HOWTO - What to do for having Nextcloud / OnlyOffice on the same host?

I’m really stuck now. I’m going to email support@onlyoffice.com and see if I can get some advice from the source.

I found a list of environment variables in the readme.md here: https://github.com/ONLYOFFICE/Docker-DocumentServer However I couldn’t get any of them to work in an --env-file. If I put anything in the env-file it would fail to run the webserver in the docker container.

I experimented with different settings, but this is the farthest I can get right now. I’m just going to dump my current configs here.

sudo docker run --sysctl net.ipv6.conf.all.disable_ipv6=1 --sysctl net.ipv6.conf.default.disable_ipv6=1 -i -t -d -p 8443:443 --restart=always --add-host=cloud.chillstice.com:127.0.0.1 -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql onlyoffice/documentserver

<VirtualHost *:80>
	ServerName office.chillstice.com
	ServerAlias www.office.chillstice.com
	DocumentRoot /var/www/office/public_html

	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] 
</VirtualHost>

<VirtualHost *:443>
	ServerAdmin chris@chillstice.com
	ServerName office.chillstice.com
	ServerAlias www.office.chillstice.com
	DocumentRoot /var/www/office/public_html

	<Directory "/var/www/office/public_html">
		Options Indexes FollowSymLinks
		AllowOverride All
		Require all granted
	</Directory>

	<IfModule mod_headers.c>
		Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
	</IfModule>

	SSLEngine on
	SSLCertificateFile /etc/letsencrypt/live/office.chillstice.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/office.chillstice.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
	#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	#SSLCompression off
	#SSLHonorCipherOrder on

	SSLProxyEngine on
	#SSLProxyVerify none
	SSLProxyCheckPeerCN off
	#SSLProxyCheckPeerName off

	ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
	ProxyPass / "https://127.0.0.1:8443/"
	ProxyPassReverse / "https://127.0.0.1:8443/"
	ProxyPassReverseCookieDomain https://127.0.0.1:8443 https://office.chillstice.com

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

I tried using --env-file /app/onlyoffice/env.list

ONLYOFFICE_HTTPS_HSTS_ENABLED=true
SSL_CERTIFICATE_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
SSL_KEY_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
SSL_DHPARAM_PATH=/app/onlyoffice/DocumentServer/data/certs/dhparam.pem

I added this to my nextcloud config:

  'onlyoffice' =>
  array(
    'verify_peer_off' => true,
  ),

OK:

Let me take a step back a minute
Describe your setup to me
Is Apache and this docker image all running on the same machine?
What exactly is running on this docker image – nextcloud and onlyoffice?
Is cloud.chillstice.com a FQDN - fully qualified domain name? – seems like it is if I do an nslookup.
What mods have you enabled for apache (apachectl -M)?

Going on some assumptions right now that everything is on the same machine, I make the following changes:
In your docker run statement:

--add-host=cloud.chillstice.com:127.0.0.1 — are you sure this shouldn’t be: --add-host=cloud.chillstice.com?

In your Virtual host file in Section <443>
Put back in the following:

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off
SSLOptions              +StrictRequire

<IfModule mod_headers.c>
	# HSTS (mod_headers is required) (15552000 seconds = 180 days)
	Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

For now we are going to terminate all SSL connections at the proxy – we can enable SSL proxy later when things are working so (The following are all proxy directives):

	#SSLProxyEngine on
	#SSLProxyVerify none
	#SSLProxyCheckPeerCN off
	#SSLProxyCheckPeerName off

And then since we are terminating the SSL at the proxy, we can change the following (something seems weird about these proxy statements to me – you sure the documentation you are pulling these from is correct? What documentation are you looking at for help with installation?):

ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
ProxyPass / "http://127.0.0.1:8443/"
ProxyPassReverse / "http://127.0.0.1:8443/"
ProxyPassReverseCookieDomain http://127.0.0.1:8443 https://office.chillstice.com

I don’t think you need to modify anything in your config.php. I’d just put it back how it was.

I have no idea about these statements – something tells me for testing purposes I would make first line false to turn off HTTPS but I’m not sure. Really depends on documentation.

ONLYOFFICE_HTTPS_HSTS_ENABLED=true
SSL_CERTIFICATE_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
SSL_KEY_PATH=/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
SSL_DHPARAM_PATH=/app/onlyoffice/DocumentServer/data/certs/dhparam.pem

I’m hosting everything off one machine (Linux Mint 19.1 (ubuntu)).
Nextcloud is a normal install and I’m trying to use docker for OnlyOffice.

Apache mods:

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php7_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

I tried --add-host=cloud.chillstice.com and it literally doesn’t run without the ip.

I tried your suggested changes for the Apache config and get this error:

[ssl:error] [pid 31859] [remote 127.0.0.1:8443] AH01961: SSL Proxy requested for office.chillstice.com:443 but not enabled [Hint: SSLProxyEngine]
[proxy:error] [pid 31859] AH00961: HTTPS: failed to enable ssl support for 127.0.0.1:8443 (127.0.0.1)

I literally got the ProxyPass lines from op in this thread and I got the environment variables from the github repo I posted.

Still waiting on a reply from support@onlyoffice.com
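
The AH01961 error quoted above is what mod_ssl logs when a ProxyPass target uses https:// while SSLProxyEngine is not switched on. As an added example (not written by any poster in this thread), the Python check below scans a vhost for that mismatch and for disabled backend certificate checks; the embedded vhost is a constructed sample based on the configs above, and the function names are hypothetical.

```python
import re

# Constructed sample: the 443 vhost from the thread with SSLProxyEngine
# commented out while one ProxyPass still points at an https:// backend.
VHOST = """\
<VirtualHost *:443>
    ServerName office.chillstice.com
    #SSLProxyEngine on
    SSLProxyCheckPeerCN off
    ProxyPassMatch (.*)(/websocket)$ "ws://127.0.0.1:8443/$1$2"
    ProxyPass / "https://127.0.0.1:8443/"
    ProxyPassReverse / "http://127.0.0.1:8443/"
</VirtualHost>
"""

PROXY_DIRECTIVES = {"proxypass", "proxypassmatch"}
PEER_CHECKS = {"sslproxycheckpeercn", "sslproxycheckpeername", "sslproxyverify"}

def directives(conf):
    """Yield (lineno, name, args) for every active (uncommented) directive."""
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield n, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""

def lint_proxy_tls(conf):
    """Return findings about TLS between Apache and the proxied backend."""
    findings, engine_on, tls_backends = [], False, []
    for n, name, args in directives(conf):
        if name == "sslproxyengine":
            engine_on = args.lower() == "on"
        elif name in PROXY_DIRECTIVES:
            m = re.search(r"\b(https|wss)://[^\s\"']+", args)
            if m:
                tls_backends.append((n, m.group(0)))
        elif name in PEER_CHECKS and args.lower() in ("off", "none"):
            findings.append(f"line {n}: {name} {args}: backend certificate is not fully verified")
    if not engine_on:
        # A TLS backend without the proxy engine is the AH01961 case.
        for n, url in tls_backends:
            findings.append(f"line {n}: {url} needs 'SSLProxyEngine on' (AH01961 otherwise)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_proxy_tls(VHOST)))
```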

I’m not sure I can help you exactly with this problem since I don’t specifically have OnlyOffice installed. I would surmise however there has to be better documentation than the sources you have referenced.

There is this, but it’s not that extensive: https://api.onlyoffice.com/editors/nextcloud

Yea I looked over some of the documentation – specifically I needed to search onlyoffice server since the link you gave me wasn’t entirely that great. It seems many of the things you are doing are concordant with the documentation, however you’re definitely changing things and such. I can see this getting into a hot mess real quick since I had a lot of problems initially with setting up my Collabora docker image — which is actually a lot less steps than what you’re trying to do – and that drove me nuts. Without actually setting up openoffice myself and painfully trying to debug all the steps involved it would be very difficult for me to help you – my goodness you potentially have a database, redis server, mail server, etc.

I got a quick little reply on my ticket to support@onlyoffice.com and they asked for my license file or proof of purchase? Excuse me?!?! It’s FOSS on github???

I think FOSS means free to use, not free to support.

FOSS is Free Open Source Software, but yeah their email support is for customers only apparently.

I’ve been slowly working on this and I’m getting even closer, but I’m stuck with another error. I decided to post on the onlyoffice dev forums: https://dev.onlyoffice.org/viewtopic.php?f=53&t=24615&sid=9702cc0ede9f90b33a68add12dc6d8e4

Hi!

Thanks for your tuto! Works perfectly for me with letsencrypt. I just didn’t have to create the myoffice-le-ssl.conf. I added the ssl configuration in myoffice.conf.

Hi!

I don’t know if anyone is running this kind of configuration on Debian Buster (10), but docker has some issues with this version. After a reboot, your docker service doesn’t start. Debian Buster works with nftables, and when you look in journalctl, you see that docker tries to modify the iptables configuration, which causes the docker service to fail to start.

I saw something like this on this website: Prevent docker iptables

To prevent this issue, you have to tell the docker daemon not to make any iptables modifications. For this, you have to:
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo vi /etc/systemd/system/docker.service.d/no-iptables.conf

And put this config inside :
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --iptables=false

After this, reload the daemon:
systemctl daemon-reload

Then restart docker. You should see docker running.

The OnlyOffice document server is now available as a snap: https://www.onlyoffice.com/blog/2019/10/onlyoffice-document-server-is-now-available-as-a-snap/

Have not tested it myself, but it should make running it on the same host considerably easier.

“Error when trying to connect (Will not follow more than 5 redirects)”
I keep getting this error when I put my server name in the Document Editing Service address in Nextcloud admin.
I can’t include “ProxyPassMatch (.*)(/websocket)$ “ws://127.0.0.1:81/$1$2”” or "ProxyPass / “http://127.0.0.1:81/” in myoffice-le-ssl.conf because apache2 server will not restart. I am lost and could use some help. Please let me know if you need more info.

Have you checked the "'s like I’ve written above? They might have copy/pasted wrong.

mhbot, I’ve decided to cut and run on trying to use the same server for nextcloud and onlyoffice. I have a 2nd server now and I will install onlyoffice on its own server. I like the idea of using one server but I don’t have the experience to solve the problems I encountered. Thank you for your help.

mhhbot, Thank you very much for responding and your help. I got a second server and installed OO document server on it using docker. I’m still a complete noob when it comes to applications and linux, but I am learning. I have Nextcloud up and running and am able to use OO in nextcloud. Thanks again for taking your time to respond.

tenmm

Glad it works. It’s a great feeling to get something up and running. :)

Hi,

I followed the first post from Nemskiller for onlyoffice installation with docker on the same host as nextcloud (running on host). Everything is working until I try to connect nextcloud with onlyoffice. I’m using Let’s Encrypt for both “nextcloud.mydomain.com” and “ooffice.mydomain.com” with apache webserver.

/etc/hosts
127.0.0.1       localhost.localdomain   localhost       nextcloud.mydomain.com       myoffice.mydomain.com

The following error I get from “docker logs onlyoffice”:

[ERROR] nodeJS - error downloadFile:url=https://nextcloud.mydomain.com/index.php/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhY3Rpb24iOiJlbXB0eSJ9.hluEzYdoJVVmP8F-TsIwznxzY7T8UF0LzCVgYtXtKeU;attempt=3;code:SELF_SIGNED_CERT_IN_CHAIN;connect:null;(id=conv_check_138253076_docx)
 Error: self signed certificate in certificate chain
at TLSSocket.<anonymous> (_tls_wrap.js:1116:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:643:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38)

Has someone an idea what I’m doing wrong?
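
For triaging the log line in the post above, here is an added example (not from the poster or from OnlyOffice) that pulls out which host the Document Server's Node.js client was fetching from, the TLS verification code it reported, and the unverified claims of the JWT in the URL. It goes slightly beyond the one code in the post by covering a few other common Node.js/OpenSSL verification codes; the function names and the code descriptions are this example's own.

```python
import base64, json, re
from urllib.parse import urlsplit, parse_qs

# The error line from the post above, with the wrapped lines rejoined.
LOG_LINE = ("[ERROR] nodeJS - error downloadFile:url=https://nextcloud.mydomain.com"
            "/index.php/apps/onlyoffice/empty?doc=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
            ".eyJhY3Rpb24iOiJlbXB0eSJ9.hluEzYdoJVVmP8F-TsIwznxzY7T8UF0LzCVgYtXtKeU"
            ";attempt=3;code:SELF_SIGNED_CERT_IN_CHAIN;connect:null;"
            "(id=conv_check_138253076_docx)")

# Short descriptions of certificate verification codes reported by Node.js.
TLS_CODES = {
    "SELF_SIGNED_CERT_IN_CHAIN": "chain ends in a self-signed root the client does not trust",
    "DEPTH_ZERO_SELF_SIGNED_CERT": "the server certificate itself is self-signed",
    "UNABLE_TO_VERIFY_LEAF_SIGNATURE": "issuer not found, usually a missing intermediate",
    "CERT_HAS_EXPIRED": "a certificate in the chain has expired",
}

LINE_RE = re.compile(r"downloadFile:url=(?P<url>[^;]+);attempt=(?P<attempt>\d+);"
                     r"code:(?P<code>[^;]*);connect:(?P<connect>[^;]*);")

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def triage(line):
    """Extract target host, TLS error and unverified JWT claims from a log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    token = parse_qs(url.query).get("doc", [""])[0]
    header = claims = None
    if token.count(".") == 2:
        head, body, _sig = token.split(".")
        header, claims = b64url_json(head), b64url_json(body)  # signature NOT verified
    return {"host": url.hostname, "path": url.path, "attempt": int(m["attempt"]),
            "code": m["code"], "meaning": TLS_CODES.get(m["code"], "unknown code"),
            "jwt_alg": header and header.get("alg"), "claims": claims}

if __name__ == "__main__":
    print(json.dumps(triage(LOG_LINE), indent=2))
```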