How-To: Set up Onlyoffice Enterprise Edition with the Nextcloud AIO
AI Disclaimer: This post, and the investigation that led up to it, were completed with assistance from AI. This included numerous, iterative prompts that I tested and reviewed. The post may contain inaccuracies and errors generated by AI, or myself; use it with caution.
Context
I am running the Nextcloud AIO and wanted to use the Onlyoffice Enterprise Edition and encountered numerous problems setting it up. I have since suceeded and wanted to share what I learned and instructions to complete the setup with this forum.
My Learner’s Notes:
- Eventually, I realized that I was following a process of blackbox trial-and-erroring where I was changing configurations, seeing if they worked, getting the error messages, and repeating. This may be obvious to some and daunting to others, but I found having access to the source code, especially with the assistance of AI development tools, to be incredibly powerful in helping understand the ground-truth that is the code and configuration.
- Since I used AI to troubleshoot the configuration issues, I was able to do so in a way that recorded the context of what issues were encountered and how they were resolved, which allowed me to have AI take the first pass at writing this post, which greatly reduced the time to put together the content that I thought would be helpful for other readers.
About my configuration
- The Nextcloud AIO is deployed via Docker compose
- The Onlyoffice Enterprise Edition is deployed via Docker compose
- Both services are deployed on the same machine
- Tailscale Serve is used for TLS termination
- Caddy is used for the reverse proxy
The problems
- The AIO bundles Onlyoffice Community Edition and there is no built-in way to swap it for the Enterprise Edition
- If you disable Onlyoffice in the AIO admin panel, the Onlyoffice connector app is removed from Nextcloud on every update
The solution
- Prevent the AIO from removing the Onlyoffice connector app when the built-in container is disabled
- Run Onlyoffice Enterprise Edition as a standalone container
- Configure a reverse proxy to route Onlyoffice traffic to the Enterprise Edition container
- Configure the Nextcloud Onlyoffice connector to point to your Enterprise Edition instance
Instructions
These instructions explain how to set up Onlyoffice Enterprise Edition if you are running the AIO as described in the configuration above.
Step 1: Set NEXTCLOUD_KEEP_DISABLED_APPS on the AIO mastercontainer
Add this environment variable to your AIO mastercontainer configuration:
environment:
NEXTCLOUD_KEEP_DISABLED_APPS: true
Without this, the AIO will remove the Onlyoffice connector app from Nextcloud every time the containers are updated, because the built-in Onlyoffice container is disabled.
Step 2: Disable Onlyoffice in the AIO admin panel
- Open the AIO admin interface
- Click
Stop containers - Click
Disable office suite - Click
Save changes - Click
Start containers
If the Onlyoffice connector app is already installed, it will remain installed. If it is not yet installed, install it via the Nextcloud Apps store.
Step 3: Deploy Onlyoffice Enterprise Edition
Run Onlyoffice Enterprise Edition as a standalone Docker container. Here is an example compose file:
name: onlyoffice-ee
services:
onlyoffice-enterprise:
image: onlyoffice/documentserver-ee:latest
container_name: onlyoffice-enterprise
restart: always
networks:
- nextcloud-aio
ports:
- "8081:80"
environment:
JWT_ENABLED: "true"
JWT_HEADER: AuthorizationJwt
JWT_SECRET: "your-secure-jwt-secret"
volumes:
- /path/to/onlyoffice/data:/var/www/onlyoffice/Data
networks:
nextcloud-aio:
external: true
Note that this example is serving the document server on port 8081 of the host machine. This will be used in the Caddy configuration later. You can set this to another value if you would like.
Important:
JWT_HEADERmust beAuthorizationJwt, notAuthorization.The AIO uses
AuthorizationJwtas the JWT header name to avoid conflicts with the standard HTTPAuthorizationheader, which can be stripped or modified by reverse proxies and authentication middleware. Both the Onlyoffice Enterprise container and the Nextcloud connector must use the same header name. By default, the Onlyoffice Enterprise Edition container will use the value ofAuthorizationfor the header name.
