Restricting Domain Access to OnlyOffice doc server from nextcloud only

wizlon · February 11, 2018, 12:38pm

So I have made great progress: I have onlyoffice running in an LXC container, fully https accessible and everything works brilliantly from nextcloud. I use haproxy at the front of my LAN as I have a nextcloud, WordPress and now an onlyoffice documents server - all on different LAN Ip’s. haproxy directs traffic well. So far, so good.

What I think I need to do though is restrict access to the onlydocument server so that only requests from my nextcloud instance (cloud.mydomain.com) are accepted by onlyoffice, otherwise anyone can connect to it and edit documents to their hearts content - which would waste my resource but also expose a potential security issue. As it is, anyone can access my document servr via a web portal at onlyoffice.mydomain.com - and I just know that’s not good.

Does anyone know how I can restrict access to my documents server to be exclusively from my cloud.mydomain.com instance?

alexander_onlyoffice · February 20, 2018, 11:19am

Hello @wizlon,

Ipfilter parameter can be an option to restrict access to the document server. You can find this parameter in /etc/onlyoffice/documentserver/default.json

"ipfilter": {
           "rules": [{"address": "*", "allowed": true}],
           "useforrequest": false,
           "errorcode": 401

You can type in the ip address or the domain name.

Unfortunately, we do not have documentation for it.

Another solution is JWT token, as ipfilter is less secure. Please find more information about enabling JWT in our API documentation.

wizlon · February 20, 2018, 4:42pm

Thanks! I will give this a go, as I have given up with nginx & haproxy.

It’s probably not a big deal, but it does seem a sensible precaution.

Much appreciated

wizlon · February 20, 2018, 4:51pm

Thanks for the suggestion. So I typed this into the config file:

“ipfilter”: {
“rules”: [{“address”: “*cloud.mypvtdomain.com”, “allowed”: true}],
“useforrequest”: false,
“errorcode”: 401
},

Followed of course by

sudo supervisorctl restart all

And the good news is I can still edit my documents, but the bad news is I can still access my document server from the web.

Do I have anything wrong above? (I had to add a closing ‘},’ to your code).

I will check the JWT token.

Many thanks for your suggestions.

Andrew

wizlon · February 20, 2018, 5:55pm

Ok, I tried the token. I have seen the “secret code” in the nextcloud app and thought it would be good to use. So I pasted this in my document file at /etc/onlyoffice/documentserver/default.json:

"services": {
    "CoAuthoring": {
        "secret": {
            "inbox": {
                "string": "mysecret"
            },
            "outbox": {
                "string": "mysecret"
            },
        },
        "token": {
            "enable": {
                "browser": true,
                "request": {
                    "inbox": true,
                    "outbox": true
                }
            }
        }
    }

However, my supervisor restart gave me this:

root@onlyoffice:~# supervisorctl restart all
onlyoffice-documentserver:spellchecker: stopped
onlyoffice-documentserver:metrics: stopped
onlyoffice-documentserver:gc: stopped
onlyoffice-documentserver:docservice: stopped
onlyoffice-documentserver:converter: stopped
onlyoffice-documentserver:metrics: started
onlyoffice-documentserver:spellchecker: ERROR (spawn error)
onlyoffice-documentserver:gc: ERROR (spawn error)
onlyoffice-documentserver:docservice: ERROR (spawn error)
onlyoffice-documentserver:converter: ERROR (spawn error)

It’s all a bit strange as “nothing seems to work”, but at least the documents server works! :-/

Thanks for any pointers,

Andrew

wizlon · February 23, 2018, 4:05pm

UPDATE:

So I have still not successfully blocked www access to my document server, but I have finally cracked the simple) code for securing working access to the editors, which is better than where I was.

On your onlyoffice document server, you have to edit this file:

/etc/onlyoffice/documentserver/default.json

And do a search for “secret” (and in this case, you DO NEED the quotes as otherwise you get several hits). This will take you to the “secret”: json section, where there are three passwords…all of which are called “secret”. These are the DEFAULT secret passwords needed to enable the editors to function. Change these three entries to a new, identical password. Then goto nextcloud–>settings–>basic-settings and click on the advanced options for the onlyoffice app. Just find the “secret” entry and change it to your password in the json config file (this time WITHOUT the quotes of course) , then click save. Now your document server is password protected.

If I ever figure out how to block access from anything but my nextcloud instance, I will update this thread. Right now, things are better than they were (anyone could have used my onlyoffice server, but now at least it’s password-protected).

Apologies for being so slow to figure this out. As old as I am, I am a newbie to running a server.

pikaille · February 26, 2018, 3:55am

I tried the following :
Running my nextcloud and onlyoffice behind a proxy, which is only forwarding to the nextcloud instance. That means, the onlyoffice instance is isolated.

The two services do link together (I can setup the onlyoffice integration app via the settings successfully). However, when editing documents, we need direct access to the onlyoffice server. Nextcloud isn’t forwarding anything at that point. Your browser directly queries the onlyoffice server. So ya. I guess we are stuck with the app secret security.

alexander_onlyoffice · February 27, 2018, 6:41am

@wizlon, thank you for your feedback, we will take it into account and try to improve the guide.

@pikaille, as we have answered you in this thread, you can try to set up your proxy server to pass on the requests to the document server or make an access to it open and enable JWT.

mmccarn · May 26, 2019, 7:00pm

I believe I’ve done what you were trying to do using apache proxypass combined with mod_rewrite:

proxypass the document server path (eg “/ds-vpath/”) to onlyoffice
use mod_rewrite to send any request that is not for onlyoffice back to nextcloud.

On Ubuntu 18.04 I created /etc/apache2/sites-available/proxy-onlyoffice.conf containing:

<VirtualHost *:80>
   ServerName onlyoffice.mydomain.com
   ServerAdmin mmccarn-onlyoffice@mydomain.com

   AllowEncodedSlashes On
    RewriteEngine on
    RewriteCond %REQUEST_METHOD ^(TRACE|TRACK)
    RewriteRule .* - [F]

    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName onlyoffice.mydomain.com
   ServerAdmin mmccarn-onlyoffice@mydomain.com

   SSLEngine on
   SSLProxyEngine On
   SSLCertificateFile /etc/letsencrypt/live/nextcloud.mydomain.com/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/nextcloud.mydomain.com/privkey.pem

   Define VPATH /ds-vpath/
   Define DS_ADDRESS onlyoffice.mydomain.com

  <Location ${VPATH}>
    Require all granted
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    RequestHeader setifempty X-Forwarded-Proto https
    RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
    RequestHeader edit X-Forwarded-Host (.*) $1
    ProxyAddHeaders Off
  </Location>

  ProxyPassMatch ^\${VPATH}(.*)(\/websocket)$ "wss://${DS_ADDRESS}/${VPATH}/$1$2"
  ProxyPass ${VPATH} "https://${DS_ADDRESS}/${VPATH}"
  ProxyPassReverse ${VPATH} "https://${DS_ADDRESS}/${VPATH}"

  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^\${VPATH}
  RewriteRule "^/?(.*)"        "https://nextcloud.mydomain.com/$1" [L,R,NE]

</VirtualHost>

Then activate it:

a2ensite proxy-onlyoffice
systemctl restart apache2