HOWTO - What to do for having Nextcloud / OnlyOffice on the same host?

Hello to the Community,

I will write here some tips you should know for having OnlyOffice working on the same host as your Nextcloud instance if you’re using APACHE2 as a WebServer.

I didn’t find a tutorial about this case, they’re all speaking about Nginx.

So what do you need first :

Apache2
A working Nextcloud Instance with SSL
Docker
Some RAM in your computer

I’m on a Debian/Ubuntu server.
First of all let’s enable the Apache modules you will need with some commands :

a2enmod proxy
a2enmod proxy_wstunnel
a2enmod proxy_http
a2enmod headers

Then a little bit of pre-work about your installation :
Let’s say your nextcloud instance is on that URL : mycloud.mydomain.com
We want to create another subdomain like this : myoffice.mydomain.com
So first you have to go to your DNS configuration of your Domain provider to add this host, do the same that you did for your nextcloud instance.
On the system we will modify a file for letting the system know that myoffice.mydomain.com is itself :
Modify this file with nano/vi/vim whatever you know best :
nano /etc/hosts
and add/modify the first line to have something like this :

127.0.0.1 localhost mycloud.mydomain.com myoffice.mydomain.com

save and exit

Now a big task to do, create an Apache2 Virtual host for myoffice.mydomain.com,
create with nano/vi/vim whatever this file :

nano /etc/apache2/sites-available/myoffice.conf

And modify the file depending on your domain :

<VirtualHost *:80>
ServerName myoffice.mydomain.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =myoffice.mydomain.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Now we will enable this virtual host :

a2ensite myoffice.conf
service apache2 reload

Now you have to create the same host for the SSL version, so you have to create Cert as you want with LetsEncrypt or Verisign etc… (follow some tutos if you want to use LetsEncrypt if you’re a newbie)

When you have your certs, let’s create or modify the SSL version of myoffice.conf. As I use LetsEncrypt it created and enabled automatically this myoffice-le-ssl.conf

<VirtualHost *:443>
ServerName myoffice.mydomain.com

SSLEngine on
# Change with the right path
SSLCertificateFile "/etc/letsencrypt/live/myoffice.mydomain.com/fullchain.pem"
# Change with the right path
SSLCertificateKeyFile "/etc/letsencrypt/live/myoffice.mydomain.com/privkey.pem"

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLHonorCipherOrder on

Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1/$1$2"
ProxyPass / "http://127.0.0.1/"
ProxyPassReverse / "http://127.0.0.1"
</VirtualHost>

Save and reload apache2, don’t forget to enable this site if it isn’t the case :

a2ensite myoffice-le-ssl.conf
service apache2 reload

Now let’s get the docker image :

docker pull onlyoffice/documentserver

Wait a moment, now we have to create some folders to map with the docker instance of DocumentServer for ease of use, and to update without pain the docker image.

mkdir /app

(it’s my example, you can create this folder where you want but don’t forget to follow my tuto with this modification)

Now let’s start the Docker image :

docker run -i -t -d -p 80:80 --restart always -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver

If you have errors because port 80 is already in use, then modify the myoffice-le-ssl.conf, the last lines should look like this :

ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:81/$1$2"
ProxyPass / "http://127.0.0.1:81/"
ProxyPassReverse / "http://127.0.0.1:81"

And so the docker command line will be :

docker run -i -t -d -p 81:80 --restart always -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice -v /app/onlyoffice/DocumentServer/data:/var/www onlyoffice/Data -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver

Now you should go to your Admin Nextcloud Instance,
Download the Onlyoffice App,
Go to your admin panel of Nextcloud -> OnlyOffice page and configure it like this :
Document Editing Service address -> https://myoffice.mydomain.com
DO NOT CLICK ON Advanced Settings, it’s useless for this setup and won’t work
Feel free to tick or untick the other boxes, and save.

Normally it’s working

2 Likes
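The run commands above publish the container with `-p 80:80` or `-p 81:80`, which Docker binds on every host interface, so the Document Server also answers plain HTTP without passing through the Apache TLS virtual host; since Apache proxies to 127.0.0.1, `-p 127.0.0.1:81:80` is enough. The check below is an added example, not part of the original post: it flags non-loopback bindings in the Ports column of `docker ps`, and the function name and sample strings are assumptions constructed for illustration.

```python
import re

# One entry of the Ports column from `docker ps --format '{{.Ports}}'`,
# e.g. "0.0.0.0:81->80/tcp", ":::81->80/tcp" or "127.0.0.1:81->80/tcp".
PUBLISHED = re.compile(r"^(?P<ip>.+):(?P<host>[\d-]+)->(?P<ctr>[\d-]+)/(?P<proto>\w+)$")
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def exposed_bindings(ports_field):
    """Return (ip, host_port, container_port) for every published port
    that is bound to something other than the loopback interface."""
    exposed = []
    for entry in (e.strip() for e in ports_field.split(",")):
        m = PUBLISHED.match(entry)
        if m is None:
            continue  # e.g. "443/tcp": exposed by the image, not published
        if m["ip"] not in LOOPBACK:
            exposed.append((m["ip"], m["host"], m["ctr"]))
    return exposed

# Constructed sample values (not captured from a real host).
AS_IN_TUTORIAL = "443/tcp, 0.0.0.0:81->80/tcp, :::81->80/tcp"   # -p 81:80
LOOPBACK_ONLY = "443/tcp, 127.0.0.1:81->80/tcp"                 # -p 127.0.0.1:81:80

if __name__ == "__main__":
    for label, field in (("-p 81:80", AS_IN_TUTORIAL),
                         ("-p 127.0.0.1:81:80", LOOPBACK_ONLY)):
        print(label, "->", exposed_bindings(field) or "loopback only")
```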

nice of you !

I concur for most of the procedure, having built a debian/apache/mysql/mdamd/lvm2/openssl/letsencrypt/http2/brotli/fail2ban/redis server.

The only thing is I am using a real server without docker.

Some tuning can be made on your ssl conf:
more secure SSLProtocol:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

modern cipher suite excluding old insecure browsers
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

If your apache version is >= 2.4 then you can add some checking that your server certificate has not been revoked.

SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

Yes, I know, I am kind of paranoiac


if you have the prerequisites, add http2 for Apache >= 2.4 https://fr.wikipedia.org/wiki/Hypertext_Transfer_Protocol/2

prerequisites = openssl libssl1.0.2 libssl-dev apache2 apache2-bin apache2-data libnghttp2-14 with Apache >= 2.4

add this line below <VirtualHost *:443>
Protocols h2 h2c http/1.1
then
a2enmod http2
service apache2 restart


When all done, you can check your https security level by using the https://www.ssllabs.com/ssltest/index.html tools

AND … https://tools.keycdn.com/http2-test for http2/ALPN test:

1 Like

I modded my post with some of your advice,

I added the better cipher suite and module Headers for HSTS.

I didn’t add checking if the cert isn’t revoked because it needs a certain version of apache, nor the http/2 protocol because the first benchmarks aren’t better for Nextcloud performance.

Thank you a lot

Hello NEmskiller,
I tried your TUTO. I think I’m nearly there. I’ve a problem with the proxy part. If I try to start Apache2 again, I get an error on the proxypass URL:

sep 16 21:14:40 t53n-nextcloud apachectl[5957]: AH00526: Syntax error on line 31
sep 16 21:14:40 t53n-nextcloud apachectl[5957]: ProxyPass Unable to parse URL: \
sep 16 21:14:40 t53n-nextcloud apachectl[5957]: Action 'start' failed.  

Line 31 of my office-ssl.conf contains:
ProxyPassMatch (.*)(/websocket)$ “ws://127.0.0.1/$1$2”

OnlyOffice is running, I have the 127.0.0.1/welcome screen.

Ok, This isn’t a problem anymore. I forgot the http:// bit in the lines below line 31.
I can start Apache2 now and OnlyOffice is still running.

The symptoms:

  • When I go to the URL https://office.mysite.nl. I get an error and the URL changes to: https://(null)/welcome
  • When I go to https://office.mysite.nl/healthcheck It returns ‘True’ in the browser and the browser URL stays intact.
  • The log on my Nextcloud instance when I try to save OnlyOffice settings: “file_get_contents(https://office.url.com/healthcheck): failed to open stream: Connection refused at /var/www/html/nextcloud/apps/onlyoffice/lib/documentservice.php#381”

Any ideas on this? Could it be a permission issue?

This is my conf file:

<IfModule mod_ssl.c>
<VirtualHost *:4433>
	ServerAdmin ****@protonmail.com
    Servername office.url.com

	DocumentRoot /var/www/onlyoffice
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLEngine on
	SSLCertificateFile	/etc/ssl/certs/office.crt
	SSLCertificateKeyFile /etc/ssl/private/office.key

		SetEnvIf Host “^(.*)$” THE_HOST=$1
		RequestHeader setifempty X-Forwarded-Proto https
		RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
		ProxyAddHeaders Off

	SSLProxyEngine on
    ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1/$1$2"
	ProxyPass / "http://127.0.0.1/"
	ProxyPassReverse / "http://127.0.0.1"

	<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
	</Directory>

</VirtualHost>
</IfModule>

Thank you very much for this awesome guide.
It worked for me without any issues. :+1:

However there is a small typo in the scripts above. In the starting command for the docker container there is a / missing between /app/onlyoffice/DocumentServer/data:/var/www and onlyoffice/Data

the correct command should be like

docker run -i -t -d -p 80:80 --restart always \
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
-v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver
1 Like

Hello !

Following exactly your instructions, I get a “ProxyPass Unable to parse URL” error on the following line :

ProxyPassMatch (.*)(/websocket)$ “ws://127.0.0.1:81/$1$2”

This doesn’t seem to be the same issue T53N encountered, since your instructions contain the http:// bit in the lines below.

I’m not getting anything on apache error log.

Could you give me a hand?

Edit : nevermind, seems to be working now after copying the same values from onlyoffice config page.

Strange.

Now I get some other errors, but the reverse proxy is working.

I had the same problem for a few days and it drove me insane…
Anyway…

You have to comment out

#Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains”

And

    #SetEnvIf Host “^(.*)$” THE_HOST=$1
	#RequestHeader setifempty X-Forwarded-Proto https
	#RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e

Try that… And if you get an “Unknow Error” please tell me to post the settings I had to add to fix it … There are many things I changed in my apache config file and I do not remember them all… I have to get home to get them or I could SSH to my server but my break is almost over and I have to get back to work

Good luck

Thanks for your great tutorial. Since I don’t really know what I’m doing I had no idea where to start and your howto seems to be the only one matching my configuration, that I could find.

I did run into a few issues with it however. I’ll try to list them and my solutions here and hopefully they’ll help others following this HOWTO.

First of all I wasted a lot of time due to copy/paste issues until I realized that the " characters were not getting copied/formatted properly in editor vim. Nano does not seem to have the same issues. And all lines with the "s in them ran into errors. After manually inserting all the "s things worked.

The second issue I had is that your docker command did not work for me either. Thankfully the command that @darioce kindly provided worked.

You likely ran into the same issue I did with the "s not being copied properly and therefore breaking all the lines with them.

I would question whether disabling HSTS is a reasonable fix for an issue.

Try this:
Nextcloud and onlyoffice working in a debian server with lets`encrypt. Working!
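Several posts in this thread hit "ProxyPass Unable to parse URL" on lines pasted with typographic quotes, and one traced it to the " characters not surviving copy/paste. The linter below is an added example, not code from any poster: it flags that damage, plus unbalanced quotes and trailing `#` comments (Apache does not allow a comment on the same line as a directive), before Apache is reloaded. The function name and the sample config are constructed for illustration.

```python
import re

# Typographic quotes that forum renderers and editors substitute for " and '
SMART_QUOTES = "\u201c\u201d\u201e\u2018\u2019"

def lint_apache_conf(text):
    """Return (line_number, problem) tuples for copy/paste damage."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().replace('\\"', "")  # ignore escaped quotes
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments are fine
        if any(ch in SMART_QUOTES for ch in line):
            findings.append((no, "typographic quote"))
        if line.count('"') % 2:
            findings.append((no, "unbalanced double quote"))
        # Heuristic: drop quoted values first so a '#' inside one is not
        # mistaken for a comment, then look for ' #' after a directive.
        unquoted = re.sub(r'"[^"]*"', "", line)
        if re.search(r"\s#", unquoted):
            findings.append((no, "trailing comment"))
    return findings

# Constructed sample: three deliberately damaged lines (3, 5 and 6).
SAMPLE = """\
<VirtualHost *:443>
    ServerName myoffice.mydomain.com
    SSLCertificateFile "/etc/letsencrypt/live/myoffice.mydomain.com/fullchain.pem" #Change with the right path
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    ProxyPassMatch (.*)(/websocket)$ \u201cws://127.0.0.1:81/$1$2\u201d
    ProxyPass / "http://127.0.0.1:81/
    ProxyPassReverse / "http://127.0.0.1:81"
</VirtualHost>
"""

if __name__ == "__main__":
    for no, problem in lint_apache_conf(SAMPLE):
        print(f"line {no}: {problem}")
```

Running `apachectl configtest` afterwards remains the authoritative syntax check; this only pinpoints the paste damage discussed in the thread.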