Onlyoffice docker container behind NGINX, virtualhost settings

alexkcy · January 10, 2020, 3:26pm

Dear all,

I have been trying hard to find a solution but in vain. In short, onlyoffice (docker) + nextcloud (docker) doesn’t work at a particular situation.

If I run onlyoffice docker image and forward external ports (say 1080/1443) to onlyoffice ports (80/443) under docker, and nextcloud point to 1080/1443 port, everything works.
However, if I do not forward external ports in docker, but using ngnix reverse proxy + virtualhost setting, something weird really happens.
Somehow, I am manage to visit https://nameofonlyoffice-virualhost/welcome, it works.
But if I visit https://nameofonlyoffice-virualhost (i.e. without the trailing pathname), it would redirect to https://docservice, which, of course, not working.
As nextcloud is relying on https://nameofonlyoffice-virualhost, nextcloud of course doesn’t work.
One thing worths noting, onlyoffice docker in fact has a layer of nginx sitting in front of onlyoffice document server locally in one container.

Anyone succeed such kind of configuration before and share your nginx virtualhost file with the community here ?

To summarize:

browser (433) <-> (8443) nginx-in-docker (80) <-> (80) nginx-AAA (80-localhost) <-> (80-localhost) onlyoffice-AAA

nginx-AAA and onlyoffice-AAA are running inside the same container.

Thanks a lot !

Regards
Alex

Reiner_Nippes · January 10, 2020, 3:47pm

yes. yesterday.

but not such kind of. just a working one. i don’t expose any ports of onlyoffice nor use I a sudomain for it.

alexkcy · January 10, 2020, 3:51pm

Dear Reiner_Nippes

Good to hear that ! Do you mind to share you nginx conf file here ? Lemme try and see if it could work using virtualhost too.

Regards
Alex

Reiner_Nippes · January 10, 2020, 4:01pm

Hope you can read (and process) jinjas templates (ansible). if not run the playbook in virtual server and examine the result.

are you using selfsigned certs for nextcloud?

github.com

ReinerNippes/nextcloud_on_docker/blob/master/roles/docker_container/templates/nginx.conf.j2

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

This file has been truncated. show original

And the config of nextcloud.

github.com

ReinerNippes/nextcloud_on_docker/blob/master/roles/nextcloud_config/tasks/configure_onlyoffice.yml#L13


- name: install onlyoffice app
  shell: '{{ docker_occ_cmd }} app:install onlyoffice'
  args:
    creates: '{{ nextcloud_www_dir }}/apps/onlyoffice'
  register: install_onlyoffice_app
  
- name: enable onlyoffice app
  shell: '{{ docker_occ_cmd }} app:enable onlyoffice'
  when: install_onlyoffice_app is changed


- name: setup onlyoffice app
  shell: '{{ docker_occ_cmd }} --no-warnings config:system:set onlyoffice {{ item }}'
  loop:
    - 'DocumentServerUrl --value="/ds-vpath/"'
    - 'DocumentServerInternalUrl --value="http://onlyoffice_documentserver/"'
    - 'StorageUrl --value="http://nginx/"'
  when: install_onlyoffice_app is changed

alexkcy · January 10, 2020, 4:38pm

Thanks a lot. Lemme see if I could adopt your config file.

Self-signed certificate - Yes. I did successfullly after rounds and rounds of experiments. I use FreeNAS to generate CA and cert but openssl should also be the same.

Beware of SAN, valid period of the cert and SHA requirements by chrome and MacOS Catalina.

the certs may work in windows 7, but not in chromebook and after fixing, it work in safari but not in chrome in mac blah blah blah… It was a nightmare to me previously and turn out, I found out that the validty of the cert cannot be longer than 770 days otherwise chrome in macos will consider it as revoked.

Also, remember to put CA keychain (mac), /etc/somewhere in linux, chrome settings in chromeos and also use MMC to add CA without admin rights in windows 7.

Alex

Reiner_Nippes · January 10, 2020, 4:47pm

it’s about the following issue. onlyoffice rejects nextcloud as a storage server if you don’t change a setting in an internal xml file.

github.com/ONLYOFFICE/Docker-DocumentServer

"Download failed" after upgrade to onlyoffice - unable to verify the first certificate

opened 03:22PM - 10 Apr 18 UTC

closed 12:48PM - 10 Jul 19 UTC

thomass4t

I upgraded to the current community- and document-server 9.6.1.627 Community-Se…rver runs with self-signed SSL certificate Document-Server runs with plain http After restart of the two docker containers, I get an error message when opening any kind of document. The error message merely shows "Download failed". I discovered the underlying error within the logfile /app/onlyoffice/DocumentServer/logs/documentserver/converter/out.log Whenever I open a document, an error shows up in this logfile: [2018-04-10 14:17:05.216] [ERROR] nodeJS - error downloadFile:url=https://onlyoffice/products/files/httphandlers/filehandler.ashx?action=stream&fileid=4&version=6&stream_auth=xxx;attempt=3;code:UNABLE_TO_VERIFY_LEAF_SIGNATURE;connect:undefined;(id=PryKqIixHZSmYe_LEsQ_) **Error: unable to verify the first certificate** at Error (native) at TLSSocket.<anonymous> (_tls_wrap.js:1092:38) at emitNone (events.js:86:13) at TLSSocket.emit (events.js:185:7) at TLSSocket._finishInit (_tls_wrap.js:609:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:439:38) The document-Server seems to download something from the community-server and fails because it doesn't know the CA of the self-signed certificate. How can I add my self-signed certificate or my CA to the document-server? My CA must be injected to Node-JS service. (Adding it to /etc/ssl/certs didn't work and also setting the docker-env NODE_TLS_REJECT_UNAUTHORIZED=0 didn't help either) Thanks for any suggestions, Thomas

the merge request to control this with docker ENV variables is not yet merge to master.

alexkcy · January 10, 2020, 5:03pm

Be honest I forgot how to make it works exactly but according to my evernote archive:-

For nextcloud: I should have made changes to the followings:-

NEXTCLOUD/data/resources/config/ca-bundle.crt OR
/usr/share/ca-certificates
change /etc/ca-certificates.conf

For onlyoffice: I should have done something to /var/www/onlyoffice/Data/certs

Regards
Alex

alexkcy · January 10, 2020, 5:08pm

In fact, those SSL problems caused me to try to move everything behind a nginx reversed proxy (as i don’t know in which update would break my adhoc patching to nextcloud and onlyoffice), and then let nextcloud and onlyoffice behind the proxy (within the same docker network) to talk with each other with reject_unauthorized set to false at the backend.