NextCloud and OnlyOffice via Docker: Difference between revisions
| Line 159: | Line 159: | ||
It is possible to set-up OnlyOffice to use HTTPS and certain FQDN through its configuration. However in this section i described how to create Apache2 Reverse proxy that will handle this. | It is possible to set-up OnlyOffice to use HTTPS and certain FQDN through its configuration. However in this section i described how to create Apache2 Reverse proxy that will handle this. | ||
First, test whether the necessary Apache2 modules are enabled. Below is show the list of the modules retired for this set-up.<syntaxhighlight lang="shell" line="1"> | First, test whether the necessary Apache2 modules are enabled. Below is show the list of the modules retired for this set-up. | ||
<syntaxhighlight lang="shell" line="1"> | |||
sudo apache2ctl -M | grep -E 'auth[nz]_core|unixd|proxy|headers|setenvif' | sudo apache2ctl -M | grep -E 'auth[nz]_core|unixd|proxy|headers|setenvif' | ||
</syntaxhighlight><syntaxhighlight lang="bash"> | </syntaxhighlight><syntaxhighlight lang="bash"> | ||
| Line 174: | Line 175: | ||
</syntaxhighlight>Then setup a new virtual host as follow and restart Apache2. Note in this scenario you need a valid SSL/TLS certificate. In my case I'm using Let's encrypt wildcard certificate for the base domain where the instances of NextCloud and OnlyOffice are installed.<syntaxhighlight lang="shell" line="1"> | </syntaxhighlight>Then setup a new virtual host as follow and restart Apache2. Note in this scenario you need a valid SSL/TLS certificate. In my case I'm using Let's encrypt wildcard certificate for the base domain where the instances of NextCloud and OnlyOffice are installed.<syntaxhighlight lang="shell" line="1"> | ||
sudo nano /etc/apache2/sites-enabled/docs.example.com.conf | sudo nano /etc/apache2/sites-enabled/docs.example.com.conf | ||
</syntaxhighlight><syntaxhighlight lang="apacheconf" line="1"> | </syntaxhighlight><syntaxhighlight lang="apacheconf" line="1" class="mlw-pre-max-height-320"> | ||
Define docs_base_fqdn example.com | Define docs_base_fqdn example.com | ||
Define docs_fqdn docs.example.com | Define docs_fqdn docs.example.com | ||
Revision as of 17:22, 25 September 2022
Here is a short step-by-step manual: How to setup OnlyOffice Docker container and proxy it by Apache2 for usage via NextCloud.
Install Docker
According to the Docker and Docker-compose installation, read the guide Docker Basic Setup. The rest part of this section is deprecated, but is leaved here as historical note :)
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - && \
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt install docker-ce
docker --version
sudo systemctl start docker
sudo systemctl enable docker
$USER without using sudo.sudo groupadd docker
sudo usermod -aG docker $USER
su - $USER
id -nG
sudo crontab -l | grep -i 'docker'
0 2 * * 7 /usr/bin/docker container prune
sudo sed 's/^#DOCKER_OPTS/DOCKER_OPTS/' /etc/default/docker -i
sudo systemctl restart docker
Setup the OnlyOffice Docker Container
Create a directory where the configuration file docker-compose.yaml and the persistent volumes will live.
mkdir /home/docker/onlyoffice
cd /home/docker/onlyoffice
Pull the Docker images and run an OnlyOffice container for a first time
sudo docker run -i -t -d -p 8081:80 --restart=always \
-v $PWD/DocumentServer/logs:/var/log/onlyoffice \
-v $PWD/DocumentServer/data:/var/www/onlyoffice/Data \
-v $PWD/DocumentServer/lib:/var/lib/onlyoffice \
-v $PWD/DocumentServer/db:/var/lib/postgresql \
--hostname docs --name onlyoffice-docs \
onlyoffice/documentserver:latest
Test whether it works. At this point the OnlyOffice document server must be accessible the browser, probably you maybe need to wait about 10 seconds before it become accessible. Note the host port 8081 must be open (for you) within the host's firewall.
http://<host-ip>:8081/welcome/
Enable the integrated test examples.
docker exec onlyoffice-docs supervisorctl start ds:example
docker exec onlyoffice-docs sed 's,autostart=false,autostart=true,' -i /etc/supervisor/conf.d/ds-example.conf
Now you can access the examples at the following address.
http://<host-ip>:8081/example/
Export the configuration files. For some reason the configuration files cannot be exported via the volume option as this is done above for some other directories. So, if we need that, we need first to copy them manually.
