OnlyOffice say "Download failed"

kt368 · June 16, 2018, 1:18pm

Hello

I’m trying to configure OnlyOffice via subfolder. My setup: Centos 7, Seafile 6.2, Nginx 1.10.2, https with letsencrypt, Server behind the router.

I’ve followed by official instruction, /onlyofficeds/welcome/ say that “Document Server is running”, but when I try to open seafile-tutorial.doc I see “Download failed”. I saw logs in docker container:

cat /var/log/onlyoffice/documentserver/converter/out.log
[2018-06-16 12:51:38.683] [ERROR] nodeJS - error downloadFile:url=https://kt368.ddns.info/seafhttp/files/4433877f-f6fb-45d0-acae-0f5e71be44c2/seafile-tutorial.doc;attempt=3;code:ECONNREFUSED;connect:undefined;(id=df516d1e278383c4beff)
Error: connect ECONNREFUSED 93.170.55.210:443
    at Object.exports._errnoException (util.js:1020:11)
    at exports._exceptionWithHostPort (util.js:1043:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1099:14)

But, if I try to download file seafile-tutorial.doc manually using browser, using mentioned URL https://kt368.ddns.info/seafhttp/files/4433877f-f6fb-45d0-acae-0f5e71be44c2/seafile-tutorial.doc it downloading successfully.

This is config files:

cat ccnet.conf
[General]
USER_NAME = SweetHome
ID = 1d38ae3e49eb6746c3c1a46e7e6cb8687dcc104b
NAME = SweetHome
SERVICE_URL = https://kt368.ddns.info
[Client]
PORT = 13419
[Database]
ENGINE = mysql
HOST = 127.0.0.1
PORT = 3306
USER = seafile
PASSWD = seafile
DB = ccnet-db
CONNECTION_CHARSET = utf8

cat seahub_settings.py
SECRET_KEY = "j*3@*kpg##+$q9e2h3vx$)tkpqq2+=zp2v*ul6pj*g#koc+dg@"
HTTP_SERVER_ROOT = 'https://kt368.ddns.info/seafhttp'
FILE_SERVER_ROOT = 'https://kt368.ddns.info/seafhttp'
ENABLE_VIDEO_THUMBNAIL = True
THUMBNAIL_VIDEO_FRAME_TIME = 5
THUMBNAIL_ROOT = '/mnt/D/Documents/seafile/seafile-pro-server-6.2.13/seahub-data/thumbnail/thumb/'
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'seahub-db',
        'USER': 'seafile',
        'PASSWORD': 'seafile',
        'HOST': '127.0.0.1',
        'PORT': '3306'
    }
}

ENABLE_ONLYOFFICE = True
VERIFY_ONLYOFFICE_CERTIFICATE = False
ONLYOFFICE_APIJS_URL = 'https://kt368.ddns.info/onlyofficeds/web-apps/apps/api/documents/api.js'
ONLYOFFICE_FILE_EXTENSION = ('doc', 'docx', 'ppt', 'pptx', 'xls', 'xlsx', 'odt', 'fodt', 'odp', 'fodp', 'ods', 'fods')
ONLYOFFICE_EDIT_FILE_EXTENSION = ('docx', 'pptx', 'xlsx')

cat /etc/nginx/conf.d/seafile.conf
server {
        listen       80;
        server_name  kt368.ddns.info;
        rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
        server_tokens off;
    }

server {
        listen 443 http2;
        listen [::]:443 http2;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/kt368.ddns.info/fullchain.pem;        # path to your cacert.pem
        ssl_certificate_key /etc/letsencrypt/live/kt368.ddns.info/privkey.pem;    # path to your privkey.pem
        server_name  kt368.ddns.info;
        proxy_set_header X-Forwarded-For $remote_addr;
        server_tokens off;

    location / {
        fastcgi_pass    127.0.0.1:8000;
        fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
        fastcgi_param   PATH_INFO           $fastcgi_script_name;

        fastcgi_param   SERVER_PROTOCOL     $server_protocol;
        fastcgi_param   QUERY_STRING        $query_string;
        fastcgi_param   REQUEST_METHOD      $request_method;
        fastcgi_param   CONTENT_TYPE        $content_type;
        fastcgi_param   CONTENT_LENGTH      $content_length;
        fastcgi_param   SERVER_ADDR         $server_addr;
        fastcgi_param   SERVER_PORT         $server_port;
        fastcgi_param   SERVER_NAME         $server_name;
        fastcgi_param   REMOTE_ADDR         $remote_addr;
        fastcgi_param   HTTPS               on;
        fastcgi_param   HTTP_SCHEME         https;

