Who has Nextcloud and Docker Onlyoffice on the same host? Need help

Hello to the community,

I have a problem using a 100% Nginx web server setup for Nextcloud and Onlyoffice on Docker, all of this on the same host.

Nextcloud 13.0.4 works great,
Let's say it's cloud.mydomain.com
I have installed the docker container of OnlyOffice/DocumentServer and it works well (at least the welcome page)
Let's say it's office.mydomain.com

I installed the OnlyOffice App for Nextcloud, got to the Admin panel and configuration page.
I put in the server address: https://office.mydomain.com/
But when I click save, it goes nowhere, and afterwards in the logs I have a 504 Gateway Timeout.

It looks like the Nextcloud instance can't find office.mydomain.com.

I'm asking for help from someone who has Nextcloud/OnlyOffice Docker working on the same host, to share the .conf files…

Docker uses port 80 and Nginx 81-82-83…

Here is my Nextcloud.conf:

server {
    server_name cloud.mydomain.com;
    #Your DDNS address, (e.g. from desec.io)
    listen 83 default_server;
    # IPv6:
    listen [::]:83 default_server;
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name cloud.mydomain.com;
    #Your DDNS address, (e.g. from desec.io)
    listen 443 ssl http2 default_server;
    # IPv6
    #listen [::]:443 ssl http2 default_server;
    root /var/www/nextcloud/;
    access_log /var/log/nginx/nextcloud.access.log main;
    error_log /var/log/nginx/nextcloud.error.log warn;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
    client_max_body_size 10240M;
    location / {
        rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100m;
        mp4_max_buffer_size 1024m;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff|svg|gif|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
        expires 360d;
    }
}

And my office.conf:

upstream docservice {
    server office.mydomain.com;
}

map $http_host $this_host {
    "" $host;
    default $http_host;
}

map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Normal HTTP host
server {
    listen 0.0.0.0:84;
    listen [::]:84 default_server;
    server_name office.mydomain.com;
    server_tokens off;
    # Redirects all traffic to the HTTPS host
    root /nowhere; ## root doesn't have to be a valid path since we are redirecting
    rewrite ^ https://$host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name office.mydomain.com;
    server_tokens off;
    root /usr/share/nginx/html;

    # Strong SSL Security
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/office.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.mydomain.com/privkey.pem;
    ssl_verify_client off;

    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;

    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=31536000;
    # add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
    # Replace with your ssl_trusted_certificate. For more info see:
    # - https://medium.com/devops-programming/4445f4862461
    # - https://www.ruby-forum.com/topic/4419319
    # - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    # resolver_timeout 10s;

    # [Optional] Generate a stronger DHE parameter:
    #   cd /etc/ssl/certs
    #   sudo openssl dhparam -out dhparam.pem 4096
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        proxy_pass http://docservice;
        proxy_http_version 1.1;
    }
}

Hi @Nemskiller

The problem here is very likely that you forward HTTPS traffic to HTTP:

The docker image should have HTTPS enabled as well.

So this is what I did, with the following command to run the docker image:

docker run -i -t -d -p 127.0.0.1:8443:443 --name onlyoffice --hostname nextcloud -v /etc/onlyoffice/documentserver/data:/var/www/onlyoffice/Data --restart always onlyoffice/documentserver
  1. rebind the docker port 443 to port 8443 on localhost and don't use port 80 at all (-p 127.0.0.1:8443:443)
    - I can therefore use port 80 and 443 for nginx
  2. bind the docker directory "/var/www/onlyoffice/Data" to the local directory "/etc/onlyoffice/documentserver/data" (-v /etc/onlyoffice/documentserver/data:/var/www/onlyoffice/Data) in order to place SSL certificates in that directory, which are automatically used by the web server within the docker image

I’m also wondering about these entries:

I think I remember these lines from config files when Onlyoffice is installed with nodejs and without docker. I don’t have them in my config and I think they can be removed - just to clean up a little bit.

Here is my Onlyoffice config for comparison:

upstream onlyoffice-docker {
    server 127.0.0.1:8443;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name office.mydomain.tld;

    server_tokens off;

    ##
    ## SSL- Settings
    ##
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;

    #ssl_ciphers
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    resolver 192.168.1.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_ecdh_curve secp384r1;
    ssl_trusted_certificate /etc/ssl/ca-certs.pem;
    ssl_certificate /etc/letsencrypt/live/office.mydomain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/office.mydomain.tld/privkey.pem; # managed by Certbot

    ## Headers
    add_header Referrer-Policy "no-referrer";

    add_header X-Frame-Options "ALLOW-FROM https://nextcloud.mydomain.tld/" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location / {
        proxy_pass         https://onlyoffice-docker;
        proxy_redirect     off;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
    }
}

I will test that but:
Usually for Collabora and Onlyoffice on docker, I use no SSL and it's the proxy that gets the certs.

I used the conf file from the DocumentServer GitHub of OnlyOffice.

I'm a total newb on Nginx, so I'm getting some training.

Thanks, I will see that tomorrow.

Hi @Schmu

My problem is solved, but it wasn't with my office.conf.

The culprit was my ISP and my modem.
Orange (French ISP) gives you a Professional ROUTER that doesn't have the right to do loopback.
Imagine that your public IP is 92.100.100.50: when I am inside my LAN and I want to access https://92.100.100.50, the packet can't get out of my router and come back. It's blocked.
If you put another Router on this line, no problem.
So my problem wasn't the config of Nginx, but the Docker DNS.
On my server I can resolve both cloud.mydomain.com and office.mydomain.com, but inside Docker when I ping cloud.mydomain.com it tries to use the public IP 92.100.100.50 (it's an example), so the connection times out.

I will have to configure bind9 to redirect this locally.

Thank you for your answer anyway.

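A small diagnostic for the loopback problem described in the last post, added here as an example and not part of the thread: it classifies what a name resolves to from the container's point of view (an address this host owns, a public address that needs NAT loopback, or some other LAN box) and emits the two usual local overrides, `docker run --add-host` entries (Docker's own flag) or bind9 zone data for the override the poster plans to set up. The WAN address 92.100.100.50 is the poster's example; the LAN address 192.168.1.10, the zone layout and all function names are constructed assumptions.

```python
import ipaddress
import socket

# Constructed values mirroring the thread: the OP's example WAN address and a
# hypothetical LAN address of the host running nginx and the Docker container.
PUBLIC_IP, LAN_IP, DOMAIN = "92.100.100.50", "192.168.1.10", "mydomain.com"
HOSTED_NAMES = ["cloud", "office"]


def classify(resolved_ips, local_ips) -> str:
    """'local': an address this host owns, reached directly.
    'hairpin': only public addresses, so the packet must leave the router and
    come back (NAT loopback); the OP's ISP router drops it -> timeout -> 504.
    'remote': a private address that is not ours (another box on the LAN)."""
    resolved = {ipaddress.ip_address(a) for a in resolved_ips}
    local = {ipaddress.ip_address(a) for a in local_ips}
    if resolved & local:
        return "local"
    if resolved and all(a.is_global for a in resolved):
        return "hairpin"
    return "remote"


def add_host_flags(names, domain: str, lan_ip: str) -> list:
    """docker run --add-host flags pinning the names inside one container,
    a per-container alternative to the bind9 override the OP plans."""
    flags = []
    for name in names:
        flags += ["--add-host", f"{name}.{domain}:{lan_ip}"]
    return flags


def override_zone(domain: str, names, lan_ip: str) -> str:
    """bind9 zone data for a LAN-side view that answers the LAN address."""
    lines = [f"$ORIGIN {domain}.", "$TTL 300",
             f"@ IN SOA ns.{domain}. hostmaster.{domain}. (1 3600 900 604800 300)",
             f"@ IN NS ns.{domain}.", f"ns IN A {lan_ip}"]
    lines += [f"{name} IN A {lan_ip}" for name in names]
    return "\n".join(lines) + "\n"


def live_resolve(name: str) -> list:
    """Real lookup via the resolver in effect; run on the host and inside the container to compare."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


if __name__ == "__main__":
    print(classify([PUBLIC_IP], [LAN_IP, "127.0.0.1"]))  # -> hairpin, the thread's case
    print(" ".join(add_host_flags(HOSTED_NAMES, DOMAIN, LAN_IP)))
    print(override_zone(DOMAIN, HOSTED_NAMES, LAN_IP), end="")
```

Run `live_resolve("cloud.mydomain.com")` once on the host and once via `docker exec` in the container; when the container's answer classifies as `hairpin`, the override (or a LAN resolver that returns the LAN address) is what fixes the 504.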