OnlyOffice Secret


#1

Hello,
I am trying to integrate OnlyOffice with Seafile Pro but I have a question.

I am running OnlyOffice with a secret key in order to secure the OnlyOffice server so other people will not be able to use my installation.

I read this manual page but it doesn’t include any information about secret key. How can I add it?

Thank you


#2

Can anyone help?


#3

I don’t know how to do such thing, as I’d like this to be added to the Seafile server(seahub) config. The server pushes the secret key to the doc server when opening a document right?

@daniel.pan @xiez
Can you please have a look at this? Right now document servers must be available publicly so others don’t use them.
This is far from good. :frowning:


#4

Yeah, everyone that is using onlyoffice with seafile, has an opened document server to the world. This means everyone can use it.


#5

@daniel.pan @xiez
I have had a look at this. Does not seem to be that complex and should be minor to implement, increasing the security for all onlyoffice document servers a lot.

Can you please add this to the patch of 6.2.3?

Thanks!


#6

We will add it in our roadmap.


#7

@daniel.pan

I hope this can help you to implement this feature. It will be nice to have this function in next release.

Best Regards


#8

Thank you very much. We will review the code.


#9

Was this implementation merged into the stable branch already? Manual content updated?


#10

We are reviewing the code currently.


#11

@daniel.pan Any updates to this?
I’ve got the integration setup with OnlyOffice but cannot enable the OnlyOffice service until this security hole is patched.

Thanks.


#12

This is on our plan list. But I’m sorry it is still delayed by other urgent fix tasks.


#13

Hello, when I learned more about OnlyOffice, I found this, maybe it will meet your need without change Seafile code (or wait for the future version).

Hello!
Later we will implement a more advanced solution JWT and inform you about it.
In the current version of DS you may restrict access from alternative file storages by editing Document Server configuration file /etc/onlyoffice/documentserver/default.json. Find the section 'filter' and change it to the following look :

                   "rules": [
                     {
                       "address": "IP_or_DN",
                       "allowed": true
                     },
                     {
                       "address": "*",
                       "allowed": false
                     }
                   ],
                   "useforrequest": true,
                   "errorcode": 403
                 }
After editing configuration file use the command 'supervisorctl restart all'.
As you are using Docker version at first enter the container with 'docker exec -it container_ID /bin/bash' and then perform previously mentioned operations.
Thank you for the interest in ONLYOFFICE.

And we will look into the JWT token solution later if it is necessary.


#14

Thanks for the info but it is necessary to implement the token solution. Changing the code inside the docker containers is not a solution and could be incompatible any time.
There are updates for the docker images and they are replaced entirely for the document server. Messing with the code is not a good idea. :expressionless:


#15

Good hint. I will try to implement and test the token solution, if everything goes well, you will see it in the next version.


#16

That’s awesome thank you! :smiley:

I have tested editing the .json file in the docker image, and whilst it does seem to work, like @DerDanilo says, this isn’t a supported change of config to the container and any future update may alter this leaving the deployment open again without any notification.

JWT would be awesome to see, cheers @lian !


#17

@daniel.pan @lian

The docker container for onlyoffice document server has recently been updated, and the unsupported work-around described here breaks the server after the update.

The web token is the only supported way of securing the server.


Seafile server 6.3 is ready for testing! A WYSIWYG Markdown editor and more
#18

The PR linked above is now outdated. Is there any interest in reviving it?

Right now, anyone can open a document for viewing and switch to editing, or guess the key (it’s computed from public information) and connect directly to OnlyOffice. Moreover, it’s easy for a user to change their username. These are rather big security flaws.


#19

Please have a look at this blog post. It might be helpful. It is a German blog post - just have Chrome do the translation for you and I guess you will get the idea.


#20

i dont think that this really does the trick.
Most users uses the recommended way with docker and nginx reverse proxy, If you now limit the onlyoffice to 127.0.0.1 or a domain its still exposed because the reverse proxy itself can still access it (and there is no way to change this because the user has to access the server).
you can only limit access if the onlyoffice and seafile server share a private secret.