Nextcloud and Onlyoffice Same Server w/ NGINX

Hey,

I have Nextcloud 11 successfully installed on my CentOS 7 VPS server with GoDaddy. I also have the Onlyoffice document server successfully installed on the same server. I tested each with separate nginx config files to make sure each works. And each does work on HTTPS.

Desire
My goal is to have them both functioning on the same server, using NGINX…but can only be accessed through my HTML homepage in the root directory.
My root directory is /var/www/ and all my website files are located in this directory, so when you go to my domain, it loads my index.html.
What I want is for a user to click a login tab (a href="path to nextcloud login"), get redirected to Nextcloud's login page, and have Onlyoffice functionality within their Nextcloud account.

Currently
Before I do the website part, I want to test Nextcloud working with Onlyoffice on the same server, but I'm running into issues. I assumed that Onlyoffice needs to talk on a different port because Nextcloud is using port 443. So I changed the nginx conf for Onlyoffice to listen on port 9443 and opened that port in my iptables.

I have nextcloud located in /var/www/nextcloud and onlyoffice located in /var/www/onlyoffice

My nextcloud nginx conf file looks like so:

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/var/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name mydomain.net;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain.net;

    ssl_certificate /etc/letsencrypt/live/mydomainnet/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomainnet/privkey.pem;

   # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /var/www/nextcloud/;
    index index.html index.htm;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Disable gzip to avoid the removal of the ETag header
gzip off;

# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;

error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;

location / {
    rewrite ^ /index.php$uri;
}

location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
    #deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
}

location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
    include fastcgi_params;
    fastcgi_split_path_info ^(.+\.php)(/.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    #Avoid sending the security headers twice
    fastcgi_param modHeadersAvailable true;
    fastcgi_param front_controller_active true;
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ ^/(?:updater|ocs-provider)(?:$|/) {
    try_files $uri/ =404;
    index index.php;
}


# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css|js)$ {
    try_files $uri /index.php$uri$is_args$args;
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers (It is intended to
    # have those duplicated to the ones above)
    # Before enabling Strict-Transport-Security headers please read into
    # this topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't log access to assets
    access_log off;
}

location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
    try_files $uri /index.php$uri$is_args$args;
    # Optional: Don't log access to other assets
    access_log off;
}
}

My onlyoffice nginx conf file looks like so:

include /etc/nginx/includes/onlyoffice-http.conf;

server {
  listen 0.0.0.0:80;
  #listen [::]:80 server_name mydomain.net;
  server_tokens off;
  ## Redirects all traffic to the HTTPS host
  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  rewrite ^ https://$host$request_uri? permanent;
}
#HTTP host for internal services
server {
  listen 127.0.0.1:80;
  #listen [::1]:80;
  server_name localhost;
  server_tokens off;
  include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
  include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
}
server {
  listen 0.0.0.0:443 ssl;
  #listen [::]:443 ssl;

  server_name mydomain.net
  ssl_certificate /etc/letsencrypt/live/mydomainnet/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomainnet/privkey.pem;

  # Redirect the browser to our port 9443 config
  return 301 $scheme://mydomain.net:9443$request_uri;

}


## HTTPS host
server {

  listen 0.0.0.0:9443;
  #listen [::]:443 ssl default_server;
  server_name mydomain.net;
  server_tokens off;
  root /var/www/onlyoffice/;
  index index.html index.html


  ssl_certificate /etc/letsencrypt/live/mydomainnet/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomainnet/privkey.pem;

  # modern configuration. tweak to your needs.
  ssl_protocols TLSv1.2;
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_prefer_server_ciphers on;

  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security max-age=15768000;

  ssl_session_cache builtin:1000 shared:SSL:10m;
  # add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;
  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  #ssl_dhparam {{SSL_DHPARAM_PATH}};

  location ~ /.well-known/acme-challenge {
     root /var/www/onlyoffice/;
     allow all;
  }

  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
}



Nginx doesn't give me any errors in my log, nor does the Onlyoffice nginx.error.log. The only errors I'm getting are within the Nextcloud log.

When typing in the domain of the onlyoffice document server, here are the corresponding errors in the nextcloud log.

When I try https://mydomain.net:9443

Error	onlyoffice	CommandRequest on check error: Bad Request or timeout error	2017-10-07T16:12:22-0400
Error	PHP	file_get_contents(https://mydomain.net:9443/coauthoring/CommandService.ashx): failed to open stream: operation failed at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351	2017-10-07T16:12:22-0400
Error	PHP	file_get_contents(): Failed to enable crypto at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#351	2017-10-07T16:12:22-0400

When I try https://mydomain.net or https://mydomain.net/onlyoffice

Error	onlyoffice	CommandRequest on check error: Error occurred in the document service	2017-10-07T16:12:30-0400
Error	PHP	Trying to get property of non-object at /var/www/nextcloud/apps/onlyoffice/lib/documentservice.php#293	2017-10-07T16:12:30-0400
Error	PHP	Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the php://input stream instead. at Unknown#0	2017-10-07T16:12:30-0400

Sorry for the long post, but I've been stuck on this issue for some time and would love some assistance so I can continue my development.
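
In nginx, a `listen` directive without the `ssl` parameter serves plain HTTP on that port, and a directive missing its terminating `;` absorbs the following directive as extra arguments; both patterns appear in the ONLYOFFICE config as posted above. The following is an added example, not code from the thread: a small checker (function names are this example's own) that flags both, run on a constructed excerpt of that config.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
# Directive names that should never show up as an argument of another directive.
KNOWN = {"ssl_certificate", "ssl_certificate_key", "server_name", "listen", "root"}

def parse(text):
    """Turn nginx config text into nested (name, args, children) tuples."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))  # naive comment strip
    def block(i):
        out, words = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "}":
                return out, i
            if tok in (";", "{"):
                kids = None
                if tok == "{":
                    kids, i = block(i)
                if words:
                    out.append((words[0], words[1:], kids))
                words = []
            else:
                words.append(tok)
        return out, i
    return block(0)[0]

def servers(text):
    """Children of every top-level server block."""
    return [kids for name, _, kids in parse(text) if name == "server"]

def plaintext_tls_listeners(text):
    """listen addresses without 'ssl' in a server block that sets a certificate or key."""
    hits = []
    for kids in servers(text):
        names = {n for n, _, _ in kids}
        legacy_ssl_on = ("ssl", ["on"], None) in kids  # older 'ssl on;' enables TLS too
        if names & {"ssl_certificate", "ssl_certificate_key"} and not legacy_ssl_on:
            hits += [" ".join(a) for n, a, _ in kids if n == "listen" and "ssl" not in a]
    return hits

def swallowed_directives(text):
    """(directive, swallowed name) pairs: the usual trace of a missing semicolon."""
    return [(n, x) for kids in servers(text) for n, a, _ in kids for x in a if x in KNOWN]

# Constructed excerpt, trimmed from the ONLYOFFICE config in the post above.
EXCERPT = """
server {
  listen 0.0.0.0:443 ssl;
  server_name mydomain.net
  ssl_certificate /etc/letsencrypt/live/mydomainnet/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomainnet/privkey.pem;
}
server {
  listen 0.0.0.0:9443;
  index index.html index.html
  ssl_certificate /etc/letsencrypt/live/mydomainnet/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomainnet/privkey.pem;
}
"""

if __name__ == "__main__":
    print("plaintext listeners:", plaintext_tls_listeners(EXCERPT))
    print("swallowed directives:", swallowed_directives(EXCERPT))
```

`nginx -t` accepts a swallowed directive when the outer directive takes any number of arguments (as `server_name` and `index` do), so a structural check like this catches what the syntax test does not.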

I tried and failed doing the same before, but that doesn’t mean anything :wink:

Did you follow the advice here:
https://helpcenter.onlyoffice.com/server/linux/document/linux-installation.aspx
sub-section: “Changing the default Document Server port” ?

Yes, I have tried that to no avail. Plus I'm on HTTPS so I have to redirect the port from 443 to another port. But regardless, that did not fix the issue. I believe the issue lies within the nginx config files but I'm uncertain how to fix this as there's no detailed explanation on how to combine these two services/applications on one server with NGINX.

Hi,

I would like to help you but don’t have access to my config files right now.
So for now I can only give some ideas:

  1. Onlyoffice needs to run on standard ports 80 and 443. I read in the Onlyoffice documentation that custom ports are not supported and not working right now. Consequently Nextcloud needs to be moved to other ports!
  2. While there are no files from the Onlyoffice document server to keep (all document files are stored in the Nextcloud data folder), you could think about using the Onlyoffice docker image.

The docker image of Onlyoffice makes things so much easier. With docker you actually can have Onlyoffice run on a custom port and keep Nextcloud running on standard ports. This is used by port binding when starting the docker image.
So if you plan to use Onlyoffice docker container and Nextcloud on the same server I can provide the config which works for this setup. Just need to find the time at home to post and comment my config.

Hi,

Here we go, I had time to access my config. I hope this will help you.

First I pulled the docker image of Onlyoffice and started it with the command:

docker run -i -t -d -p 192.168.2.80:8443:443 --name onlyoffice --hostname nextcloud --restart=always -v /etc/onlyoffice/documentServer/data:/var/www/onlyoffice/Data -e SSL_DHPARAM_PATH=/etc/ssl/dhparams.pem onlyoffice/documentserver

I then created an nginx config "nextcloud-onlyoffice.conf". It's pretty long, but works great:

upstream onlyoffice-docker {
    server 192.168.2.80:8443;
}

upstream php-handler {
    #server 127.0.0.1:9000;
    server unix:/run/php-fpm/php-fpm.sock;
}

server {
    listen 80;
    server_name cloud.domain.tld;

    server_tokens off;

    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name office.domain.tld;

    server_tokens off;

    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name cloud.domain.tld;

    server_tokens off;

    ##
    ## SSL- Settings
    ##
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    resolver 192.168.2.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_trusted_certificate /etc/ssl/ca-certs.pem;

    ssl_certificate /etc/letsencrypt/live/cloud.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.domain.tld/privkey.pem;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.

    add_header Referrer-Policy "no-referrer";

    # Keep deactivated because Nextcloud sets this header already and it would be sent twice resulting in error messages!
    #add_header X-Frame-Options "SAMEORIGIN";

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    #add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self';" always;

    # Path to the root of your installation
    root /var/www/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;

    location = /.well-known/carddav {
      return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host/remote.php/dav;
    }

    # ACME challenge
    location ^~ /.well-known {
        allow all;
        alias /var/lib/letsencrypt/.well-known/;
        default_type "text/plain";
        try_files $uri =404;
    }
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        alias /var/lib/letsencrypt/.well-known/acme-challenge/;
    }


    # set max upload size
    client_max_body_size 15G;

    # Buffers
    fastcgi_buffers 64 4K;

    gzip off;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_pass_header Authorization;
        fastcgi_pass_header http_oauth_token;
        fastcgi_pass_header oauth_token_secret;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff|svg|gif)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}


## ONLYOFFICE

server {
    listen 443 ssl http2;
    server_name office.domain.tld;

    server_tokens off;

    ##
    ## SSL- Settings
    ##
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    resolver 192.168.2.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_trusted_certificate /etc/ssl/ca-certs.pem;
    ssl_certificate /etc/letsencrypt/live/office.domain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/office.domain.tld/privkey.pem; # managed by Certbot

    ## Headers
    add_header Referrer-Policy "no-referrer";
    add_header X-Frame-Options "ALLOW-FROM https://cloud.domain.tld/" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location / {
            proxy_pass         https://onlyoffice-docker;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
}

I hope this will help you.
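
nginx inherits `add_header` directives from the enclosing level only when the current level declares none of its own, which is why the config's comments call for duplicating the security headers inside the css/js location. The following is an added example, not part of the post: it computes which headers each location actually sends and which server-level ones it loses, run on a constructed excerpt of the Nextcloud server block (function names are this example's own; it assumes one directive per line).

```python
def effective_headers(config):
    """Map 'server' and each location label to the header names nginx adds there."""
    nodes = [{"label": "server", "own": set(), "parent": None}]
    stack = [0]  # indices of the currently open levels
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including disabled headers
        if line.startswith("location ") and line.endswith("{"):
            nodes.append({"label": line[9:-1].strip(), "own": set(), "parent": stack[-1]})
            stack.append(len(nodes) - 1)
        elif line.startswith("add_header "):
            nodes[stack[-1]]["own"].add(line.split()[1].lower())
        elif line == "}" and len(stack) > 1:
            stack.pop()

    def resolve(i):
        # A level with its own add_header ignores everything declared above it.
        node = nodes[i]
        if node["own"] or node["parent"] is None:
            return node["own"]
        return resolve(node["parent"])

    return {node["label"]: resolve(i) for i, node in enumerate(nodes)}

def lost_headers(config):
    """Server-level headers that a location stops sending because it declares its own."""
    eff = effective_headers(config)
    return {loc: sorted(eff["server"] - hdrs)
            for loc, hdrs in eff.items() if eff["server"] - hdrs}

# Constructed excerpt, trimmed from the cloud.domain.tld server block above.
EXCERPT = r"""
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
    add_header Referrer-Policy "no-referrer";
    add_header X-Content-Type-Options nosniff;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ \.(?:css|js|woff|svg|gif)$ {
        add_header Cache-Control "public, max-age=15778463";
        # add_header Strict-Transport-Security "max-age=15768000;
        #  includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
    }
}
"""

if __name__ == "__main__":
    for location, missing in lost_headers(EXCERPT).items():
        print(f"location {location}: not sent -> {', '.join(missing)}")
```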

I was working on the same issue 1 week ago. The solution was for me as well to use the docker image.

Use this to start the docker image:

sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \
-p <customport>:80 \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
onlyoffice/documentserver

Reference for installing OnlyOffice with docker.

Hi there

I have installed Nextcloud using nginx as the webserver on my Ubuntu 16.04 server. I now want to install Onlyoffice on the same server and integrate it with Nextcloud. I followed the guide here,
https://www.linuxbabe.com/ubuntu/integrate-nextcloud-onlyoffice

But when I installed to the step of installing onlyoffice-documentserver, I ran into this error.

dpkg: error processing package onlyoffice-documentserver (--configure):
subprocess installed post-installation script returned error exit status 1

I looked for solutions but nothing I tried worked. So I want to try installing onlyoffice through docker. Can you guys that already seem to have done this help me by providing instructions on how to do this?

Thanks

Hi,

Here is the guide from onlyoffice themselves:
https://helpcenter.onlyoffice.com/server/docker/document/docker-installation.aspx

Before the docker run command you only need to pull the image:
docker pull onlyoffice/documentserver