Onlyoffice Nextcloud integration

🍱 Features & apps onlyoffice
1

Hello,

since some days I face an issue with OnlyOffice integration. First everything worked perfectly. I could create documents, edit documents and so on. Then after some days OnlyOffice docserver is still reachable and welcome page is working. But the “new” menu in Nextcloud does not contain exel, word, etc. anymore. And it I try to open an existing document it is not opened via OnlyOffice but instead provides download dialog or google doc viewer.

So it seems OnlyOffice documentserver is up and running but integration is not working.

Meanwile I reainstalled integration app, restartet everything, checked my firewall and still have no glue what is going on here.

Configuration page in OnlyOffice says “successfully saved”.

I use docker containers for Nextcloud and another one for OnlyOffice document server.

Please help me find the root cause for this issue.

2

If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the

scheme used to connect to this server

map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
‘’ $scheme;
}

If we receive X-Forwarded-Port, pass it through; otherwise, pass along the

server port the client connected to

map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
‘’ $server_port;
}

If we receive Upgrade, set Connection to “upgrade”; otherwise, delete any

Connection header that may have been passed to this server

map $http_upgrade $proxy_connection {
default upgrade;
‘’ close;
}

Apply fix for very long server names

server_names_hash_bucket_size 128;

Default dhparam

ssl_dhparam /etc/nginx/dhparam/dhparam.pem;

Set appropriate X-Forwarded-Ssl header

map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] ’
'"$request" $status $body_bytes_sent ’
‘"$http_referer" “$http_user_agent”’;
access_log off;
resolver 127.0.0.11;

HTTP 1.1 support

proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;

Mitigate httpoxy attack (see README for details)

proxy_set_header Proxy “”;
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 80;
access_log /var/log/nginx/access.log vhost;
return 503;
server {
server_name _; # This is just an invalid value which will never trigger on a real hostname.
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
return 503;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
}

cloud.diezimmermanns.at

upstream cloud.diezimmermanns.at {
## Can be connected with “compose_nextcloud_network” network
# nextcloud
server 172.21.0.8:80;
}
server {
server_name cloud.diezimmermanns.at;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name cloud.diezimmermanns.at;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ‘ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES25
6-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES
128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS’;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/cloud.diezimmermanns.at.crt;
ssl_certificate_key /etc/nginx/certs/cloud.diezimmermanns.at.key;
ssl_dhparam /etc/nginx/certs/cloud.diezimmermanns.at.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/cloud.diezimmermanns.at.chain.pem;
add_header Strict-Transport-Security “max-age=31536000” always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://cloud.diezimmermanns.at;
}
}

office.diezimmermanns.at

upstream office.diezimmermanns.at {
## Can be connected with “compose_nextcloud_network” network
# onlyoffice
server 172.21.0.6:80;
}
server {
server_name office.diezimmermanns.at;
listen 80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name office.diezimmermanns.at;
listen 443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ‘ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES25
6-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES
128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS’;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/office.diezimmermanns.at.crt;
ssl_certificate_key /etc/nginx/certs/office.diezimmermanns.at.key;
ssl_dhparam /etc/nginx/certs/office.diezimmermanns.at.dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/office.diezimmermanns.at.chain.pem;
add_header Strict-Transport-Security “max-age=31536000” always;
include /etc/nginx/vhost.d/default;
location / {
proxy_pass http://office.diezimmermanns.at;
}
}

3

Docker-compose file:
version: ‘3.1’

networks:
nextcloud_network:

services:

proxy:
image: jwilder/nginx-proxy:alpine
labels:
- “com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true”
container_name: nextcloud-proxy
networks:
- nextcloud_network
ports:
- 80:80
- 443:443
volumes:
- /apps/config/nginx:/etc/nginx:ro
- /apps/config/nginx/conf.d:/etc/nginx/conf.d:rw
- /apps/config/nginx/vhost.d:/etc/nginx/vhost.d:rw
- /apps/config/nginx/html:/usr/share/nginx/html:rw
- /apps/config/nginx/certs:/etc/nginx/certs:ro
- /apps/config/nginx/dhparam:/etc/nginx/dhparam:ro
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/tmp/docker.sock:ro
- /var/log/nginx:/var/log/nginx.sock:rw
- /spool/nginx/client_temp:/var/cache/nginx/client_temp:rw
restart: unless-stopped

letsencrypt:
image: jrcs/letsencrypt-nginx-proxy-companion
container_name: nextcloud-letsencrypt
networks:
- nextcloud_network
environment:
- DEFAULT_EMAIL=guenterzim@outlook.com
#- DEBUG=TRUE
depends_on:
- proxy
volumes:
- /apps/config/nginx/certs:/etc/nginx/certs:rw
- /apps/config/nginx/vhost.d:/etc/nginx/vhost.d:rw
- /apps/config/nginx/html:/usr/share/nginx/html:rw
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
restart: unless-stopped

db:
image: mariadb:10.4.7
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
container_name: nextcloud_db
networks:
- nextcloud_network
environment:
MYSQL_ROOT_PASSWORD: deleted for security
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_PASSWORD: deleted for security
volumes:
- /apps/nextcloud_db/mysql:/var/lib/mysql
- /backup/nextcloud_db:/backup:rw
- /etc/localtime:/etc/localtime:ro
- /apps/config/mariadb:/etc/mysql:ro
- /apps/logs/mariadb:/var/logs/mysql:rw

nextcloud:
#image: nextcloud:latest
#build: . # instead of image
build:
context: /etc/docker/compose
dockerfile: Dockerfile
container_name: nextcloud
networks:
- nextcloud_network
depends_on:
- letsencrypt
- proxy
- db
volumes:
#- nextcloud:/var/www/html
- /apps/nextcloud/www/html:/var/www/html
#- /apps/nextcloud/www/html/config:/var/www/html/config
#- /apps/nextcloud/www/html/custom_apps:/var/www/html/custom_apps
#- /apps/nextcloud/www/html/data:/var/www/html/data
#- /apps/nextcloud/www/html/themes:/var/www/html/themes
- /etc/localtime:/etc/localtime:ro
environment:
- VIRTUAL_HOST=cloud.diezimmermanns.at
- LETSENCRYPT_HOST=cloud.diezimmermanns.at
- LETSENCRYPT_EMAIL=guenterzim@outlook.com
restart: unless-stopped

onlyoffice:
image: onlyoffice/documentserver:latest
#build:
#context: /etc/docker/compose
#dockerfile: Dockerfile-onlyoffice
container_name: onlyoffice
#ports:
#- 8080:8080
volumes:
- /apps/onlyoffice/data:/var/www/onlyoffice/Data
- /apps/logs/onlyoffice:/var/log/onlyoffice
environment:
- “JWT_ENABLED=true”
- “JWT_SECRET=deleted for security”
- VIRTUAL_HOST=office.diezimmermanns.at
- LETSENCRYPT_HOST=office.diezimmermanns.at
- LETSENCRYPT_EMAIL=guenterzim@outlook.com
networks:
- nextcloud_network
restart: unless-stopped

4

OnlyOffice integration app:
ONLYOFFICE
Servereinstellungen
ONLYOFFICE Document Servicestandort gibt die Adresse des Servers mit den installierten Dokumentdiensten an. Ändere bitte ‘’ für die Serveradresse in der folgenden Zeile.

Serviceadresse der Dokumentbearbeitung

https://office.diezimmermanns.at/

Geheimer Schlüssel (freilassen, um zu deaktivieren)
deleted for security