Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save JSinghDev/0b68890e07c43b4cc013acc4148d2a43 to your computer and use it in GitHub Desktop.
Save JSinghDev/0b68890e07c43b4cc013acc4148d2a43 to your computer and use it in GitHub Desktop.
OnlyOffice Docs into a LXC Debian 10

OnlyOffice Docs into a Debian 10 LXC

How I installed Onlyoffice Docs 5.6 (DocumentServer) into a Debian 10 Buster Proxmox LXC Container.

References

System Requirements

  • CPU dual core 2 GHz or better
  • RAM 2 GB or more
  • HDD at least 40 GB of free space
  • Additional requirements at least 4 GB of swap
  • OS 64-bit Debian, Ubuntu or other compatible distribution with kernel version 3.13 or later
  • Additional requirements
    • PostgreSQL: version 9.1 or later
    • NGINX: version 1.3.13 or later
    • libstdc++6: version 4.8.4 or later
    • RabbitMQ

Prepare container

First update everything

# apt update && apt dist-upgrade

I like to install these

# apt install curl wget nano htop

You may want to have a local user to use instead of root
and also to add it to the sudo group

# apt install sudo
# adduser admin
# usermod -aG sudo admin

Let's add ssh capabilities

# apt install openssh-client openssh-server
# ssh admin@localhost  # test it

Configure Locales properly I used pt_BR.UTF-8 as the default, but added support to other languages and encodings as well

# dpkg-reconfigure locales
# reboot  # you may want to reboot to the new language

Install PostgreSQL

https://www.postgresql.org/download/linux/debian/

First we need lsb_release

# apt install lsb-release

Install Postgres SQL

# Create the file repository configuration:
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

# Import the repository signing key:
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

# Update the package lists:
sudo apt-get update

# Install the latest version of PostgreSQL.
# If you want a specific version, use 'postgresql-12' or similar instead of 'postgresql':
sudo apt-get -y install postgresql

Create Database for Onlyoffice

sudo -i -u postgres psql -c "CREATE DATABASE onlyoffice;" ; sudo -i -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';" ; sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"

Install Rabbitmq

sudo apt-get install rabbitmq-server

Install Nginx

sudo apt-get install nginx-extras

Changing the default ONLYOFFICE Docs port

By default ONLYOFFICE Docs listens to the incoming connections using port 80. Starting with version 4.3 you can change the port for ONLYOFFICE Docs if you plan to use it instead of the default one.

I did not change this and I will also not run in HTTPS, because my CT will run through another nginx proxy.

echo onlyoffice-documentserver onlyoffice/ds-port select <PORT_NUMBER> | sudo debconf-set-selections

If you want to change the ONLYOFFICE Docs protocol to HTTPS, do not change the port to 443, but use this instruction instead.

Install OnlyOffice Docs

Add GPG key

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5

Add ONLYOFFICE Docs repository

sudo echo "deb https://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list

Install

sudo apt-get update
sudo apt-get install onlyoffice-documentserver

During the installation process, you will be asked to provide a password for the onlyoffice PostgreSQL user. Please enter the onlyoffice password that you have specified when configuring PostgreSQL.

After that ONLYOFFICE Docs will be run as a process.
At this point your DocumentServer instance is already usable

The package will be updated just like any other deb package.
Please note that the local.json may be reset during updates, resetting the JWT Token password.
Just make a copy of /etc/onlyoffice before updates to be sure.

Fonts

You will probably want to install some extra Fonts, including the Microsoft Fonts.

Core Microsoft Fonts

sudo apt install ttf-mscorefonts-installer

Vista Fonts are not so easy
You could try this installer with

sudo apt install wget cabextract fontforge
wget https://gist.githubusercontent.com/tavinus/1a92c79d790657d5b66546996dd006b9/raw/ttf-vista-fonts-installer.sh -q -O - | sudo bash

Then you need to refresh the Onlyoffice cache

/usr/bin/documentserver-generate-allfonts.sh

Now you could refresh the browser to check the new fonts

Secret Token Configuration

We need to edit the file /etc/onlyoffice/documentserver/local.json
to secure our Document Server with a JWT token.

The chages are

  • Change token boolean flags to true
  • Change the secret string to a new random one

I cooked a one-liner script to make the changes easier.
Create a backup of the original config file in case something goes wrong.

sudo cp /etc/onlyoffice/documentserver/local.json /etc/onlyoffice/documentserver/local-json-backup

You can revert with

sudo cp /etc/onlyoffice/documentserver/local-json-backup /etc/onlyoffice/documentserver/local.json

Get a root sheel if not yet in one

sudo su -

Let's generate a random secret and apply it

OO_SECRET="$(< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-64})" && sed -i 's/: false/: true/g;s/"string": "secret"/"string": "'"$OO_SECRET"'"/g' /etc/onlyoffice/documentserver/local.json && echo "SECRET KEY: $OO_SECRET"

It will print the created secret.
If you forget/lose, you can retrieve from the local.json file.

You may want to check it anyways:

cat /etc/onlyoffice/documentserver/local.json

The final local.json file will look similar to this

{
  "services": {
    "CoAuthoring": {
      "sql": {
        "type": "postgres",
        "dbHost": "localhost",
        "dbPort": "5432",
        "dbName": "onlyoffice",
        "dbUser": "onlyoffice",
        "dbPass": "onlyoffice"
      },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        },
        "outbox": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        },
        "session": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "amqp://guest:guest@localhost"
  }
}

Restart the Document Server to apply the changes.

sudo supervisorctl restart all

You can now use the generated SECRET KEY to access your
DocumentServer instance.

NGINX Proxy Configuration

As mentioned, I am routing traffic through another NGINX proxy instance.
The Proxy runs in HTTPS and redirects insecure traffic.

Things you need to change:

  • ONLYOFFICE CONTAINER IP ADDRESS eg. 10.0.1.45
  • ONLYOFFICE DOMAIN eg. office.mydomain.tld
  • CERTIFICATE FILES LOCATIONS eg. /etc/ssl/localcerts/office.mydomain.tld-fullchain.cer

Please note that each of them occur in many places inside the file.
You need to change ALL OCCURRENCES.

Example office.mydomain.tld.conf file

server {
    listen 80;
    listen [::]:80;
    server_name office.mydomain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name office.mydomain.tld;

    ssl_certificate           /etc/ssl/localcerts/office.mydomain.tld-fullchain.cer;
    ssl_certificate_key       /etc/ssl/localcerts/office.mydomain.tld.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/office.mydomain.tld.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix WebDav links
      rewrite ^/\.well-known/carddav https://$server_name/remote.php/dav/ redirect;
      rewrite ^/\.well-known/caldav https://$server_name/remote.php/dav/ redirect;

      # Proxy target setup
      proxy_pass          http://10.0.1.45;
      proxy_read_timeout  200;
      # Fix the "It appears that your reverse proxy set up is broken" error
      proxy_redirect      http://10.0.1.45 https://$host;
    }
}

I will not go into how to generate the certificates this time,
but I usually generate Let's Encrypt Certificates using
acme.sh with DNS challenges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment