Unable to get OnlyOffice behind Apache reverse proxy working with Nextcloud 12 -- please help!

Hey guys… first off, please forgive the spaces in the URLs; since I'm new I can only post 2 links :slight_smile:

Anyways, I know I'm SO close to figuring this out I can almost taste it, but I just can't quite get it. I've been researching and Googling for hours and I can't figure out why this won't work.

What I've got is a Nextcloud server with Apache, and this Apache instance also has several virtualhosts set up to proxy requests to other local servers running other local services. Every service/server is set up to use a single HTTPS (Let's Encrypt) cert, and all requests to anything HTTP are redirected to HTTPS in my setup as well. I've set up a 2nd virtual machine and corresponding Apache virtualhost for OnlyOffice, and it's accessible via "office .example.com" both internally (on my LAN) and externally (outside of it). In both cases I can successfully reach the "Document Server is Running" success page.

I've updated the Nextcloud admin settings page with this URL (https ://office.example.com) and saved. Additionally, I set the OnlyOffice VM configuration to use a self-signed cert because otherwise I was getting issues with Nextcloud (https) trying to load http resources from the OnlyOffice server… hoping that makes sense.

The issue I'm getting now is that when I try to open a .docx document I created in Nextcloud, I get the following errors in the Google Chrome console:

Refused to display 'https ://office.example.com/2017-07-21-15-20/web-apps/apps/documenteditor/main/index.html?_dc=2017-07-21-15-20&lang=en&customer=ONLYOFFICE&frameEditorId=iframeEditor' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

office .example.com/2017-07-21-15-20/web-apps/apps/documenteditor/main/index.html?_dc=2017-07-21-15-20&lang=en&customer=ONLYOFFICE&frameEditorId=iframeEditor Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE

Here is my Apache virtualhost config for forwarding requests to "office .example.com":

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName office.example.com
    ServerAdmin webmaster@localhost

    SSLEngine on
    # Single Let's Encrypt cert shared by all virtualhosts on this proxy
    SSLCertificateFile /etc/letsencrypt/live/chat.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.example.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader unset Accept-Encoding

    # Most specific path first: a "/websocket" rule placed after "/" is never reached
    ProxyPass "/websocket" "wss://192.168.1.44/websocket"
    ProxyPassReverse "/websocket" "wss://192.168.1.44/websocket"
    ProxyPass / https://192.168.1.44/
    ProxyPassReverse / https://192.168.1.44/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # The backend presents a self-signed cert, so peer verification is switched off
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLInsecureRenegotiation on
    SSLVerifyClient none

    <Proxy *>
        AddDefaultCharset off
        Order Allow,Deny
        Allow from all
    </Proxy>
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

I'm not sure if all that is needed or not, as so far it's a hodgepodge of stuff I've found and tried online. Finally, here is my OnlyOffice config from /etc/nginx/conf.d/onlyoffice-documentserver.conf on that server:

include /etc/nginx/includes/onlyoffice-http.conf;

## Normal HTTP host
server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name office.example.com;
  server_tokens off;

  ## Redirects all traffic to the HTTPS host
  ## root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  ## rewrite ^ https://$host$request_uri? permanent;
}

#HTTP host for internal services
server {
  listen 127.0.0.1:80;
  listen [::1]:80;
  server_name office.example.com;
  server_tokens off;
  
  include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
  include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
}

## HTTPS host
server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl default_server;
  server_name office.example.com;
  server_tokens off;
  root /usr/share/nginx/html;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl on;
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
  ssl_verify_client off;

  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
  ssl_session_cache  builtin:1000  shared:SSL:10m;

  ssl_prefer_server_ciphers   on;

  add_header Strict-Transport-Security max-age=31536000;
  ## add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

  ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
  ## Replace with your ssl_trusted_certificate. For more info see:
  ## - https://medium.com/devops-programming/4445f4862461
  ## - https://www.ruby-forum.com/topic/4419319
  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
  # ssl_stapling on;
  # ssl_stapling_verify on;
  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
  # resolver_timeout 10s;

  ## [Optional] Generate a stronger DHE parameter:
  ##   cd /etc/ssl/certs
  ##   sudo openssl dhparam -out dhparam.pem 4096
  ##
  # ssl_dhparam /etc/ssl/certs/dhparam.pem;

  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;

}

Any help or pointers someone MUCH smarter than I am could provide would be HUGELY appreciated! Thank you!!

Hi,

If you use letsencrypt certs in the apache virtual host, why not in nginx?

My header settings also looked like this in the onlyoffice-documentserver.conf, to have it working:

  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
  #add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;

Still had an A+ on SSL Server Test (Powered by Qualys SSL Labs)

Unless it matters, I'd prefer to just use a self-signed cert on the OnlyOffice server, as that way I can make it "valid" for functionally forever and never worry about having to renew or anything.

Honestly, most of my other "internal" servers run on HTTP and just look like HTTPS from the outside due to the reverse proxy tacking on the cert. However, when I tried running OnlyOffice over HTTP and just doing what I have usually done with other servers, having Apache reverse proxy via HTTPS, I was getting mixed content errors. Does that make sense?

If your server is reachable from the outside, refreshing your Let's Encrypt certs is pretty easy. Just install certbot, create a cronjob and that's nearly it :slight_smile:

I know it's that in theory, I've just had a few issues in the past (probably 100% caused by me lol, I'll give it that)… but do you really think that is what is causing this issue? I've just never had to deal with valid CA-signed certs on my other servers behind my reverse proxy ever before (and I've done nearly 15 of them lol), so I'm not sure why I'd need it this time. I'm far from an expert, but I'm trying to wrap my mind around that.

Plus, if I have Let's Encrypt certs on both the Apache system (the main webserver and reverse proxy box) and on the Nginx/OnlyOffice system, then how will that react? Would that not potentially cause other issues?

It worked for me and I believe it is the cleanest solution.
The cert only states that it's the hostname x and you as a person y owning domain z. So when the cert is provided for you, for host yourhostname and office.yourdomain.com, then you can use it wherever you want on that host with that domain.

I see… I guess the other thing I read is here, which seems to indicate at least this guy got it working the same way I'm trying to:

I don't know… I guess if no one else has any other thoughts I'll look further into that. I just don't understand where that "sameorigin" is coming from; I feel like I just need to add something to either my Apache virtualhost config or the OnlyOffice nginx config.

Please read the complete post: The solution is to turn off ProxyChecks in your Apache Reverse Proxy Config. Try this (of course change IPs):

SSLProxyEngine on
ProxyPass / https://192.168.0.103/
ProxyPassReverse / https://192.168.0.103/
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

Yes, I have all of that enabled per my config.

I (somewhat) figured it out on my own: I have the directive Header set X-Frame-Options "SAMEORIGIN" set in my /etc/apache2/mods-enabled/ssl.conf file. Commenting out that line makes the files load. However, I was under the impression that this was a good directive to have for security… am I incorrect in this understanding? If so, is there a way I can "override" it for this specific use case? Thanks!

You're right when speaking about regular websites or any web apps in particular, but in this case Document Server is just an in-frame editor, similar to other HTML editors in web-based content management systems, and it simply has to be included via frames.

Better check your SSLCipherSuite manually and disable insecure ciphers:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

Ok, thank you for that. I had "SSLProtocol all -SSLv2 -SSLv3" already in my ssl.conf, but I added the "-TLSv1" piece for good measure.

So, since having 'Header set X-Frame-Options "SAMEORIGIN"' in my ssl.conf breaks this OnlyOffice functionality, would my best/most secure option be to remove it from ssl.conf but add it back into all my other (completely unrelated) virtualhost configurations in /etc/apache2/sites-enabled? Am I correct in my thinking that at least that way the other sites I have still benefit from it?

:wink: it depends. If you're hosting sites all by and for your own, then you're fine with sites-enabled IMHO. If you have customers ridin' on your server, then let them do this in their .htaccess files.
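The per-virtualhost arrangement discussed in the last two posts, as an added example (not config from anyone in this thread): the global line in ssl.conf goes away, each ordinary site sets SAMEORIGIN itself, and the office vhost restricts framing to the Nextcloud origin with a Content-Security-Policy frame-ancestors directive instead of dropping the protection entirely. The hostname cloud.example.com for the Nextcloud instance is assumed; mod_headers must be enabled (a2enmod headers).

```apache
# /etc/apache2/mods-enabled/ssl.conf: remove or comment out the global directive
# Header set X-Frame-Options "SAMEORIGIN"

# /etc/apache2/sites-enabled/cloud.example.com.conf (and every other ordinary site)
<VirtualHost *:443>
    ServerName cloud.example.com
    # "always" applies the header to error and proxied responses too,
    # not only to 2xx responses generated locally
    Header always set X-Frame-Options "SAMEORIGIN"
    # ... SSL, proxy and log directives for this site ...
</VirtualHost>

# /etc/apache2/sites-enabled/office.example.com.conf (the Document Server proxy)
<VirtualHost *:443>
    ServerName office.example.com
    # Strip any X-Frame-Options the backend or a leftover global file adds,
    # then allow framing only from this host and the Nextcloud origin
    # (assumed hostname). Browsers that understand frame-ancestors prefer it
    # over X-Frame-Options, so every other origin is still refused.
    Header always unset X-Frame-Options
    Header always set Content-Security-Policy "frame-ancestors 'self' https://cloud.example.com"
    # ... SSLProxyEngine / ProxyPass directives as in the original vhost ...
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -sI https://office.example.com/ | grep -i -e x-frame-options -e content-security-policy` should show only the CSP header on the office host, while the same check against cloud.example.com shows X-Frame-Options: SAMEORIGIN.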

lol that makes sense, thanks! Yes, purely personal use :slight_smile: Thanks!!