OnlyOffice Docs into a LXC Debian 10

onlyofficeDocsLXCBuster.md

OnlyOffice Docs into a Debian 10 LXC

How I installed Onlyoffice Docs 5.6 (DocumentServer) into a Debian 10 Buster Proxmox LXC Container.

References

• https://helpcenter.onlyoffice.com/installation/docs-community-install-ubuntu.aspx
• https://helpcenter.onlyoffice.com/installation/docs-community-https-linux.aspx

System Requirements

• CPU dual core 2 GHz or better
• RAM 2 GB or more
• HDD at least 40 GB of free space
• Additional requirements at least 4 GB of swap
• OS 64-bit Debian, Ubuntu or other compatible distribution with kernel version 3.13 or later
• Additional requirements
  • PostgreSQL: version 9.1 or later
  • NGINX: version 1.3.13 or later
  • libstdc++6: version 4.8.4 or later
  • RabbitMQ

Prepare container

First update everything

# apt update && apt dist-upgrade

I like to install these

# apt install curl wget nano htop

You may want to have a local user to use instead of root
and also to add it to the sudo group

# apt install sudo
# adduser admin
# usermod -aG sudo admin

Let's add ssh capabilities

# apt install openssh-client openssh-server
# ssh admin@localhost  # test it

Configure Locales properly I used pt_BR.UTF-8 as the default, but added support to other languages and encodings as well

# dpkg-reconfigure locales
# reboot  # you may want to reboot to the new language

Install PostgreSQL

https://www.postgresql.org/download/linux/debian/

First we need lsb_release

# apt install lsb-release

Install Postgres SQL

# Create the file repository configuration:
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'

# Import the repository signing key:
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

# Update the package lists:
sudo apt-get update

# Install the latest version of PostgreSQL.
# If you want a specific version, use 'postgresql-12' or similar instead of 'postgresql':
sudo apt-get -y install postgresql

Create Database for Onlyoffice

sudo -i -u postgres psql -c "CREATE DATABASE onlyoffice;" ; sudo -i -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';" ; sudo -i -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;"

Install Rabbitmq

sudo apt-get install rabbitmq-server

Install Nginx

sudo apt-get install nginx-extras

Changing the default ONLYOFFICE Docs port

By default ONLYOFFICE Docs listens to the incoming connections using port 80. Starting with version 4.3 you can change the port for ONLYOFFICE Docs if you plan to use it instead of the default one.

I did not change this and I will also not run in HTTPS, because my CT will run through another nginx proxy.

echo onlyoffice-documentserver onlyoffice/ds-port select <PORT_NUMBER> | sudo debconf-set-selections

If you want to change the ONLYOFFICE Docs protocol to HTTPS, do not change the port to 443, but use this instruction instead.

Install OnlyOffice Docs

Add GPG key

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5

Add ONLYOFFICE Docs repository

sudo echo "deb https://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list

Install

sudo apt-get update
sudo apt-get install onlyoffice-documentserver

During the installation process, you will be asked to provide a password for the onlyoffice PostgreSQL user. Please enter the onlyoffice password that you have specified when configuring PostgreSQL.

After that ONLYOFFICE Docs will be run as a process.
At this point your DocumentServer instance is already usable

The package will be updated just like any other deb package.
Please note that the local.json may be reset during updates, resetting the JWT Token password.
Just make a copy of /etc/onlyoffice before updates to be sure.

Fonts

You will probably want to install some extra Fonts, including the Microsoft Fonts.

Core Microsoft Fonts

sudo apt install ttf-mscorefonts-installer

Vista Fonts are not so easy
You could try this installer with

sudo apt install wget cabextract fontforge
wget https://gist.githubusercontent.com/tavinus/1a92c79d790657d5b66546996dd006b9/raw/ttf-vista-fonts-installer.sh -q -O - | sudo bash

Then you need to refresh the Onlyoffice cache

/usr/bin/documentserver-generate-allfonts.sh

Now you could refresh the browser to check the new fonts

Secret Token Configuration

We need to edit the file /etc/onlyoffice/documentserver/local.json
to secure our Document Server with a JWT token.

The chages are

• Change token boolean flags to true
• Change the secret string to a new random one

I cooked a one-liner script to make the changes easier.
Create a backup of the original config file in case something goes wrong.

sudo cp /etc/onlyoffice/documentserver/local.json /etc/onlyoffice/documentserver/local-json-backup

You can revert with

sudo cp /etc/onlyoffice/documentserver/local-json-backup /etc/onlyoffice/documentserver/local.json

Get a root sheel if not yet in one

sudo su -

Let's generate a random secret and apply it

OO_SECRET="$(< /dev/urandom tr -dc A-Z-a-z-0-9 | head -c${1:-64})" && sed -i 's/: false/: true/g;s/"string": "secret"/"string": "'"$OO_SECRET"'"/g' /etc/onlyoffice/documentserver/local.json && echo "SECRET KEY: $OO_SECRET"

It will print the created secret.
If you forget/lose, you can retrieve from the local.json file.

