OnlyOffice Document Server


Prerequisites

Docker
For the Docker version
PostgreSQL
For the Binary versions
RabbitMQ
For the Binary versions
Redis
For the Binary versions
Snap
For the Snap version

Container Installation

Installation via containerization is the simplest way to go. The containers have the database, RabbitMQ, and Redis services already set up.

Docker

Create the following directories.

sudo mkdir /var/{lib,log}/onlyoffice

Issue one command to download and start the Docker instance.

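# Start the document server container.
# The port is published on loopback only, so the plain-HTTP backend is reachable
# solely through the TLS reverse proxy described under "Reverse Proxy Setup".
# If the proxy runs on another machine, bind to that internal interface instead
# and firewall the port.
# JWT_ENABLED / JWT_SECRET make the server reject editor requests that are not
# signed with the shared secret. Replace the placeholder with a long random
# value and configure the same secret in the integrating application.
# The image is referenced without a tag (i.e. "latest"); pin a specific version
# tag so upgrades are deliberate and reviewable.
sudo docker run -i -t -d -p 127.0.0.1:[port]:80 --restart=always \
   -e JWT_ENABLED=true -e JWT_SECRET='[jwt-secret]' \
   -v /var/log/onlyoffice:/var/log/onlyoffice \
   -v /var/lib/onlyoffice:/var/lib/onlyoffice \
   -v /usr/share/fonts:/usr/share/fonts/truetype/custom  onlyoffice/documentserver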

Snap

sudo snap install onlyoffice-ds

Binary Installation

# -Syu refreshes the package databases and upgrades the whole system before installing.
# NOTE(review): yay is an AUR helper; if this package is built from the AUR rather than
# an official repository, review its PKGBUILD first, since AUR build scripts are user-contributed.
yay -Syu onlyoffice-documentserver

PostgreSQL Database Setup

Database setup only needs to be done for Docker and Binary versions, which use the system's database server. The Snap version uses a built-in MariaDB database server.

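# Create the database and a dedicated role for the document server.
# Replace [db-password] with a unique, randomly generated value; a password equal
# to the well-known role name is trivially guessable by anything that can reach
# the PostgreSQL port. Set the same value in the document server's database
# configuration.
# A password passed with -c ends up in shell history and the process list;
# setting it interactively with psql's \password command avoids that.
sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password '[db-password]';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"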

Reverse Proxy Setup

Nginx

Configure nginx to act as a proxy

/etc/nginx/sites-available/<domain>
# Backend document server, reached over plain HTTP.
# NOTE(review): the port is fixed at 8888 here while the docker run command
# publishes [port]; the two must match.
upstream docservice {
	server <docker-ip>:8888;
}

# Host to report to the backend: the raw Host header, or $host when the
# request carried none.
map $http_host $this_host {
	""	$host;
	default	$http_host;
}

# The next two maps pass through X-Forwarded-Proto / X-Forwarded-Host values
# supplied with the request when present, and fall back to nginx's own view
# otherwise. That is only appropriate when nginx sits behind another trusted
# proxy or load balancer that sets these headers. When nginx is the
# internet-facing edge, any client can set them, so map them to $scheme and
# $this_host unconditionally instead.
map $http_x_forwarded_proto $the_scheme {
	default	$http_x_forwarded_proto;
	""	$scheme;

}

map $http_x_forwarded_host $the_host {
	default	$http_x_forwarded_host;
	""	$this_host;
}

# Connection header for the backend: "upgrade" when the client asked for a
# protocol upgrade (WebSocket), "close" otherwise.
map $http_upgrade $proxy_connection {
	default	upgrade;
	""	close;
}

# Headers forwarded to the backend on every proxied request. X-Forwarded-For
# appends the client address to any list the client already sent, so only the
# last entry is trustworthy to the backend.
proxy_set_header	Upgrade $http_upgrade;
proxy_set_header	Connection $proxy_connection;
proxy_set_header	X-Forwarded-Host $the_host;
proxy_set_header	X-Forwarded-Proto $the_scheme;
proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;

# Port 80: no content is served in cleartext; every request is permanently
# redirected to the same host and URI over HTTPS.
server {
	listen		80;
	listen		[::]:80;
	server_name	<domain>;
	# Do not advertise the nginx version.
	server_tokens	off;
	rewrite		^ https://$host$request_uri? permanent;
}

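# Port 443: terminates TLS and proxies everything except ACME challenges to
# the document server backend.
server {

	listen				443 ssl http2;
	listen				[::]:443 ssl http2;
	# Same <domain> placeholder as the port-80 block and the certificate paths,
	# instead of a hard-coded host name.
	server_name			<domain>;
	# Do not advertise the nginx version.
	server_tokens off;

	ssl_certificate			/etc/letsencrypt/live/<domain>/fullchain.pem;
	ssl_certificate_key		/etc/letsencrypt/live/<domain>/privkey.pem;
	ssl_trusted_certificate		/etc/letsencrypt/live/<domain>/chain.pem;
	# NOTE(review): no ssl_protocols / ssl_ciphers are set in this block, so they
	# come from the http context or nginx's built-in defaults. Confirm that
	# TLS 1.0 and 1.1 are disabled there.

	# "always" sends HSTS on error responses too, not only on 2xx/3xx.
	add_header			Strict-Transport-Security max-age=31536000 always;
	# X-Frame-Options is left disabled, presumably because the editors are
	# embedded in frames by an integrating application on another origin.
	# To limit who may frame the editor, consider a Content-Security-Policy
	# frame-ancestors list of the known integrator origins.
#	add_header			X-Frame-Options SAMEORIGIN;
	add_header			X-Content-Type-Options nosniff;

	# The "main" log format and the "gulag" rate-limit zone are not defined in
	# this file. Matching log_format and limit_req_zone directives must exist
	# in the http context, or nginx will refuse to load the configuration.
	access_log			/var/log/nginx/access.log main buffer=32k;
	error_log			/var/log/nginx/error.log error;
	limit_req			zone=gulag burst=200 nodelay;


	# ACME challenge
	# NOTE(review): the directory is derived from the request's Host value;
	# a literal <domain> path would be easier to audit.
	location ^~ /.well-known {
		allow			all;
		alias			/var/lib/letsencrypt/$host/.well-known;
		default_type		"text/plain";
		try_files		$uri =404;
	}

	# Everything else goes to the backend over plain HTTP; HTTP/1.1 is required
	# for the WebSocket upgrade. Keep the backend reachable only from this proxy.
	location / {
		proxy_pass		http://docservice;
		proxy_http_version	1.1;
	}
}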

After finalizing, you should now be able to navigate to https://<domain> and see the OnlyOffice Document Server welcome page with a green checkmark indicating everything is running properly.

Apache

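## Apache as a TLS-terminating reverse proxy in front of the document server.

Listen 80
Listen 443

## Only the modules this proxy configuration uses are loaded.
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

## Run the worker processes as the unprivileged daemon user.
<IfModule unixd_module>
  User daemon
  Group daemon
</IfModule>

## NOTE(review): SSLEngine is enabled at server level rather than inside a
## <VirtualHost *:443>, so it appears to apply to the port 80 listener as
## well. Confirm that is intended, or scope the TLS settings to a port 443
## virtual host.
SSLEngine on
SSLCertificateFile "{{SSL_CERTIFICATE_PATH}}"
SSLCertificateKeyFile "{{SSL_KEY_PATH}}"

## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

## "!DES" excludes only single DES; the trailing "!3DES" also removes the
## DES-CBC3 (64-bit block) suites that the list would otherwise still offer.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES
## "All" minus SSLv2/SSLv3 still leaves TLS 1.0 and 1.1 enabled; disable them
## too so that only TLS 1.2 and later are negotiated.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLHonorCipherOrder on

## [Optional] Generate a stronger DHE parameter:
##   cd /etc/ssl/certs
##   sudo openssl dhparam -out dhparam.pem 4096
##
# SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

## Capture the request's Host header so it can be forwarded to the backend.
SetEnvIf Host "^(.*)$" THE_HOST=$1
## "setifempty" keeps any X-Forwarded-Proto / X-Forwarded-Host value the
## client already sent. That is only appropriate when Apache sits behind
## another trusted proxy. When Apache is the internet-facing edge, use
## "RequestHeader set" so clients cannot supply these values themselves.
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
## Stop mod_proxy from adding its own X-Forwarded-* headers.
ProxyAddHeaders Off

## WebSocket paths are tunnelled over ws://, everything else over http://.
## Both backend legs are unencrypted, so keep the backend on loopback or a
## trusted network segment that only this proxy can reach.
ProxyPassMatch (.*)(\/websocket)$ "ws://backendserver-address/$1$2"
ProxyPass / "http://backendserver-address/"
ProxyPassReverse / "http://backendserver-address/"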