        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        fastcgi_read_timeout 36000;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
        proxy_request_buffering off;
    }

    location /media {
        root /mnt/D/Documents/seafile/seafile-server-latest/seahub;
    }
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /mnt/D/Documents/seafile/certbot-webroot;
    }
    location /onlyofficeds/ {

        proxy_pass http://127.0.0.1:88/;

        proxy_http_version 1.1;
        client_max_body_size 100M; # Limit Document size to 100MB
        proxy_read_timeout 3600s;
        proxy_connect_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $proxy_connection;

        proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;

        proxy_set_header X-Forwarded-Proto $the_scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

map $http_x_forwarded_host $the_host {
        default $http_x_forwarded_host;
        "" $host;
    }

map $http_upgrade $proxy_connection {
        default upgrade;
        "" close;
    }

bionade24 · June 16, 2018, 2:27pm

You should move from fastcgi to proxy_pass like described in the manual. You can’t steer OnlyOffice with fastcgi.

kt368 · June 17, 2018, 11:47am

Okay, I’ve move from fastcgi to proxy_pass, but when I try open seafile-tutorial.doc, I does not matter see error “Download failed.” it’s my new nginx config and converter error log files:

cat seafile.conf
server {
    listen 80;
    server_name  kt368.ddns.info;
    rewrite ^ https://$http_host$request_uri? permanent;    # force redirect http to https
    server_tokens off;
}

server {
    listen 443 http2;
    listen [::]:443 http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/kt368.ddns.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/kt368.ddns.info/privkey.pem;
    server_name kt368.ddns.info;
    proxy_set_header X-Forwarded-For $remote_addr;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto https;
        access_log      /var/log/nginx/seahub.access.log;
        error_log       /var/log/nginx/seahub.error.log;
        proxy_read_timeout  1200s;
        client_max_body_size 0;
    }

    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout  36000s;
        proxy_read_timeout  36000s;
        proxy_send_timeout  36000s;
        send_timeout  36000s;
        proxy_request_buffering off;
    }

    location /media {
        root /mnt/D/Documents/seafile/seafile-server-latest/seahub;
    }
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /mnt/D/Documents/seafile/certbot-webroot;
    }
    location /onlyofficeds/ {
        # THIS ONE IS IMPORTANT ! - Trailing slash !
        proxy_pass http://127.0.0.1:88/;
        proxy_http_version 1.1;
        client_max_body_size 100M; # Limit Document size to 100MB
        proxy_read_timeout 3600s;
        proxy_connect_timeout 3600s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $proxy_connection;
        # THIS ONE IS IMPORTANT ! - Subfolder and NO trailing slash !
        proxy_set_header X-Forwarded-Host $the_host/onlyofficeds;
        proxy_set_header X-Forwarded-Proto $the_scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

map $http_x_forwarded_proto $the_scheme {
        default $http_x_forwarded_proto;
        "" $scheme;
    }

map $http_x_forwarded_host $the_host {
        default $http_x_forwarded_host;
        "" $host;
    }

map $http_upgrade $proxy_connection {
        default upgrade;
        "" close;

This is converter out.log from docker:

cat documentserver/converter/out.log
[2018-06-17 11:35:30.290] [ERROR] nodeJS - dnsLookup error: hostname = kt368.ddns.info
Error: getaddrinfo EAI_AGAIN
    at Object.exports._errnoException (util.js:1020:11)
    at errnoException (dns.js:33:15)
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:76:26)
[2018-06-17 11:35:30.291] [ERROR] nodeJS - checkIpFilter error:url=https://kt368.ddns.info/seafhttp/files/57dfa2e8-90ea-49ea-bc51-9e591d74b200/seafile-tutorial.doc;code:401;(id=df516d1e278383c4beff)

Looks like onlyoffice server can’t resolve my seahub domain name?

kt368 · June 17, 2018, 6:25pm

I try check name resolve inside docker container, simple curl from some web site. And domain name wasn’t resolved. Then I try check
cat /etc/resolv.conf
And I see, that container try to use IP of host machine as DNS server. But, there is no DNS server at this host, DNS server situated at my home router.