You can generate a secure JWT secret with the following OpenSSL command:
openssl rand -base64 32
Note that I have chosen to have the Onlyoffice Enterprise Edition to be on the same Docker network as the AIO container,
nextcloud-aio, and have configured this in the Onlyoffice Enterprise Edition’s compose file.
Step 4: Configure your reverse proxy
If you are familiar with how to configure your reverse proxy, add a route that forwards /onlyoffice/* requests to your Onlyoffice Enterprise container, stripping the /onlyoffice/ prefix before forwarding (the container expects requests at its root path). Note the public URL for this route as you will need it when configuring the connector in Step 5.
If you are not familiar with how to configure a reverse proxy, here is how I have set this up:
Configure Caddy
Create a file called Caddyfile in the same directory as your AIO compose file with the following contents, replacing your-domain.example.com with your actual domain:
http://your-domain.example.com:8082 {
# Route Nextcloud AIO traffic
reverse_proxy localhost:11000 {
header_up X-Forwarded-Proto https
header_up X-Real-IP {remote_host}
}
# Route Onlyoffice Enterprise traffic
route /onlyoffice/* {
uri strip_prefix /onlyoffice
reverse_proxy localhost:8081 {
header_up X-Forwarded-Host {http.request.hostport}/onlyoffice
header_up X-Forwarded-Proto https
header_up X-Real-IP {remote_host}
}
}
}
You can run Caddy as a Docker container alongside the AIO. Add this to your AIO compose file:
services:
# ... your existing nextcloud-aio-mastercontainer service ...
caddy:
image: caddy:alpine
restart: always
container_name: caddy
volumes:
- caddy_data:/data
- caddy_config:/config
- ./Caddyfile:/etc/caddy/Caddyfile:ro
network_mode: "host"
volumes:
# ... your existing volumes ...
caddy_data:
caddy_config:
Note on
X-Forwarded-Proto: When TLS is terminated before Caddy, Caddy only sees HTTP traffic. Theheader_up X-Forwarded-Proto httpsdirective tells Nextcloud and Onlyoffice that the original client connection was HTTPS. Without this, Nextcloud may generate incorrect URLs or trigger mixed-content warnings.
Next, start the Caddy container.
Since TLS is terminated upstream by Tailscale Serve in my configuration, I configured Tailscale Serve to forward HTTPS traffic to Caddy’s port (port 8082 in the example above). Update Tailscale to serve the port of the Caddy container if it is not configured this way already with the following command:
tailscale serve --bg http://localhost:8082
Step 5: Configure the Nextcloud Onlyoffice connector
Once all containers are running, configure the Onlyoffice connector app in Nextcloud to point to your Enterprise instance.
- Log in to Nextcloud as an admin
- Go to Administration Settings > ONLYOFFICE
- Set the following:
- Document Editing Service address:
https://your-domain.example.com/onlyoffice - Secret key: your JWT secret (same as
JWT_SECRETfrom Step 3) - Under the
Advanced server settings - Authorization Header:
AuthorizationJwt - ONLYOFFICE Docs address for internal requests from the server:
http://onlyoffice-enterprise/ - Server address for internal requests from ONLYOFFICE Docs:
http://nextcloud-aio-apache:11000/
- Document Editing Service address:
Step 6: Verify the configuration works
- Open a document in Nextcloud (e.g., a
.docx,.xlsx, or.pptxfile) - Confirm it opens in the Onlyoffice editor
- Check the Nextcloud logs for any connection or JWT errors
Updates and maintenance
- AIO updates continue normally via Watchtower. The Onlyoffice connector app persists because
NEXTCLOUD_KEEP_DISABLED_APPSis set totrue - Onlyoffice Enterprise updates are managed independently and you must update the container image independently of the automatic AIO updates