Next cloud collaboration with onlyoffice | Block public access


#1

We are using OnlyOffice for documentation collaboration. OO is behind the proxy server; we are using the Nextcloud web server as a proxy. We want to block public access to OnlyOffice, but unfortunately I am not successful.
For better understanding, let me explain with URLs.

NC URL = nc.test.com
OnlyOffice proxy URL = ncp.test.com
OnlyOffice internal URL, map on private IP = oo.test.com

Following are NC settings

Document Editing Service address= ncp.test.com
Document Editing Service address for internal requests from the server = oo.test.com
Server address for internal requests from the Document Editing Service = nc.test.com

Following are the Apache settings for the proxy [as recommended by OO]; here is the https-to-https link

<VirtualHost *:443>
ServerName ncp.test.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/httpd/sslcert/ibex.crt
SSLCertificateKeyFile /etc/httpd/sslcert/ibex.key
SSLCertificateChainFile /etc/httpd/sslcert/caroot.key
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Host "%{THE_HOST}e"
ProxyAddHeaders Off
ProxyPassMatch (.*)(/websocket)$ "wss://oo.test.com/$1$2"
ProxyPass / https://oo.test.com/
ProxyPassReverse / https://oo.test.com/
</VirtualHost>

If I directly access https://ncp.test.com, it takes me to the OO page. How can I block it publicly?

Thanks


#2

Something like this should work (not tested it myself)

<Location /foo>
    # This rule is the most IMPORTANT
    Deny from all
    # The second value implies the 10.100.0.0/16 subnet
    Allow from 192.168.1.2 10.100
    ProxyPass http://example.com/foo
    ProxyPassReverse http://example.com/foo
</Location>

#3

In this case, I am still able to access the OO, because I have allowed my LB's internal IP, and all traffic is coming through this LB.
Second, if I deny all traffic, how does a user access ncp.test.com to edit the document? Because if you see the below screenshot, when I try to edit any document, the browser directly accesses the OO URL mentioned in the setting "Document Editing Service address= ncp.test.com".
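
The first point in #3, modelled as an added example (not code from any poster in this thread): a peer-address allowlist behind a load balancer sees only the LB's address, so every request matches, whereas resolving the client through trusted proxies, as Apache's mod_remoteip does, restores the distinction. It assumes the LB appends the real client address to `X-Forwarded-For`; the LB address, the sample clients and the function names are hypothetical.

```python
import ipaddress

def parse_allow(spec):
    """One 'Allow from' token: full IP, CIDR, or partial IPv4 such as '10.100'."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:
        # Partial address: each octet given fixes 8 prefix bits (10.100 -> 10.100.0.0/16).
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    return ipaddress.ip_network(spec)  # single host, /32

def effective_client(peer, xff, trusted):
    """Address the access check should run against.

    Starts from the TCP peer; while that address is a trusted proxy, it is
    replaced by the right-most remaining X-Forwarded-For entry.
    """
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    while hops and any(addr in net for net in trusted):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None  # malformed entry: fail closed
    return addr

def is_allowed(peer, xff, allow, trusted=()):
    client = effective_client(peer, xff, [parse_allow(t) for t in trusted])
    return client is not None and any(client in parse_allow(a) for a in allow)

# Constructed sample values (not the thread's real network).
ALLOW = ["192.168.1.2", "10.100"]  # the allow list from reply #2
LB = "10.100.0.5"                  # hypothetical load balancer address

if __name__ == "__main__":
    cases = [("public client", "203.0.113.7"),
             ("internal client", "10.100.3.9"),
             ("public client forging the header", "10.100.3.9, 203.0.113.7")]
    for label, xff in cases:
        naive = is_allowed(LB, xff, ALLOW)               # checks the TCP peer only
        aware = is_allowed(LB, xff, ALLOW, trusted=[LB])  # resolves through the LB
        print(f"{label:34} peer-only={naive!s:5} proxy-aware={aware}")
```

This covers only the client-address problem; the second point in #3, that browsers editing a document must still reach ncp.test.com, is not changed by it.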


#4

You can't make a block in the LB for it?


#5

Please review my question again