How I can configure docker, for using correct DNS server?

mercury · June 17, 2018, 7:17pm

To specify DNS in the installation of the OnlyOffice container use the following form:

docker run -dit -p 88:80 --dns=80.80.80.80 --restart always --name oods onlyoffice/documentserver

substituting --dns as required. Apparently OnlyOffice uses Google 8.8.8.8 by default.

More on DNS and OnlyOffice in Seafile can be found here and here.

See Container Networking (DNS services) for more on configuring DNS with Docker containers.

I hope this helps.

kt368 · June 18, 2018, 7:08am

Problem with dns was caused by disabled firewalld at host machine (it was disabled for test purposes when I’ve configured proxy_pass).
OK, domain names are resolving correctly now.
Second trouble: now from docker container I can’t wget any file, for example

root@8bb78e54091d:/tmp# wget http://atola.com/img/tf/forensic-imager-shadow-2000.jpg
--2018-06-18 05:06:34--  http://atola.com/img/tf/forensic-imager-shadow-2000.jpg
Resolving atola.com (atola.com)... 104.24.19.51, 104.24.18.51
Connecting to atola.com (atola.com)|104.24.19.51|:80... failed: Connection refused.
Connecting to atola.com (atola.com)|104.24.18.51|:80... failed: Connection refused.
root@8bb78e54091d:/tmp#

But from host machine this file file is downloading thru wget correctly:

[root@SweetHome tmp]# wget http://atola.com/img/tf/forensic-imager-shadow-2000.jpg
--2018-06-18 08:05:16--  http://atola.com/img/tf/forensic-imager-shadow-2000.jpg
Resolving atola.com (atola.com)... 104.24.18.51, 104.24.19.51
Connecting to atola.com (atola.com)|104.24.18.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 276914 (270K) [image/jpeg]
Saving to: ‘forensic-imager-shadow-2000.jpg’

100%[===================================================================================================================================================================================================>] 276,914     --.-K/s   in 0.02s

2018-06-18 08:05:16 (10.9 MB/s) - ‘forensic-imager-shadow-2000.jpg’ saved [276914/276914]

[root@SweetHome tmp]#

Also I can’t find ping, yum or traceroute in container, so I can’t try to ping from container. I’ve find only nc, so I tried to nc SSH port of my home router, thet is between host machine and internet:

root@8bb78e54091d:/tmp# nc -nv 192.168.1.1 22
(UNKNOWN) [192.168.1.1] 22 (ssh) open
SSH-2.0-dropbear
        ▒2▒w▒/֟q▒>mcurve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.aussh-rsaaes128-ctr,aes256-ctraes128-ctr,aes256-ctrhmac-sha1,hmac-sha2-256hmac-sha1,hmac-sha2-256nonenone▒▒Ŗg"p4^C
root@8bb78e54091d:/tmp#

But nc of internet IP return Connection refused

root@8bb78e54091d:/tmp# nc -nv 91.198.36.14 443
(UNKNOWN) [91.198.36.14] 443 (https) : Connection refused
root@8bb78e54091d:/tmp#

Again, this IP is accesseble from host machine:

[root@SweetHome ~]# nc -nv 91.198.36.14 443
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 91.198.36.14:443.
^C
[root@SweetHome ~]#

How to figure, why I can’t acces internet from docker?

kt368 · June 23, 2018, 4:18am

I’ve solved this problem!
The error was caused by wrong iptables rule, that I was added before. Removing that rule fixed all problems with OnlyOffice.