I have Seafile Server installed in a docker environment, works great. The subdomain I use for that is secured with SSL and HSTS.
I have OnlyOffice installed as well, solely for the purpose of editing office files in the Seafile environment. I have setup the link from Seafile to connect to the OnlyOffice server (running in docker). This is working well.
I am using Nginx Proxy Manager to manage the secure forwarding of subdomains. Both the Seafile and OnlyOffice subdomains are configured to point to the correct server at the backend. In Nginx Proxy Manager I have for both subdomains SSL certificates.
Everything is working, until I switch on HSTS on the OnlyOffice subdomain in the Nginx Proxy Manager. Then, whenever I open an office document in Seafile, I will have a message: “To protect your security, [onlyoffice subdomain] will not allow Firefox to display the page if another site has embedded it.”
Any clue why this is the case, and what I can do to fix this? It seems that the option ‘X-Frame-Options’ being set to ‘sameorigin’ may be the reason why Firefox does not allow it.
Another way I guess is that I may have to move to a direct Nginx environment to get more configuration options.
You can run your site through https://securityheaders.com to confirm if it has the X-Frame-Options headers already. Or you can see that if you load the site, hit F12, go to network tab, F5 to refresh the site, click on one of the items here with a “status” of 200, and look at the headers on the right side.
I’m no expert, but I believe this same message can also happen because of the settings in the content-security-policy header.
I don’t know anything about npm, but there’s probably a place in there to put in nginx config options to have it build them into the nginx config it generates.
I am indeed trying to secure the onlyoffice subdomain, and using security headers to check the situation. And indeed the solution lies in the correct configuration of the Nginx Proxy Manager (NPM) reverse proxy.
I am running the onlyoffice service on another subdomain. Within Seafile, document preview is done by loading onlyoffice inside a frame within the seafile subdomain, so setting the X-Frame-Options "SAMEORIGIN" will mess that up. And unfortunately it is not so evident how to get this fixed in NPM.
I got it working using NPM, security headers now give A+ and previews are working as expected!
Since there may be more people running Seafile with OnlyOffice, both on their own subdomain behind NPM as reverse proxy: assuming integration between the two works, but you’re not getting the A+ security headers, NPM is the culprit, and this is what I’ve done. I got it working with information from these NPM discussions:
In NPM, for the proxy host for the onlyoffice subdomain, I switched off the ‘toggle’ for HSTS and added the security headers manually by adding a custom location ‘/’ and adding the headers directly under advanced configuration, explicitly removing
add_header X-Frame-Options "SAMEORIGIN";
and adding the following line (I’ve changed the source to seafile.example.com here below, but obviously you should put the source to be the Seafile subdomain, since that is the calling parent):
So for that specific proxy with NPM the custom location looks like this:
The HSTS toggles are no longer needed, since we will add this ourselves manually as below (leaving the toggle on will give duplicate entries in the header, which may mess up a browser; you get warnings on securityheaders.com for this).
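As an added illustration (not part of this thread or of NPM), the check below reproduces offline what the dev-tools / securityheaders.com inspection above tells you: given the headers a proxy returns for the OnlyOffice subdomain, would a browser let the Seafile subdomain embed it in an iframe, and is Strict-Transport-Security being sent twice? The origins and header sets are constructed; it assumes the documented browser rule that a CSP frame-ancestors directive, when present, takes precedence over X-Frame-Options.

```python
# Constructed example: evaluate anti-framing and HSTS headers the way a
# CSP2-capable browser does, for an iframe embedded across subdomains.
from fnmatch import fnmatch
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # repeated names allowed, as on the wire


def _values(headers: Headers, name: str) -> List[str]:
    return [v.strip() for n, v in headers if n.lower() == name.lower()]


def frame_ancestors(headers: Headers) -> List[str]:
    """Return the frame-ancestors source list from CSP, or [] if absent."""
    for csp in _values(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return []


def framing_allowed(headers: Headers, framed: str, parent: str) -> bool:
    """Would `parent` (e.g. https://seafile.example.com) be allowed to
    embed `framed` (e.g. https://onlyoffice.example.com) in an iframe?

    If frame-ancestors is present, browsers ignore X-Frame-Options, so the
    CSP directive is checked first; otherwise X-Frame-Options decides.
    """
    sources = frame_ancestors(headers)
    if sources:
        for src in sources:
            src = src.strip("'").lower()
            if src == "none":
                return False
            if src == "self" and parent == framed:
                return True
            # host-source, optionally with a leading "*." wildcard label
            if fnmatch(parent.lower(), src) or fnmatch(parent.lower(), f"https://{src}"):
                return True
        return False
    xfo = {v.upper() for v in _values(headers, "X-Frame-Options")}
    if "DENY" in xfo:
        return False
    if "SAMEORIGIN" in xfo:
        return parent == framed  # two subdomains are two different origins
    return True  # no anti-framing header at all


def duplicate_hsts(headers: Headers) -> bool:
    """True when Strict-Transport-Security appears more than once (the
    'toggle on plus manual add_header' situation described above)."""
    return len(_values(headers, "Strict-Transport-Security")) > 1
```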
Would you mind sharing some more details for your setup? I’ve been trying to get OnlyOffice and Seafile integration on my server but haven’t had any luck. Every time I open a document in Seafile it loads a blank white screen.
Hi! Sorry for this late reply. I am not frequently visiting the forum.
One thing I have done to make OnlyOffice integrate with Seafile is to also add a (https) available via NPM, so OnlyOffice is also accessible from the outside. After I did that I was able to get it working.
I am not sure if you have found a solution already, but if you are still trying to get it working, I can dive a bit deeper into my setup. As with most of my stuff, I have it set and forget (of course with keeping things up to date).
I was able to get it working thankfully. I don’t remember what my original issue was, but getting my SSL certs copied over from NPM to OnlyOffice was definitely needed. I wasn’t able to get it to work over http on my LAN.
Even though I struggled quite a bit the documentation is actually pretty good and I think it covered everything required.
Not really. As @faethon said, you can proxy OO as well; that way the TLS termination is done by the reverse proxy and you don’t have to configure OO itself to do it.