Nextcloud 15 and ONLYOFFICE (NGINX)

Nextcloud and ONLYOFFICE on one server

  1. Onlyoffice using the same domain as Nextcloud
  2. Onlyoffice using a different domain as Nextcloud

Start with the preparation of your router and open a TCP port in particular for ONLYOFFICE : 8443

Prepare your environment with docker…

apt remove docker docker-engine
apt install apt-transport-https ca-certificates curl software-properties-common

… on Ubuntu:

sed -i '$adeb bionic stable' /etc/apt/sources.list
curl -fsSL | sudo apt-key add -

… on Debian:

sed -i '$deb [arch=amd64] stretch stable' /etc/apt/sources.list
curl -fsSL | sudo apt-key add -

… on both:

apt update && apt install docker-ce -y

Please ensure, docker is now running properly e.g. by issuing

docker run hello-world

Then start downloading and install the ONLYOFFICE Documentserver:

docker pull onlyoffice/documentserver

Wait for about 650 MB of downloaded binaries and modify your NGINX configuration properly.

Make ammendments to your NGINX configuration:

vi /etc/nginx/nginx.conf

Copy/paste the upstream onlyoffice-docker or the entire nginx.conf file:

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/;
events {
worker_connections 1024;
multi_accept on;
use epoll;
http {
server_names_hash_bucket_size 64;
upstream onlyoffice-docker {
upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
include /etc/nginx/proxy.conf;
include /etc/nginx/ssl.conf;
include /etc/nginx/header.conf;
include /etc/nginx/optimization.conf;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status' ;
access_log /var/log/nginx/access.log main;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;


HINT (for self signed ssl environments only!):
Enhance your Nextcloud config.php by issuing
sudo -u www-data vi /var/www/nextcloud/config/config.php
and paste the following rows before the last );
'onlyoffice' =>
array (
'verify_peer_off' => TRUE,

Restart your PHP and Webserver by issuing

service php7.3-fpm restart && service nginx restart

Create a folder and copy your ssl data:

mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp /etc/letsencrypt/live/ /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/live/ /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
cp /etc/ssl/certs/dhparam.pem /app/onlyoffice/DocumentServer/data/certs/dhparam.pem
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key


HINT (for Let's Encrypt renewals only!):
If your Let's Encrypt ssl certificates will be renewed you have to copy the new certificates again and restart your docker or use this to embed in your crontab:

cd /etc/letsencrypt
letsencrypt renew
result=$(find /etc/letsencrypt/live/ -type l -mtime -1 )
if [ -n "$result" ]; then
/usr/sbin/service nginx stop
cp /etc/letsencrypt/live/ /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/live/ /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/usr/sbin/service mysql restart
/usr/sbin/service redis-server restart
/usr/sbin/service php7.3-fpm restart
/usr/sbin/service nginx restart 
exit 0

Then start the docker image by issuing the following statement (1 row):

docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' --restart=always onlyoffice/documentserver

Call your server and enjoy your ONLYOFFICE Documentserver response:

Logon to your Nextcloud as your administrator and enable the ONLYOFFICE app.

Switch to the Settings and fill in your Nextcloud domain and the port 8443 ( as shown examplarily. Add your yoursecret in the advanced section of the ONLYOFFICE configuration panel:

From now, you can create and edit office documents directly in your Nextcloud instance.

ONLYOFFICE is now part of your awesome Nextcloudserver! If you want to operate ONLYOFFICE on a dedicated server, just follow these ONLYOFFICE instructions

From my perspective, a more stable and reliable scenario would be to enhance your certificate with a further (sub-)domain

letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d YOUR.DEDYN.IO -d YOUR2.DEDYN.IO

and create a separate virtual host for onlyoffice

vi /etc/nginx/conf.d/onlyoffice.conf

Paste all the following rows

server {
listen 443 ssl http2;
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;

and restart nginx

service nginx restart

Switch to the Nextcloud settings for Onlyoffice. Fill in your new created domain without any port ( and  keep/add your yoursecret in the advanced section of the ONLYOFFICE configuration panel as shown

The docker statements remains the same.

docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' --restart=always onlyoffice/documentserver

Following this scenario you neither need any portforwarding in your router for Onlyoffice nor the upstream statement

upstream onlyoffice-docker {

in the /etc/nginx/nginx.conf any longer. So please remove the port forwarding (8443) within your router if you follow this second scenario. Onlyoffice will listen on port 443 (default) using your second (sub-)domain only.

Enjoy your personal data in your secured and hardened Nextcloud-Server!

Don’t forget to backup your Nextcloud

Find more instructions here: Nextcloud backup and restore

Carsten Rieger

Usefull docker-things:

Status of docker container:

docker ps
docker image list

Issuing updates for ONLYOFFICE:

docker ps
docker stop <id from "docker ps">
docker pull onlyoffice/documentserver
docker rm <id from "docker ps">
docker run -i -t -d -p 8443:443 --restart=always -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver
service nginx restart

Amount of used docker space:

docker system df

Reclaim space:

docker system prune

This will remove:
– all stopped containers
– all networks not used by at least one container
– all dangling images
– all build cache

Carsten Rieger

Carsten Rieger is a senior system engineer in full-time and also working as an IT freelancer. He is working with linux environments for more than 13 years, an Open Source enthusiast and highly motivated on linux installation and troubleshooting. Mostly working with Debian/Ubuntu Linux, Nginx and Apache web server, MariaDB/MySQL/PostgreSQL, PHP, Cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube) and in voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.