I don’t know how to do such a thing, as I’d like this to be added to the Seafile server (seahub) config. The server pushes the secret key to the doc server when opening a document, right?
@daniel.pan @xiez
Can you please have a look at this? Right now document servers must be available publicly so others don’t use them.
This is far from good.
@daniel.pan @xiez
I have had a look at this. It does not seem to be that complex and should be minor to implement, increasing the security for all OnlyOffice document servers a lot.
@daniel.pan Any updates to this?
I’ve got the integration setup with OnlyOffice but cannot enable the OnlyOffice service until this security hole is patched.
Hello, when I learned more about OnlyOffice, I found this; maybe it will meet your need without changing Seafile code (or wait for the future version).
Hello!
Later we will implement a more advanced solution, JWT, and inform you about it.
In the current version of DS you may restrict access from alternative file storages by editing the Document Server configuration file /etc/onlyoffice/documentserver/default.json. Find the section 'filter' and change it to look like the following:
```json
    "rules": [
      {
        "address": "IP_or_DN",
        "allowed": true
      },
      {
        "address": "*",
        "allowed": false
      }
    ],
    "useforrequest": true,
    "errorcode": 403
}
```
After editing the configuration file, use the command 'supervisorctl restart all'.
As you are using the Docker version, first enter the container with 'docker exec -it container_ID /bin/bash' and then perform the previously mentioned operations.
Thank you for the interest in ONLYOFFICE.
And we will look into the JWT token solution later if it is necessary.
Thanks for the info, but it is necessary to implement the token solution. Changing the code inside the Docker containers is not a solution and could become incompatible at any time.
There are updates for the Docker images, and they are replaced entirely for the document server. Messing with the code is not a good idea.
I have tested editing the .json file in the Docker image, and whilst it does seem to work, like @DerDanilo says, this isn’t a supported change of config to the container, and any future update may alter this, leaving the deployment open again without any notification.
The Docker container for the OnlyOffice document server has recently been updated, and the unsupported work-around described here breaks the server after the update.
The web token is the only supported way of securing the server.
The PR linked above is now outdated. Is there any interest in reviving it?
Right now, anyone can open a document for viewing and switch to editing, or guess the key (it’s computed from public information) and connect directly to OnlyOffice. Moreover, it’s easy for a user to change their username. These are rather big security flaws.
Please have a look at this blog post. It might be helpful. It is a German blog post - just have Chrome do the translation for you and I guess you will get the idea.
I don’t think that this really does the trick.
Most users use the recommended way with Docker and an nginx reverse proxy. If you now limit OnlyOffice to 127.0.0.1 or a domain, it’s still exposed, because the reverse proxy itself can still access it (and there is no way to change this, because the user has to access the server).
You can only limit access if the OnlyOffice and Seafile servers share a private secret.
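The shared-secret mechanism this thread converges on, shown as an added example that is not Seafile's or ONLYOFFICE's code: the integration signs the editor config with an HMAC-SHA256 JWT using a secret only it and the Document Server know, and the Document Server refuses any config whose signature does not verify. The example assumes ONLYOFFICE's convention that the whole editor config is the JWT payload signed with HS256; the secret, document key, URL, user and field values are constructed for illustration. It uses only the standard library, so it runs offline, and it shows the two attacks from the thread failing: a user flipping `mode` from `view` to `edit` in the browser, and an outsider who can reach the Document Server but does not hold the secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret: both the integration (seahub side) and the Document Server
# must hold it; without it nobody can mint a token the server will accept.
SHARED_SECRET = b"replace-with-a-long-random-secret"

# Constructed sample editor config, as the integration would hand it to the browser.
VIEW_CONFIG = {
    "document": {"key": "doc-key-example", "url": "https://seafile.example/onlyoffice/file"},
    "editorConfig": {"mode": "view", "user": {"id": "u1", "name": "alice"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_config(config: dict, secret: bytes = SHARED_SECRET) -> str:
    """Integration side: HS256-sign the editor config; the config is the JWT payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(config, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SHARED_SECRET):
    """Document Server side: return the payload only if the signature verifies.
    Only HS256 is accepted, so an 'alg': 'none' token is rejected before any HMAC check."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        # Constant-time comparison so the check leaks nothing about the expected tag.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        return payload if isinstance(payload, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None


def authorize_open(token: str, secret: bytes = SHARED_SECRET) -> str:
    """Decide an open request from the signed fields only, never from what the browser claims."""
    payload = verify_token(token, secret)
    if payload is None:
        return "rejected"
    editor = payload["editorConfig"]
    return f"{editor['mode']} as {editor['user']['name']}"


def tamper_mode(token: str, new_mode: str) -> str:
    """Simulate a browser user rewriting the config (view -> edit) without the secret:
    the payload changes but the signature cannot be recomputed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["editorConfig"]["mode"] = new_mode
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def demo() -> dict:
    """Genuine token is honoured; tampered, wrong-secret and alg=none tokens are refused."""
    token = sign_config(VIEW_CONFIG)
    none_header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    none_token = f"{none_header}.{token.split('.')[1]}."
    return {
        "genuine": authorize_open(token),
        "tampered_to_edit": authorize_open(tamper_mode(token, "edit")),
        "wrong_secret": authorize_open(sign_config(VIEW_CONFIG, b"guess")),
        "alg_none": authorize_open(none_token),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point relevant to the reverse-proxy discussion above is that nothing here depends on where the request comes from: the proxy, 127.0.0.1 and the public internet are all treated the same, and only possession of the secret distinguishes the integration from an attacker. In a real deployment the secret is set once on both sides (for the Document Server via its configuration, for Seafile in its server config) rather than hard-coded as in this example.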