onlyoffice-nextcloud
Problems configuring Apache as a reverse proxy to ONLYOFFICE in Docker
I was hoping to find an answer to my problem in an issue here or on the Nextcloud Discourse forum but I'm afraid I haven't been able to and after spending several days trying to solve this problem I thought someone here might have a suggestion…
I have this error when I save the ONLYOFFICE settings in Nextcloud:
Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.)
And I don't have an option to open .docx files using ONLYOFFICE.
This is on a Debian Buster Xen virtual server with 5GB of RAM and two CPUs and which has been configured using the dev branch of this Ansible repo, the server is running Apache and PHP FPM and it has one IP address, Nextcloud has been installed using this Ansible role and it is running Nextcloud version 18.0.1.
The Nextcloud Apache configuration has been generated from this Jinja2 template and includes this configuration to prevent indexing by robots, the Let's Encrypt cert is an ECC one and Apache is configured following the Mozilla intermediate compatibility cipher recommendations, the server is configured to only use TLSv1.2 and TLSv1.3, the Apache Nextcloud VirtualHost
is as follows:
# Ansible managed
# nextcloud.webarchitects.org.uk
# /home/nextcloud/sites/nextcloud
<VirtualHost *:80>
ServerName nextcloud.webarchitects.org.uk
ServerAlias www.nextcloud.webarchitects.org.uk
RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://nextcloud.webarchitects.org.uk$0
</VirtualHost>
# nextcloud.webarchitects.org.uk
# /home/nextcloud/sites/nextcloud
<VirtualHost *:443>
ServerName nextcloud.webarchitects.org.uk
ServerAlias www.nextcloud.webarchitects.org.uk
SSLEngine on
SSLCertificateFile /etc/ssl/le/nextcloud.webarchitects.org.uk.cert.pem
SSLCertificateKeyFile /etc/ssl/le/nextcloud.webarchitects.org.uk.key.pem
SSLCertificateChainFile /etc/ssl/le/nextcloud.webarchitects.org.uk.ca.pem
ServerAdmin "[email protected]"
IncludeOptional /etc/apache2/conf-available/robots-deny-nextcloud.conf
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=630720622;"
</IfModule>
DocumentRoot "/home/nextcloud/sites/nextcloud"
<Directory "/home/nextcloud/sites/nextcloud">
Options +MultiViews +SymLinksIfOwnerMatch
DirectoryIndex index.php index.html index.htm index.shtml
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch,MultiViews,IncludesNOEXEC Nonfatal=All
<IfModule proxy_fcgi_module>
<IfModule setenvif_module>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
<FilesMatch "\.php$">
<If "-f %{REQUEST_FILENAME}">
SetHandler "proxy:unix:/home/nextcloud/php-fpm.sock|fcgi://localhost"
</If>
</FilesMatch>
</IfModule>
Require all granted
IncludeOptional "/etc/apache2/conf-available/expires-medium.conf"
</Directory>
CustomLog /var/log/apache2/nextcloud_access.log bandwidth
LogLevel error
ErrorLog /home/nextcloud/logs/apache.error.log
CustomLog /home/nextcloud/logs/apache.access.log combinedio
</VirtualHost>
# vim: set ft=apache:
This results in an A+ at SSL Labs and an A+ at the Nextcloud Security Scan.
The .htaccess file in the Nextcloud DocumentRoot has been partly generated using php occ maintenance:update:htaccess; this part of it is as follows:
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 /
ErrorDocument 404 /
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4)$
RewriteCond %{REQUEST_FILENAME} !core/img/favicon.ico$
RewriteCond %{REQUEST_FILENAME} !core/img/manifest.json$
RewriteCond %{REQUEST_FILENAME} !/remote.php
RewriteCond %{REQUEST_FILENAME} !/public.php
RewriteCond %{REQUEST_FILENAME} !/cron.php
RewriteCond %{REQUEST_FILENAME} !/core/ajax/update.php
RewriteCond %{REQUEST_FILENAME} !/status.php
RewriteCond %{REQUEST_FILENAME} !/ocs/v1.php
RewriteCond %{REQUEST_FILENAME} !/ocs/v2.php
RewriteCond %{REQUEST_FILENAME} !/robots.txt
RewriteCond %{REQUEST_FILENAME} !/updater/
RewriteCond %{REQUEST_FILENAME} !/ocs-provider/
RewriteCond %{REQUEST_FILENAME} !/ocm-provider/
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule . index.php [PT,E=PATH_INFO:$1]
RewriteBase /
<IfModule mod_env.c>
SetEnv front_controller_active true
<IfModule mod_dir.c>
DirectorySlash off
</IfModule>
</IfModule>
</IfModule>
And there is also the following in the .htaccess file, above the section quoted above:
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for static resources
<FilesMatch "\.(css|js|svg|gif)$">
Header set Cache-Control "max-age=15778463"
</FilesMatch>
# Let browsers cache WOFF files for a week
<FilesMatch "\.woff2?$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
</IfModule>
<IfModule mod_php7.c>
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
The ONLYOFFICE Document Server has been installed using this Ansible role which was written following the instructions here and it is running via Docker, the container has been pulled and started using the Docker Image and Docker Container Ansible modules:
- name: Pull the ONLYOFFICE image
docker_image:
name: onlyoffice/documentserver
state: present
pull: true
force: true
tags:
- onlyoffice
- name: Start the ONLYOFFICE container
docker_container:
name: onlyoffice_documentserver
image: onlyoffice/documentserver
interactive: true
tty: true
state: started
restart: true
restart_policy: always
ports:
- "{{ onlyoffice_https_port }}:443"
volumes:
- /var/log/onlyoffice:/var/log/onlyoffice
- /etc/onlyoffice:/var/www/onlyoffice/Data
- /var/cache/onlyoffice:/var/lib/onlyoffice
- /var/local/postgresql:/var/lib/postgresql
env:
JWT_ENABLED: true
JWT_SECRET: "{{ onlyoffice_jwt_secret }}"
JWT_HEADER: Authorization
capabilities: MKNOD
tags:
- onlyoffice
The JWT_SECRET is a 32 character random string and the onlyoffice_https_port is set to 4433. There is a Let's Encrypt cert for the ONLYOFFICE Docker container and, when the cert is renewed, a Bash script copies the new cert into place; this all appears to be working OK, and you can access ONLYOFFICE directly at this URL:
- https://onlyoffice.nextcloud.webarchitects.org.uk:4433/welcome/
With these HTTP headers:
lynx -head -dump https://onlyoffice.nextcloud.webarchitects.org.uk:4433/welcome/
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 10 Mar 2020 15:37:29 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4592
Connection: close
Vary: Accept-Encoding
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=604800
Last-Modified: Mon, 02 Mar 2020 22:40:49 GMT
ETag: W/"11f0-1709d68b168"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
And ONLYOFFICE displays:
Thank you for choosing ONLYOFFICE!
Document Server is running
As I wish to only use one public IP address and Apache is listening on port 443 a reverse proxy has been configured, based on the example here, the following Apache config has been generated from this Jinja2 template:
# Ansible provisioned
# https://github.com/ONLYOFFICE/document-server-proxy/blob/master/apache/proxy-https-to-https.conf
<VirtualHost *:80>
ServerName onlyoffice.nextcloud.webarchitects.org.uk
ServerAdmin [email protected]
IncludeOptional /etc/apache2/conf-available/le.conf
RedirectMatch 301 ^(?!/\.well-known/acme-challenge/).* https://onlyoffice.nextcloud.webarchitects.org.uk$0
</VirtualHost>
# https://nextcloud.com/collaboraonline/
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName onlyoffice.nextcloud.webarchitects.org.uk
SSLEngine on
SSLCertificateFile /etc/ssl/le/onlyoffice.nextcloud.webarchitects.org.uk.cert.pem
SSLCertificateKeyFile /etc/ssl/le/onlyoffice.nextcloud.webarchitects.org.uk.key.pem
SSLCertificateChainFile /etc/ssl/le/onlyoffice.nextcloud.webarchitects.org.uk.ca.pem
SSLProxyEngine on
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
IncludeOptional /etc/apache2/conf-available/robots-deny-nextcloud.conf
SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off
ProxyPassMatch (.*)(\/websocket)$ "ws://onlyoffice.nextcloud.webarchitects.org.uk:4433/$1$2"
ProxyPass / "https://onlyoffice.nextcloud.webarchitects.org.uk:4433/"
ProxyPassReverse / "https://onlyoffice.nextcloud.webarchitects.org.uk:4433/"
LogLevel error
ErrorLog /home/nextcloud/logs/apache.onlyoffice.error.log
CustomLog /home/nextcloud/logs/apache.onlyoffice.access.log combined
</VirtualHost>
</IfModule>
# vim: set ft=apache:
The reverse proxy appears to be working OK, ONLYOFFICE is available at this URL:
- https://onlyoffice.nextcloud.webarchitects.org.uk/welcome/
And again this has a A+ at SSL Labs and these HTTP headers:
lynx -head -dump https://onlyoffice.nextcloud.webarchitects.org.uk/welcome/
HTTP/1.1 200 OK
Date: Tue, 10 Mar 2020 15:38:31 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Content-Length: 4592
Vary: Accept-Encoding
X-Powered-By: Express
Accept-Ranges: bytes
Cache-Control: public, max-age=604800
Last-Modified: Mon, 02 Mar 2020 22:40:49 GMT
ETag: W/"11f0-1709d68b168"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Connection: close
In Nextcloud there are these settings for ONLYOFFICE:
Document Editing Service address:
https://onlyoffice.nextcloud.webarchitects.org.uk/
Document Editing Service address for internal requests from the server:
https://onlyoffice.nextcloud.webarchitects.org.uk/
Server address for internal requests from the Document Editing Service:
https://nextcloud.webarchitects.org.uk/
And the ONLYOFFICE settings from php occ config:list include the ONLYOFFICE domain being added to the trusted_domains array:
{
"system": {
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost",
"www.nextcloud.webarchitects.org.uk",
"nextcloud.webarchitects.org.uk",
"onlyoffice.nextcloud.webarchitects.org.uk"
],
And these app settings:
"onlyoffice": {
"DocumentServerInternalUrl": "https:\/\/onlyoffice.nextcloud.webarchitects.org.uk\/",
"DocumentServerUrl": "https:\/\/onlyoffice.nextcloud.webarchitects.org.uk\/",
"StorageUrl": "https:\/\/nextcloud.webarchitects.org.uk\/",
"demo": "{\"available\":true,\"enabled\":false,\"start\":{\"date\":\"2020-03-06 22:19:53.263490\",\"timezone_type\":3,\"timezone\":\"UTC\"}}",
"enabled": "yes",
"installed_version": "4.1.4",
"jwt_secret": "XXXXXXXXXXXXXXXX",
"settings_error": "Error occurred in the document service: Error while downloading the document file to be converted.",
"types": "filesystem"
},
The settings above have been entered manually, but once I work out what these need to be to work correctly, I intend to add them using the php occ command.
I have tried debugging this by logging into the container:
docker exec -t -i $(docker ps -q) /bin/bash
And then installing some additional tools (eg apt install vim) to help with the debugging, but I can't work out what the problem is.
This is a development server, if anyone from ONLYOFFICE is in a position to help debug this problem please let me have a username and a URL for your SSH public keys and I'd be happy to give you a password-less sudo account on the server as well as a Nextcloud admin account, or if anyone has any suggestions for what I could try to do to debug and solve this problem please let me know.
Or perhaps I should give up on this and install the Community Document Server, which I only found out about in #243 while writing up this issue? :roll_eyes:
Saving the settings when running php occ log:watch
results in the following:
Fatal onlyoffice Download empty without jwt 2020-03-12T08:46:30+00:00
Fatal onlyoffice Download empty without jwt 2020-03-12T08:46:31+00:00
Fatal onlyoffice Download empty without jwt 2020-03-12T08:46:32+00:00
Error onlyoffice GetConvertedUri on check error: Error occurred in the document service: Error while downloading the document file to be converted. 2020-03-12T08:46:34+00:00
There is a thread of other people with this issue on Discourse however there doesn't appear to be an answer there.
In this issue there is the suggestion to edit /etc/onlyoffice/documentserver/default.json in the container, so I did the following:
docker exec -t -i $(docker ps -q) /bin/bash
apt install vim
vi /etc/onlyoffice/documentserver/default.json
I changed these values to true:
"token": {
"enable": {
"browser": true,
"request": {
"inbox": true,
"outbox": true
}
},
And I restarted the services:
supervisorctl restart all
ds:metrics: stopped
ds:spellchecker: stopped
ds:converter: stopped
ds:docservice: stopped
ds:metrics: started
ds:spellchecker: started
ds:docservice: started
ds:converter: started
But this didn't solve the issue.
This issue suggests editing /etc/onlyoffice/documentserver/local.json instead, so I changed these variables:
"token": {
"enable": {
"request": {
"inbox": true,
"outbox": true
},
"browser": true
},
And restarted the services and saved the ONLYOFFICE settings in Nextcloud and now there is only one error message:
Error onlyoffice CommandRequest on check error: Error occurred in the document service: Invalid token 2020-03-12T09:06:21+00:00
So I edited this part of the /etc/onlyoffice/documentserver/local.json file and added the secret string (replacing the word secret with the string on the Nextcloud settings page):
"secret": {
"inbox": {
"string": "secret"
},
"outbox": {
"string": "secret"
},
"session": {
"string": "secret"
}
I then restarted all the services again and in Nextcloud on saving the settings I have:
Settings have been successfully updated
And ONLYOFFICE works!
It is going to be rather annoying if files in the container need editing after every update, I guess I could write a BASH script for this but that seems a little crazy, is there any other way to do this? Or should I simply use the Community Document Server?
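The fix above comes down to two things: the Document Server must have token checking enabled for inbox and outbox requests, and its inbox/outbox/session secrets must be the same string as the jwt_secret in the Nextcloud app, otherwise the connector gets "Invalid token". The following Python is an added example (not code from this issue, from the connector or from ONLYOFFICE) that does the local.json merge the poster mentions scripting, and signs and verifies a token the way a shared-secret HS256 JWT check works, so the secret mismatch can be reproduced offline. Assumptions: that the Document Server validates HS256 JWTs, and that the "token" and "secret" blocks quoted above sit under services.CoAuthoring in local.json; the function names and the sample config are constructed for the example.

```python
"""Added example: keep ONLYOFFICE JWT settings in sync with Nextcloud and
check a token the way a shared-secret verifier would. Not ONLYOFFICE code.
Assumption: ONLYOFFICE checks HS256 JWTs and the token/secret blocks live
under services.CoAuthoring in local.json."""
import base64
import copy
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact(header))}.{b64url(compact(payload))}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature matches `secret`, else None.
    Only HS256 is accepted, so an "alg": "none" header is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def apply_jwt_settings(local_json: dict, secret: str) -> dict:
    """Merge the token.enable flags and inbox/outbox/session secrets from the
    issue into a local.json-shaped dict, leaving unrelated keys untouched.
    The services.CoAuthoring path is an assumption."""
    cfg = copy.deepcopy(local_json)
    co = cfg.setdefault("services", {}).setdefault("CoAuthoring", {})
    enable = co.setdefault("token", {}).setdefault("enable", {})
    enable["browser"] = True
    enable["request"] = {"inbox": True, "outbox": True}
    co["secret"] = {k: {"string": secret} for k in ("inbox", "outbox", "session")}
    return cfg


def check_handshake(nextcloud_secret: str, docserver_local_json: dict) -> str:
    """Simulate Nextcloud sending a signed command to the Document Server:
    returns "ok" when the inbox secret matches, "Invalid token" otherwise."""
    token = sign_jwt({"c": "version"}, nextcloud_secret)
    inbox = docserver_local_json["services"]["CoAuthoring"]["secret"]["inbox"]["string"]
    return "ok" if verify_jwt(token, inbox) is not None else "Invalid token"


if __name__ == "__main__":
    # Constructed sample: an existing local.json with an unrelated setting.
    existing = {"services": {"CoAuthoring": {"sql": {"dbHost": "localhost"}}}}
    nextcloud_secret = "example-32-char-secret-from-nextcloud"
    synced = apply_jwt_settings(existing, nextcloud_secret)
    stale = apply_jwt_settings(existing, "secret")  # placeholder left in place
    print(check_handshake(nextcloud_secret, synced))  # ok
    print(check_handshake(nextcloud_secret, stale))   # Invalid token
    print(json.dumps(synced, indent=2))
```

Running the script inside the container against the real file would mean loading /etc/onlyoffice/documentserver/local.json into apply_jwt_settings, writing the result back and then supervisorctl restart all, as in the steps above; the verifier in the block is also a quick way to confirm that a token captured in the Nextcloud log really was signed with the secret the container holds.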
After giving up on the ONLYOFFICE Docker container due to the issue above and then trying to use the Community Document Server for a while and finding that to be less than satisfactory, I have now written an ONLYOFFICE Document Server Ansible role and corresponding PostgreSQL and RabbitMQ roles in order to setup a VM running a separate ONLYOFFICE Document Server… there is a repo to provision a development Nextcloud and ONLYOFFICE server here as an example of this.
The non-Docker version of the ONLYOFFICE Document Server seems to have been easier for me to get up and running than the Docker version, but I guess most people find the Docker version easier…:roll_eyes:
@chriscroome
I have the Docker version of Document Server and it works without problem, so I see in the front config that you have set that you need to apply the settings they recommend if you do a ProxyPass. I leave you some that you should put:
ProxyAddHeaders Off
ProxyPassMatch (.*)(\/websocket)$ "ws://$IP:$PORT/$1$2"
ProxyPass / http://$IP:$PORT/
ProxyPassReverse / http://$IP:$PORT/
Hope this can help you
Hello, I have written a documentation for that in https://github.com/biva/documentation/blob/biva/admin_manual/configuration_server/onlyoffice_configuration.rst
I would be happy to receive your feedback / advice, so that it's useful for more users @richardrey @chriscroome