Who has Nextcloud and Docker OnlyOffice on the same host? Need help


#1

Hello to the community,

I have a problem using Nginx as the only web server for Nextcloud and for OnlyOffice in Docker, all on the same host.

Nextcloud 13.0.4 works great,
Let say it’s cloud.mydomain.com
I have installed the docker container of OnlyOffice/DocumentServer and it works well (at least the welcome page)
Let say it’s office.mydomain.com

I installed the OnlyOffice App for Nextcloud, get to the Admin panel and configuration page.
I put in the server address : https://office.mydomain.com/
But when I click save, nothing happens, and afterwards the logs show a 504 Gateway Timeout.

It looks like the Nextcloud instance can’t reach office.mydomain.com.

I’m asking for help from someone who has Nextcloud and the OnlyOffice Docker container working on the same host, to share their .conf files…

Docker uses port 80 and Nginx uses 81, 82 and 83…

Here is my Nextcloud.conf :

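server {
    server_name cloud.mydomain.com;
    # Your DDNS address (e.g. from desec.io).
    # Plain-HTTP listener. Port 80 on this host is taken by the Docker
    # container (see the post), which is why nginx listens on 83 here.
    listen 83 default_server;
    # IPv6:
    listen [::]:83 default_server;

    # ACME HTTP-01 challenges are handed to whatever listens on 127.0.0.1:81
    # (presumably the ACME client), so renewals keep working while every
    # other plain-HTTP request is redirected.
    location ^~ /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
    }

    # Everything else goes to HTTPS. $server_name is used instead of $host so
    # that this default_server never redirects to a client-supplied Host
    # header value.
    location / {
        return 301 https://$server_name$request_uri;
    }
}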
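server {
    server_name cloud.mydomain.com;
    # Your DDNS address (e.g. from desec.io).
    listen 443 ssl http2 default_server;
    # IPv6
    #listen [::]:443 ssl http2 default_server;

    # NOTE(review): no ssl_certificate/ssl_* directives appear in this block,
    # so they must be inherited from the enclosing http context (e.g. an
    # included ssl.conf) or the ssl listener will not start. Likewise the
    # usual security headers (Strict-Transport-Security,
    # X-Content-Type-Options, X-Frame-Options, ...) are not set here; confirm
    # they are added elsewhere, otherwise Nextcloud's admin overview warns.
    root /var/www/nextcloud/;
    # "main" must be a log_format defined in nginx.conf.
    access_log /var/log/nginx/nextcloud.access.log main;
    error_log /var/log/nginx/nextcloud.error.log warn;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # CardDAV/CalDAV service discovery.
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }

    # Upload limit for the web UI and sync clients.
    client_max_body_size 10240M;

    # Anything not matched by a more specific location is routed through the
    # index.php front controller.
    location / {
        rewrite ^ /index.php$uri;
    }

    # Never serve internal directories directly.
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
        deny all;
    }
    # Hidden files (the "\." alternative) and CLI/maintenance entry points.
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    # Pseudo-streaming for video/audio.
    # NOTE(review): the fastcgi_* directives inside this static-media location
    # look like a copy/paste artefact of the PHP location below; fastcgi_pass
    # most likely sends these files to PHP-FPM instead of the mp4 module.
    # Confirm against the guide this config was taken from.
    location ~ \.(?:flv|mp4|mov|m4a)$ {
        mp4;
        mp4_buffer_size 100m;
        mp4_max_buffer_size 1024m;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        fastcgi_param HTTPS on;
    }

    # PHP entry points. Only the scripts listed here are ever executed;
    # php-handler and php_optimization.conf are defined outside this file.
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        include php_optimization.conf;
        fastcgi_pass php-handler;
        # Tell PHP the request arrived over TLS (so generated URLs use https).
        fastcgi_param HTTPS on;
    }

    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Static assets: serve from disk, otherwise fall through to index.php.
    location ~ \.(?:css|js|woff|svg|gif|png|html|ttf|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        access_log off;
        expires 360d;
    }
}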

And my office.conf

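upstream docservice {
    # The OnlyOffice container publishes plain HTTP on the host's port 80 (see
    # the post). Point nginx at loopback rather than at the public hostname:
    # office.mydomain.com resolves to this host's public address, so the
    # unencrypted hop could leave the loopback interface and, behind NAT
    # without hairpinning, may not be reachable at all (a 504 from the proxy
    # is consistent with that). Adjust the port if the container is published
    # on a different one.
    server 127.0.0.1:80;
}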

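# Host as sent by the client; falls back to $host when no Host header was sent.
map $http_host $this_host {
    "" $host;
    default $http_host;
}

# Scheme reported to the document server. A client-supplied X-Forwarded-Proto
# wins over the real $scheme, and the same applies to X-Forwarded-Host below.
# That matches the upstream OnlyOffice sample and is appropriate when another
# proxy sits in front of nginx; if this nginx is the first hop, consider using
# $scheme / $host directly so clients cannot spoof what the document server
# sees.
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}

map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}

# "upgrade" when the client asked for a WebSocket, "close" otherwise.
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

# These proxy_set_header lines sit at http level (map is only valid there) and
# are inherited by every proxied location that does not set proxy_set_header
# itself; nginx stops inheriting the whole set as soon as a location defines
# any header of its own.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;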

# Normal HTTP host

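server {
    listen 0.0.0.0:84;
    listen [::]:84 default_server;
    server_name office.mydomain.com;
    server_tokens off;

    # Redirects all traffic to the HTTPS host
    root /nowhere; ## root doesn't have to be a valid path since we are redirecting
    # $server_name instead of $host: never redirect to a client-supplied Host.
    rewrite ^ https://$server_name$request_uri? permanent;
}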
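server {
    listen 443 ssl;
    server_name office.mydomain.com;
    server_tokens off;
    # Not used for anything: every request is proxied by "location /" below.
    root /usr/share/nginx/html;

    # Strong SSL Security
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    #ssl on;
    ssl_certificate /etc/letsencrypt/live/office.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/office.mydomain.com/privkey.pem;
    ssl_verify_client off;

    # NOTE(review): this list comes from the raymii tutorial; the
    # *-AES256-GCM-SHA512 entries are not cipher suite names OpenSSL knows and
    # are silently ignored, so the effective list is shorter than it looks.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:50m;
    ssl_prefer_server_ciphers on;

    # Without "always" these headers are only added to 2xx/3xx responses.
    add_header Strict-Transport-Security max-age=31536000;
    # NOTE(review): Nextcloud on cloud.mydomain.com embeds the editor in an
    # iframe, which is a different origin; confirm SAMEORIGIN does not block
    # it (post #2 relaxes this header for that reason).
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # [Optional] If your certificate has OCSP, enable OCSP stapling to reduce
    # the overhead and latency of running SSL.
    # Replace with your ssl_trusted_certificate. For more info see:
    # - https://medium.com/devops-programming/4445f4862461
    # - https://www.ruby-forum.com/topic/4419319
    # - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # Only used for the OCSP fetch; plain-UDP lookups against a public resolver.
    resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    resolver_timeout 10s;

    # [Optional] Generate a stronger DHE parameter:
    #   cd /etc/ssl/certs
    #   sudo openssl dhparam -out dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        # Plain HTTP to the container; the proxy_set_header lines at the top
        # of this file (Upgrade/Connection/X-Forwarded-*) are inherited here
        # because this location sets none of its own.
        proxy_pass http://docservice;
        # HTTP/1.1 is needed for the Upgrade/Connection (WebSocket) headers.
        proxy_http_version 1.1;
    }
}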


#2

Hi @Nemskiller

The problem here is very likely that you forward HTTPS traffic to HTTP:

The docker image should have HTTPS enabled as well.

So here is the command I use to run the docker image:

# The container's port 443 is published on 127.0.0.1:8443 only, so it is not
# reachable from the network; only services on this host (nginx) can talk to it.
# The -v mount exposes a host directory as the container's Data directory
# (the two points below explain both options).
docker run -i -t -d -p 127.0.0.1:8443:443 --name onlyoffice --hostname nextcloud -v /etc/onlyoffice/documentserver/data:/var/www/onlyoffice/Data --restart always onlyoffice/documentserver
  1. rebind the docker port 443 to port 8443 on localhost and don’t use port 80 at all (-p 127.0.0.1:8443:443)
    - I can therefore use ports 80 and 443 for nginx
  2. bind the docker directory “/var/www/onlyoffice/Data” to the local directory “/etc/onlyoffice/documentserver/data” (-v /etc/onlyoffice/documentserver/data:/var/www/onlyoffice/Data) in order to place SSL certificates in that directory, which are automatically used by the web server within the docker image

I’m also wondering about these entries:

I think I remember these lines from config files when Onlyoffice is installed with nodejs and without docker. I don’t have them in my config and I think they can be removed - just to clean up a little bit.

Here is my OnlyOffice config for comparison:

upstream onlyoffice-docker {
    # Document Server container, published on loopback only (-p 127.0.0.1:8443:443).
    server 127.0.0.1:8443;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name office.mydomain.tld;
    server_tokens off;

    ##
    ## TLS: certificate material and key exchange
    ##
    ssl_certificate /etc/letsencrypt/live/office.mydomain.tld/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/office.mydomain.tld/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/ssl/dhparams.pem;
    ssl_ecdh_curve secp384r1;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_prefer_server_ciphers on;

    # Session resumption via the shared cache only; tickets are disabled.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # OCSP stapling: fetch OCSP records from the URL in ssl_certificate and cache them.
    resolver 192.168.1.1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/ca-certs.pem;

    ##
    ## Response headers
    ##
    # NOTE(review): no Strict-Transport-Security is set in this block; add it
    # if the site is meant to be HTTPS-only. "ALLOW-FROM" is ignored by most
    # current browsers, so the portable way to allow framing from Nextcloud is
    # a Content-Security-Policy "frame-ancestors" directive.
    add_header Referrer-Policy "no-referrer";
    add_header X-Frame-Options "ALLOW-FROM https://nextcloud.mydomain.tld/" always;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    location / {
        # The upstream speaks TLS too, but nginx does not verify the
        # container's certificate unless proxy_ssl_verify is enabled. That is
        # acceptable on loopback; revisit it if the upstream ever leaves this
        # host.
        proxy_pass https://onlyoffice-docker;
        proxy_redirect off;
        # Defining proxy_set_header here replaces, rather than extends, any
        # set inherited from http/server level, so no Upgrade/Connection
        # headers are forwarded by this config. NOTE(review): the OnlyOffice
        # sample config in post #1 adds them together with proxy_http_version
        # 1.1 for WebSocket; confirm the editor behaves without them.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}

#3

I will test that but :
Usually, for Collabora and OnlyOffice on Docker, I run them without SSL and it’s the proxy that holds the certificates.

I used the conf file from the DocumentServer Github of OnlyOffice.

I’m a total newbie with Nginx, so I’m getting some training.

Thanks, I will look at that tomorrow.