sudo mkdir DocumentServer/etc
sudo docker cp onlyoffice-docs:/etc/onlyoffice DocumentServer/etc
sudo docker cp onlyoffice-docs:/etc/supervisor DocumentServer/etc
Now we can stop and prune the container.
docker stop onlyoffice-docs
docker container prune
sudo docker run -i -t -d -p 8081:80 --restart=always \
-v "$PWD/DocumentServer/logs:/var/log/onlyoffice" \
-v "$PWD/DocumentServer/data:/var/www/onlyoffice/Data" \
-v "$PWD/DocumentServer/lib:/var/lib/onlyoffice" \
-v "$PWD/DocumentServer/db:/var/lib/postgresql" \
-v "$PWD/DocumentServer/etc/onlyoffice:/etc/onlyoffice" \
-v "$PWD/DocumentServer/etc/supervisor:/etc/supervisor" \
--hostname docs --name onlyoffice-docs \
onlyoffice/documentserver:latest
Starting from version 7.2, JWT (JSON Web Token) is enabled by default. A random secret is generated automatically if a custom secret has not been added during installation. To obtain the default secret, run this command:
docker exec onlyoffice-docs /var/www/onlyoffice/documentserver/npm/json \
-f /etc/onlyoffice/documentserver/local.json 'services.CoAuthoring.secret.session.string'
xd4f2PO5hdHJHjpV1NdD
You can replace the default secret with a custom key using Docker env. More information about JWT in the documentation. Once again, in order to make the JWT persistent you need to provide it via Docker as environment variable – this will be done within the next section. Finally. Stop and prune the container, because in the next section we will create a Docker-compose configuration file.
docker stop onlyoffice-docs
docker container prune
Manage an OnlyOffice container by Docker-compose
Create the docker-compose.yaml file. Tweak the value of the host port 8081, and the time zone TZ if it is needed. The most important thing is to set an unique value for JWT_SECRET, thus the JWT will become persistent.
nano docker-compose.yaml
# https://hub.docker.com/r/onlyoffice/documentserver/
# https://github.com/ONLYOFFICE/onlyoffice-owncloud/issues/108
version: "3.9"
services:
onlyoffice-docs:
container_name: onlyoffice-docs
image: onlyoffice/documentserver:latest
hostname: docs
#network_mode: host
ports:
- "8081:80/tcp"
environment:
TZ: 'Europe/Sofia'
JWT_SECRET: "xd4f2PO5hdHJHjpV1NdD"
# Volumes store your data between container upgrades
volumes:
- "./DocumentServer/logs:/var/log/onlyoffice"
- "./DocumentServer/data:/var/www/onlyoffice/Data"
- "./DocumentServer/lib:/var/lib/onlyoffice"
- "./DocumentServer/db:/var/lib/postgresql"
- "./DocumentServer/etc/onlyoffice:/etc/onlyoffice"
- "./DocumentServer/etc/supervisor:/etc/supervisor"
restart: unless-stopped
volumes:
DocumentServer:
Download the Docker images and run the container in detached (persistent) mode.
docker-compose up -d
Open the OnlyOffice document server via the browser. Note the host port 8081 must be open (for you) within the host's firewall.
http://<host-ip>:8081/welcome/
The rest part of this section is deprecated, but is leaved here as historical note :)
wget -q https://registry.hub.docker.com/v1/repositories/onlyoffice/documentserver/tags -O - | jq -r '.[].name'
81 of 127.0.0.1 localhost.# docker pull onlyoffice/documentserver
docker run -i -t -d -p 81:80 --restart=always onlyoffice/documentserver:latest
- Note the option
–restart=alwaysmeans the container will run automatically when Docker is started/restarted. - Docker will pull the image automatically when it is not available locally.
Apache2 HTTPS Reverse Proxy
It is possible to set-up OnlyOffice to use HTTPS and certain FQDN through its configuration. However in this section i described how to create Apache2 Reverse proxy that will handle this.
First, test whether the necessary Apache2 modules are enabled. Below is show the list of the modules retired for this set-up.
sudo apache2ctl -M | grep -E 'auth[nz]_core|unixd|proxy|headers|setenvif'
unixd_module (static) # Required
authn_core_module (shared) # Required
authz_core_module (shared) # Required
headers_module (shared) # Required
proxy_module (shared) # Required
proxy_fcgi_module (shared)
proxy_http_module (shared) # Required
proxy_http2_module (shared)
proxy_wstunnel_module (shared) # Required
setenvif_module (shared) # Required
Then setup a new virtual host as follow and restart Apache2. Note in this scenario you need a valid SSL/TLS certificate. In my case I'm using Let's encrypt wildcard certificate for the base domain where the instances of NextCloud and OnlyOffice are installed.