You may want to check it anyways:

cat /etc/onlyoffice/documentserver/local.json

The final local.json file will look similar to this

{
  "services": {
    "CoAuthoring": {
      "sql": {
        "type": "postgres",
        "dbHost": "localhost",
        "dbPort": "5432",
        "dbName": "onlyoffice",
        "dbUser": "onlyoffice",
        "dbPass": "onlyoffice"
      },
      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        },
        "outbox": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        },
        "session": {
          "string": "eu94ESnlK-6BSjJKthifa7LS23hj6ugNDTO9U1yugQlRUSd-Xif2NfB1WOC5pwkC"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "amqp://guest:guest@localhost"
  }
}

Restart the Document Server to apply the changes.

sudo supervisorctl restart all

You can now use the generated SECRET KEY to access your
DocumentServer instance.

NGINX Proxy Configuration

As mentioned, I am routing traffic through another NGINX proxy instance.
The Proxy runs in HTTPS and redirects insecure traffic.

Things you need to change:

• ONLYOFFICE CONTAINER IP ADDRESS eg. 10.0.1.45
• ONLYOFFICE DOMAIN eg. office.mydomain.tld
• CERTIFICATE FILES LOCATIONS eg. /etc/ssl/localcerts/office.mydomain.tld-fullchain.cer

Please note that each of them occur in many places inside the file.
You need to change ALL OCCURRENCES.

Example office.mydomain.tld.conf file

server {
    listen 80;
    listen [::]:80;
    server_name office.mydomain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name office.mydomain.tld;

    ssl_certificate           /etc/ssl/localcerts/office.mydomain.tld-fullchain.cer;
    ssl_certificate_key       /etc/ssl/localcerts/office.mydomain.tld.key;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/office.mydomain.tld.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix WebDav links
      rewrite ^/\.well-known/carddav https://$server_name/remote.php/dav/ redirect;
      rewrite ^/\.well-known/caldav https://$server_name/remote.php/dav/ redirect;

      # Proxy target setup
      proxy_pass          http://10.0.1.45;
      proxy_read_timeout  200;
      # Fix the "It appears that your reverse proxy set up is broken" error
      proxy_redirect      http://10.0.1.45 https://$host;
    }
}

I will not go into how to generate the certificates this time,
but I usually generate Let's Encrypt Certificates using
acme.sh with DNS challenges.

I had a problem with a Nextcloud instance where it would not connect to any Onlyoffice Doc server.

Neither this one or any other one (I have a few that I can test with).

I tried many things, but in the end what I think solved the problem was to

1. Clear the onlyoffice info in /var/www/nextcloud/config/config.php
   I noticed a new instance had no onlyoffice info saved in its config.php file.
   So I just made a copy of config.php and erased the whole onlyoffice entry.
   You may want to restart apache/nginx/php-fpm after this.

  'onlyoffice' =>
  array (
    'verify_peer_off' => true,
    'jwt_secret' => 'ase45dFGSyqefghsd$6eayaedrhdz',
    'jwt_header' => 'Authorization',
  ),

2. Erased server/secret info in Nextcloud Settings > ONLYOFFICE and SAVED
3. DISABLED, then REMOVED the OnlyOffice Connector App in Nextcloud
4. Downloaded and installed the ONLYOFFICE Connector App
5. Re-configured Nextcloud Settings > ONLYOFFICE with server/secret and IT WORKED

This took me an entire day testing stuff.
I guess it now stores info in the database.
The info I had into the config.php was not currently valid (I guess it overrides the database one).

Updating to DocumentServer 6.4

I started by taking a snapshot of my container.

Then, I made a backup of the /etc/onlyoffice folder inside the container

mkdir backup
cd backup
cp -R /etc/onlyoffice ./etc-onlyoffice

Now update lists (accept new servers if needed -eg- oldstable)

sudo apt update

And then just upgrade everything

sudo apt upgrade

The new default.json was quite different, so I applied the new one.

If we start it now, it will be accessible but not working in Nextcloud.
So first we need to copy the local.js back with our config (the backup folder we saved has it).
We will backup the original file.

sudo cp /etc/onlyoffice/documentserver/local.json /etc/onlyoffice/documentserver/local-json-backup
sudo cp backup/etc-onlyoffice/documentserver/local.json /etc/onlyoffice/documentserver/local.json

And then we restart it all

sudo supervisorctl restart all

Because I use some local servers redirected, I also got another error in Nextcloud.
"Host violates local access rules"
To solve this, I added the following line to my nextcloud config file (which is in another container):

sudo -u www-data nano /var/www/nextcloud/config/config.php

Add

  'allow_local_remote_servers' => true,

And now it is working from Nextcloud.

Cheers!

reserved

gnupg shold be installed as well
The way the gpg key is added also changed:

mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
gpg --no-default-keyring --keyring gnupg-ring:/tmp/onlyoffice.gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
chmod 644 /tmp/onlyoffice.gpg
sudo chown root:root /tmp/onlyoffice.gpg
sudo mv /tmp/onlyoffice.gpg /etc/apt/trusted.gpg.d/

I could not connect onlyoffice as I kept getting this error from NC
Error when trying to connect (Error occurred in the document service: Unknown error) (version 8.0.0.99)

The Onlyoffice out.log showed this:
[2024-02-03T17:56:08.192] [ERROR] [localhost] [conv_check_1236454926_docx] [userId] nodeJS - convertRequest error: error: relation “task_result” does not exist at /snapshot/server/DocService/node_modules/pg-pool/index.js:45:11 at processTicksAndRejections (node:internal/process/task_queues:96:5)

Apparently it was a database issues so I fixed it by changing the owner of the onlyoffice database in postgres from postgres to onlyoffice. This site helped me https://forum.onlyoffice.com/t/error-relation-task-result-does-not-exist/7517/17