Apache configuration of OnlyOffice with proxy and docker: access issue

Hello,

I have an issue with my installation of ONLYOFFICE (docker) on the same server as my Nextcloud server (Debian/Apache). When I save the parameters of ONLYOFFICE in Nextcloud settings, I see this error message: Error when trying to connect (Error occurred in the document service: Error while downloading the document file to be converted.). I investigated, notably thanks to this thread, and I found out that I have no internet access from within the container. Once I succeed in solving this issue, I’ll complete full documentation at https://github.com/biva/documentation/edit/biva/admin_manual/configuration_server/onlyoffice_configuration.

I tried to find a solution everywhere, but I’m totally blocked now :cry: I really need your support, thank you in advance for your help!

The details are here:

My config:
A. Everything is running under https under Apache and Let’s encrypt
B. I set up a proxy in the office.conf Apache configuration file
C. Nextcloud is under nextcloud.mysite.com and ONLYOFFICE under office.mysite.com

What I tested:

  1. Healthcheck works and office.mysite.com works ("Document Server is running")
  2. wget office.mysite.com works from the server where Nextcloud is running
  3. My document server (docker) doesn’t have access to Nextcloud: if I launch wget nextcloud.mysite.com from docker (docker exec -it ID_CONTAINER /bin/bash), I don’t get anything (the connection is impossible). In addition, I can’t access any site from the document server in docker. If I do wget 77.95.65.121 (a google IP), I can’t access it either.
  4. I launch docker with this command: sudo docker run -i -t -d -p 8282:80 --restart=always
  5. Nextcloud is running under https. But if I launch docker with sudo docker run -i -t -d -p 8282:443 --restart=always, then document server doesn’t work (healthcheck doesn’t work)
  6. I did not enable anything different in default.json. I see this:

"ipfilter": { "rules": [{"address": "*", "allowed": true}], "useforrequest": false, "errorcode": 403 },

  7. I tried to change my /etc/hosts within the container (even if I don’t think that it’s the problem, because when I try wget 77.95.65.121 (a google IP), I can’t access it either; same for wget XX.XX.XX.XX, which is my public IP).

The error message in the converter log is the following with different changes:
a. Without any change in /etc/hosts:

[2020-04-10T08:20:01.846] [WARN] nodeJS - { Error: ENOENT: no such file or directory, open '/var/www/onlyoffice/documentserver/../Data/license.lic'
    at Object.openSync (fs.js:443:3)
    at Object.fs.openSync (pkg/prelude/bootstrap.js:490:32)
    at Object.readFileSync (fs.js:343:35)
    at Object.fs.readFileSync (pkg/prelude/bootstrap.js:686:36)
    at Object.exports.readLicense (/snapshot/server/build/server/Common/sources/license.js:0:0)
    at exports.readLicense.next (<anonymous>)
    at readLicense (/snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0)
    at readLicense.next (<anonymous>)
    at /snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0
    at Generator.next (<anonymous>)
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/var/www/onlyoffice/documentserver/../Data/license.lic' }
[2020-04-10T08:20:01.907] [WARN] nodeJS - update cluster with 1 workers
[2020-04-10T08:20:01.949] [WARN] nodeJS - worker 845 started.
[2020-04-10T08:20:01.969] [WARN] nodeJS - { Error: ENOENT: no such file or directory, open '/var/www/onlyoffice/documentserver/../Data/license.lic'
    at Object.openSync (fs.js:443:3)
    at Object.fs.openSync (pkg/prelude/bootstrap.js:490:32)
    at Object.readFileSync (fs.js:343:35)
    at Object.fs.readFileSync (pkg/prelude/bootstrap.js:686:36)
    at Object.exports.readLicense (/snapshot/server/build/server/Common/sources/license.js:0:0)
    at exports.readLicense.next (<anonymous>)
    at readLicense (/snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0)
    at readLicense.next (<anonymous>)
    at /snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0
    at Generator.next (<anonymous>)
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/var/www/onlyoffice/documentserver/../Data/license.lic' }
[2020-04-10T08:20:01.971] [WARN] nodeJS - update cluster with 1 workers
[2020-04-10T08:21:14.560] [WARN] nodeJS - { Error: ENOENT: no such file or directory, open '/var/www/onlyoffice/documentserver/../Data/license.lic'
    at Object.openSync (fs.js:443:3)
    at Object.fs.openSync (pkg/prelude/bootstrap.js:490:32)
    at Object.readFileSync (fs.js:343:35)
    at Object.fs.readFileSync (pkg/prelude/bootstrap.js:686:36)
    at Object.exports.readLicense (/snapshot/server/build/server/Common/sources/license.js:0:0)
    at exports.readLicense.next (<anonymous>)
    at readLicense (/snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0)
    at readLicense.next (<anonymous>)
    at /snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0
    at Generator.next (<anonymous>)
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/var/www/onlyoffice/documentserver/../Data/license.lic' }
[2020-04-10T08:21:14.579] [WARN] nodeJS - update cluster with 1 workers
[2020-04-10T08:21:14.644] [WARN] nodeJS - worker 921 started.
[2020-04-10T08:21:14.655] [WARN] nodeJS - { Error: ENOENT: no such file or directory, open '/var/www/onlyoffice/documentserver/../Data/license.lic'
    at Object.openSync (fs.js:443:3)
    at Object.fs.openSync (pkg/prelude/bootstrap.js:490:32)
    at Object.readFileSync (fs.js:343:35)
    at Object.fs.readFileSync (pkg/prelude/bootstrap.js:686:36)
    at Object.exports.readLicense (/snapshot/server/build/server/Common/sources/license.js:0:0)
    at exports.readLicense.next (<anonymous>)
    at readLicense (/snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0)
    at readLicense.next (<anonymous>)
    at /snapshot/server/build/server/FileConverter/sources/convertermaster.js:0:0
    at Generator.next (<anonymous>)
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/var/www/onlyoffice/documentserver/../Data/license.lic' }
[2020-04-10T08:21:14.662] [WARN] nodeJS - update cluster with 1 workers
[2020-04-10T08:21:28.435] [ERROR] nodeJS - dnsLookup error: hostname = nextcloud.mysite.com
Error: getaddrinfo EAI_AGAIN nextcloud.mysite.com
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:56:26)
[2020-04-10T08:21:28.438] [ERROR] nodeJS - checkIpFilter error:url=https://nextcloud.mysite.com/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9;code:403;(id=conv_check_1194444044_docx)

b. If I change /etc/hosts with my ip 45.54.XX.XX nextcloud.mysite.com this is what I get in the log:

[2020-04-10T08:32:18.480] [ERROR] nodeJS - error downloadFile:url=https://nextcloud.mysite.com/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.eRMxK1CX8bwiEsvi3HxUW_zazK2TAv0XWLPaFw2xmTE;attempt=1;code:ETIMEDOUT;connect:true;(id=conv_check_1351485715_docx) Error: ETIMEDOUT at Timeout.<anonymous> (/snapshot/server/build/server/Common/node_modules/request/request.js:848:19) at ontimeout (timers.js:436:11) at tryOnTimeout (timers.js:300:5) at listOnTimeout (timers.js:263:5) at Timer.processTimers (timers.js:223:10)

c. If I change /etc/hosts with 127.0.0.1 nextcloud.mysite.com this is what I get in the log:

[2020-04-10T08:35:57.106] [ERROR] nodeJS - error downloadFile:url=https://nextcloud.mysite.com/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.eRMxK1CX8bwiEsvi3HxUW_zazK2TAv0XWLPaFw2xmTE;attempt=1;code:ETIMEDOUT;connect:true;(id=conv_check_978098827_docx) Error: ETIMEDOUT at Timeout.<anonymous> (/snapshot/server/build/server/Common/node_modules/request/request.js:848:19) at ontimeout (timers.js:436:11) at tryOnTimeout (timers.js:300:5) at listOnTimeout (timers.js:263:5) at Timer.processTimers (timers.js:223:10)

  8. I tried to load the container with these 2 possibilities:
    -A: sudo docker run -i -t -d -p 8283:80 -p 8282:443 --restart=always onlyoffice/documentserver : document server doesn’t work (healthcheck doesn’t work)
    -B: sudo docker run -i -t -d -p 8283:80 -p 8282:443 --restart=always onlyoffice/documentserver : documentserver works, but my issue is still there

  9. In my Apache config file I have this, should I change something? (inspired by https://github.com/ONLYOFFICE/document-server-proxy/blob/master/apache/proxy-https-to-http.conf but I’m not sure which config file I should use among the 4 supplied files in https://github.com/ONLYOFFICE/document-server-proxy/tree/master/apache)

  • /etc/apache2/sites-available/office.conf:
    <VirtualHost *:80>
        ServerName office.mysite.com

        # HTTPS redirect
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =office.mysite.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>
    
  • /etc/apache2/sites-available/office-le-ssl.conf :

    <VirtualHost *:443>
        ServerName office.mysite.com:443

        # Prevent access to directory listing
        <Directory /var/www/html>
            Options -Indexes
        </Directory>

        # In the ONLYOFFICE Apache file, but removed because it prevents Apache from starting
        #
        # User daemon
        # Group daemon
        #

        # SSL configuration
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/office.mysite.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/office.mysite.com/privkey.pem

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLProtocol All -SSLv2 -SSLv3
        SSLCompression off
        SSLHonorCipherOrder on

        # Pass the original host and scheme on to the document server
        SetEnvIf Host "^(.*)$" THE_HOST=$1
        RequestHeader setifempty X-Forwarded-Proto https
        RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
        ProxyAddHeaders Off

        # Proxy websocket and HTTP traffic to the container published on port 8282
        ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8282/$1$2"
        ProxyPass / "http://127.0.0.1:8282/"
        ProxyPassReverse / "http://127.0.0.1:8282/"

        ErrorLog /var/log/apache2/office-error.log
        CustomLog /var/log/apache2/office-access.log combined
    </VirtualHost>

Would anybody have an idea?

Is there somewhere a complete tutorial where I could start over to configure OnlyOffice behind a proxy, using docker, Apache and Nextcloud? I did not find it and I want to do it in https://github.com/biva/documentation/e … figuration to help other users.

For information, I wrote documentation here: comments and advice would be appreciated!
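
As an added example (not part of the original post), this Python script triages converter log lines like those quoted above by the stage that failed: name resolution, the ipfilter check returning 403, or the download timing out on connect. The sample log is constructed, the host `nextcloud.example.test` and the stage labels are assumptions, and the query string is dropped so the `doc=` token is not copied into a report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the converter log lines quoted in the post.
SAMPLE_LOG = """\
[2020-04-10T08:21:14.655] [WARN] nodeJS - { Error: ENOENT: no such file or directory, open '/var/www/onlyoffice/documentserver/../Data/license.lic'
[2020-04-10T08:21:28.435] [ERROR] nodeJS - dnsLookup error: hostname = nextcloud.example.test
Error: getaddrinfo EAI_AGAIN nextcloud.example.test
[2020-04-10T08:21:28.438] [ERROR] nodeJS - checkIpFilter error:url=https://nextcloud.example.test/apps/onlyoffice/empty?doc=CONSTRUCTED.TOKEN;code:403;(id=conv_check_1_docx)
[2020-04-10T08:32:18.480] [ERROR] nodeJS - error downloadFile:url=https://nextcloud.example.test/apps/onlyoffice/empty?doc=CONSTRUCTED.TOKEN;attempt=1;code:ETIMEDOUT;connect:true;(id=conv_check_2_docx) Error: ETIMEDOUT
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] nodeJS - (?P<msg>.*)$")
URL = re.compile(r"url=(?P<url>[^;]+)")
CODE = re.compile(r"code:(?P<code>[A-Z0-9_]+)")

def redact(url):  # drop the query string so the doc= token stays out of reports
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"

def classify(msg):
    """Map one log message to (stage, detail); None for messages not of interest."""
    if msg.startswith("dnsLookup error"):
        return "dns", msg.split("=", 1)[1].strip()
    m_url, m_code = URL.search(msg), CODE.search(msg)
    if m_url and m_code:
        code = m_code.group("code")
        if msg.startswith("checkIpFilter error"):
            stage = "ipfilter"
        else:
            stage = "connect-timeout" if code == "ETIMEDOUT" else "download"
        return stage, f"{redact(m_url.group('url'))} code={code}"
    if "license.lic" in msg and "ENOENT" in msg:
        return "license-file", "license.lic not found"
    return None

def triage(log_text):
    """Return [(timestamp, stage, detail)] for every timestamped entry of interest."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)  # continuation lines (stack trace, getaddrinfo) do not match
        result = classify(m.group("msg")) if m else None
        if result:
            findings.append((m.group("ts"), *result))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```
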