Nextcloud 13 and ONLYOFFICE (NGINX)

Please verify your config.php – in previous versions of this guide I had a typo!


Last Updates:

July 13th, 2018:
– added a shell script to install your own on-prem Onlyoffice server without docker


Guides for Onlyoffice…

  1. on a separate server (not the Nextcloud one) or lxc using one shell script only
  2. alternatively using docker on the same server

1. Onlyoffice on a separate (NOT the Nextcloud one) server or lxc using one shell script only

If you are on Ubuntu 18.04 LTS:

sudo -s
apt install git -y
cd /usr/local/src
git clone https://github.com/riegercloud/install-onlyoffice.git
cd install-onlyoffice/
chmod +x install-onlyoffice.sh
./install-onlyoffice.sh

The script performs the installation fully automatically, except for one question regarding the PostgreSQL password:

Please enter

onlyoffice

and press Enter to continue with the script. Be patient; once your prompt is back, open your Onlyoffice server in your browser:

https://192.168.2.234

If the Onlyoffice welcome page appears

we will enhance the config.php

sudo -u www-data vi /var/www/nextcloud/config/config.php

and add

'onlyoffice' => array ( 'verify_peer_off' => TRUE, ),

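before the last row of the config.php. As the hint in section 2 says, this setting is meant for self-signed certificates only: it turns off certificate verification for the connection from Nextcloud to Onlyoffice.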

... 
'onlyoffice' =>
array (
'verify_peer_off' => TRUE,
),
);

Enable the Onlyoffice app in Nextcloud's app store and set the URL of your new Onlyoffice server (https://192.168.2.234/).

From now on, your office documents can be created, reviewed or edited within your own secure Nextcloud.


2. Alternatively (using docker on the same server) start with the preparation of …

(1) … your router

Open a fourth TCP port on your router, dedicated to OnlyOffice: 8443.

(2) … your ufw firewall

ufw allow 8443/tcp

(3) … your docker environment

apt remove docker docker-engine docker.io
apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# Ubuntu 16.04.4 LTS:
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
# Ubuntu 18.04 LTS:
sed -i '$adeb https://download.docker.com/linux/ubuntu bionic stable' /etc/apt/sources.list
apt update && apt install docker-ce -y

Verify that Docker is now running properly, e.g. by issuing

docker run hello-world

Then download and install the ONLYOFFICE Documentserver:

docker pull onlyoffice/documentserver

Wait until about 650 MB of binaries have been downloaded, then modify your NGINX configuration.

Make amendments to your NGINX configuration:

vi /etc/nginx/nginx.conf

Copy/paste the upstream onlyoffice-docker or the entire nginx.conf file:

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}
http {
    server_names_hash_bucket_size 64;
    upstream onlyoffice-docker {
        server 127.0.0.1:8443;
    }
    upstream php-handler {
        server unix:/run/php/php7.2-fpm.sock;
    }
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 192.168.2.0/24;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    include /etc/nginx/mime.types;
    include /etc/nginx/proxy.conf;
    include /etc/nginx/ssl.conf;
    include /etc/nginx/header.conf;
    include /etc/nginx/optimization.conf;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '"$host" sn="$server_name" '
                    'rt=$request_time '
                    'ua="$upstream_addr" us="$upstream_status" '
                    'ut="$upstream_response_time" ul="$upstream_response_length" '
                    'cs=$upstream_cache_status' ;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    send_timeout 3600;
    tcp_nopush on;
    tcp_nodelay on;
    open_file_cache max=500 inactive=10m;
    open_file_cache_errors on;
    keepalive_timeout 65;
    reset_timedout_connection on;
    server_tokens off;
    resolver 192.168.2.1;
    resolver_timeout 10s;
    include /etc/nginx/conf.d/*.conf;
}

HINT (for self-signed SSL environments only, because this setting turns off certificate verification for the connection to ONLYOFFICE!):
Extend your Nextcloud config.php by issuing
sudo -u www-data vi /var/www/nextcloud/config/config.php
and paste the following rows before the last );
...
'onlyoffice' =>
array (
'verify_peer_off' => TRUE,
),
);

Restart your PHP and Webserver by issuing

service php7.2-fpm restart && service nginx restart

Create a folder and copy your ssl data:

mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp /etc/letsencrypt/live/your.dedyn.io/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/live/your.dedyn.io/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
cp /etc/ssl/certs/dhparam.pem /app/onlyoffice/DocumentServer/data/certs/dhparam.pem
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
HINT (for Let's Encrypt renewals only!):
When your Let's Encrypt SSL certificates are renewed, you have to copy the new certificates again and restart your Docker container, or run this renewal.sh from your crontab:

#!/bin/bash
# Renew the Let's Encrypt certificates
cd /etc/letsencrypt
letsencrypt renew
# Symlinks in live/ changed within the last day indicate a renewed certificate
result=$(find /etc/letsencrypt/live/ -type l -mtime -1 )
if [ -n "$result" ]; then
    /usr/sbin/service nginx stop
    # Copy the renewed key and certificate into the ONLYOFFICE data folder
    cp /etc/letsencrypt/live/your.dedyn.io/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
    cp /etc/letsencrypt/live/your.dedyn.io/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
    chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
    /usr/sbin/service mysql restart
    /usr/sbin/service redis-server restart
    /usr/sbin/service php7.2-fpm restart
    # Restart the container so it picks up the new certificate
    docker restart ONLYOFFICEDOCKER
    /usr/sbin/service nginx restart
fi
exit 0

Then start the docker image by issuing the following statement (a single line):

docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' --restart=always onlyoffice/documentserver

Open your server in the browser and check that your ONLYOFFICE Documentserver responds:

https://your.dedyn.io:8443

Log on to your Nextcloud as your administrator and enable the ONLYOFFICE app.

Switch to the Settings and fill in your Nextcloud domain and the port 8443, for example https://your.dedyn.io:8443. Add your secret (yoursecret) in the advanced section of the ONLYOFFICE configuration panel.

From now, you can create and edit office documents directly in your Nextcloud instance.
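
The docker run statement above enables JWT, and the app settings take the same secret. The following added example (not code from this guide or from ONLYOFFICE) shows why a request signed with any other secret is refused; it assumes HS256 signing, and the helper names and the sample request fields are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def new_secret() -> str:
    """Random 256-bit value to use instead of the placeholder 'yoursecret'."""
    return secrets.token_urlsafe(32)

def sign(payload: dict, secret: str) -> str:
    """Sender side (Nextcloud): sign the request with the shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    mac = hmac.new(secret.encode(), ".".join(parts).encode(), hashlib.sha256)
    return ".".join(parts + [b64url(mac.digest())])

def verify(token: str, secret: str) -> Optional[dict]:
    """Receiver side (Document Server): return the payload only if the
    signature was made with the same secret, otherwise None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None  # refuse "alg": "none" and anything unexpected
        good = hmac.new(secret.encode(), f"{head}.{body}".encode(),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(good, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, AttributeError):
        return None  # malformed token

# Constructed sample request; the field names are illustrative only.
REQUEST = {"c": "info", "key": "sample-document-key"}

if __name__ == "__main__":
    secret = new_secret()
    token = sign(REQUEST, secret)
    head, body, sig = token.split(".")
    unsigned = b64url(b'{"alg":"none"}') + "." + body + "."
    print("same secret    :", verify(token, secret))
    print("guessed secret :", verify(sign(REQUEST, "yoursecret"), secret))
    print("alg none       :", verify(unsigned, secret))
```

Replace the placeholder yoursecret in both the docker run statement and the app settings with a value like the one new_secret() returns.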

 

Enjoy your ONLYOFFICE documents in your secured and hardened Nextcloud-Server!



Carsten Rieger


Useful Docker things:

Status of docker container:

docker ps
docker image list

Issuing updates for ONLYOFFICE:

docker ps
docker stop <id from "docker ps">
docker pull onlyoffice/documentserver
docker rm <id from "docker ps">
docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 --restart=always -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' onlyoffice/documentserver
service nginx restart

Amount of used docker space:

docker system df

Reclaim space:

docker system prune

This will remove:
– all stopped containers
– all networks not used by at least one container
– all dangling images
– all build cache


27 Responses

  1. Reiner says:

    Hi Carsten,

    maybe it’s not necessary to copy the certificates. You could provide them as a docker volume and use the SSL_-environment variables of the onlyoffice docker container to point at them.
    You have to put the dhparam.pem into another folder than /etc/ssl/certs because onlyoffice requires a snake-oil-cert to run. Such a file might not be the standard OS folder.

    ```
    openssl dhparam -out /etc/nextcloud/dhparam.pem 4096

    docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 \
    -v /etc/letsencrypt:/etc/letsencrypt:ro \
    -v /etc/nextcloud:/etc/nextcloud:ro \
    -e JWT_ENABLED='true' \
    -e JWT_SECRET='yoursecret' \
    -e SSL_CERTIFICATE_PATH=/etc/letsencrypt/live/your.dedyn.io/fullchain.pem \
    -e SSL_KEY_PATH=/etc/letsencrypt/live/your.dedyn.io/privkey.pem \
    -e SSL_DHPARAM_PATH='/etc/nextcloud/dhparam.pem' \
    --restart=always onlyoffice/documentserver
    ```

  2. Claudio Gonzales says:

    Hi

    Really nice tutorial.

    Having a small issue on my mature Ubuntu16.04/Nextcloud/ Setup. Nextcloud has been and is still running properly.

    Docker is working, Nginx is working properly when restarted. (It is installed alongside Apache)

    I do have letsencrypt certs working properly, but I cannot open the “https://mysebsite.com:8443”, Chrome returning “ERR_SSL_PROTOCOL_ERROR” & “This site can’t provide a secure connection” error.

    Cannot connect using the ONLYOFFICE app within Nextoffice as well, returning a “Error when trying to connect (Bad Request or timeout error)”

    UFW has been opened for 8443. But I am getting through because of cert error, not connection error, I think.

    Am I missing something?

  3. Michael Leitner says:

    Hello Carsten,

    thank you very much for the great tutorials!

    I installed Nextcloud 13 on Ubuntu 16 following your guide and I am very happy with it. 🙂
    Recently I installed Onlyoffice (locally) and unfortunately I only ever get the following message:
    “502 Bad Gateway nginx”. With one of my previous Nextcloud installations I was able to establish the connection
    without problems.

    I would be very glad about a tip.

    Many thanks and kind regards
    Michael

  4. Franko says:

    Hi Carsten

    I tried to install onlyoffice on Debian, but unfortunately it only works until the first reboot. After that onlyoffice is no longer reachable from Nextcloud. Either this is caused by Docker or by the Nextcloud conf ???

    Kind regards, Franko

  5. kresh says:

    Hi,
    As before, onlyneoffice: 8443 does not open. When you create a new document (doc, and others), the site header opens, and there is no web form of the document
    error
    tail -f /var/log/nginx/nextcloud.error.log
    [error] 1333#1333: *58 access forbidden by rule, client: 192.168.0.1, server: cloud.dom.ru, request: “GET /data/.ocdata?t=1530530270351 HTTP/2.0”, host: “cloud.dom.ru”
    cat /var/lib/docker/…/out.log
    [WARN] nodeJS – update cluster with 1 workers
    [WARN] nodeJS – worker 663 started.

  6. olivier says:

    Hi Carsten,
    Like Alessandro I have the same issue when I reboot my VM nextcloud.
    docker log MYCONTAINER says:

    “Starting redis-server: redis-server.
    Starting supervisor: supervisord.
    * Starting nginx nginx [ OK ]
    Generating AllFonts.js, please wait…Done
    onlyoffice-documentserver:docservice: stopped
    onlyoffice-documentserver:docservice: started
    onlyoffice-documentserver:converter: stopped
    onlyoffice-documentserver:converter: started
    * Reloading nginx configuration nginx [ OK ]
    root@fde0b2213e09:/# * Starting PostgreSQL 9.5 database server [ OK ]
    * Starting RabbitMQ Messaging Server rabbitmq-server * FAILED – check /var/log/rabbitmq/startup_{log, _err}
    [fail]
    Starting redis-server: redis-server.
    Waiting for connection to the localhost host on port 5672
    Waiting for connection to the localhost host on port 5672

    The problem is that /var/log/rabitmg… doesn’t exist

    and if I restart the docker container it’s ok, onlyoffice is working.

    I found this solution, but I don’t understand how to do it (https://github.com/ONLYOFFICE/Docker-DocumentServer/issues/92#issuecomment-381528225)

    Thanks,
    Olivier

  7. kresh says:

    According to your manual, I installed and successfully launched nextcloud, installed onlyoffice, but the welcome page onlyoffice does not open in the web browser, I get an error in the applet for connection. An error occurred while trying to connect (Query error or timeout)

    • How did you call the welcome-page – please provide the URL. Did you configure self-signed certificates or e.g. LE certificates to the ONLYOFFICE docker?

      • kresh says:

        link to my cloud resource https://cloud.hldns.ru/ .
        self-signed certificates for OO I did not configure, indicated the certificate Nextcloud as described in your article

        • kresh says:

          Create a folder and copy your ssl data:
          Full path to certificates ОО
          /app/onlyoffice/DocumentServer/data or /var/www/nextcloud/apps/onlyoffice/DocumentServer/data/certs ???

          • Create the folder as root:
            mkdir -p /app/onlyoffice/DocumentServer/data/certs

            copy your lets encrypt certificates or self signed certificates:
            cp /etc/letsencrypt/live/your.dedyn.io/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
            cp /etc/letsencrypt/live/your.dedyn.io/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt

            copy your diff.-h.- key:
            cp /etc/ssl/certs/dhparam.pem /app/onlyoffice/DocumentServer/data/certs/dhparam.pem

            Change permissions:
            chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key

          • kresh says:

            I checked the certificate files in the settings nextcloud of the OO add-on, connected by specifying the address of the document server and the key. Proliferation has occurred. But 1. when creating a new document, a blank page opens. The document server is still not available from the browser by the name of the site: 8443

  8. kresh says:

    Configured Nextcloud-works, installed onlyoffice-errors with no logs. When accessing the site name in the browser: https: // name: 8443 -I can not access the site. If you specify the Address of the document editing service, an error occurs: “An error occurred while trying to connect (Request or timeout error)
    ONLYOFFICE “

  9. Jan says:

    Hi Carsten,

    first of all: thanks for this guide.

    Only two notes:
    1. The stable branch of Docker is now available for 18.04, so you now can use: sed -i '$adeb https://download.docker.com/linux/ubuntu bionic stable' /etc/apt/sources.list
    2. What about the security? It seems that your OnlyOffice instance is reachable from the internet (https://your.dedyn.io:8443). When someone finds out the actual URL, then he could use your OO instance. To avoid this, you should use the parameters JWT_ENABLED and JWT_SECRET. This way, no one could use your OO instance without knowledge of the JWT secret (you’ll receive an error message when trying to add the OO connection in the Nextcloud app). On the other hand: When adding “'verify_peer_off' => true,” to the Nextcloud config, the certificate of the OO server can also be a self signed certificate. After applying a self signed cert, you could also use the URL https://192.168.2.118:8443 when adding OO to Nextcloud. This way, all the traffic to the OO instance would be limited to your local network and there should be no need to apply a port forwarding in your router.

    Best regards,
    Jan

  10. Alessandro says:

    Hi, after a reboot docker is restarted automatically, but the server is not reachable to port 8443, i have to remove and recreate the container. any hints?

    Thanks

    • To be honest: no! Any other tool that established a connection to 8443? UFW configured properly (ufw allow 8443/tcp)? I assume you start the docker as I described?

      • Alessandro says:

        Yes, followed the guide step by step. Clean install of Ubuntu 18.04, next installed with your 2 scripts (nextcloud and let’s encrypt) and next this guide. UFW configured properly. fail2ban not listing any ip.

  11. olivier says:

    Hi Carsten,
    So nice your tuto !
    is it possible to put the lines “copy/paste ssl certs” in the renewal.sh (https://www.c-rieger.de/nextcloud-installation-guide-advanced/#c11) ?
    Thanks,
    Olivier

    • Yes, you find the modified script below:
      #!/bin/bash
      cd /etc/letsencrypt
      letsencrypt renew
      result=$(find /etc/letsencrypt/live/ -type l -mtime -1 )
      if [ -n "$result" ]; then
      /usr/sbin/service nginx stop
      cp /etc/letsencrypt/live/your.dedyn.io/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
      cp /etc/letsencrypt/live/your.dedyn.io/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
      chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
      /usr/sbin/service mysql restart
      /usr/sbin/service redis-server restart
      /usr/sbin/service php7.2-fpm restart
      /usr/sbin/service nginx restart
      # restart the most recently created container (an alias would not be expanded in a script)
      docker restart "$(docker ps -l -q)"
      fi
      exit 0

      You only have to substitute “your.dedyn.io” with your ddns. I have already added the script to this blog.
