HOW TO: Deploy OnlyOffice in Seafile servers subdomain subfolder - CE 6.1+

UPDATE

The manual for this HOW TO is available now:
https://manual.seafile.com/deploy/only_office.html

UPDATE


What the Seafile server manual (more or less) suggests:

https://seafile.domain.com
https://onlyoffice.domain.com

What I want to achieve:

https://seafile.domain.com
https://seafile.domain.com/onlyofficeds

I don’t want to use another subdomain, it should run on a subfolder and not on a subdomain.

Onlyoffice docker image setup and exposed locally under port 88
docker run -i -t -d -p 88:80 onlyoffice/documentserver

As I understand it, it is not necessary to mount/map any local folders to the docker image, as everything that is being pushed there will be temporary and does not need saving.

Nginx config

 server {
        listen       80;
        server_name  seafile.domain.com;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    }

 # Required for only office document server
 map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

 map $http_x_forwarded_host $the_host {
        default $http_x_forwarded_host;
        "" $host;
    }

 map $http_upgrade $proxy_connection {
        default upgrade;
        "" close;
    }

 server {
        listen 443 http2;
        ssl on;
        ssl_certificate /etc/ssl/cacert.pem;        # path to your cacert.pem
        ssl_certificate_key /etc/ssl/privkey.pem;    # path to your privkey.pem
        server_name seafile.domain.com;
        proxy_set_header X-Forwarded-For $remote_addr;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;

    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL        $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
        client_max_body_size 0;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
    }

    location /media {
        root /home/user/haiwen/seafile-server-latest/seahub;
    }

    location /seafdav {
     fastcgi_pass    127.0.0.1:8080;
     fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
     fastcgi_param   PATH_INFO           $fastcgi_script_name;
     fastcgi_param   SERVER_PROTOCOL     $server_protocol;
     fastcgi_param   QUERY_STRING        $query_string;
     fastcgi_param   REQUEST_METHOD      $request_method;
     fastcgi_param   CONTENT_TYPE        $content_type;
     fastcgi_param   CONTENT_LENGTH      $content_length;
     fastcgi_param   SERVER_ADDR         $server_addr;
     fastcgi_param   SERVER_PORT         $server_port;
     fastcgi_param   SERVER_NAME         $server_name;
     fastcgi_param   HTTPS               on;
     client_max_body_size 0;
     access_log      /var/log/nginx/seafdav.access.log;
     error_log       /var/log/nginx/seafdav.error.log;
  }

	location /onlyofficeds/ {

	# THIS ONE IS IMPORTANT ! - Trailing slash !
	proxy_pass http://127.0.0.1:88/;

	proxy_http_version 1.1;
	# ProxyPassReverse is an Apache directive and nginx rejects it; nginx's default proxy_redirect already maps http://127.0.0.1:88/ back to /onlyofficeds/
	client_max_body_size 100M; # Limit Document size to 100MB
	proxy_read_timeout 3600s;
	proxy_connect_timeout 3600s;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $proxy_connection;

	# THIS ONE IS IMPORTANT ! - Subfolder and NO trailing slash !
	proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;

	proxy_set_header X-Forwarded-Proto $the_scheme;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
}

Seafile config in seahub_settings.py:

ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = False
ONLYOFFICE_APIJS_URL = 'https://seafile.domain.com/onlyofficeds/web-apps/apps/api/documents/api.js'
ONLYOFFICE_FILE_EXTENSION = ('doc', 'docx', 'ppt', 'pptx', 'xls', 'xlsx', 'odt', 'fodt', 'odp', 'fodp', 'ods', 'fods')

Hosting like this works fine and is easy to set up. It can be set up via script within seconds to minutes, depending on the bandwidth available.

@daniel.pan
I will update the Seafile manual once I got this working right.
It should contain some hints on how to deploy OnlyOffice locally rather than externally.

Of course the minimum server requirements are higher in combination with Seafile than a stand alone server for each app. I will write the recommendation for this up in the manual as well.


I tried this and abandoned it. There were a number of places where the onlyoffice code generates a URL, in the returned html or javascript, or when sending data to the seafile callback etc, assuming that it is running on the root of the server. So I don’t think it is currently possible to run onlyoffice on https://myserver/onlyoffice (as opposed to https://myserver/) without modifying the onlyoffice source code.

P.S.

“To increase security Onlyoffice should only be allowed to be called directly from the seafile server and block all other IPs if possible. As I understand Onlyoffice runs in an iframe window that Seafile server generates, correct? If this is so, it should not be a problem to block all but local IPs for OnlyOffice, this can be done with nginx config”

Incorrect - the editor page generated by seafile calls a javascript located on the onlyoffice server, so the end user ip address needs access to the onlyoffice server to download the script.

(in any case, it is the browser which loads the content in an iframe, so even if it did use an iframe, the end user ip address would still need access to the onlyoffice server).

Edited to add: Actually looking in more detail, the javascript called on the onlyoffice server does programmatically create an iframe. However, as above the end user ip will need access in order to access the script in the first instance, and then populate the iframe once the script has created it.

I managed to get the onlyoffice running and nginx config correct.

What is missing is an nginx rewrite rule that rewrites every request coming/going from/to the onlyoffice url. What do you think?

Otherwise we need to encourage the OnlyOffice community to support a subfolder for the document server. (I signed up for the OnlyOffice DEV forum and asked for this. I’ll provide the link once the post is approved.)

I’d wait until they respond and see what they say before I deploy the document server on another URL.

Thanks for this info, didn’t know this. I know OnlyOffice since years but never used it. Removed this part from my initial post.

But how to secure the server from abusive use?
No one except the users that are supposed to use the document server.

Can one protect this via an API key or something?

I have had a response from the devs and they told me that the document server works fine on a subdomain if the proxy settings are correct. Please check out my changed config above and test again.

As I understood it, it is important to put the trailing slashes where required and set the X-Forwarded-Host path correctly.
Additionally one needs to define the mapping for variables so the document server works with it.

I tested it and it works on my site now!! :slight_smile:

Here is my config that I built based on https://github.com/ONLYOFFICE/document-server-proxy/tree/master/nginx

   location /onlyofficeds/ {

   # THIS ONE IS IMPORTANT ! - Trailing slash !
   proxy_pass http://127.0.0.1:88/;

   proxy_http_version 1.1;
   # ProxyPassReverse is an Apache directive and nginx rejects it; nginx's default proxy_redirect already maps http://127.0.0.1:88/ back to /onlyofficeds/
   client_max_body_size 100M; # Limit Document size to 100MB
   proxy_read_timeout 3600s;
   proxy_connect_timeout 3600s;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $proxy_connection;

   # THIS ONE IS IMPORTANT ! - Subfolder and NO trailing slash !
   proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;

   proxy_set_header X-Forwarded-Proto $the_scheme;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

@daniel.pan @xiez
I finished the documentation page for OnlyOffice, please approve the pull request.
This way other users can use OnlyOffice easily. We can discuss and adopt the guide if required.


Hi De Danilo,
thanks for nice documentation, the subfolder strategy is for me very helpful.
But with the location path “/onlyoffice/” it will not work, because the “Callback handler” of seafile is located (“https://seafile-server/onlyoffice/editor-callback/”) at this path.
I tested it with path “/ooffice/” and it works fine.

best regards
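A lint for the pitfalls this thread ran into (trailing slashes, the X-Forwarded-Host suffix, the /onlyoffice/ callback collision, an Apache directive, a unit-less body size), as an added example that is not part of any post or of Seafile or OnlyOffice. `lint_location` and both sample blocks are constructed here and assume one directive per line.

```python
import re

RESERVED = "/onlyoffice/"  # Seahub serves its editor callback under this prefix
APACHE_ONLY = {"ProxyPass", "ProxyPassReverse"}  # Apache directives, not nginx

def lint_location(block: str) -> list:
    """Lint one nginx location block; assumes one directive per line."""
    findings, path, seen = [], None, {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"location\s+(\S+)\s*\{$", line)
        tokens = [] if m else line.rstrip(";").split()
        path = m.group(1) if m else path
        if not tokens or tokens[0] == "}":
            continue
        name, args = tokens[0], tokens[1:]
        if name in APACHE_ONLY:
            findings.append(f"{name}: Apache directive, nginx rejects it")
        key = f"header:{args[0]}" if name == "proxy_set_header" and args else name
        seen[key] = args
    if path is None:
        return ["no location block found"]
    if path.startswith(RESERVED):
        findings.append(f"location {path}: shadows Seahub's {RESERVED}editor-callback/")
    upstream = " ".join(seen.get("proxy_pass", []))
    if not re.fullmatch(r"https?://[^/]+/", upstream):
        findings.append("proxy_pass: needs a trailing '/' to strip the subfolder")
    xfh = seen.get("header:X-Forwarded-Host", ["", ""])
    want = path.rstrip("/")
    if not xfh[-1].endswith(want):
        findings.append(f"X-Forwarded-Host: must end in {want} with no trailing '/'")
    size = " ".join(seen.get("client_max_body_size", []))
    if size.isdigit() and size != "0":
        findings.append(f"client_max_body_size {size}: bare number means bytes")
    return findings

# Constructed samples modelled on the thread's block (not a real deployment).
BROKEN = """location /onlyoffice/ {
    proxy_pass http://127.0.0.1:88;
    ProxyPassReverse https://seafile.domain.com/onlyoffice http://127.0.0.1:88/
    client_max_body_size 100;
    proxy_set_header X-Forwarded-Host $the_host/onlyoffice/;
}"""
FIXED = """location /onlyofficeds/ {
    proxy_pass http://127.0.0.1:88/;
    client_max_body_size 100M;
    proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;
}"""
```

`lint_location(BROKEN)` reports all five problems and `lint_location(FIXED)` returns an empty list.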

Compared to our original document, the method of deploying OnlyOffice in subdomain is more complicated and easily leads to config errors. The original document is also consistent with other solutions (integrating with MS Office online server and Collabora Online).

It is better to keep the original version. And leave this advanced method in the forum for reference.

How about some Apache love…

Thanks, didn’t know that. Was just testing the subfolder issue, not in connection with callbacks/editing yet. Changed it.

So I will change the documentation to show your original part for subdomain deployment and add a 2nd part below for subfolder deployment then.

Subfolder deployment is very easy and should be available, not just to the community. Finding this documentation anywhere in the net is difficult. I have had to search and put it together in collaboration with the OnlyOffice devs, so it would be a pity if we didn’t put it up to the server manual.

Can you please comment in Github what you mean exactly? This way we can work more efficiently and don’t need to talk around. :wink:

You are welcome to post the configuration for subfolder deployment. It seems way more complex with apache than it is with nginx. Please test your config before posting. :slight_smile:

I will add your config to the documentation once you got it working.

Please have a look here for an apache example:

Yes, this is better. Keep the original subdomain deployment as the first section. Then add subfolder deployment as second option. Our team will test subdomain installation when some code is changed and leave the subdomain deployment tested by the community.


Just finished, please check and publish.

We still need to figure out what to do with formats that OnlyOffice messes up, would it be possible for you to implement that one can define which formats to view only?

Something like

ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = True
ONLYOFFICE_APIJS_URL = "http{s}://{your Seafile server's domain or IP}/{your subfolder}/web-apps/apps/api/documents/api.js"
ONLYOFFICE_FILE_EXTENSION_READ_WRITE = ('doc', 'docx', 'ppt', 'pptx', 'xls', 'xlsx')
ONLYOFFICE_FILE_EXTENSION_READ = ('odt', 'fodt', 'odp', 'fodp', 'ods', 'fods')

I hope this might help


Thx, so the documentation has to be updated once my manual is out?
I think it’s easier to have mine publish first and then add this information.

Will it be merged with 6.1.1 stable?


@TMHBOFH @mdovey @shoeper
The manual was pulled. As it’s not perfect, please suggest changes, especially regarding the file extension.
https://manual.seafile.com/deploy/deploy/deploy/deploy/deploy/deploy/only_office.md#deployment-of-documentserver-via-subdomain

@daniel.pan
What happened to the path here? How many nested folders “deploy” are there?
Maybe https://getgrav.org/ could be an alternative to gitbook, it is also OpenSource and supports Markdown.
Additionally it looks way cleaner and nicer than Gitbook. :sunglasses:

Good example: https://docs.danami.com/warden/basics/install-debian-ubuntu

hi when i run

sudo docker run -i -t -d -p 88:80 onlyoffice/documentserver --restart=always --name oods

i get this error message

d92dc300d03b7202ce987a786eec3d4bb58aa252d5ce80712670725913411742
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"--restart=always\": executable file not found in $PATH".

However if i run

docker run -i -t -d -p 88:80 onlyoffice/documentserver

it seems to work without error

any idea why?

Update: i also tried

docker run -i -t -d -p 88:80 onlyoffice/documentserver --restart always

still same error

What distro? I tested this on Debian and Ubuntu, but it should be basically the same for CentOS.

You need the restart=always to have the image start with every machine boot automatically, otherwise you’ll have to start it manually all the time.
https://docs.docker.com/engine/admin/start-containers-automatically/

it's Ubuntu 16.04

finally this is what worked for me

docker run -dit -p 88:80 --restart always onlyoffice/documentserver

don't ask me why :grin:
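Why the flag order matters, as an added example that is not from the thread: `docker run` takes `[OPTIONS] IMAGE [COMMAND] [ARG...]`, so everything after the image name is handed to the container as its command, which is why Docker tried to execute `--restart=always`. The flag table below covers only the flags used in this thread, and `split_docker_run` is a name made up for this example.

```python
import shlex

# Flags from this thread that consume a separate value; -i, -t, -d take none.
TAKES_VALUE = {"-p", "--restart", "--name"}


def split_docker_run(cmdline: str):
    """Split `docker run [OPTIONS] IMAGE [COMMAND] [ARG...]` into its three parts."""
    argv = shlex.split(cmdline)
    i = argv.index("run") + 1
    options = []
    # Options are consumed only until the first token that is not a flag.
    while i < len(argv) and argv[i].startswith("-"):
        options.append(argv[i])
        if argv[i] in TAKES_VALUE and i + 1 < len(argv):
            i += 1
            options.append(argv[i])  # the flag's value, e.g. 88:80
        i += 1
    image = argv[i] if i < len(argv) else None
    # Whatever follows the image becomes the command run inside the container.
    return options, image, argv[i + 1:]


# Command lines quoted in the thread.
FAILING = ("sudo docker run -i -t -d -p 88:80 onlyoffice/documentserver "
           "--restart=always --name oods")
WORKING = "docker run -dit -p 88:80 --restart always onlyoffice/documentserver"
```

For `FAILING` the third element is `['--restart=always', '--name', 'oods']`, matching the `exec: "--restart=always"` error; for `WORKING` it is empty and `--restart always` lands among the options.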