Unable to get OnlyOffice behind Apache reverse proxy working with Nextcloud 12 -- please help!

Hey guys…first off, please forgive the spaces in the URLs, since I’m new I can only post 2 links :slight_smile:

Anyways, I know I’m SO close to figuring this out I can almost taste it, but I just can’t quite get it. I’ve been researching and Googling for hours and I can’t figure out why this won’t work.

What I’ve got is a Nextcloud server with Apache, and this Apache instance also has several virtual hosts set up to proxy requests to other local servers running other local services. Every service/server is set up to use a single HTTPS (Let’s Encrypt) cert, and all requests to anything HTTP are redirected to HTTPS in my setup as well. I’ve set up a 2nd virtual machine and a corresponding Apache virtual host for OnlyOffice, and it’s accessible via “office .example.com” both internally (on my LAN) and externally (outside of it). In both cases I can successfully reach the “Document Server is Running” success page.

I’ve updated the Nextcloud admin settings page with this URL (https ://office.example.com) and saved. Additionally, I set the onlyoffice VM configuration to use a self-signed cert because otherwise I was getting issues with Nextcloud (HTTPS) trying to load HTTP resources from the onlyoffice server…hoping that makes sense.

The issue I’m getting now is that when I try to open a .docx document I created in Nextcloud, I get the following errors in the Google Chrome console:

Refused to display ‘https ://office.example.com/2017-07-21-15-20/web-apps/apps/documenteditor/main/index.html?_dc=2017-07-21-15-20&lang=en&customer=ONLYOFFICE&frameEditorId=iframeEditor’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

office .example.com/2017-07-21-15-20/web-apps/apps/documenteditor/main/index.html?_dc=2017-07-21-15-20&lang=en&customer=ONLYOFFICE&frameEditorId=iframeEditor Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE

Here is my Apache virtualhost config for forwarding requests to “office .example.com”:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName office.example.com
    ServerAdmin webmaster@localhost

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/chat.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.example.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader unset Accept-Encoding

    ProxyPass / https://192.168.1.44/
    ProxyPassReverse / https://192.168.1.44/
    ProxyPass "/websocket" "wss://192.168.1.44/websocket"
    ProxyPassReverse "/websocket" "wss://192.168.1.44/websocket"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # The backend presents a self-signed cert, so verification of its certificate is disabled here.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLInsecureRenegotiation on
    SSLVerifyClient none

    # Order/Allow are Apache 2.2 access-control syntax; on 2.4 they need mod_access_compat.
    <Proxy *>
        AddDefaultCharset off
        Order Allow,Deny
        Allow from all
    </Proxy>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

I’m not sure if all of that is needed or not, as so far it’s a hodgepodge of stuff I’ve found and tried online. Finally, here is my onlyoffice config from /etc/nginx/conf.d/onlyoffice-documentserver.conf on that server:

include /etc/nginx/includes/onlyoffice-http.conf;

## Normal HTTP host
server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name office.example.com;
  server_tokens off;

  ## Redirects all traffic to the HTTPS host
  ## root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  ## rewrite ^ https://$host$request_uri? permanent;
}

#HTTP host for internal services
server {
  listen 127.0.0.1:80;
  listen [::1]:80;
  server_name office.example.com;
  server_tokens off;
  
  include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
  include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
}

## HTTPS host
server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl default_server;
  server_name office.example.com;
  server_tokens off;
  root /usr/share/nginx/html;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl on;
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  ssl_verify_client off;

  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  add_header Strict-Transport-Security max-age=31536000;
  ## add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;

  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;

}

Any help or pointers someone MUCH smarter than I am could provide would be HUGELY appreciated! Thank you!!

Hi,

If you use Let’s Encrypt certs in the Apache virtual host, why not in nginx?

My header settings also looked like this in onlyoffice-documentserver.conf to get it working:

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

Still had an A+ on https://www.ssllabs.com/ssltest/

Unless it matters, I’d prefer to just use a self-signed cert on the onlyoffice server, as that way I can make it “valid” for functionally forever and never worry about having to renew or anything.

Honestly, most of my other “internal” servers run on HTTP and just look like HTTPS from the outside due to the reverse proxy tacking on the cert. However, when I tried running onlyoffice over HTTP and doing what I have usually done with other servers (having Apache reverse proxy via HTTPS), I was getting mixed content errors. Does that make sense?

If your server is reachable from the outside, refreshing your Let’s Encrypt certs is pretty easy. Just install certbot, create a cronjob and that’s nearly it :slight_smile:

I know it’s that in theory; I’ve just had a few issues in the past (probably 100% caused by me lol, I’ll give it that)…but do you really think that is what is causing this issue? I’ve just never had to deal with valid CA-signed certs on my other servers behind my reverse proxy before (and I’ve done nearly 15 of them lol), so I’m not sure why I’d need it this time. I’m far from an expert, but I’m trying to wrap my mind around that.

Plus, if I have Let’s Encrypt certs on both the Apache system (the main webserver and reverse proxy box) and on the Nginx/onlyoffice system, then how will that react? Would that not potentially cause other issues?

It worked for me and I believe it is the cleanest solution.
The cert only states that it’s for hostname x and that you, as person y, own domain z. So when the cert is issued for you, for host yourhostname and office.yourdomain.com, then you can use it wherever you want on that host with that domain.

I see…I guess the other thing I read is here, which seems to indicate that at least this guy got it working the same way I’m trying to:

I don’t know…I guess if no one else has any other thoughts I’ll look further into that. I just don’t understand where that “sameorigin” is coming from; I feel like I just need to add something to either my Apache virtual host config or the onlyoffice nginx config.

Please read the complete post: the solution is to turn off the proxy checks in your Apache reverse proxy config. Try this (of course, change the IPs):

SSLProxyEngine on
ProxyPass / https://192.168.0.103/
ProxyPassReverse / https://192.168.0.103/
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

Yes, I have all of that enabled per my config.

I (somewhat) figured it out on my own: I have the directive Header set X-Frame-Options “SAMEORIGIN” in my /etc/apache2/mods-enabled/ssl.conf file. Commenting out that line makes the files load. However, I was under the impression that this was a good directive to have for security…am I incorrect in this understanding? If so, is there a way I can “override” it for this specific use case? Thanks!

You’re right when speaking about regular websites or any web apps in particular, but in this case Document Server is just an in-frame editor, similar to other HTML editors in web-based content management systems, and it simply has to be included via frames.

Better check your SSLCipherSuite manually and disable insecure ciphers:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Ok, thank you for that. I had “SSLProtocol all -SSLv2 -SSLv3” already in my ssl.conf, but I added the “-TLSv1” piece for good measure.

So, since having Header set X-Frame-Options “SAMEORIGIN” in my ssl.conf breaks this onlyoffice functionality, would my best/most secure option be to remove it from ssl.conf but add it back into all my other (completely unrelated) virtual host configurations in /etc/apache2/sites-enabled? Am I correct in my thinking that at least that way the other sites I have still benefit from it?

:wink: it depends. If you’re hosting sites all by and for your own then you’re fine with sites-enabled IMHO. If you have customers ridin’ on your server then let them do this in their .htaccess files.
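A third option, as an added example that is not from the thread: keep the global SAMEORIGIN default in ssl.conf and override it only in the office vhost, replacing it with a Content-Security-Policy that lets only the Nextcloud origin frame the editor, rather than letting any site do so. The Nextcloud hostname cloud.example.com is an assumption; only the directives relevant to the header are shown, the websocket and log lines stay as in the original vhost.

```apache
# /etc/apache2/mods-enabled/ssl.conf (global): keep the site-wide default, so every
# vhost that says nothing about X-Frame-Options is still protected.
Header always set X-Frame-Options "SAMEORIGIN"

# /etc/apache2/sites-enabled/office.example.com.conf: Document Server is only ever
# loaded inside Nextcloud's <iframe>, which is a different origin, so SAMEORIGIN
# blocks it there. Override the header for this vhost only.
<VirtualHost *:443>
    ServerName office.example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/chat.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.example.com/privkey.pem

    # Backend presents a self-signed cert, so peer verification is off (as in the thread).
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://192.168.1.44/
    ProxyPassReverse / https://192.168.1.44/

    # mod_headers processes main-server directives before vhost ones, so these run
    # after the global "set" and remove SAMEORIGIN from both header tables
    # ("always" also covers non-2xx responses coming back from the proxy).
    Header unset X-Frame-Options
    Header always unset X-Frame-Options

    # Allow framing only from Nextcloud instead of from anywhere.
    # cloud.example.com is an assumed hostname for the Nextcloud server.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://cloud.example.com"
</VirtualHost>
```

After `apachectl configtest` and a reload, the editor response should carry the CSP header and no X-Frame-Options, while every other vhost keeps SAMEORIGIN.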

lol that makes sense, thanks! Yes, purely personal use :slight_smile: Thanks!!