OnlyOffice Secret


#1

Hello,
I am trying to integrate OnlyOffice with Seafile Pro but I have a question.

I am running OnlyOffice with a secret key in order to secure the OnlyOffice server so other people will not be able to use my installation.

I read this manual page but it doesn’t include any information about secret key. How can I add it?

Thank you


#2

Can anyone help?


#3

I don’t know how to do such a thing, as I’d like this to be added to the Seafile server (seahub) config. The server pushes the secret key to the doc server when opening a document, right?

@daniel.pan @xiez
Can you please have a look at this? Right now document servers must be available publicly so others don’t use them.
This is far from good. :frowning:


#4

Yeah, everyone who is using onlyoffice with seafile has a document server open to the world. This means everyone can use it.


#5

@daniel.pan @xiez
I have had a look at this. Does not seem to be that complex and should be minor to implement, increasing the security for all onlyoffice document servers a lot.

Can you please add this to the patch of 6.2.3?

Thanks!


#6

We will add it in our roadmap.


#7

@daniel.pan

I hope this can help you to implement this feature. It will be nice to have this function in next release.

Best Regards


#8

Thank you very much. We will review the code.


#9

Was this implementation merged into the stable branch already? Manual content updated?


#10

We are reviewing the code currently.


#11

@daniel.pan Any updates to this?
I’ve got the integration setup with OnlyOffice but cannot enable the OnlyOffice service until this security hole is patched.

Thanks.


#12

This is on our plan list. But I’m sorry it is still delayed by other urgent fix tasks.


#13

Hello, when I learned more about OnlyOffice, I found this; maybe it will meet your need without changing Seafile code (or wait for the future version).

Hello!
Later we will implement a more advanced solution JWT and inform you about it.
In the current version of DS you may restrict access from alternative file storages by editing the Document Server configuration file /etc/onlyoffice/documentserver/default.json. Find the section 'filter' and change it to look like the following (only the listed address is allowed; every other address is rejected with the configured error code):

                 "filter": {
                   "rules": [
                     {
                       "address": "IP_or_DN",
                       "allowed": true
                     },
                     {
                       "address": "*",
                       "allowed": false
                     }
                   ],
                   "useforrequest": true,
                   "errorcode": 403
                 }
After editing configuration file use the command 'supervisorctl restart all'.
As you are using the Docker version, first enter the container with 'docker exec -it container_ID /bin/bash' and then perform the previously mentioned operations.
Thank you for the interest in ONLYOFFICE.

And we will look into the JWT token solution later if it is necessary.


#14

Thanks for the info, but it is necessary to implement the token solution. Changing the code inside the docker containers is not a solution and could become incompatible at any time.
There are updates for the docker images and they are replaced entirely for the document server. Messing with the code is not a good idea. :expressionless:


#15

Good hint. I will try to implement and test the token solution; if everything goes well, you will see it in the next version.


#16

That’s awesome thank you! :smiley:

I have tested editing the .json file in the docker image, and whilst it does seem to work, like @DerDanilo says, this isn’t a supported change of config to the container and any future update may alter this leaving the deployment open again without any notification.

JWT would be awesome to see, cheers @lian !


#17

@daniel.pan @lian

The docker container for onlyoffice document server has recently been updated, and the unsupported work-around described here breaks the server after the update.

The web token is the only supported way of securing the server.

