Enforce Security - Nextcloud and Onlyoffice
-
- Posts: 9
- Joined: Wed Oct 24, 2018 7:23 am
Enforce Security - Nextcloud and Onlyoffice
I'm using onlyoffice with nextcloud. In nextcloud I simply typed the url of onlyoffice and saved the configuration and after that I started using them togheter.
How can I sure that onlyoffice is secure and nobody can use it in an unwanted way? In fact I don't think it's an exclusive relationship between nextcloud and onlyoffice, is it there a way to limit the usage of onlyoffice only with our nextcloud, or any way to improve security?
Regards.
How can I sure that onlyoffice is secure and nobody can use it in an unwanted way? In fact I don't think it's an exclusive relationship between nextcloud and onlyoffice, is it there a way to limit the usage of onlyoffice only with our nextcloud, or any way to improve security?
Regards.
Re: Enforce Security - Nextcloud and Onlyoffice
Hello,
You can enable JSON Web Token in Document Server config for more security:
https://api.onlyoffice.com/editors/security
https://api.onlyoffice.com/editors/signature/
Note: starting from Document Server version 5.2, JWT is enabled in local.json config.
You also need to indicate the exact secret value in ONLYOFFICE integration app settings in Nextcloud for connection to work.
You can enable JSON Web Token in Document Server config for more security:
https://api.onlyoffice.com/editors/security
https://api.onlyoffice.com/editors/signature/
Note: starting from Document Server version 5.2, JWT is enabled in local.json config.
You also need to indicate the exact secret value in ONLYOFFICE integration app settings in Nextcloud for connection to work.
-
- Posts: 9
- Joined: Wed Oct 24, 2018 7:23 am
Re: Enforce Security - Nextcloud and Onlyoffice
Hi,
in default.json I defined and enabled secret as in the documentation and restarted the onlyoffice server:
"secret": {
"browser": {"string": "secret", "file": "", "tenants": {}},
"inbox": {"string": "Secret_TEST", "file": "", "tenants": {}},
"outbox": {"string": "Secret_TEST", "file": ""},
"session": {"string": "secret", "file": ""}
},
"token": {
"enable": {
"browser": true,
"request": {
"inbox": true,
"outbox": true
}
},
but the nextcloud continue to work with onlyoffice without problem, as no secret defined. Is it normal?
Where do I need to define the secret in nextcloud?
in default.json I defined and enabled secret as in the documentation and restarted the onlyoffice server:
"secret": {
"browser": {"string": "secret", "file": "", "tenants": {}},
"inbox": {"string": "Secret_TEST", "file": "", "tenants": {}},
"outbox": {"string": "Secret_TEST", "file": ""},
"session": {"string": "secret", "file": ""}
},
"token": {
"enable": {
"browser": true,
"request": {
"inbox": true,
"outbox": true
}
},
but the nextcloud continue to work with onlyoffice without problem, as no secret defined. Is it normal?
Where do I need to define the secret in nextcloud?
Re: Enforce Security - Nextcloud and Onlyoffice
Please specify the version of document server you are using.
-
- Posts: 9
- Joined: Wed Oct 24, 2018 7:23 am
Re: Enforce Security - Nextcloud and Onlyoffice
Onlyoffice 5.2.2-2 and if you need Nextcloud 14.0.3.
Regards.
Regards.
Re: Enforce Security - Nextcloud and Onlyoffice
Hello,
Please open /etc/onlyoffice/documentserver/local.json and enable JWT and secret there. Don't forget to restart DS services after changing the config: supervisorctl restart allCarl wrote:Note: starting from Document Server version 5.2, JWT is enabled in local.json config.
-
- Posts: 9
- Joined: Wed Oct 24, 2018 7:23 am
Re: Enforce Security - Nextcloud and Onlyoffice
I confirm that I made these changes to /etc/onlyoffice/documentserver/local.json , after that I restarted the entire server.lorenzoform wrote:Hi,
in default.json I defined and enabled secret as in the documentation and restarted the onlyoffice server:
"secret": {
"browser": {"string": "secret", "file": "", "tenants": {}},
"inbox": {"string": "Secret_TEST", "file": "", "tenants": {}},
"outbox": {"string": "Secret_TEST", "file": ""},
"session": {"string": "secret", "file": ""}
},
"token": {
"enable": {
"browser": true,
"request": {
"inbox": true,
"outbox": true
}
},
but the nextcloud continue to work with onlyoffice without problem, as no secret defined. Is it normal?
Where do I need to define the secret in nextcloud?
Re: Enforce Security - Nextcloud and Onlyoffice
Restarting the container reverts the changed parameters of document server config to default values (set via environment variable). Please open the local.json file and check if JWT is enabled. You need to restart only document server services after changing the config.
-
- Posts: 9
- Joined: Wed Oct 24, 2018 7:23 am
Re: Enforce Security - Nextcloud and Onlyoffice
Sorry for delay,
I had temporarily suspended the project.
I think it's there some confusing between local and default json.
Now it's work also restarting the VM.
Where do I need to place the token into Next Cloud ?
My .htaccess in Next Cloud contains following rows:
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
I had temporarily suspended the project.
I think it's there some confusing between local and default json.
Now it's work also restarting the VM.
Where do I need to place the token into Next Cloud ?
My .htaccess in Next Cloud contains following rows:
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
Re: Enforce Security - Nextcloud and Onlyoffice
Hello!
You need to put your secret key in Onlyoffice settings of Nextcloud.Where do I need to place the token into Next Cloud ?