docker-onlyoffice-nextcloud

HTTP protocol used for DocumentServer on HTTPS system

Open SlavikCA opened this issue 5 years ago • 12 comments

I'm using a Docker container for NextCloud + OnlyOffice. Everything works with HTTP. The address on my LAN is http://deb10/

Then I added Nginx in front of the system, which adds an SSL cert. NextCloud works fine with SSL. However, I can't open any document in OnlyOffice:

Refused to frame 'http://cloud.aidcim.org/' because it violates the following Content Security Policy directive: "frame-src https://cloud.aidcim.org/".

(index):1 Mixed Content: The page at 'https://cloud.aidcim.org/index.php/apps/onlyoffice/121?filePath=%2FtestDoc.docx' was loaded over HTTPS, but requested an insecure resource 'http://cloud.aidcim.org/ds-vpath/5.3.4-3//web-apps/apps/documenteditor/main/index.html?_dc=5.3.4-3&lang=en-GB&customer=ONLYOFFICE&frameEditorId=iframeEditor'. This request has been blocked; the content must be served over HTTPS.

So, the problem is that this extension tries to access OnlyOffice via HTTP. Expected: Extension should open OnlyOffice via HTTPS.

NC config:

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'instanceid' => '***',
  'passwordsalt' => '***',
  'secret' => '***',
  'trusted_domains' => 
  array (
    0 => 'deb10',
    1 => 'nginx-server',
    2 => 'cloud.aidcim.org'
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '16.0.3.0',
  'overwrite.cli.url' => 'https://cloud.aidcim.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nc',
  'dbhost' => 'piwik',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nc',
  'dbpassword' => '*****',
  'installed' => true,
  'onlyoffice' => 
  array (
    'DocumentServerUrl' => 'https://cloud.aidcim.org/ds-vpath/',
    'DocumentServerInternalUrl' => 'http://onlyoffice-document-server/',
    'StorageUrl' => 'http://nginx-server/',
  ),
);

The Nginx config:

server {
  listen *:80;
  if ($scheme = http) { return 301 https://$server_name$request_uri; }
  listen *:443 ssl;
  server_name cloud.aidcim.org;
  server_tokens off;
  client_max_body_size 2G;
  proxy_set_header Host      $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_read_timeout 360;

  ssl_certificate /etc/letsencrypt/live/cloud.aidcim.org/cert.pem;
  ssl_certificate_key /etc/letsencrypt/live/cloud.aidcim.org/privkey.pem;
  location ^~ /.well-known { root /var/www/letsencrypt; }
  location / { proxy_pass  http://deb10; }
}

SlavikCA avatar Jul 17 '19 05:07 SlavikCA

OK, a workaround exists - see the updated nginx config below.

However, this is still a valid bug, which I think should be fixed.

Proxy Nginx config:

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

server {
  listen *:80;
  if ($scheme = http) { return 301 https://$server_name$request_uri; }
  listen *:443 ssl;
  server_name cloud.aidcim.org;
  server_tokens off;
  client_max_body_size 2G;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $proxy_connection;
  proxy_set_header X-Forwarded-Host $the_host;
  proxy_set_header X-Forwarded-Proto $the_scheme;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_set_header Host      $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_read_timeout 360;

  ssl_certificate /etc/letsencrypt/live/cloud.aidcim.org/cert.pem;
  ssl_certificate_key /etc/letsencrypt/live/cloud.aidcim.org/privkey.pem;
  location ^~ /.well-known { root /var/www/letsencrypt; }
  location / { proxy_pass  http://deb10; }
}

SlavikCA avatar Jul 17 '19 06:07 SlavikCA

@SlavikCA change the onlyoffice url in the settings from http to https. Do you get the same error as described in ONLYOFFICE/onlyoffice-nextcloud#117 ?

ClundXIII avatar Jul 30 '19 11:07 ClundXIII

> @SlavikCA change the onlyoffice url in the settings from http to https. Do you get the same error as described in ONLYOFFICE/onlyoffice-nextcloud#117 ?

Which "onlyoffice url" are you talking about?
DocumentServerInternalUrl? It's HTTP only, it's an internal Docker IP, I can't make it HTTPS.
DocumentServerUrl? It's already HTTPS.

SlavikCA avatar Jul 30 '19 16:07 SlavikCA

I am talking about "Document Editing Service address" in the nextcloud config.

I looked at my setup more thoroughly. False alarm, you have a different issue than me :(

ClundXIII avatar Jul 30 '19 22:07 ClundXIII

I'm having the same thing, someone fixed it. Please guide me.

lacdan92 avatar Sep 16 '19 09:09 lacdan92

Hi, this issue is related to running Document Server behind a proxy. You have to provide the HTTP headers X-Forwarded-Proto and X-Forwarded-Host with the origin protocol and host values when proxying traffic to Document Server. See more details and examples here.

agolybev avatar Sep 24 '19 09:09 agolybev

I know this issue is a bit old but after some digging it appears nginx is applying a 302 to all proxy_pass and rewrite directives applying a Location header to the corresponding response. When using an iframe, the Location header is used to determine if the content of the iframe is http or https. The config above is not the current config of onlyoffice but for the current configuration, the workaround is to force all schemes to https in order to set the corresponding scheme in the header location:

map $http_x_forwarded_proto $the_scheme {
     #default $http_x_forwarded_proto;
     #"" $scheme;
     default https;
}

qlux avatar Sep 28 '21 12:09 qlux
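Added example (not part of the thread and not ONLYOFFICE or nginx code): a small Python model of the three proxy configurations posted above, showing which X-Forwarded-Proto value each one sends upstream and whether the resulting editor frame would be blocked as mixed content. The function names, the scenarios and the backend's fallback to `http` when the header is absent are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Each function models what one posted nginx config sends upstream as
# X-Forwarded-Proto, given the headers nginx received and its own $scheme.
def no_header(client_headers, conn_scheme):
    return None  # first config in the thread: header is never set

def passthrough_map(client_headers, conn_scheme):
    # map { default $http_x_forwarded_proto; "" $scheme; }
    return client_headers.get("X-Forwarded-Proto") or conn_scheme

def forced_https(client_headers, conn_scheme):
    return "https"  # map { default https; }

def frame_url(forwarded_proto, host="cloud.aidcim.org", path="/ds-vpath/"):
    # Assumption: the backend builds absolute URLs from X-Forwarded-Proto and
    # falls back to its own plain-HTTP listener scheme when the header is absent.
    return f"{forwarded_proto or 'http'}://{host}{path}"

def is_mixed_content(page_url, url):
    # Browser rule behind the "Mixed Content" error: HTTPS page, HTTP frame.
    return urlsplit(page_url).scheme == "https" and urlsplit(url).scheme == "http"

PAGE = "https://cloud.aidcim.org/index.php/apps/onlyoffice/121"

# Constructed scenarios: (label, policy, headers nginx received, nginx $scheme)
SCENARIOS = [
    ("original config", no_header, {}, "https"),
    ("map, TLS ends at this nginx", passthrough_map, {}, "https"),
    ("map, TLS ends further out, no header", passthrough_map, {}, "http"),
    ("map, request carries X-Forwarded-Proto: http",
     passthrough_map, {"X-Forwarded-Proto": "http"}, "https"),
    ("forced https, TLS ends further out", forced_https, {}, "http"),
]

def evaluate():
    """Return {label: (frame URL the backend would emit, blocked by browser?)}."""
    results = {}
    for label, policy, headers, scheme in SCENARIOS:
        url = frame_url(policy(headers, scheme))
        results[label] = (url, is_mixed_content(PAGE, url))
    return results

if __name__ == "__main__":
    for label, (url, blocked) in evaluate().items():
        print(f"{label:46} {url:36} {'BLOCKED' if blocked else 'ok'}")
```

The pass-through map relays whatever X-Forwarded-Proto value the request already carries, so on an internet-facing proxy the upstream scheme is decided by the sender; setting the header from the proxy's own knowledge (`$scheme`, or a fixed `https` on a vhost that only serves HTTPS) removes that dependency.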

> I know this issue is a bit old but after some digging it appears nginx is applying a 302 to all proxy_pass and rewrite directives applying a Location header to the corresponding response. When using an iframe, the Location header is used to determine if the content of the iframe is http or https. The config above is not the current config of onlyoffice but for the current configuration, the workaround is to force all schemes to https in order to set the corresponding scheme in the header location:
>
> map $http_x_forwarded_proto $the_scheme {
>      #default $http_x_forwarded_proto;
>      #"" $scheme;
>      default https;
> }

@qlux Thank you!!!! This saved my day.

I think this should be added to readme.md

jjasoncool avatar Sep 16 '22 05:09 jjasoncool

I got the same problem. I have a different solution: we can use a meta tag in the HTML head like this: <meta charset="utf-8" http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> It worked for me.

aquaqu-v246 avatar Jan 30 '24 00:01 aquaqu-v246

Adding this meta tag to index.html of my react app allowed me to embed onlyoffice. Thanks a bunch! @aquaqu-v246

Stahhl avatar Feb 21 '24 17:02 Stahhl

Unfortunately the nginx trick does not work for me.

onlyoffice-docs-server runs in my Kubernetes; in front of it is an nginx to which I have added the variable and scheme.

Where could I add this meta tag? It should work in Nextcloud.

badsmoke avatar Mar 05 '24 08:03 badsmoke