Nextcloud and ONLYOFFICE (NGINX)


Nextcloud and ONLYOFFICE on one server


  1. Onlyoffice using the same domain as Nextcloud
  2. Onlyoffice using a different domain as Nextcloud

Start with the preparation of your router and open a TCP port in particular for ONLYOFFICE : 8443

Prepare your environment with docker…

apt remove docker docker-engine docker.io
apt install apt-transport-https ca-certificates curl software-properties-common -y
ufw allow 8443/tcp

… on Ubuntu:

sed -i '$adeb https://download.docker.com/linux/ubuntu bionic stable' /etc/apt/sources.list
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

… on Debian:

sed -i '$adeb [arch=amd64] https://download.docker.com/linux/debian stretch stable' /etc/apt/sources.list
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

… on both:

apt update && apt install docker-ce -y

Please ensure, docker is now running properly e.g. by issuing

docker run hello-world

Then start downloading and install the ONLYOFFICE Documentserver:

docker pull onlyoffice/documentserver

Wait for about 650 MB of downloaded binaries and modify your NGINX configuration properly.

Make ammendments to your NGINX configuration:

vi /etc/nginx/nginx.conf

Copy/paste the upstream onlyoffice-docker or the entire nginx.conf file:

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
server_names_hash_bucket_size 64;
upstream onlyoffice-docker {
server 127.0.0.1:8443;
}
upstream php-handler {
server unix:/run/php/php7.3-fpm.sock;
}
set_real_ip_from 127.0.0.1;
set_real_ip_from 192.168.2.0/24;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
include /etc/nginx/mime.types;
include /etc/nginx/proxy.conf;
include /etc/nginx/ssl.conf;
include /etc/nginx/header.conf;
include /etc/nginx/optimization.conf;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status' ;
access_log /var/log/nginx/access.log main;
sendfile on;
send_timeout 3600;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=500 inactive=10m;
open_file_cache_errors on;
keepalive_timeout 65;
reset_timedout_connection on;
server_tokens off;
resolver 192.168.2.1 valid=30s;
resolver_timeout 5s;
include /etc/nginx/conf.d/*.conf;
}

HINT (for self signed ssl environments only!):
Enhance your Nextcloud config.php by issuing
sudo -u www-data vi /var/www/nextcloud/config/config.php
and paste the following rows before the last );
...
'onlyoffice' =>
array (
'verify_peer_off' => TRUE,
),
);

Verify your ssl.conf regarding the requirements depending on OnlyOffice (TLS1.2 only!)

ssl_certificate /etc/letsencrypt/rsa-certs/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/rsa-certs/privkey.pem;
ssl_certificate /etc/letsencrypt/ecc-certs/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/ecc-certs/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/ecc-certs/chain.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';
ssl_ecdh_curve X448:secp521r1:secp384r1:prime256v1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;

Restart your PHP and Webserver by issuing

service php7.3-fpm restart && service nginx restart

Create a folder and copy your ssl data:

mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp /etc/letsencrypt/rsa-certs/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/rsa-certs/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt cp /etc/ssl/certs/dhparam.pem /app/onlyoffice/DocumentServer/data/certs/dhparam.pem chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key

Repeat this step after every certificate renewal or automatically e.g. per shellscript using cron

vi /root/renewal.sh
#!/bin/bash
/root/.acme.sh/acme.sh --renew -d your.dedyn.io
/root/.acme.sh/acme.sh --renew -d your.dedyn.io --ecc
/usr/sbin/service nginx stop
cp /etc/letsencrypt/rsa-certs/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
cp /etc/letsencrypt/rsa-certs/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
cp /etc/ssl/certs/dhparam.pem /app/onlyoffice/DocumentServer/data/certs/dhparam.pem
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/usr/sbin/service mysql restart
/usr/sbin/service redis-server restart
/usr/sbin/service php7.3-fpm restart
/usr/bin/docker restart ONLYOFFICEDOCKER
/usr/sbin/service nginx restart
exit 0
chmod +x /root/renewal.sh
(crontab -l ; echo "@weekly /root/renewal.sh 2>&1") | crontab -u root -

Then start the docker image by issuing the following statement (1 row):

docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' --restart=always onlyoffice/documentserver

Call your server and enjoy your ONLYOFFICE Documentserver response:

https://your.dedyn.io:8443

Logon to your Nextcloud as your administrator and enable the ONLYOFFICE app.

Switch to the Settings and fill in your Nextcloud domain and the port 8443 (https://your.dedyn.io:8443) as shown examplarily. Add your yoursecret in the advanced section of the ONLYOFFICE configuration panel:

From now, you can create and edit office documents directly in your Nextcloud instance.


ONLYOFFICE is now part of your awesome Nextcloudserver! If you want to operate ONLYOFFICE on a dedicated server, just follow these ONLYOFFICE instructions


From my perspective, a more stable and reliable scenario would be to enhance your certificate with a further (sub-)domain

letsencrypt certonly -a webroot --webroot-path=/var/www/letsencrypt --rsa-key-size 4096 -d YOUR.DEDYN.IO -d YOUR2.DEDYN.IO

and create a separate virtual host for onlyoffice

vi /etc/nginx/conf.d/onlyoffice.conf

Paste all the following rows

server {
listen 443 ssl http2;
server_name your2.dedyn.io;
location / {
proxy_pass https://127.0.0.1:8443;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

and restart nginx

service nginx restart

Switch to the Nextcloud settings for Onlyoffice. Fill in your new created domain without any port (https://your2.dedyn.io) and  keep/add your yoursecret in the advanced section of the ONLYOFFICE configuration panel as shown

The docker statements remains the same.

docker run --name=ONLYOFFICEDOCKER -i -t -d -p 8443:443 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -e JWT_ENABLED='true' -e JWT_SECRET='yoursecret' --restart=always onlyoffice/documentserver

Following this scenario you neither need any portforwarding in your router for Onlyoffice nor the upstream statement

upstream onlyoffice-docker {
server 127.0.0.1:8443;
}

in the /etc/nginx/nginx.conf any longer. So please remove the port forwarding (8443) within your router if you follow this second scenario. Onlyoffice will listen on port 443 (default) using your second (sub-)domain only.


Enjoy your personal data in your secured and hardened Nextcloud-Server!


Don’t forget to backup your Nextcloud

Find more instructions here: Nextcloud backup and restore



Carsten Rieger


Usefull docker-things:

Status of docker container:

docker ps
docker image list

Issuing updates for ONLYOFFICE:

docker ps
docker stop <id from "docker ps">
docker pull onlyoffice/documentserver
docker rm <id from "docker ps">
docker run -i -t -d -p 8443:443 --restart=always -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver
service nginx restart

Amount of used docker space:

docker system df

Reclaim space:

docker system prune

This will remove:
– all stopped containers
– all networks not used by at least one container
– all dangling images
– all build cache


Carsten Rieger

Carsten Rieger is a senior system engineer in full-time and also working as an IT freelancer. He is working with linux environments for more than 13 years, an Open Source enthusiast and highly motivated on linux installation and troubleshooting. Mostly working with Debian/Ubuntu Linux, Nginx and Apache web server, MariaDB/MySQL/PostgreSQL, PHP, Cloud infrastructure (e.g. Nextcloud) and other open source projects (e.g. Roundcube) and in voluntary work for the Dr. Michael & Angela Jacobi Stiftung for more than 7 years.