OnlyOffice Enterprise behind Proxy with SSL Termination


Post by christophdb » Fri Dec 06, 2019 12:51 pm

Hi everybody,

I have the following situation:
- I installed OnlyOffice Enterprise Standard Plus with Docker.
- I have a LoadBalancer with SSL-Termination and automatic http to https redirect

So my setup is:
- No matter if somebody enters http://mydomain or https://mydomain, all traffic is redirected to https://mydomain and then the proxy passes all traffic via port 80 to the servers in the LAN. Unfortunately I have no possibility to change that setup. The https termination has to be on the load balancer and I do not have access to the wildcard certificates.

Situation 1) OnlyOffice (Docker) accepts all traffic on port 80.
First I tried my setup without an additional nginx proxy. OnlyOffice-Community-Server was exposed on port 80 and accepted all traffic. So my docker ps looked like this:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b2f6286815ff onlyoffice4enterprise/communityserver-ee:10.0.4.1001 "/usr/bin/dumb-init …" 3 days ago Up 1 second 443/tcp, 0.0.0.0:80->80/tcp, 3306/tcp, 5280/tcp, 9865-9866/tcp, 9871/tcp, 9882/tcp, 0.0.0.0:5222->5222/tcp, 9888/tcp onlyoffice-community-server

I did not add any custom DNS-Settings inside OnlyOffice and I left the document-parameters to the default values.
Everything is working fine (like adding persons, projects or calendar entries) except the area "documents".
[Attachment: oos-situation1.png]

Problem 1a) File Upload was not possible. The console showed me:
Mixed Content: The page at 'https://mydomain/Products/Files/#2' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mydomain/products/files/ChunkedU ... e1f5bd0050'. This request has been blocked; the content must be served over HTTPS.

Problem 1b) Opening Office Files
Also it was not possible to open any documents. As with the upload, the error was about "mixed content".

Attempt to fix situation 1)
I tried changing the custom DNS settings and the document-server integration settings, but I did not manage to make it work.
There were websocket errors and no matter what I entered in the fields it was not possible to upload files or to open documents.
[Attachment: oos-situation2.png]

Situation 2) additional nginx proxy
Then I changed the Docker container: port 9876 was exposed instead of port 80. Now docker ps showed me:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b2f6286815ff onlyoffice4enterprise/communityserver-ee:10.0.4.1001 "/usr/bin/dumb-init …" 4 days ago Up 13 seconds 3306/tcp, 5280/tcp, 9865-9866/tcp, 9871/tcp, 9882/tcp, 9888/tcp, 0.0.0.0:5222->5222/tcp, 0.0.0.0:9876->80/tcp onlyoffice-community-server

In addition I installed an nginx web server to listen on port 80 and to forward it to port 9876. First I tried with the minimal nginx setup:
https://github.com/ONLYOFFICE/document- ... nimal.conf (of course I changed the backend server address to 127.0.0.1:9876).

Still the same behavior. File upload and file editing were not possible. Still the same errors with mixed content.

Situation 3) new nginx configuration
I found on this forum an alternative nginx configuration:

upstream docservice {
    server 127.0.0.1:9876;
}
# Host header if the client sent one, otherwise nginx's $host.
map $http_host $this_host {
    "" $host;
    default $http_host;
}
# Scheme from X-Forwarded-Proto if present, otherwise the scheme of this connection.
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    "" $scheme;
}
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    "" $this_host;
}
map $http_upgrade $proxy_connection {
    default upgrade;
    "" close;
}

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

server {
    listen 0.0.0.0:80;
    listen [::]:80 default_server;
    server_tokens off;

    location / {
        add_header Content-Security-Policy upgrade-insecure-requests always;
        add_header "Access-Control-Allow-Origin" "*" always;
        add_header "Access-Control-Allow-Methods" "POST, GET, OPTIONS" always;
        add_header "Access-Control-Allow-Headers" "Content-Type, Accept, Authorization, Origin" always;
        proxy_hide_header Access-Control-Allow-Origin;
        if ($request_method = "OPTIONS") {
            return 204;
        }

        # proxy_set_header lines at this level replace the http-level ones above;
        # X-Forwarded-Proto is $scheme here, not $the_scheme.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:9876$request_uri;
    }
}

With this setup I could upload files. YEAH.
And if I try to open a document, the document is opened, but it shows a warning first and it seems that file changes are not stored to the system. The file history did not change.
[Attachment: oos-situation3.png]

Summary
Could anybody help me to make this setup work?
Thanks and best regards
Christoph

Re: OnlyOffice Enterprise behind Proxy with SSL Termination

Post by Carl » Wed Dec 11, 2019 7:11 am

Hello Christoph.

First of all, we strongly recommend that you do not change the default addresses in the Document Service settings. The communication between the containers must go via internal addresses, not external ones. So leave the default values:
/ds-vpath/
http://onlyoffice-document-server/
http://onlyoffice-community-server/

I also see a Websocket error in the browser console. Please specify the load balancer that is set up in front of the Enterprise Edition. Please make sure that Websocket proxying is enabled in the load balancer config.
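
Added example, not part of the thread and not ONLYOFFICE's own configuration: an nginx front end for the setup described above that forwards the scheme reported by the TLS-terminating load balancer instead of its own, and sends the websocket upgrade headers Carl refers to. It assumes the load balancer sets X-Forwarded-Proto and that the backend builds its URLs from that header; 10.0.0.5 is a placeholder for the load balancer's LAN address.

```nginx
# Added example. Goes in a file included from the http {} context.
# Assumptions: 10.0.0.5 is a placeholder for the load balancer's LAN address,
# and the balancer sets "X-Forwarded-Proto: https" on requests it terminated.

# Websocket: ask the backend for an upgrade only when the client asked for one.
map $http_upgrade $proxy_connection {
    default upgrade;
    ""      close;
}

# Scheme the browser used, as reported by the balancer. Any value other than
# "https" falls back to the scheme of this hop, which is plain http.
map $http_x_forwarded_proto $the_scheme {
    default $scheme;
    https   https;
}

server {
    listen 80;
    listen [::]:80;
    server_tokens off;

    # X-Forwarded-* headers are only meaningful when the sender is the
    # balancer, so nothing else on the LAN may reach this listener.
    allow 10.0.0.5;
    deny  all;

    location / {
        proxy_http_version 1.1;

        # proxy_set_header is inherited from an outer level only if this
        # level defines none, so the complete set is listed here.
        proxy_set_header Host              $host;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $proxy_connection;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $the_scheme;  # not $scheme
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        proxy_pass http://127.0.0.1:9876;
    }
}
```

The wildcard Access-Control-Allow-Origin header and the upgrade-insecure-requests policy from the posted configuration are left out here: the first lets scripts from any origin read non-credentialed responses, and the second only rewrites http URLs in the browser after the backend has already generated them.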
