OnlyOffice
For Nextcloud
The OnlyOffice server runs as a Docker service for office.happyngreen.fr (the link leads to an information page, as the server is not designed for direct access).
Docker Compose
Here is the Docker Compose file currently used to run the service. The setup is minimal and only supports Nextcloud (no DB...).

    services:
      onlyoffice-document-server:
        image: onlyoffice/documentserver:latest
        container_name: onlyoffice-document-server
        restart: always
        environment:
          # Requests to the Document Server must carry a JWT signed with the shared secret
          JWT_ENABLED: "true"
          # Read from the .env file next to this compose file
          JWT_SECRET: ${ONLYOFFICE_JWT_SECRET}
          JWT_HEADER: Authorization
          JWT_IN_BODY: "true"
        volumes:
          - /mnt/data/office/Data:/var/www/onlyoffice/Data
          # Container logs end up in the host's /var/log/documentserver;
          # note that this mount exposes the whole host /var/log to the container
          - /var/log:/var/log/onlyoffice
          # Cache on the SSD
          - /var/cache/onlyoffice:/var/lib/onlyoffice/documentserver/App_Data/cache
        networks:
          - office
        labels:
          - "traefik.enable=true"
          - "traefik.docker.network=office"
          - "traefik.http.routers.office.entrypoints=web"
          - "traefik.http.routers.office.rule=Host(`${ONLYOFFICE_DOMAIN}`)"
          # Workaround a bug in OnlyOffice, see the issue tracker: https://github.com/ONLYOFFICE/DocumentServer/issues/2186
          - "traefik.http.middlewares.onlyoffice_redirect_http2https_header.headers.contentSecurityPolicy=upgrade-insecure-requests"
          - "traefik.http.routers.office.middlewares=onlyoffice_redirect_http2https_header,redirect-to-https@docker"
          - "traefik.http.routers.office-secure.entrypoints=web-secure"
          - "traefik.http.routers.office-secure.rule=Host(`${ONLYOFFICE_DOMAIN}`)"
          - "traefik.http.routers.office-secure.middlewares=onlyoffice_redirect_http2https_header"
          - "traefik.http.routers.office-secure.service=office-secure"
          - "traefik.http.services.office-secure.loadbalancer.server.port=80"

    networks:
      office:
        name: office
        driver: bridge
The secret is set in the corresponding .env file (the value is stored in Bitwarden), alongside the site URL. A JSON Web Token (JWT) is used to allow Nextcloud to use the OnlyOffice service. For the volumes, the cache is placed on the SSD to improve performance, while the logs are sent to the regular /var/log, into a documentserver directory.
Beware: a specific Traefik setup is needed to keep the browser from raising a mixed content error (HTTP resources in an HTTPS page).
As usual, port 80 is redirected to 443, but in addition the contentSecurityPolicy header is set to upgrade-insecure-requests on both routers to force the HTTPS protocol.
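The following check is an added example, not part of the original setup: it reads the Traefik labels and JWT variables from the compose file above and reports any router that does not chain the upgrade-insecure-requests middleware, as well as a disabled or hard-coded JWT secret. The function names and the embedded label list (a shortened copy of the labels above) are assumptions made for the illustration.

```python
import re

# Shortened copy of the labels and environment from the compose file above.
LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.office.entrypoints=web",
    "traefik.http.middlewares.onlyoffice_redirect_http2https_header.headers.contentSecurityPolicy=upgrade-insecure-requests",
    "traefik.http.routers.office.middlewares=onlyoffice_redirect_http2https_header,redirect-to-https@docker",
    "traefik.http.routers.office-secure.entrypoints=web-secure",
    "traefik.http.routers.office-secure.middlewares=onlyoffice_redirect_http2https_header",
]
ENVIRONMENT = {"JWT_ENABLED": "true", "JWT_SECRET": "${ONLYOFFICE_JWT_SECRET}"}

ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
CSP_RE = re.compile(
    r"^traefik\.http\.middlewares\.([^.]+)\.headers\.contentSecurityPolicy$", re.I)


def routers_missing_csp_upgrade(labels):
    """Return the sorted names of routers that do not chain a middleware
    setting Content-Security-Policy: upgrade-insecure-requests."""
    routers, csp_middlewares = {}, set()
    for label in labels:
        key, _, value = label.partition("=")
        m = CSP_RE.match(key)
        if m and "upgrade-insecure-requests" in value:
            csp_middlewares.add(m.group(1))
            continue
        m = ROUTER_RE.match(key)
        if m:
            chained = routers.setdefault(m.group(1), set())
            if m.group(2) == "middlewares":
                # Drop the provider suffix ("name@docker") before comparing.
                chained.update(n.strip().split("@")[0] for n in value.split(","))
    return sorted(r for r, mws in routers.items() if not mws & csp_middlewares)


def jwt_problems(env):
    """Flag a disabled JWT check or a secret written literally in the file."""
    problems = []
    if str(env.get("JWT_ENABLED", "")).lower() != "true":
        problems.append("JWT_ENABLED is not true")
    if not re.fullmatch(r"\$\{\w+\}", str(env.get("JWT_SECRET") or "")):
        problems.append("JWT_SECRET is empty or hard-coded")
    return problems


if __name__ == "__main__":
    print(routers_missing_csp_upgrade(LABELS), jwt_problems(ENVIRONMENT))
```

An empty list from both functions means every router sends the header and the secret is still supplied through the .env file.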