /> In the dev console i see that it tries to reach an wss:// url pointing to my nextcloud instance but throws a 400 bad request error. I am not sure, what exactly throws this issue, but i tried it with nginx-proxy-manager and there it works no problem. ### Environment - OS Type & Version: (e.g., Ubuntu 22.04) Debian 12 - Pangolin Version: 1.14.1 - Gerbil Version: 1.3.0 - Traefik Version: v3.6.4 - Newt Version: 1.8.1 - Olm Version: (if applicable) ### To Reproduce Install nextcloud and collabora (perferably with nextcloud-aio). Create pangolin rule for nextcloud Create excel file Try to open that excel file See errro ### Expected Behavior Should just open the file and correctly work with websocket connections

GiteaMirror closed this issue 2026-04-25 15:53:06 -05:00

GiteaMirror commented 2026-04-25 15:53:06 -05:00

Author

Owner

Copy Link

@TheDadNerd commented on GitHub (Dec 29, 2025):

This actually came from a traefik update. To fix, add the encodedCharacters section to your traefik config. It should look like it does below.

entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http:
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true

<!-- gh-comment-id:3695380702 --> @TheDadNerd commented on GitHub (Dec 29, 2025): This actually came from a traefik update. To fix, add the encodedCharacters section to your traefik config. It should look like it does below. ``` entryPoints: web: address: :80 websecure: address: :443 http: encodedCharacters: allowEncodedSlash: true allowEncodedQuestionMark: true ```

GiteaMirror commented 2026-04-25 15:53:07 -05:00

Author

Owner

Copy Link

@Joly0 commented on GitHub (Dec 29, 2025):

@TheDadNerd Looks like that worked. Thanks

<!-- gh-comment-id:3695442082 --> @Joly0 commented on GitHub (Dec 29, 2025): @TheDadNerd Looks like that worked. Thanks

GiteaMirror commented 2026-04-25 15:53:07 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Dec 29, 2025):

Adding this to the default config for the next installer

<!-- gh-comment-id:3696850895 --> @oschwartz10612 commented on GitHub (Dec 29, 2025): Adding this to the default config for the next installer

GiteaMirror commented 2026-04-25 15:53:07 -05:00

Author

Owner

Copy Link

@Yonoesio commented on GitHub (Dec 31, 2025):

I’ve finally found the cause of the issue, and it wasn’t Pangolin after all — it was Traefik.

GitLab’s Web IDE and the simple editor were returning 400 Bad Request whenever they tried to load a file through the API, even though everything worked perfectly when accessing GitLab directly via the server’s local IP.

The problem was that Traefik was blocking or normalizing encoded characters in the URL, specifically %2F (encoded slash) and %3F (encoded question mark). GitLab relies on these encoded characters for paths like:

/api/v4/projects/.../repository/files/<path>/raw?ref=<branch>

Because Traefik was rejecting these requests, the Web IDE couldn’t load any file.

The fix was to explicitly allow encoded slashes and question marks in Traefik:

entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http:
      encodedCharacters:
        allowEncodedSlash: true
        allowEncodedQuestionMark: true

After applying this configuration, both the Web IDE and the simple editor started working normally again.
Posting this here in case it helps anyone else using Pangolin together with Traefik and GitLab.

<!-- gh-comment-id:3701622038 --> @Yonoesio commented on GitHub (Dec 31, 2025): I’ve finally found the cause of the issue, and it wasn’t Pangolin after all — it was Traefik. GitLab’s Web IDE and the simple editor were returning 400 Bad Request whenever they tried to load a file through the API, even though everything worked perfectly when accessing GitLab directly via the server’s local IP. The problem was that Traefik was blocking or normalizing encoded characters in the URL, specifically %2F (encoded slash) and %3F (encoded question mark). GitLab relies on these encoded characters for paths like: `/api/v4/projects/.../repository/files/<path>/raw?ref=<branch>` Because Traefik was rejecting these requests, the Web IDE couldn’t load any file. The fix was to explicitly allow encoded slashes and question marks in Traefik: ```yaml entryPoints: web: address: :80 websecure: address: :443 http: encodedCharacters: allowEncodedSlash: true allowEncodedQuestionMark: true ``` After applying this configuration, both the Web IDE and the simple editor started working normally again. Posting this here in case it helps anyone else using Pangolin together with Traefik and GitLab.

GiteaMirror commented 2026-04-25 15:53:08 -05:00

Author

Owner

Copy Link

@KusAdama commented on GitHub (Jan 24, 2026):

Now, since Traefik 3.6.7, all are true by default, it's 7x allowEncodedXYZ, not only two.

From the docs: 'It is now up to the users to configure the security hardening of encoded characters.'

So thinking this should be all in and as true(?) by default.
Otherwise users still will be hitting this.
It's not that straightforward to debug, especially if Traefik is not 1:1 compared to the Pangolin.

<!-- gh-comment-id:3794529939 --> @KusAdama commented on GitHub (Jan 24, 2026): Now, since [Traefik 3.6.7](https://doc.traefik.io/traefik/v3.6/migrate/v3/#v367), all are true by default, it's 7x allowEncodedXYZ, not only two. From the docs: '_It is now up to the users to configure the security hardening of encoded characters._' So thinking this should be all in and as true(?) by default. Otherwise users still will be hitting this. It's not that straightforward to debug, especially if Traefik is not 1:1 compared to the Pangolin.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/fast-uri-3.1.2

crowdin_dev

dev

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.3

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#6884