+1

Local network ONLYOFFICE implementation

Matt V 2 years ago in Feature requests updated 1 month ago 11

Hi Vlad,


I would like to be able to connect my ONLYOFFICE document server implementation locally, rather than through an external A-record DNS call. Is this possible?


Usage case: I have my ONLYOFFICE document server installed on a local LXC with hostname ONLYOFFICE. It has a self-signed certificate. I add the URL https://OnlyOffice to the plugin settings.


Problem: Only computers on the local network can connect to it. Furthermore, because it has a self-signed certificate, only computers with that certificate added as an exception can connect. Else, you get a blank page.


Potential alternative solution: Set up a DNS server, and purchase/configure a FQDN for the ONLYOFFICE server. Also must configure a valid SSL certificate. This requires a lot more work and resources than necessary, plus, it opens up some potential security issues since the ONLYOFFICE server is now open to the WWW.


Thanks,

-Mattv8

Hi Matt!

You can use ONLYOFFICE via the server's IP address as well, not only via hostname or domain name.

When we'll add support for Document Server 4.2+, which supports protection via authentication tokens, then having the server exposed to the Internet won't be a problem.

I must note that you cannot use the server's IP address over HTTPS. There is no way to load the certificate, so a blank screen is shown. You can connect over HTTP however using the server's IP address.

Thanks for your hard work, looking forward to seeing the auth token update!

Hi Matt,


We do this using nginx's reverse proxy, this allows us to host the onlyoffice document server 5.1.4-22 (in the below example on 192.0.2.1) internal on https (self signed certificate). The nginx instance (which also hosts our FileRun) proxys these locations:

location ^~ /exampleproxy
location ^~ /2018-05-22-13-26
location ^~ /cache

using these options (for each location):

proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_http_version 1.1;

respectively pointing them to:

proxy_pass https://192.0.2.1/
proxy_pass https://192.0.2.1/2018-05-22-13-26/
proxy_pass https://192.0.2.1/cache/

Then in FileRun set the "ONLYOFFICE server URL" to https://example.com/exampleproxy


Best wishes, Jan.

Thanks for the advice Jan, I ended up using something very similar to your suggestion. However, the only way I could figure out how to achieve it was to use FQDN's, so currently you can access my ONLYOFFICE server via "https://editor.docs.example.com". I will play around with this a bit and see if I can get it to work so it is not exposed to the web, but still accessible through Filerun.

Hello. I cannot get this to work. 

My OnlyOffice server is on my internal network but my Filerun is public via Nginx reverse proxy. I cannot open or create files using the OnlyOffice server with this setup. I get a blank browser page. 

Accessing the internal URL/PORT of my OnlyOffice server via my browser gives me the OnlyOffice welcome page, as expected, but Filerun is not able to work with it.

Do I have to make my OnlyOffice publicly accessible? Note that I have not generated self-signed certs for OnlyOffice, so it's operating in http mode only right now. 

And I know the OnlyOffice installation is working correctly, as I have another app that integrates with it (internal) and it opens/creates documents no problem. 

I ended up getting this working by just making onlyoffice public. If there's a way to get this to work while it's still private, I never was able to figure it out after banging my head against a wall for a long time.

You made the right decision. The only way I could get it to work was by making my Onlyoffice instance public. I buried the URL under a couple subdomains so I have a bit of security by obscurity. Just sign the site with a LetsEncrypt cert.

By "buried the URL" I mean:

you can make a secret for it which adds another layer. 

Can you link to a guide or documentation that's applicable to Filerun?

+2

OnlyOffice has a variable called "JWT_SECRET" that can be set and another variable called JWT_ENABLED which should be 'true'.. Depending on how you install your OnlyOffice, it is set in different ways. I personally install it via Docker container. So you set a container variable for it called "JWT_SECRET" and the value is the secret itself, and JWT_ENABLED to 'true'. Filerun has a field to match this value in the plugin config for OnlyOffice. That's about it.

Ah, that is much easier than I thought it would be. Thanks!