Howto install Onlyoffice document server as Nextcloud app

Hi, I’m new to the community.
I have a question about the connection to nextcloud/onlyoffice from outside.
To access onlyoffice from the outside, I had to enable the fw_onlyoffice service to accept the connections on the red.
What risks do I run by keeping the service open on red?

add firewall service

config set fw_onlyoffice service status enabled TCPPort 8082 access green red
signal-event firewall-adjust

Hi @xcostax,

welcome to the NethServer community.

Usually the onlyoffice documentserver should run on the default HTTPS port, but as we already have apache running on that port we decided to change the nginx port to 8082, so I think it’s OK to open that port.

I didn’t read about security issues so far.


Thank you mrmarkuz. Your work was very useful


@mrmarkuz Tried to install onlyoffice on an updated NC13 with original NS certs.

When I press save I get this error:

and from NC log:


Thanks, with Nextcloud 13 it seems like you need a valid certificate, it doesn’t work with a self-signed cert, I already changed the howto…


Fixed the problem.

I inserted in /usr/share/nextcloud/config/config.php at the end of the array
'onlyoffice' => array ( 'verify_peer_off' => TRUE )

So my config.php looks like:

<?php
$CONFIG = array (
  'passwordsalt' => 'm8MtZJRUJQcuEUBJgDmOZj1v9Vef0j',
  'secret' => 'LTOKh+dk9oGXzL1HPmxKo2SrfWJ0ViAhraF1obCda0anRPkB',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'ns7ad1.jeckel.lan',
    2 => '192.168.0.236',
    3 => '93.82.232.19',
  ),
  'datadirectory' => '/var/lib/nethserver/nextcloud/',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'version' => '13.0.0.14',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'loWZByQjtAHKRFDe',
  'installed' => true,
  'instanceid' => 'oczakujqudo2',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => false,
  'loglevel' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'onlyoffice' => array ( 'verify_peer_off' => TRUE)
);

Yippee yay yeah… :smile:


Onlyoffice module available, please test before using in production…

https://wiki.nethserver.org/doku.php?id=onlyoffice


damn it, the like button falls short so… :heart_eyes: :heart_eyes: :heart_eyes:


Couldn’t make it work on a test server on VirtualBox using a self-signed certificate and Nextcloud 12.0.5.
Document server on port 8082 showed as working but nextcloud reported:

Error	PHP	file_get_contents(https://server.example.com:8082/coauthoring/CommandService.ashx): failed to open stream: operation failed at /usr/share/nextcloud/apps/onlyoffice/lib/documentservice.php#351

After some fiddling and a reboot nextcloud finally saved the https://fqdn:8082/ after several retries, but editing a document brings a blank page below the nextcloud top navigation bar. I bet I’m doing something wrong (to be continued in the morning).

Some excerpts from logs follow (including some warnings/errors from dependent packages that maybe could be obviated)

yum install (SELinux warnings/errors excluded):

ValueError: Port @tcp/3000 is not defined
ValueError: Port tcp/8000 already defined
ValueError: Port tcp/8080 already defined
warning: %post(onlyoffice-documentserver-5.0.7-38.x86_64) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package onlyoffice-documentserver-5.0.7-38.x86_64

/var/log/messages:

Mar 17 00:36:33 server esmith::event[4210]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.193144]
Mar 17 00:36:33 server esmith::event[4210]: could not change directory to "/root"
Mar 17 00:36:34 server esmith::event[4210]: CREATE DATABASE
Mar 17 00:36:34 server esmith::event[4210]: could not change directory to "/root"
Mar 17 00:36:34 server esmith::event[4210]: CREATE ROLE
Mar 17 00:36:34 server esmith::event[4210]: could not change directory to "/root"
Mar 17 00:36:34 server esmith::event[4210]: GRANT
Mar 17 00:36:34 server esmith::event[4210]: Created symlink from /etc/systemd/system/multi-user.target.wants/supervisord.service to /usr/lib/systemd/system/supervisord.service.
Mar 17 00:36:34 server systemd: Reloading.
Mar 17 00:36:34 server esmith::event[4210]: Created symlink from /etc/systemd/system/multi-user.target.wants/rabbitmq-server.service to /usr/lib/systemd/system/rabbitmq-server.service.
Mar 17 00:36:34 server systemd: Reloading.
Mar 17 00:36:34 server systemd: Starting RabbitMQ broker...
Mar 17 00:36:34 server systemd: Cannot find unit for notify message of PID 4276.
Mar 17 00:36:34 server systemd: Cannot find unit for notify message of PID 4277.
Mar 17 00:36:34 server systemd: rabbitmq-server.service: Got notification message from PID 4279, but reception only permitted for main PID 4263
Mar 17 00:36:35 server systemd: Cannot find unit for notify message of PID 4300.
Mar 17 00:36:35 server systemd: rabbitmq-server.service: Got notification message from PID 4301, but reception only permitted for main PID 4263
Mar 17 00:36:35 server systemd: Cannot find unit for notify message of PID 4302.

Mar 17 00:36:41 server esmith::event[4210]: Trying to establish RabbitMQ connection... OK

Mar 17 00:36:43 server esmith::event[4210]: ValueError: Port tcp/9999 already defined

/var/log/onlyoffice/documentserver/gc/err.log:

events.js:160
      throw er; // Unhandled 'error' event
      ^

error: terminating connection due to administrator command
    at Connection.parseE (/var/www/onlyoffice/documentserver/server/DocService/node_modules/pg/lib/connection.js:567:11)
    at Connection.parseMessage (/var/www/onlyoffice/documentserver/server/DocService/node_modules/pg/lib/connection.js:391:17)
    at Socket.<anonymous> (/var/www/onlyoffice/documentserver/server/DocService/node_modules/pg/lib/connection.js:129:22)
    at emitOne (events.js:96:13)
    at Socket.emit (events.js:188:7)
    at readableAddChunk (_stream_readable.js:176:18)
    at Socket.Readable.push (_stream_readable.js:134:10)
    at TCP.onread (net.js:547:20)

/var/log/redis/redis.log:

5176:M 17 Mar 00:36:52.997 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
5176:M 17 Mar 00:36:52.997 # Server started, Redis version 3.2.10
5176:M 17 Mar 00:36:52.997 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
5176:M 17 Mar 00:36:52.997 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
5176:M 17 Mar 00:36:52.997 * DB loaded from disk: 0.000 seconds
5176:M 17 Mar 00:36:52.997 * The server is now ready to accept connections on port 6379

/var/log/supervisor/supervisord.log:

2018-03-17 00:36:44,436 CRIT Supervisor running as root (no user in config file)


Thanks for testing!

It seems to be another problem but did you apply this patch:

Yes, I already tried it with that setting.

Can you browse to https://neth:8082 and see this site?


I tested it on another server now. I got similar error messages in the logfiles you posted but it works. I have to tidy up the scripts to throw less errors, it’s the first working draft.

Is nginx running and the port open?

netstat -tlpn | grep nginx

Maybe a wrong port in /etc/nginx/conf.d/onlyoffice-documentserver.conf?

Do you have some software on your testserver which may collide in some way with nginx/onlyoffice/port 8082?

Yes.

Yes.

tcp        0      0 0.0.0.0:8082            0.0.0.0:*               LISTEN      1575/nginx: master  
tcp6       0      0 :::8082                 :::*                    LISTEN      1575/nginx: master
## HTTPS host
server {
  listen 0.0.0.0:8082 ssl;
  listen [::]:8082 ssl default_server;

No, not that I’m aware.

Edit: But on Firefox console I can see some errors:

Content Security Policy: The page's settings blocked the loading of a resource at https://server.example.com/nextcloud/index.php/apps/onlyoffice/381 ("base-uri 'none'"). (unknown)
Content Security Policy: The page's settings blocked the loading of a resource at about:blank ("base-uri 'none'"). (unknown)
Strict-Transport-Security: The connection to the site is untrustworthy, so the specified header was ignored.[Learn More] editor.js
ReferenceError: error is not defined
OCA.Onlyoffice.InitEditor()
 editor.js:46
n.Callbacks/j()
 core.js:2
n.Callbacks/k.fireWith()
 core.js:2
.ready()
 core.js:2
I()

I think I could reproduce it. I get a blank page with nextcloud top nav when I enter a FQDN instead of IP in the Nextcloud/Admin/Onlyoffice settings. A FQDN only works if the certificate is valid/not self-signed, letsencrypt works.


Thanks for the heads up!
Yesterday, the first few times I tried with the IP I got:

file_get_contents(https://192.168.1.11:8082/coauthoring/CommandService.ashx): failed to open stream: operation failed at /usr/share/nextcloud/apps/onlyoffice/lib/documentservice.php#351

Setting the green IP it works, but only from the internal network (‘no route to host’ from red).
Setting the FQDN it works from both sides (green, red) on Chrome/Chromium but not on Firefox.

Will try it with Nextcloud 13 and Let’s Encrypt cert.

Did you try it on red with using public IP in the Nextcloud onlyoffice settings and port forwarding to your virtualbox VM? https://IP_in_settings:8082 must be reachable from the client where you are using Firefox/Nextcloud.

I forwarded ports 80, 443 and 8082 but it didn’t work. Don’t worry, I will move the test to an FQDN with Let’s Encrypt.


Setup

  • Nethserver 7.4
  • Nextcloud 13.0.0
  • OnlyOffice Document Server 5.0.7

All installed on the same server despite:

ONLYOFFICE Document Server and ownCloud/Nextcloud must be installed on different computers, otherwise problems might occur and no correct connector work can be guaranteed.

Notes:

  • Logs show the same warnings/errors as reported earlier.
  • OnlyOffice integration is working well (nextcloud app set with the https://FQDN:8082/)
  • Accessible from internal and public network using FQDN

Using Self-signed certificate:

  • Requires setting 'onlyoffice' => array ( 'verify_peer_off' => TRUE), in nextcloud config file, as reported by @flatspin
  • Works on Chrome/Chromium
  • Does not work on Firefox due to certificate trust (UNKNOWN ISSUER)

Using a valid certificate makes it work also on Firefox.


I know it’s in early stage and, to be fair, I don’t know much about it (neither have a preference for onlyoffice or collabora) but we (all) can start considering how to secure it. I’m sure you already considered some options but if it’s of any help:

  • set a random postgres dbpass (even if only accessible from localhost)?
  • Having the document server exposed to Internet anyone can use it wasting server resources?

Thanks again for testing, I really appreciate it.

It seems it’s by design:

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-postgresql.html#nethserver-postgres

I don’t know if it could be misused in some way but I’ll have a look at the links you posted to see if there is a possibility to make it more secure or filter it.

It’s really helpful as I just built the package straightforward out of the howto without thinking much about security in the first step.

I hope this is not a problem and that they’re talking about running both on the HTTPS port.

I tested the token method for securing the documentserver and it worked - thanks @dnutan for the hint…

Edit /etc/onlyoffice/documentserver/default.json and execute supervisorctl restart all to restart the docserver as described here:

https://api.onlyoffice.com/editors/signature/

Enter the secret in Nextcloud onlyoffice advanced settings:

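The token method referenced above, as an added example that is not code from this thread, the NethServer module or ONLYOFFICE: in token mode each request between Nextcloud and the Document Server carries an HS256 JSON Web Token computed over a shared secret, which addresses @dnutan's concern that an Internet-exposed port 8082 lets anyone submit jobs. The stdlib Python below shows what the receiving side has to check on an incoming token and why each check matters: a wrong secret, a swapped payload with the old signature, an alg=none header and an expired token are all rejected. The secret and the {"c": "version"} command body are made-up values; which default.json keys switch token mode on, and where the token travels (body field or header), are in the linked signature docs and are not modelled here.

```python
"""Added example: HS256 JWT signing and verification of the kind ONLYOFFICE's
token mode uses between Nextcloud and the Document Server. Stdlib only; the
secret and the payloads below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed value: the secret you would put in default.json and in the Nextcloud
# onlyoffice advanced settings. Not a real deployment value.
SHARED_SECRET = "change-me-to-a-long-random-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(payload: dict, secret: str) -> str:
    """Build header.payload.signature; the HMAC-SHA256 covers the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(parts).encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_token(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is valid, otherwise None.

    Rejects malformed tokens, any alg other than HS256 (so a client cannot
    downgrade to alg=none), bad signatures, and expired tokens when 'exp' is set.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many signature bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        payload = json.loads(_b64url_decode(p_b64))
        if not isinstance(payload, dict):
            return None
    except (ValueError, TypeError):
        # Covers bad base64, bad JSON, wrong number of parts, undecodable bytes.
        return None
    if "exp" in payload:
        current = time.time() if now is None else now
        if current >= float(payload["exp"]):
            return None
    return payload


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the original signature (what a man in the middle might try)."""
    h_b64, _old, s_b64 = token.split(".")
    body = _b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return ".".join([h_b64, body, s_b64])


def forge_with_alg_none(payload: dict) -> str:
    """What someone without the secret might send: alg=none and an empty signature."""
    header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    # Constructed sample: a command body like the ones posted to CommandService.ashx.
    legit = sign_token({"c": "version"}, SHARED_SECRET)
    print("valid token   :", verify_token(legit, SHARED_SECRET))
    print("wrong secret  :", verify_token(legit, "guess"))
    print("swapped body  :", verify_token(tamper_payload(legit, {"c": "drop"}), SHARED_SECRET))
    print("alg=none forge:", verify_token(forge_with_alg_none({"c": "drop"}), SHARED_SECRET))
```

The secret only protects you if it is long, random and configured identically on both ends; with token mode on but the secret left at a guessable value, anyone who can reach https://FQDN:8082 can still mint valid tokens.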