sudo nano /etc/apache2/sites-enabled/docs.example.com.conf
Define docs_base_fqdn example.com
Define docs_fqdn docs.example.com
Define docs_srvr 127.0.0.1
Define docs_port 8081
Define docs_doc_root "/var/www/${docs_fqdn}"
<VirtualHost *:80>
ServerName ${docs_fqdn}
ServerAdmin admin@${docs_base_fqdn}
ErrorLog ${APACHE_LOG_DIR}/${docs_fqdn}.error.log
CustomLog ${APACHE_LOG_DIR}/${docs_fqdn}.access.log combined
# Redirect Requests to HTTPS
Redirect permanent "/" "https://${docs_fqdn}/"
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName ${docs_fqdn}
ServerAdmin admin@${docs_base_fqdn}
ErrorLog ${APACHE_LOG_DIR}/${docs_fqdn}.error.log
CustomLog ${APACHE_LOG_DIR}/${docs_fqdn}.access.log combined
<IfModule http2_module>
# https://httpd.apache.org/docs/2.4/mod/mod_http2.html
# https://httpd.apache.org/docs/2.4/howto/http2.html
Protocols h2 h2c http/1.1
#ProtocolsHonorOrder Off
#H2Direct on
H2Upgrade on
H2Push on
# Default Priority Rule:
# H2PushPriority * After 16
# More complex ruleset:
H2PushPriority * after
H2PushPriority text/css before
H2PushPriority image/jpg after 32
H2PushPriority image/jpeg after 32
H2PushPriority image/png after 32
H2PushPriority application/javascript interleaved
<LocationMatch "^.*$">
# Header add Link "</example.png>; rel=preload; as=image"
# Header add Link "</style.css>; rel=preload; as=style"
# Header add Link "</script.js>; rel=preload; as=script"
</LocationMatch>
# From apache2/mods-available/http2.conf
# Since mod_http2 doesn't support the mod_logio module (which provide the %O format),
# you may want to change your LogFormat directive as follow:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %B" common
</IfModule>
SSLEngine on
#SSLCertificateFile /etc/letsencrypt/live/${docs_base_fqdn}/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/${docs_base_fqdn}/privkey.pem
#SSLCertificateChainFile /etc/letsencrypt/live/${docs_base_fqdn}/chain.pem
SSLCertificateFile /etc/letsencrypt/live/${docs_base_fqdn}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${docs_base_fqdn}/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SetEnvIf Host "^(.*)$" THE_HOST=$1
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
# Reference about OnlyOffice Proxy settings
# https://github.com/ONLYOFFICE/onlyoffice-owncloud/issues/108
ProxyAddHeaders Off
<Location "/">
ProxyPass "http://${docs_srvr}:${docs_port}/"
ProxyPassReverse "http://${docs_srvr}:${docs_port}/"
</Location>
ProxyPassMatch (.*)(\/websocket)$ "ws://${docs_srvr}:${docs_port}/$1$2"
# DocumentRoot "${docs_doc_root}"
# <Directory "${docs_doc_root}">
# DirectoryIndex index.php index.html hello.html
# Require all granted
# #Options None FollowSymLinks MultiViews
# Options None FollowSymLinks
# # AllowOverride None
# AllowOverride All
# <IfModule security2_module>
# #SecRuleEngine Off
# </IfModule>
# </Directory>
# Limit the acces to the URIs /, /welcome, /example, /healthcheck
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteCond "%{REMOTE_ADDR}" "!^(172\.16\.[0-9]{1,3}\.[0-9]{1,3}|0\.0\.0\.0|127\.0\.0\.[0-9]{1,3})$"
RewriteCond "%{REQUEST_URI}" "^/(welcome.*$|example.*$|healthcheck.*$|$)"
RewriteRule "^(.*)$" https://cloud.example.com/? [L,R=307]
</ifModule>
</VirtualHost>
</IfModule>
References
- OnlyOffice Help Center: Installing ONLYOFFICE Docs Community Edition for Docker on a local server
- Docker Hub: onlyoffice/documentserver
- GitHub: ONLYOFFICE/onlyoffice-nextcloud
- GitHub: ONLYOFFICE/onlyoffice-nextcloud/releases
- OnlyOffice Api Docs: Nextcloud ONLYOFFICE integration app
- GitHub: ONLYOFFICE/onlyoffice-nextcloud/issues/[Can't connect do document server after update to NC19 #297]
- PhoenixNAP: How To Install and Use Docker on Ubuntu 20.04
