Nextcloud 13 and Onlyoffice on the same machine without docker. (it's working!)


#1

Well, I have some restrictions to observe but still need to provide the onlyoffice document service to our nextcloud users.
At the moment I only have one machine and it is a Strato V-Server which is not docker ready.

I followed this guide to install the onlyoffice document server onto the machine that already has a running nextcloud installation:
https://helpcenter.onlyoffice.com/de/server/linux/document/linux-installation.aspx

I was a bit discouraged to find that onlyoffice uses nginx as a proxy while I already had all the other services proxied through apache, and I had no previous experience with nginx whatsoever. However, I quickly found that this is not too difficult to manage since I was able to have the two http servers listen on different ports.

I have now managed to get onlyoffice to open my office documents from within the nextcloud web interface. Here is the nginx configuration file that I have come up with so far:

# Use this example for proxy HTTPS traffic to the document server running on localhost.
# Replace {{SSL_CERTIFICATE_PATH}} with the path to the ssl certificate file
# Replace {{SSL_KEY_PATH}} with the path to the ssl private key file
# 
# Note that this configuration is still experimental and incomplete. 
# Do NOT use this version on your production server!  

# Defines the docservice/spellchecker upstreams, the X-Forwarded-* maps and the proxy_set_header lines.
include /etc/nginx/includes/onlyoffice-http.conf;

server {
  listen 0.0.0.0:8143 ssl;
  listen [::]:8143 ssl default_server;
  server_tokens off;
  root /usr/share/nginx/html;

  # Every simple directive needs a terminating ';' or nginx refuses to start.
  server_name office.mysite.com;

  # TLS is already enabled by 'listen ... ssl' above; a separate 'ssl on;' is redundant
  # (and deprecated in newer nginx releases).
  ssl_certificate {{SSL_CERTIFICATE_PATH}};
  ssl_certificate_key {{SSL_KEY_PATH}};
  ssl_verify_client off;

  # Cipher names must be valid OpenSSL names (AES256-...-SHA384 / AES128-...-SHA256);
  # OpenSSL silently drops names it does not know, such as "...-SHA128".
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RS (...)";

  # TLSv1 and TLSv1.1 are legacy protocols; keep only TLSv1.2 unless an old client really needs them.
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  # Without 'always', nginx only adds these headers to 2xx/3xx responses.
  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff;

  location / {
    # 'docservice' is the upstream on localhost:8000 from the included file;
    # HTTP/1.1 is required for the WebSocket Upgrade headers set there.
    proxy_pass http://docservice;
    proxy_http_version 1.1;
  }
}

Disclaimer: I am still new to nginx, onlyoffice and nextcloud. So if you happen to find any errors or security flaws in the above configuration, please let me know.

For the sake of completeness here is the /etc/nginx/includes/onlyoffice-http.conf that is included within the above configuration:

# Backends started by the onlyoffice document server package; all of them listen on loopback only.
upstream docservice {
  server localhost:8000;
}

upstream spellchecker {
  server localhost:8080;
}

# The bundled example application; not needed for the nextcloud integration.
upstream example {
  server localhost:3000;
}

# Host to report to the backend: the request's Host header, or the server name if it is absent.
map $http_host $this_host {
    "" $host;
    default $http_host;
}

# Scheme and host as seen by the client, taken from X-Forwarded-* if present.
# Note: this trusts an X-Forwarded-Proto/X-Forwarded-Host header supplied by whoever connects;
# that is only safe when a trusted proxy sits in front of nginx. If nginx is the edge, the
# document server builds its URLs from client-controlled values here.
map $http_x_forwarded_proto $the_scheme {
     default $http_x_forwarded_proto;
     "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

# WebSocket support: pass the Upgrade header through and set Connection to match.
map $http_upgrade $proxy_connection {
  default upgrade;
  "" close;
}

# Applied to every proxy_pass in this http{} context.
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

While this implementation looks like it is working I have to admit that it is still incomplete.
I created this file by merging the original /etc/nginx/conf.d/onlyoffice-documentserver-ssl.conf with the ssl example configuration from here: https://github.com/ONLYOFFICE/document-server-proxy/blob/master/nginx/proxy-https-to-http.conf

I was able to put things nicely together except for this one bit from the http configuration file:

include /etc/nginx/includes/onlyoffice-documentserver-*.conf;

I feel that I should have to add another server{} directive but since I am proxying to docservice which is localhost:8000 I have no good idea how to do it.

Thanks for any comments and Ideas!


#2

Ok, I think I have found the solution:

# Use this example for proxy HTTPS traffic to the document server running on localhost.
# Replace {{SSL_CERTIFICATE_PATH}} with the path to the ssl certificate file
# Replace {{SSL_KEY_PATH}} with the path to the ssl private key file
# 
# Note that this configuration is experimental. It needs to be reviewed and some testing. 
# Do NOT use this version on your production server!  

# Defines the docservice/spellchecker upstreams, the X-Forwarded-* maps and the proxy_set_header lines.
include /etc/nginx/includes/onlyoffice-http.conf;

# Plain-http server on loopback only. It carries the document server's own location{} rules
# and is reached solely through the proxy_pass in the TLS server below; it must not be exposed.
server {
  listen localhost:8180;
  server_tokens off;
  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
}


server {
  listen 0.0.0.0:8143 ssl;
  listen [::]:8143 ssl default_server;
  server_tokens off;
  root /usr/share/nginx/html;

  # Every simple directive needs a terminating ';' or nginx refuses to start.
  server_name office.mysite.com;

  # TLS is already enabled by 'listen ... ssl' above; a separate 'ssl on;' is redundant
  # (and deprecated in newer nginx releases).
  ssl_certificate {{SSL_CERTIFICATE_PATH}};
  ssl_certificate_key {{SSL_KEY_PATH}};
  ssl_verify_client off;

  # Cipher names must be valid OpenSSL names (AES256-...-SHA384 / AES128-...-SHA256);
  # OpenSSL silently drops names it does not know, such as "...-SHA128". The 3DES entries
  # (DES-CBC3-SHA) are weak and only worth keeping for very old clients.
  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  # TLSv1 and TLSv1.1 are legacy protocols; keep only TLSv1.2 unless an old client really needs them.
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  # Without 'always', nginx only adds these headers to 2xx/3xx responses.
  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff;

  location / {
    # Hand everything to the loopback server above; HTTP/1.1 is required for the
    # WebSocket Upgrade headers set in the included file.
    proxy_pass http://localhost:8180;
    proxy_http_version 1.1;
  }
}

The previously missing onlyoffice-documentserver-*.conf files are now also evaluated.

BTW: I forgot to mention the configuration steps on the nextcloud side:

  1. go to nextcloud > apps and enable the onlyoffice app.
  2. go to nextcloud > settings > administration > onlyoffice.
    Insert https://office.mysite.com:8143/ as the Document Editing Service address

I would be really happy if someone with a good knowledge of nginx could review this file since I am a total newbie to this. Thanks so much!
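Before reloading nginx with a server{} block like the ones in posts #1 and #2, it helps to have something that spots the slips a reviewer would catch: a directive without its terminating ';' (nginx refuses to start), TLSv1 and TLSv1.1 still enabled, a redundant 'ssl on;', and a Strict-Transport-Security header added without 'always'. The checker below is an added example written for this page; it is not code from the thread or from ONLYOFFICE. SAMPLE_CONFIG is a constructed copy of the relevant lines as first posted (certificate paths are placeholders), and FIXED_CONFIG is the same block with those findings resolved. `nginx -t` would catch the missing semicolon but says nothing about the TLS settings.

```python
"""Static check for an nginx server{} block such as the one posted above.

Added example, not code from this thread or from ONLYOFFICE. It scans
nginx configuration text for: a simple directive missing its ';', legacy
TLS protocols in ssl_protocols, the redundant 'ssl on;' directive, and a
Strict-Transport-Security header added without 'always'.
SAMPLE_CONFIG is a constructed copy of the posted block (placeholder
certificate paths); FIXED_CONFIG is the same block with the findings fixed.
"""

# Simple (non-block) directives we check for a terminating ';'.
SIMPLE_DIRECTIVES = {
    "listen", "server_name", "root", "include", "ssl_certificate",
    "ssl_certificate_key", "ssl_protocols", "ssl_ciphers", "proxy_pass",
    "add_header",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

SAMPLE_CONFIG = """\
server {
  listen 0.0.0.0:8143 ssl;
  server_tokens off;
  server_name office.mysite.com
  ssl on;
  ssl_certificate /etc/ssl/certs/office.pem;
  ssl_certificate_key /etc/ssl/private/office.key;
  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  add_header Strict-Transport-Security max-age=31536000;
  location / {
    proxy_pass http://localhost:8180;
  }
}
"""

FIXED_CONFIG = """\
server {
  listen 0.0.0.0:8143 ssl;
  server_tokens off;
  server_name office.mysite.com;
  ssl_certificate /etc/ssl/certs/office.pem;
  ssl_certificate_key /etc/ssl/private/office.key;
  ssl_protocols TLSv1.2;
  add_header Strict-Transport-Security max-age=31536000 always;
  location / {
    proxy_pass http://localhost:8180;
  }
}
"""


def lint_nginx(config_text):
    """Return [(line_number, message), ...] for the problems found in config_text."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # ignore comments
        if not line or line.endswith("{") or line == "}":
            continue                                  # block open/close lines
        directive, *args = line.rstrip(";").split()
        if directive in SIMPLE_DIRECTIVES and not line.endswith(";"):
            findings.append((lineno, f"'{directive}' is missing its terminating ';'"))
        if directive == "ssl_protocols":
            weak = sorted(LEGACY_PROTOCOLS.intersection(args))
            if weak:
                findings.append((lineno, "legacy protocols enabled: " + ", ".join(weak)))
        if directive == "ssl" and args == ["on"]:
            findings.append((lineno, "'ssl on;' is redundant with 'listen ... ssl' and deprecated in newer nginx"))
        if directive == "add_header" and "Strict-Transport-Security" in args and "always" not in args:
            findings.append((lineno, "HSTS header is only added to 2xx/3xx responses; append 'always'"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_nginx(SAMPLE_CONFIG):
        print(f"line {lineno}: {message}")
    print("findings for the fixed block:", lint_nginx(FIXED_CONFIG))
```

Point `lint_nginx()` at the text of your own server{} file before running `nginx -t`; the checker deliberately understands only the handful of directives that matter here, so an empty result means "nothing from this list", not "the file is correct".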


#3

THANK YOU VERY MUCH!
I have two questions:
1.) Are you able to update NGINX to a version greater than 1.10 as provided by Onlyoffice?
2.) Did you amend your config.php with the following:

'onlyoffice' => array ( 'verify_peer_off' => TRUE ),

Looking forward to your response, cheers, Carsten

BTW: I am using a VM running Onlyoffice at the moment…


#4
  1. No, I did not update nginx. Instead I am using v1.10.3 that came with the onlyoffice installation. Are there any reported problems with nginx 1.10.3?
    In case of incompatibility with nextcloud I think that does not hurt in my case. As already stated, I am using apache as a proxy for nextcloud and nginx only for onlyoffice. It might seem silly to use apache and nginx side by side instead of a single http proxy. I still decided to go that route because I did not want to change my working system any more than necessary.
  2. In my case that is not required. Adding this line pokes an (admittedly tiny) security hole into the ssl configuration because the validity of the certificate is not checked anymore.
    You would have to do that if you (1) need to use a self-made certificate or (2) need to access the onlyoffice document server via ip address or LAN-only server name instead of a public domain name that can be certified.

Hint: an SSL connection is only required for connections to outside clients. If the communication between nextcloud server and onlyoffice server is made within a secure LAN environment (or if both servers sit on the same machine) you can tweak the onlyoffice app configuration like this:

  1. goto nextcloud > settings > administration > onlyoffice
  2. click advanced server settings
  3. for Document Editing Service address for internal requests from the server:
    fill in: http://localhost:8000 (which is the default address for the docservice as defined in onlyoffice-http.conf)
  4. for Server address for internal requests from the Document Editing Service
    insert the internal address of your nextcloud server (look up the virtual host configuration file of your http server if you don’t know that address)
  5. Note that both these addresses use http and not https. (you can use https but that wouldn’t make much sense)

Disclaimer: Note that I only found that out yesterday - not by reading the documentation (which I have not found yet) but by poking around and trying to make sense of what I found. It works for me so far but that does not necessarily mean that I am doing things the right way here.
If anybody with some real knowledge of the matter might care to comment I’d be very happy. Thanks!


#5

The Documentation for the Nextcloud ONLYOFFICE integration app can be found here:


I admit I was just too lazy yesterday to look it up. :slight_smile:


#6

Here are some more details on how to create an unencrypted connection between nextcloud and onlyoffice. This optimization will save a few cpu cycles which might be helpful if you are using a raspi or any other small machine.
Using http here instead of https does not pose a security risk since both servers sit on the same computer.

In my previous post I wrote:

  1. for Server address for internal requests from the Document Editing Service
    insert the internal address of your nextcloud server (look up the virtual host configuration file of your http server if you don’t know that address)

Well I found that in most cases it isn’t quite as easy because usually any http access to the nextcloud server should be barred by something like this:

<VirtualHost *:80>
  ServerName cloud.mysite.com
  Redirect permanent / https://cloud.mysite.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName ...
  ...
</VirtualHost>

(example for an apache virtual server configuration)
This means we have to add another section for the loopback communication like this:

# Bind the loopback-only listener to 127.0.0.1 explicitly: a bare 'Listen 8182' accepts
# connections on every interface, and the vhost below is meant for local traffic only.
Listen 127.0.0.1:8182
<VirtualHost 127.0.0.1:8182>
  # nextcloud only answers for Host values listed in trusted_domains in its config.php;
  # 'localhost' is normally already there.
  ServerName localhost
  DocumentRoot /var/www/nextcloud
  Alias /nextcloud "/var/www/nextcloud/"
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
  </Directory>
</VirtualHost>

Now we have something to put into the
Server address for internal requests from the Document Editing Service field. Insert http://localhost:8182 then restart apache and you’ll be fine (most probably you won’t find any perceivable difference :slight_smile: )
If you are fond of housekeeping (it definitely pays off in the long run) then move the listen 8182 directive to a more appropriate place like ports.conf.
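The plain-http hops described in posts #4 and #6 (nextcloud to http://localhost:8000, the document server back to http://localhost:8182, plus nginx's internal 8180 and the spellchecker on 8080) are only safe because nothing outside the machine can reach those ports. That is worth verifying rather than assuming, since an unqualified `Listen 8182` in apache binds every interface. The script below is an added example written for this page, not code from the thread; it parses the output of `ss -ltn` (Linux, iproute2) and reports any internal port bound beyond 127.0.0.1/::1. SAMPLE_SS_OUTPUT is constructed to mirror this thread's port layout, with 8182 bound to `*` as an unqualified `Listen 8182` produces; the port numbers are the ones used in the posts, and the public listeners (8143, 443) are expected to be exposed.

```python
"""Check that the ports carrying unencrypted nextcloud <-> onlyoffice traffic
listen on loopback only.

Added example, not part of the original thread. Parses 'ss -ltn' output and
flags any INTERNAL_PORTS entry bound to an address other than 127.0.0.1/::1.
SAMPLE_SS_OUTPUT is constructed for this example; it mirrors the thread's
setup, with 8182 bound to every interface as a bare 'Listen 8182' would do.
"""
import subprocess

# Ports that carry plain http between the services and must never be reachable from outside:
# 8000 docservice, 8080 spellchecker, 8180 nginx's internal server{}, 8182 apache's loopback vhost.
INTERNAL_PORTS = {8000, 8080, 8180, 8182}
LOOPBACK = {"127.0.0.1", "::1"}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8000       0.0.0.0:*
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     127.0.0.1:8180       0.0.0.0:*
LISTEN  0       128     0.0.0.0:8143         0.0.0.0:*
LISTEN  0       128     [::]:8143            [::]:*
LISTEN  0       511     *:443                *:*
LISTEN  0       511     *:8182               *:*
"""


def split_addr_port(field):
    """Split an ss 'addr:port' field into (address, port); handles [v6]:port and *:port."""
    addr, _, port = field.rpartition(":")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    return addr, int(port)


def parse_listeners(ss_output):
    """Return [(address, port), ...] for every LISTEN line in 'ss -ltn' output."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue                      # header line or unrelated state
        listeners.append(split_addr_port(cols[3]))
    return listeners


def exposed_internal_ports(listeners, internal_ports=INTERNAL_PORTS):
    """Return sorted (address, port) pairs where an internal port is bound beyond loopback."""
    return sorted(
        (addr, port) for addr, port in listeners
        if port in internal_ports and addr not in LOOPBACK
    )


def exposed_from_live_system():
    """Run 'ss -ltn' on this host and audit the result (Linux with iproute2 only)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_internal_ports(parse_listeners(out))


if __name__ == "__main__":
    for addr, port in exposed_internal_ports(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"port {port} is bound to {addr}; bind it to 127.0.0.1 (or ::1) instead")
```

Run `exposed_from_live_system()` on the box after restarting apache and nginx; with `Listen 127.0.0.1:8182` in place of the bare `listen 8182` the list comes back empty. Any entry it still reports is a port where plain-text document traffic can be reached from the network, which is exactly the case where the https-only advice from post #4 applies again.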