Valerio
December 29, 2018, 10:05am
1
Hello,
I’ve installed on the same VM in my intranet both Nextcloud 15 and Onlyoffice Document Server using the following tutorials: https://www.howtoforge.com/tutorial/how-to-install-nextcloud-with-nginx-and-php-fpm-on-centos-7/ and https://helpcenter.onlyoffice.com/server/linux/document/linux-installation-centos.aspx . As you can see in the attached images, I can access both applications over an HTTP connection via http://nextcloud.xxx.it and http://onlyoffice.xxx.it .
I’d like to integrate Onlyoffice in Nextcloud, so I activated the app as NC Administrator, but when I set http://onlyoffice.xxx.it as “Document Editing Service address” I get the error: Error when trying to connect (Bad Request or timeout error)
Can anybody help me?
hfw
December 29, 2018, 10:28am
2
FYI, both servers should have a valid certificate, e.g. Let’s Encrypt.
Valerio
December 29, 2018, 10:40am
3
Doesn’t it work with HTTP only?
OliverV
December 29, 2018, 3:08pm
4
Nope, but you can use Let’s Encrypt certbot to get a certificate and, as you are already using it, use Nginx to proxy HTTPS.
Valerio
December 29, 2018, 5:23pm
5
How can I use Let’s Encrypt certbot to get a certificate for a subdomain on an intranet, not accessible from internet?
OliverV
December 30, 2018, 7:07am
6
Use DNS to verify your subdomain
Valerio
December 30, 2018, 9:37am
7
Can I refer to this guide for Nginx, instead of Apache?
Valerio
December 30, 2018, 9:46am
8
I’ve just tried to create the certificates for my subdomains, but they didn’t work because the DNS doesn’t point to a public IP address; the subdomains can only be accessed in the intranet.
OliverV
December 30, 2018, 10:24am
9
Either temporarily point it at a public IP (you can remove the A record once verified),
or
generate and self-sign a certificate following, for example, this guide. There are plenty of howtos. You will have to add an exception when loading the page the first time, when you get a warning that the certificate should not be trusted.
Valerio
December 30, 2018, 11:32am
10
I applied what is reported in that guide, but when I executed the command nginx -t the following error was returned:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/ssl/private/nextcloud.key") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/private/nextcloud.key','r') error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
nginx: configuration file /etc/nginx/nginx.conf test failed
I’ve checked that the file /etc/ssl/private/nextcloud.key exists.
I don’t know how to fix it.
Valerio
December 30, 2018, 12:08pm
11
I used the following commands:
mkdir -p /etc/nginx/cert/
openssl req -new -x509 -days 365 -nodes -out /etc/nginx/cert/nextcloud.crt -keyout /etc/nginx/cert/nextcloud.key
chmod 700 /etc/nginx/cert
chmod 600 /etc/nginx/cert/*
Then I configured the Nextcloud virtual host in Nginx as follows:
upstream php-handler {
    server 127.0.0.1:9000;
    #server unix:/var/run/php5-fpm.sock;
}

server {
    listen 80;
    server_name nextcloud.xxx.it;
    # enforce https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name nextcloud.xxx.it;

    ssl_certificate /etc/nginx/cert/nextcloud.crt;
    ssl_certificate_key /etc/nginx/cert/nextcloud.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # Path to the root of your installation
    root /usr/share/nginx/html/nextcloud/;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;

    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # Uncomment if your server is built with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;

    location / {
        rewrite ^ /index.php$uri;
    }

    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param HTTPS on;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
    }

    location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
    }
}
After that:
nginx -t
systemctl restart nginx
My NC works fine over (untrusted) HTTPS.
I tried what is reported at the end of the howto you suggested, but nothing changes.
The command I executed was:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "nextcloud.xxx.it" -i /etc/nginx/cert/nextcloud.crt
The last step!!! Please help me…
OliverV
December 30, 2018, 2:41pm
12
You should have a separate subdomain, certificate and nginx vhost conf file for NC and Onlyoffice,
for example in /etc/nginx/sites-available/:
nextcloud.conf with cert for nextcloud.xxxx.it
onlyoffice.conf with cert for onlyoffice.xxxx.it
OliverV
December 31, 2018, 8:20am
14
It seems Nginx is looking for the key file somewhere else.
Adjust the path in the config file or create a symbolic link to it.
Valerio
December 31, 2018, 10:10am
15
I now have both NC and Onlyoffice working over untrusted HTTPS connections.
I applied the following commands, as reported at the end of the howto, in order to make them trusted:
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "nextcloud.xxx.it" -i /etc/nginx/cert/nextcloud.crt
certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n "onlyoffice.xxx.it" -i /etc/nginx/cert/onlyoffice.crt
but nothing changes.
What’s wrong?
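Added example, not from the thread: a POSIX shell script that issues a self-signed certificate carrying a subjectAltName and then runs the two checks this thread turned on: that the certificate and key files an nginx vhost points at exist and belong together (the nginx -t failure in post 10), and that the certificate actually names the host in a subjectAltName, which modern browsers require (they ignore a bare CN) before an imported certificate is accepted for that host. The host names and directory are placeholders; issue_cn_only reproduces the command form used in post 11, which yields a certificate without a SAN.

```shell
#!/bin/sh
# Added example (not from the thread). HOST and DIR values are placeholders.
set -eu

# issue_selfsigned HOST DIR: self-signed cert with a subjectAltName for HOST
issue_selfsigned() {
    host=$1; dir=$2
    mkdir -p "$dir"
    # -addext puts the name in subjectAltName; browsers no longer accept CN alone
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 700 "$dir"; chmod 600 "$dir"/*
}

# issue_cn_only HOST DIR: the thread's command form, CN only, no subjectAltName
issue_cn_only() {
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl req -new -x509 -days 365 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# check_pair CRT KEY: both files readable and the key belongs to the cert,
# i.e. what nginx -t needs from ssl_certificate / ssl_certificate_key
check_pair() {
    crt=$1; key=$2
    [ -r "$crt" ] || { echo "missing cert: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "missing key: $key" >&2; return 1; }
    c=$(openssl x509 -in "$crt" -noout -pubkey)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$c" = "$k" ] || { echo "key does not match cert" >&2; return 1; }
}

# check_san CRT HOST: the cert lists HOST in subjectAltName
check_san() {
    openssl x509 -in "$1" -noout -text | grep -qwF "DNS:$2"
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    issue_selfsigned nextcloud.example.test "$d"
    check_pair "$d/nextcloud.example.test.crt" "$d/nextcloud.example.test.key" \
        && check_san "$d/nextcloud.example.test.crt" nextcloud.example.test \
        && echo "cert/key pair OK and SAN present"
    rm -rf "$d"
fi
```

Point check_pair at the paths from the vhost's ssl_certificate and ssl_certificate_key directives to reproduce the "No such file or directory" condition before restarting nginx.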