HOWTO - What to do for having Nextcloud / OnlyOffice on the same host?

I’m really stuck now. I’m going to email support@onlyoffice.com and see if I can get some advice from the source.

I found a list of environment variables in the readme.md here: https://github.com/ONLYOFFICE/Docker-DocumentServer However I couldn’t get any of them to work in an --env-file. If I put anything in the env-file it would fail to run the webserver in the docker container.

I experimented with different settings, but this is the farthest I can get right now. I’m just going to dump my current configs here.

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -i -t -d -p 8443:443 --restart=always --add-host=cloud.chillstice.com:127.0.0.1 -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver

<VirtualHost *:80>
	ServerName office.chillstice.com
	ServerAlias www.office.chillstice.com
	DocumentRoot /var/www/office/public_html

	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] 
</VirtualHost>

<VirtualHost *:443>
	ServerAdmin chris@chillstice.com
	ServerName office.chillstice.com
	ServerAlias www.office.chillstice.com
	DocumentRoot /var/www/office/public_html

	<Directory "/var/www/office/public_html">
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	<IfModule mod_headers.c>
		Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
	</IfModule>

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/office.chillstice.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/office.chillstice.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	#SSLCompression off
	#SSLHonorCipherOrder on

	SSLProxyEngine on
	#SSLProxyVerify none
	SSLProxyCheckPeerCN off
	#SSLProxyCheckPeerName off

	ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
	ProxyPass / "https://127.0.0.1:8443/"
	ProxyPassReverse / "https://127.0.0.1:8443/"
	ProxyPassReverseCookieDomain https://127.0.0.1:8443 https://office.chillstice.com

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

I tried using --env-file /app/onlyoffice/env.list

ONLYOFFICE_HTTPS_HSTS_ENABLED=true
SSL_CERTIFICATE_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
SSL_KEY_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
SSL_DHPARAM_PATH=/app/onlyoffice/DocumentServer/data/certs/dhparam.pem

I added this to my nextcloud config:

  'onlyoffice' =>
  array(
    'verify_peer_off' => true,
  ),

OK:

Let me take a step back a minute
Describe your setup to me
Is Apache and this docker image all running on the same machine?
What exactly is running on this docker image – nextcloud and onlyoffice?
Is cloud.chillstice.com a FQDN - fully qualified domain name? – seems like it is if I do an nslookup.
What mods have you enabled for apache (apachectl -M)?

Going on some assumptions right now that everything is on the same machine, I make the following changes:
In your docker run statement:

--add-host=cloud.chillstice.com:127.0.0.1 — are you sure this shouldn’t be: --add-host=cloud.chillstice.com?

In your Virtual host file in Section <443>
Put back in the following:

  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder     on
  SSLCompression          off
  SSLSessionTickets       off
  SSLOptions              +StrictRequire

  <IfModule mod_headers.c>
         # HSTS (mod_headers is required) (15768000 seconds = 6 months)
         Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
  </IfModule>

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

For now we are going to terminate all SSL connections at the proxy – we can enable SSL proxy later when things are working so (The following are all proxy directives):

    #SSLProxyEngine on
	#SSLProxyVerify none
	#SSLProxyCheckPeerCN off
	#SSLProxyCheckPeerName off

And then since we are terminating the SSL at the proxy, we can change the following (something seems weird about these proxy statements to me – you sure the documentation you are pulling these from is correct? What documentation are you looking at for help with installation?):

ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
ProxyPass / "http://127.0.0.1:8443/"
ProxyPassReverse / "http://127.0.0.1:8443/"
ProxyPassReverseCookieDomain http://127.0.0.1:8443 https://office.chillstice.com

I don’t think you need to modify anything in your config.php. I’d just put it back how it was.

I have no idea about these statements – something tells me for testing purposes I would make first line false to turn off HTTPS but I’m not sure. Really depends on documentation.

ONLYOFFICE_HTTPS_HSTS_ENABLED=true
SSL_CERTIFICATE_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
SSL_KEY_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
SSL_DHPARAM_PATH=/app/onlyoffice/DocumentServer/data/certs/dhparam.pem

I’m hosting everything off one machine (Linux Mint 19.1 (ubuntu)).
Nextcloud is a normal install and I’m trying to use docker for OnlyOffice.

Apache mods:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

I tried --add-host=cloud.chillstice.com and it literally doesn’t run without the ip.

I tried your suggested changes for the Apache config and get this error:

[ssl:error] [pid 31859] [remote 127.0.0.1:8443] AH01961: SSL Proxy requested for office.chillstice.com:443 but not enabled [Hint: SSLProxyEngine]
[proxy:error] [pid 31859] AH00961: HTTPS: failed to enable ssl support for 127.0.0.1:8443 (127.0.0.1)

I literally got the ProxyPass lines from op in this thread and I got the environment variables from the github repo I posted.

Still waiting on a reply from support@onlyoffice.com
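
An added example, not part of any post in this thread and not OnlyOffice or Apache project code: a small Python check that reads a vhost's proxy directives and reports the condition behind AH01961 (a TLS backend URL while SSLProxyEngine is not on), a backend port addressed both with and without TLS, and disabled backend peer checks. The sample config is constructed for illustration and the function names are hypothetical.

```python
import re

# Constructed sample (not a config from the thread): an https:// backend left
# in place while the SSLProxy* lines are commented out.
SAMPLE_VHOST = """
<VirtualHost *:443>
    #SSLProxyEngine on
    SSLProxyCheckPeerCN off
    ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
    ProxyPass / "https://127.0.0.1:8443/"
    ProxyPassReverse / "http://127.0.0.1:8443/"
</VirtualHost>
"""

TLS, PLAIN = {"https", "wss"}, {"http", "ws"}

def active_directives(text):
    """Yield (name, args) for each line that is not a comment or section tag."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit_proxy(text):
    """Return sorted findings for the proxy directives of one vhost."""
    findings, engine_on, schemes = set(), False, {}
    for name, args in active_directives(text):
        value = args.strip().lower()
        if name == "sslproxyengine":
            engine_on = value == "on"
        elif name == "sslproxyverify" and value == "none":
            findings.add("backend certificate not verified (SSLProxyVerify none)")
        elif name in ("sslproxycheckpeercn", "sslproxycheckpeername") and value == "off":
            findings.add(f"backend hostname check disabled ({name} off)")
        elif name in ("proxypass", "proxypassmatch", "proxypassreverse"):
            # Collect every scheme used to reach each backend host:port.
            for scheme, hostport in re.findall(r'(\w+)://([^/"\s]+)', args):
                schemes.setdefault(hostport, set()).add(scheme.lower())
    for hostport, used in schemes.items():
        if used & TLS and not engine_on:
            findings.add(f"{hostport}: TLS target but SSLProxyEngine is not on (AH01961)")
        if used & TLS and used & PLAIN:
            findings.add(f"{hostport}: same port addressed with and without TLS")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_proxy(SAMPLE_VHOST):
        print(finding)
```

Run against a vhost file's contents, an empty result means every backend is addressed with one consistent scheme and no peer check has been switched off.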

I’m not sure I can help you exactly with this problem since I don’t specifically have OnlyOffice installed. I would surmise however there has to be better documentation than the sources you have referenced.

There is this, but it’s not that extensive: https://api.onlyoffice.com/editors/nextcloud

Yea I looked over some of the documentation – specifically I needed to search onlyoffice server since the link you gave me wasn’t entirely that great. It seems many of the things you are doing are concordant with the documentation, however you’re definitely changing things and such. I can see this getting into a hot mess real quick since I had a lot of problems initially with setting up my Collabora docker image — which is actually a lot less steps than what you’re trying to do – and that drove me nuts. Without actually setting up openoffice myself and painfully trying to debug all the steps involved it would be very difficult for me to help you – my goodness you potentially have a database, redis server, mail server, etc.

I got a quick little reply on my ticket to support@onlyoffice.com and they asked for my license file or proof of purchase? Excuse me?!?! It’s FOSS on github???

I think FOSS means free to use, not free to support.

FOSS is Free Open Source Software, but yeah their email support is for customers only apparently.