OnlyOffice Document Server

From The Brainwrecked Wiki
Revision as of 03:52, 11 December 2019 by BrainwreckedTech (talk | contribs) (Created page.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Prequisites

Docker
For the Docker version
PostgreSQL
For the Docker and Binary versions
RabbitMQ
For the Docker and Binary versions
Redis
For the Docker and Binary versions
Snap
For the Snap version

PostgreSQL Database Setup

Database setup only needs to be done for Docker and Binary versions, which use the system's database server. The Snap version uses a built-in MariaDB database server. 

sudo -u postgres psql -c "CREATE DATABASE onlyoffice;"
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';"
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"

Installation

Binary

yay -Syu onlyoffice-documentserver

Docker

Create the following directories. 

sudo mkdir /var/{lib,log}/onlyoffice

Issue one command to download and start the Docker instance. 

sudo docker run -i -t -d -p [port]:80 --restart=always \
   -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
   -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
   -v /app/onlyoffice/DocumentServer/db:/srv/psql  onlyoffice/documentserver

Snap

sudo snap install onlyoffice-ds

Reverse Proxy Setup

Nginx

Configure nginx to act as a proxy 

/etc/nginx/sites-available/<domain>
upstream docservice {
	server <docker-ip>:8888;
}

map $http_host $this_host {
	""	$host;
	default	$http_host;
}

map $http_x_forwarded_proto $the_scheme {
	default	$http_x_forwarded_proto;
	""	$scheme;

}

map $http_x_forwarded_host $the_host {
	default	$http_x_forwarded_host;
	""	$this_host;
}

map $http_upgrade $proxy_connection {
	default	upgrade;
	""	close;
}

proxy_set_header	Upgrade $http_upgrade;
proxy_set_header	Connection $proxy_connection;
proxy_set_header	X-Forwarded-Host $the_host;
proxy_set_header	X-Forwarded-Proto $the_scheme;
proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;

server {
	listen		80;
	listen		[::]:80;
	server_name	<domain>;
	server_tokens	off;
	rewrite		^ https://$host$request_uri? permanent;
}

server {

	listen				443 ssl http2;
	listen				[::]:443 ssl http2;
	server_name			ods.bwt.com.de;
	server_tokens off;

	ssl_certificate			/etc/letsencrypt/live/<domain>/fullchain.pem;
	ssl_certificate_key		/etc/letsencrypt/live/<domain>/privkey.pem;
	ssl_trusted_certificate		/etc/letsencrypt/live/<domain>/chain.pem;

	add_header			Strict-Transport-Security max-age=31536000;
#	add_header			X-Frame-Options SAMEORIGIN;
	add_header			X-Content-Type-Options nosniff;

	access_log			/var/log/nginx/access.log main buffer=32k;
	error_log			/var/log/nginx/error.log error;
	limit_req			zone=gulag burst=200 nodelay;


	# ACME challenge
	location ^~ /.well-known {
		allow			all;
		alias			/var/lib/letsencrypt/$host/.well-known;
		default_type		"text/plain";
		try_files		$uri =404;
	}

	location / {
		proxy_pass		http://docservice;
		proxy_http_version	1.1;
	}
}

After finalizing, you should now be able to navigate to https://<domain> and see the OnlyOffice Document Server welcome page with a green checkmark indicating everything is running properly.

Apache

Listen 80
Listen 443
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so

<IfModule unixd_module>
  User daemon
  Group daemon
</IfModule>

SSLEngine on
SSLCertificateFile "{{SSL_CERTIFICATE_PATH}}"
SSLCertificateKeyFile "{{SSL_KEY_PATH}}"

## Strong SSL Security
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder on

## [Optional] Generate a stronger DHE parameter:
##   cd /etc/ssl/certs
##   sudo openssl dhparam -out dhparam.pem 4096
##
# SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

SetEnvIf Host "^(.*)$" THE_HOST=$1
RequestHeader setifempty X-Forwarded-Proto https
RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
ProxyAddHeaders Off

ProxyPassMatch (.*)(\/websocket)$ "ws://backendserver-address/$1$2"
ProxyPass / "http://backendserver-address/"
ProxyPassReverse / "http://backendserver-address/"
Retrieved from "https://wiki.bwt.com.de/index.php?title=OnlyOffice_Document_Server&oldid=364"