Debian Jessie Apache MariaDB PHP 7.0 Nextcloud 11 Collabora start to finish with a few extras

Being a recent Nextcloud noob ran me into a few teething problems that, with hindsight, shouldn't have been a problem at all.
So here is a current tutorial, the one I should have found before wasting a few days due to my lack of knowledge.

I am going to presume no Linux knowledge and just provide a copy-and-paste, step-by-step guide on how to get things operational. This is a self-hosting guide, but a VPS/Cloud install is practically the same, in fact slightly easier, as there is no local DNS to worry about.

1… Let's get Debian Jessie: http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.7.1-amd64-netinst.iso. Download the net-install CD of Jessie, as grabbing the packages from the net means the install is instantly up to date.
Because Docker on AMD/Intel platforms needs it, you will have to use the 64-bit install.

2… Burn your Debian ISO to a DVD/CD or USB stick. On Windows you can do this with CDBurnerXP, which is my preference for disks: https://cdburnerxp.se/downloadsetup.exe
Or we can create a USB installer with UNetbootin: https://unetbootin.github.io/
Burning an ISO image to disk or USB is relatively simple and a quick google will get you up to speed on that.

3… This guide is for a clean install and will wipe the target computer clean. Equipment-wise you can have very modest hardware: an old PC with a network card, hard drive and USB is really all you need, and 2GB RAM and a 40GB hard drive is more than enough for the system. You also need a monitor you can use for the install and a network connection.

4… All computer BIOSes are different, but power on the machine and press Del, F10 or whatever key you need to select the boot order. Depending on whether you burned a disk or USB, select the correct media to boot from.

Hopefully you managed the above; hit enter to start the install.
You will get prompts to choose your language, country and keymap; hit enter until you get to the hostname.
I am going to use the hostname Nextcloud on the domain Vote4u.org.uk for the purpose of this tutorial; you can use Nextcloud or whatever hostname you wish. You may have a registered domain, or may even use your surname, as in Naylor.lan, if this is just a local install.

So for the hostname change from debian to nextcloud (all lower case) and hit enter; for the domain enter vote4u.org.uk and hit enter again.
Then it's a matter of the password for the root account (admin). Pick a good password, alphanumeric with a mixture of case and maybe the odd special character such as * or £.
14Me24Get! is probably highly apt in my case; confirm it.
Then add the main user, which will be the sudo admin, stuart in my case: account name stuart, and I am going to use the same password. Pick quite strong ones as, apart from the install, touch wood, you will not need them often.

Partitioning method: two choices here, either Guided - use entire disk and set up LVM, or Guided - use entire disk and set up encrypted LVM. We are just going to use the guided install as it's super easy; encryption means the system is relatively forensics-proof, but most installs just go for plain LVM.
At the end of the tutorial I will show you how to swap the encryption passphrase for a keyfile on a USB stick, so that if the machine is powered down it is not coming back to life unless that USB stick is plugged into the machine. It only needs the keyfile to boot, and everything can be made super secure by just pulling the plug.
But anyway, normal install: select Guided - use entire disk and set up LVM and hit enter.
With a one-disk system select that disk and hit enter.
All files in one partition (hit enter).
Select (Yes) and hit enter.
It will choose the correct partition scheme for you, so just hit enter on Finish partitioning and write changes to disk.
It asks once more, as those disks are going to be wiped clean and a new OS installed, so select (Yes) and hit enter.
The installer will install the minimum default packages and then ask you to pick the nearest Debian net repository to install from. Hit enter twice as the defaults are probably the best options.

Presuming you are not behind a proxy server, hit enter once more.
It's up to you whether you participate in the usage survey; hit enter.

Now we are just going to install a server with standard tools and SSH access.

So press the spacebar to deselect the desktop and print server; if needed they can be added later.
Spacebar to select SSH server, and we should just have a * against SSH server and standard system utilities. Tab to select continue and hit enter.

Yes to install GRUB to the master boot record; select your single drive /dev/sda and once more hit enter.
Debian Jessie will now reboot on a last enter, and finally we get to setting things up.

We are going to log on as root with the root password.

First we are going to set up sudo for the user account we created.

apt-get install sudo
nano /etc/sudoers (this config file often seems to cause shrill panic; just make sure you enter everything exactly as I say).
If you make a mistake or are not sure, press ctrl+x and then n (no) so nothing is saved; you will exit and can start again.

Under the line below, enter the user you entered on install, copying the exact case.
Use the down arrow to scroll down to the line directly below:- root ALL=(ALL:ALL) ALL
So it's your username, mine is stuart (press tab) ALL=(ALL:ALL) (press space) ALL (press enter once), so it looks exactly like the line above apart from having your user name rather than root.
ctrl+x (press both once at the same time) (press y once) (hit enter) and the changes are saved.

usermod -a -G sudo stuart (substitute your user name for stuart)

Yes, you can use su to switch to root, but sudo is the common method. That basically sets sudo up with that user as a sudo account with full root permissions, which can be locked down later.

ifconfig (press enter)

This will display your current network connections and, if all went well, next to eth0 it will state the current IP address, so we can connect via SSH and no longer need a monitor.

We now have to think about how we are going to connect and interact with clients, as this is a server.
If you are setting up a VPS/Cloud install you can skip all this, as you don't have any clients apart from the Docker container, and with a VPS/Cloud it's highly likely the eth0 IP address is also the public address, so the DNS entry in the registered domain settings is all you need.

If you are self hosting at home, or even in a business, it's highly likely you will be on a private subnet such as 192.168.0/24.
With my ISP and router, when I did an ifconfig the IP address was 192.168.1.7 and the default gateway was 192.168.1.1, because here we are on the 192.168.1/24 subnet, with 255 possible IPs from 192.168.1.1 to 192.168.1.255; these are private, non-routable addresses that cannot be used as public domain IP addresses.
That is no problem, as the router from the ISP has your public IP address, but the problem is that the IP addresses and DNS are different externally for remote connections than they are for local internal devices.

Each device has a hosts file, which is a list of IP addresses and DNS names that takes priority over any DNS system. So the easiest way is just to configure each client's hosts file so it has the right IP-to-DNS-name mappings, and for a couple of computers that is manageable. If you have a few computers and devices connecting it can be a pain having to configure the hosts file each time a device needs to connect.

So you have a choice of providing a local DNS server or editing the hosts file on every machine; either way will work and I will explain both.

Currently your ISP's router is using DHCP to make your clients all get the right IP and point to the gateway (router IP) and DNS server (also the router).
What I am going to do is show two methods: one using dnsmasq as a super easy and powerful way to provide DHCP & DNS, turning that function off in the ISP router, and secondly just using the ISP router and hosts file edits.

So if you have more than just a couple of computers, want to allow ad hoc connections without configuring each one, and want to set up a typical office local subnet or busy home, then dnsmasq is the way to go; otherwise skip past this section and just manually configure each client's hosts file.

DNSMasq Setup.

Firstly, being the DHCP, DNS and Nextcloud server, we are going to change the network settings to give us a static IP address.
My router address is 192.168.1.1 and I can see that in the network settings of my clients, or with ipconfig/ifconfig on Windows/Linux.
It could be any IP in the 192.168.1/24 subnet, but I am going to pick 192.168.1.2 so it's the next IP up from the gateway (router IP).

sudo nano /etc/network/interfaces, which should currently look something like this.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto

It's the eth0 section (from the "# The primary network interface" comment onwards) that needs to be deleted and replaced with:

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
        address 192.168.1.2
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

ctrl+x (press both at the same time once), then y to save, then enter.

That is a static IP address setup.

sudo apt-get install dnsmasq
sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.old
sudo nano /etc/dnsmasq.conf

domain-needed
bogus-priv
no-resolv
no-poll
server=yourrouterip
server=8.8.8.8
server=208.67.220.220
local=/vote4u.org.uk/
expand-hosts
domain=vote4u.org.uk
dhcp-range=192.168.1.16,192.168.1.244,72h

#dhcp-host=nextcloud,192.168.1.200,36h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:ntp-server,192.168.1.1

That is it for setting up the basics of our DNS/DHCP server; basically it will serve whatever is in this server's hosts file as DNS to all connected clients and save us the hassle of having to do so on each one.

dhcp-host=nextcloud,192.168.1.200,36h is an example of DHCP handing a fixed IP to a computer that connects with the hostname nextcloud.
dhcp-range=192.168.1.16,192.168.1.244,72h sets a DHCP range of 16-244 with a lease time of 72 hours.
The first 15 IPs, like the router and this server (192.168.1.1 & .2), are static and there is space for 13 more.

So if you have a different subnet such as 192.168.0/24 or 10.0.0/24, just change the above to suit.

This current method is just an easy single-network-card server, but it is also very simple to make it act as the whole subnet's firewall and router, with two network cards giving a forward and reverse network connection and enhanced security like many security appliances such as pfSense or Smoothwall.

All we need to do is declare any static DNS entries in this server's /etc/hosts file, as dynamic DHCP leases will be registered in DNS dynamically and transparently.

sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 ns1.vote4u.org.uk ns1
192.168.1.2 ns1.vote4u.org.uk ns1
192.168.1.200 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

The above is an example of a stand-alone name server that serves its hosts file as local DNS.

127.0.0.1       localhost
192.168.1.2     nextcloud.vote4u.org.uk nextcloud       office.vote4u.org.uk    office


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters 

If we are also going to run Nextcloud on this server then all we need is the above in /etc/hosts and DNSMasq will do the rest; nextcloud.vote4u.org.uk will be the DNS/DHCP & application server.
That's it really, and you can override any public DNS or create new entries by adding them to this single hosts file.

The last thing with DNSMasq is to edit /etc/resolv.conf so the server itself also uses the local DNS server:
sudo nano /etc/resolv.conf
Have only this:
nameserver 127.0.0.1

Without DNSMasq, every local device on the local subnet will need the line…
192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office
added to its hosts file, along with any other declared local DNS entries.
This also includes the Docker container for Collabora.
You may also wish to synchronise time from this server.
NTP Server
sudo apt-get install ntp
sudo nano /etc/ntp.conf
Uncomment the broadcast line and change it to your subnet's broadcast address (ending in 255):
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
broadcast 192.168.1.255

sudo systemctl restart ntp
sudo systemctl enable ntp
sudo ntpq -p #show status

So here we can start with installing Webmin, MariaDB, Apache and PHP 7.0.

Starting with MariaDB
sudo apt-get install -y software-properties-common curl zip
sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
sudo add-apt-repository 'deb [arch=amd64,i386] http://nyc2.mirrors.digitalocean.com/mariadb/repo/10.1/debian jessie main'
sudo apt-get update; sudo apt-get install mariadb-server
sudo mysql_secure_installation
sudo nano /etc/mysql/my.cnf
Find these two lines:
log-bin = /var/log/mysql/mariadb-bin
log-bin-index = /var/log/mysql/mariadb-bin.index
and under them add:- binlog_format = mixed

Apache
sudo apt-get install apache2 apache2-doc apache2-utils

PHP7
sudo nano /etc/apt/sources.list

Add these at the bottom of the list:
deb http://packages.dotdeb.org jessie all
deb-src http://packages.dotdeb.org jessie all
cd /tmp
wget https://www.dotdeb.org/dotdeb.gpg
sudo apt-key add dotdeb.gpg
sudo apt-get update
sudo apt-get install php7.0-common php7.0-gd php7.0-mysql php7.0-apcu php7.0-curl php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-redis php7.0-xml php7.0-zip libapache2-mod-php7.0
sudo a2enmod rewrite headers env dir mime setenvif ssl proxy proxy_wstunnel proxy_http

Webmin
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.831_all.deb
sudo dpkg --install webmin_1.831_all.deb

I have included Webmin as, for those of us who struggle with Linux, having a graphical interface is really handy without encyclopedic knowledge and memory.
Access Webmin on https://myserver-ip:10000. At the end of this tutorial, with the guide to installing fail2ban and OpenVPN, I will give you some easy steps to reduce any security concerns, as there is a lot of hot air on this topic.

So now we are almost there and it's time to install Nextcloud.

Go to https://nextcloud.com/install, find the link to the latest release and copy the URL. In the following I am going to duplicate each step, firstly using Webmin, then the command line.
The choice is yours and each step only needs to be done once.

Webmin:
Right click on the latest Nextcloud download link and copy the URL ( https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip ).

→ Others → File manager → navigate to /var/www/ → File → Download from remote URL → paste the URL and hit enter.
Right click on nextcloud-11.0.1.zip and select extract; if the extract command is missing it means unzip/zip is not installed.

In the left-hand margin of Webmin, at the bottom, you will see a >_ icon; click that and type apt-get -y install zip (press enter).
In the file manager right click, select refresh, and right click again and you will now see the extract option.
Select extract.
Right click on the extracted nextcloud folder → Properties → change ownership → www-data/www-data, check recursive and apply.
You can also delete the zip: right click and select delete.
→ File → Create Folder, name it nextcloud-data → Create
Right click on the newly created nextcloud-data folder → Properties → change ownership → www-data/www-data, check recursive and apply.

CLI:
Copy the URL https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip
wget https://download.nextcloud.com/server/releases/nextcloud-11.0.1.zip
sudo unzip nextcloud-11.0.1.zip
sudo cp -r nextcloud /var/www/
sudo chown www-data:www-data /var/www/nextcloud/ -R
sudo mkdir /var/www/nextcloud-data/
sudo chown www-data:www-data /var/www/nextcloud-data -R
Now the database.

Webmin:

→ Servers → MySQL Database Server.
First time use you will need to enter the root password.

→ Create new database → name it nextcloud → create

→ User permissions → create new user permissions → set a username and a password and set to localhost → create → return to database list
→ Create database permissions → create new database permissions → databases select the nextcloud database, select a user ( nextcloud ), select and enter localhost, select all permissions apart from ‘grant permissions’.

CLI:
sudo mysql -u root -p
create database nextcloud;
create user nextcloud@localhost identified by '14Me24Get!';
grant all privileges on nextcloud.* to nextcloud@localhost identified by '14Me24Get!';
flush privileges;

exit;

Create an Apache Virtual Host File for Nextcloud

Webmin:

→ Servers → Apache web server → Create virtual host → Port select 80, Document root select /var/www/nextcloud, servername nextcloud.your-domain.com → create now.
Double click that virtual domain → Edit directives.

Paste so it looks like so.
DocumentRoot "/var/www/nextcloud"
ServerName nextcloud.vote4u.org.uk
ServerAdmin stuartiannaylor@outlook.com

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

<Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
        Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
    Satisfy Any

</Directory>

→ Save & close → return to server list.
Top right of page click the refresh/apply changes button.

CLI:
sudo nano /etc/apache2/sites-available/nextcloud.conf
Paste and edit the below.
<VirtualHost *:80>
    DocumentRoot "/var/www/nextcloud"
    ServerName nextcloud.vote4u.org.uk

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/nextcloud/>
        Options +FollowSymlinks
        AllowOverride All

        <IfModule mod_dav.c>
            Dav off
        </IfModule>

        SetEnv HOME /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
        Satisfy Any

    </Directory>

</VirtualHost>

ctrl+x, y to save
sudo a2ensite nextcloud.conf
sudo systemctl restart apache2

Now DNS.

If you have a VPS/Cloud then all you need to do is create a CNAME or A record for the nextcloud and office subdomains, depending on how your domain registrar's DNS system works.
Mine is like so.
nextcloud CNAME vote4u.org.uk.
office CNAME vote4u.org.uk.

I am self hosting, so I need to work with the public IP of my router, and for many this will require either the purchase of a static IP address (really winds me up as it's a big con, really) or paying for a dynamic DNS service that you can set up in your router (which actually might cost more than a static IP).
But until your public IP changes this will work,
with vote4u.org.uk being an A record to the public IP of my router.
@ A 92.2.183.195

That can easily be found by just googling "my ip".

If you have a VPS/Cloud then all clients access externally via the public IP and you are done, except for one client: the Docker container for Collabora is internal and may need a /etc/hosts entry pointing to the private IP of the Nextcloud virtual host.

If you installed DNSMasq and edited this server's /etc/hosts so it looks like the below, you are already done for local DNS.

127.0.0.1       localhost
192.168.1.2     nextcloud.vote4u.org.uk nextcloud       office.vote4u.org.uk    office


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If you don't have DNSMasq, then on every client, including the Docker container, you will need to add an entry to /etc/hosts as below.

192.168.1.2 nextcloud.vote4u.org.uk nextcloud office.vote4u.org.uk office

After that, internally you can access Nextcloud from http://nextcloud.vote4u.org.uk (or whatever domain you have employed).
Externally, if you are self hosting, you need to set up port forwarding for HTTP & HTTPS to this server.
Each router is different, but it is usually very easy to achieve.

So after all that we can navigate to http://nextcloud.vote4u.org.uk. It's important to get the DNS right before you set up the site, as the configuration will use the current hostnames rather than IP addresses.

You can check the Nextcloud DNS with the command nslookup nextcloud.vote4u.org.uk
So set up your Nextcloud: create an admin user, change the data directory to /var/www/nextcloud-data,
enter the database credentials you created and we should see Nextcloud.

We are going to jump ahead slightly and install the Collabora office subdomain, and also get a free certificate from Let's Encrypt. The reason I am doing this now is so we can get the certs for the nextcloud and office subdomains at the same time.

So set up another virtual host for office.vote4u.org.uk

Webmin:

→ Servers → Apache Webserver → Create virtual host → Port select 80, servername office.your-domain.com → create now.
Top right-hand corner click refresh/apply changes.

CLI:
sudo nano /etc/apache2/sites-available/office.your-domain.com.conf
Put the following text into the file.

<VirtualHost *:80>
    ServerName office.vote4u.org.uk
</VirtualHost>

sudo a2ensite office.your-domain.com.conf
sudo systemctl restart apache2

Now we can get the super easy certificates from Let's Encrypt.

cd ~
sudo wget https://dl.eff.org/certbot-auto && sudo chmod a+x certbot-auto

sudo ./certbot-auto --apache --agree-tos --email stuartiannaylor@outlook.com -d nextcloud.vote4u.org.uk -d office.vote4u.org.uk

Remember to add a cron job for cert renewal!
If it fails to find or verify the hosts then something is wrong with your external DNS or port forwarding and you need to recheck your settings.
If all goes well it will prompt you for an easy or secure install (options 1 or 2).
Select 2, secure, as it is just as easy and it will auto-create a redirect so all non-HTTPS traffic is redirected to HTTPS.

You can check this now by entering http://nextcloud.vote4u.org.uk in a browser; it will redirect automatically to https://nextcloud.vote4u.org.uk and your browser should be telling you that you have a valid, authentic certificate.

Seeing as we are already here, we will kickstart the Nextcloud installer.
Pick an admin name and password.
Use /var/www/nextcloud-data for the data folder.
Enter the nextcloud database credentials and install.
As said, it's important to get your DNS and SSL sorted first, as the entry point to the Nextcloud installer is used in the configuration.
Just don't run the install until you get things right.

Now we are going to install Docker before we enable Collabora.

sudo apt-get install apt-transport-https ca-certificates software-properties-common
curl -fsSL https://yum.dockerproject.org/gpg | sudo apt-key add -
sudo add-apt-repository \
       "deb https://apt.dockerproject.org/repo/ \
       debian-$(lsb_release -cs) \
       main"
sudo apt-get update
sudo apt-get -y install docker-engine

Now, for some of us with i386 machines there may be a loud scream as you realise Docker does not support i386 or have an i386 repo.
For those of you with a 64-bit machine you are OK, but on Intel/AMD platforms compiling and using a 32-bit Docker is beyond my capabilities.
Also there is a problem with Debian and AUFS support.
sudo docker info

You will see Storage Driver: aufs, and it doesn't work, so we need to change to devicemapper.
grep ExecStart /lib/systemd/system/docker.service
will return something like the below, which we need to override in a systemd drop-in file:
ExecStart=/usr/bin/dockerd -H fd://
sudo mkdir /etc/systemd/system/docker.service.d
sudo nano /etc/systemd/system/docker.service.d/execWithDeviceMapper.conf
Create it like so:
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --storage-driver=devicemapper -H fd://
ctrl+x, y to save
sudo systemctl daemon-reload
sudo systemctl restart docker.service
sudo docker info will tell us that we are using devicemapper, with some nags, but it will work; so far I have only ever got AUFS to work once and I am damned if I can work out what I did.

Let's Encrypt will have created a new SSL Apache conf for you, which we are going to tighten the security of.

sudo nano /etc/apache2/sites-available/nextcloud-le-ssl.conf

Paste the below:

Header always set Strict-Transport-Security "max-age=15768000; preload"

So it looks like the below

SSLCertificateFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/privkey.pem
<IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=15768000; preload"
</IfModule>

Include /etc/letsencrypt/options-ssl-apache.conf

ctrl+x y to save
Then we will add the reverse proxy for Collabora.

sudo nano /etc/apache2/sites-enabled/office.your-domain.com-le-ssl.conf
and add the below:
  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool

so it looks like this

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName office.vote4u.org.uk
  SSLCertificateFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.vote4u.org.uk/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool

</VirtualHost>
</IfModule>

Ignore any on-screen truncation of the long lines in nano; the file contents are fine. The block goes inside the VirtualHost, just above the closing </VirtualHost> line.

Now we will get the Docker image.

sudo docker pull collabora/code (which actually the next line will do anyway)
Run that as a container.
With DNSMasq, add --dns=mydnsmasq-ip:
sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.vote4u\\.org\\.uk' --dns=192.168.1.2 --restart always --cap-add MKNOD collabora/code
Otherwise it will just copy your resolv.conf or use the Google open DNS servers:
sudo docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=nextcloud\\.vote4u\\.org\\.uk' --restart always --cap-add MKNOD collabora/code

Docker runs each instance in a container, and to get a list we can use
sudo docker ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                      NAMES
aff963c67321        collabora/code      "/bin/sh -c 'bash ..."   12 minutes ago      Up 2 minutes        127.0.0.1:9980->9980/tcp   determined_booth

We can view the logs of that container with:
sudo docker logs [container-id], so
sudo docker logs aff963c67321

Generating RSA private key, 2048 bit long modulus
...+++
.......................................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
.....................................................+++
..................................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.15", "BuildId": "345fa14e85e6e36ad0280f4e549c70f6b9af1a18" }
Generating RSA private key, 2048 bit long modulus
.........+++
.................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
.......+++
.....................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.1 - 2.0.1
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.15", "BuildId": "345fa14e85e6e36ad0280f4e549c70f6b9af1a18" }

Things are looking OK.
So we need to install the Collabora app in Nextcloud.
Hit the plus sign in the apps menu when logged in as an admin.
Enable the Collabora Online app.
Go to the Admin menu and, in the section for Collabora Online, enter
https://office.vote4u.org.uk in the Collabora Online server box and click Apply.

Time to check whether things work by going and viewing a document.

If you have problems you can enter the container via:
sudo docker exec -t -i aff963c67321 /bin/sh
exit to get back to the host.
sudo docker stop aff963c67321
will stop a container, and after that you can delete it with
sudo docker rm aff963c67321
nslookup nextcloud.vote4u.org.uk
to check the DNS entry.

nslookup office.vote4u.org.uk

openssl s_client -connect example.com:443

Check your certs, and also check the DNS and certs from inside the container.
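As an added check tying together the DNS section and the troubleshooting commands above (my own example, not code from the original post): the script below verifies that the nextcloud and office names resolve to the server's LAN IP, that the Let's Encrypt certificate served on each name actually covers it (the office vhost reuses the nextcloud.vote4u.org.uk files, which only works while both names share one certificate), and that the domain= value typed on the docker run line matches the Nextcloud hostname. It assumes the Collabora image treats that value as a regular expression once the doubled backslashes collapse to single ones; the hostnames and IP are the tutorial's, and the resolver is injectable so it can be exercised with constructed data.

```python
r"""Split-DNS and certificate checks for the Nextcloud + Collabora setup above.

Usage on the Debian host (or any LAN client with Python 3), e.g.:

    python3 nc_check.py nextcloud.vote4u.org.uk office.vote4u.org.uk \
        192.168.1.2 'nextcloud\\.vote4u\\.org\\.uk'

The resolver is injected so the logic can also be exercised offline.
"""
import re
import socket
import ssl
import sys


def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its IP. The first entry for
    a name wins, which is also how the resolver reads the file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_names(names, expected_ip, resolve=socket.gethostbyname):
    """Return {name: None or a problem string}. A LAN client, and the
    Collabora container, must see the server's private IP, not the router's
    public one; a name that does not resolve at all is reported too."""
    result = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError as exc:
            result[name] = "no answer (%s)" % exc
            continue
        if ip == expected_ip:
            result[name] = None
        else:
            result[name] = "resolves to %s, expected %s" % (ip, expected_ip)
    return result


def domain_env_matches(domain_env, hostname):
    r"""Check the docker 'domain=' value against the Nextcloud hostname.
    Assumption: the image uses the value as a regular expression after the
    shell-quoted '\\.' has collapsed to '\.', so unescaped dots would match
    any character and a typo in the name would be silently accepted."""
    pattern = domain_env.replace("\\\\", "\\")
    return re.fullmatch(pattern, hostname) is not None


def cert_covers(san_names, hostname):
    """True when the certificate's DNS SANs cover hostname (one-label
    wildcards allowed). certbot put both -d names in one certificate, so the
    office vhost may reuse the nextcloud files only while that stays true."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        # *.vote4u.org.uk covers office.vote4u.org.uk, not a.office.vote4u.org.uk
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def fetch_sans(hostname, port=443, timeout=5):
    """DNS SANs of the certificate served at hostname:port (needs the network;
    the default context rejects the container's own self-signed certificate)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def main(argv):
    if len(argv) != 5:
        print("usage: nc_check.py NEXTCLOUD_HOST OFFICE_HOST LAN_IP DOMAIN_ENV")
        return 2
    nextcloud, office, lan_ip, domain_env = argv[1:5]
    ok = True
    for name, problem in check_names([nextcloud, office], lan_ip).items():
        print("DNS  %-28s %s" % (name, problem or "ok"))
        ok = ok and problem is None
    for name in (nextcloud, office):
        try:
            sans = fetch_sans(name)
            covered = cert_covers(sans, name)
        except OSError as exc:  # ssl.SSLError and socket errors are OSErrors
            covered, sans = False, [str(exc)]
        print("TLS  %-28s %s %s" % (name, "ok" if covered else "NOT covered", sans))
        ok = ok and covered
    matched = domain_env_matches(domain_env, nextcloud)
    print("WOPI domain=%s %s" % (domain_env, "matches" if matched else "does NOT match"))
    return 0 if ok and matched else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once on the host and once on a client; if the DNS line differs between the two, that difference is the split-DNS problem the hosts-file or DNSMasq section fixes.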


Excellent post @Stuart_Naylor

Thanks, it's a bit ropey (in presentation) and only a start.

The main bit is: if self hosting with a few clients, use DNSMasq. I included it as, after my own experience, I realized most of my woes were DNS and that the internal DNS is not catered for or really spoken about.
Switching to devicemapper from AUFS is needed, but actually the install is really easy and it's only Docker that really throws a spanner into the works.

I have some more to add about checking the DNS and certs from inside the container and on clients, and meant to add more.
I will at some stage, but if anyone wants to chip in please do, or just use it as a basis for your own… No problemo :slight_smile:

It works though, and it does cover some areas where I think people like myself were hitting problems; not thinking of the Docker container as an internal client is one of them.

It's easy really: either edit /etc/hosts files or use DNSMasq like I have.

I will get round to fail2ban, ufw, openvpn and securing Webmin this week sometime.

Hi @Stuart_Naylor, I am trying to duplicate your setup, but am still unable to get it working:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
782ff3cc377a collabora/code "/bin/sh -c 'bash sta" 23 minutes ago Up 23 minutes 127.0.0.1:9980->9980/tcp sick_bohr

Generating RSA private key, 2048 bit long modulus
..........+++
................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
......+++
..............................+++
e is 65537 (0x10001)
Signature ok
subject=/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost
Getting CA Private Key
loolforkit version details: 2.0.2 - 2.0.2
office version details: { "ProductName": "Collabora Office", "ProductVersion": "5.1", "ProductExtension": ".10.17", "BuildId": "ee821f3cc68838910e1a06b6141c2580152640d3" }

I have tried the office Nextcloud tutorial, yours, and I don't know how many more, and am still unable to get there :smile:

That is from the docker log? No errors there.

To check the DNS entry.

nslookup office.vote4u.org.uk

openssl s_client -connect example.com:443

Check your certs, and also from inside the container.

Have you checked the DNS by using the server address in and out of the container?

docker info

Have you managed to get devicemapper in place of AUFS? docker info will tell you so.

I’d just use Let’s Encrypt certs instead of Self-Signed. Just my take. They are free as well.