Nextcloud and OnlyOffice on Ubuntu 20.04 LTS

Author: Paul Sueno
Created: 9/25/2021

 

Set up a private document server with seamless integration of productivity apps, built on Ubuntu 20 modified LEMP stack.

This tutorial will show you how to set up Nextcloud v21 and build OnlyOffice on top of that. It allows you to store whatever documents you want and have access to it wherever the internet is available. We will use this as a backend for a suite of free productivity software called OnlyOffice. This is like having your own Google Documents or MS Office 365 and having full control over it. Our user access will be based on emails, authenticated by Dovecot IMAP through a PostgreSQL database of virtual users. In other words, you will have your own web-based private document server. Both Nextcloud and OnlyOffice have paid versions of their products. This tutorial will show you how to set up the free versions.

If you haven't already:

If you're looking for the older version, go to the Ubuntu 18.04 version of the blog.

Nextcloud and OnlyOffice minimum requirements

Ever worry about having a handful of global companies have control over your documents? You wouldn't be reading this if you haven't thought of it. You can read more about the Nextcloud document server and OnlyOffice productivity suite on their sites.

Before we get going with installing these services, your server (I recommend cloud based) should meet OnlyOffice's minimum requirements. The information is below is accurate as of the time of writing this blog.

  • CPU single core 2 GHz or better
  • RAM 2 GB or more
  • HDD at least 40 GB of free space
  • Additional requirements at least 4 GB of swap

If you followed along in my tutorial, you probably selected Linode's Nanode. However, this won't meet the requirements. You may have to update your cloud server product to meet the requirement. You may also have to adjust your storage partitions to match the 4 GB swap minimum requirement.

Set up Let's Encrypt TLS and Nginx

As with the other web apps installed in some of the other tutorials on my site, I use Nginx virtual hosts and subdomains for my registered domain. I will do the same for Nextcloud and OnlyOffice. For the document server, I will use the subdomain drive; for the productivity suite, I will use apps. To be consistent with my tutorials, the FQDN would be drive.domain.com and apps.domain.com. Be sure to replace your own registered domain for domain.com. Remember this, because I won't be consistent with my reminders later on.

At this time, these subdomains should be added to your DNS name registrar: A and AAAA records for drive.domain.com and apps.domain.com. That way the DNS entries can be propagated through the web.

These instructions are based on the official installation documentation by Nextcloud for v21, and tailored to our system build. Let's create the Nginx virtual host for Nextcloud by running sudo nano /etc/nginx/sites-available/drive.domain.com.conf. Note the warning about HTTP Strict-Transport-Security by reading about it at https://hstspreload.org/.

upstream php-handler { server unix:/var/run/php/php7.4-fpm.sock; }
server {
  listen 80;
  listen [::]:80;
  server_name drive.domain.com;
  location ^~ /.well-known/acme-challenge/ { root /usr/share/nginx/drive; }
  # Enforce HTTPS
  return 301 https://$server_name$request_uri;
}
server {
  listen 443      ssl http2;
  listen [::]:443 ssl http2;
  server_name drive.domain.com;

  # Use Mozilla's guidelines for SSL/TLS settings
  # https://mozilla.github.io/server-side-tls/ssl-config-generator/
  # Nginx version 1.18.0, OpenSSL version 1.1.1f
  ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;

  # HSTS settings
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.
  #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;

  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/>

  # Pagespeed is not supported by Nextcloud, so if your server is built
  # with the `ngx_pagespeed` module, uncomment this line to disable it.
  #pagespeed off;

  # HTTP response headers borrowed from Nextcloud `.htaccess`
  add_header Referrer-Policy                      "no-referrer"   always;
  add_header X-Content-Type-Options               "nosniff"       always;
  add_header X-Download-Options                   "noopen"        always;
  add_header X-Frame-Options                      "SAMEORIGIN"    always;
  add_header X-Permitted-Cross-Domain-Policies    "none"          always;
  add_header X-Robots-Tag                         "none"          always;
  add_header X-XSS-Protection                     "1; mode=block" always;

  # Remove X-Powered-By, which is an information leak
  fastcgi_hide_header X-Powered-By;

  # Path to the root of your installation
  root /usr/share/nginx/drive;

  # Specify how to handle directories -- specifying `/index.php$request_uri`
  # here as the fallback means that Nginx always exhibits the desired behaviour
  # when a client requests a path that corresponds to a directory that exists
  # on the server. In particular, if that directory contains an index.php file,
  # that file is correctly served; if it doesn't, then the request is passed to
  # the front-end controller. This consistent behaviour means that we don't need
  # to specify custom rules for certain paths (e.g. images and other assets,
  # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
  # `try_files $uri $uri/ /index.php$request_uri`
  # always provides the desired behaviour.
  index index.php index.html /index.php$request_uri;

  # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
  location = / {
    if ( $http_user_agent ~ ^DavClnt ) {
      return 302 /remote.php/webdav/$is_args$args;
    }
  }
  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }

  # Make a regex exception for `/.well-known` so that clients can still
  # access it despite the existence of the regex rule
  # `location ~ /(\.|autotest|...)` which would otherwise handle requests
  # for `/.well-known`.
  location ^~ /.well-known {
    # The following 6 rules are borrowed from `.htaccess`
    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    # Let's Encrypt web root
    location ^~ /.well-known/acme-challenge/ { try_files $uri $uri/ =404; }
    # Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }
    try_files $uri $uri/ =404;
  }

  # Rules borrowed from `.htaccess` to hide certain paths from clients
  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

  # Ensure this block, which passes PHP files to the PHP process, is above the blocks
  # which handle static assets (as seen below). If this block is not declared first,
  # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
  # to the URI, resulting in a HTTP 500 error response.
  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;
    try_files $fastcgi_script_name =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
    fastcgi_param front_controller_active true;     # Enable pretty urls
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
  }

  location ~ \.(?:css|js|svg|gif)$ {
    try_files $uri /index.php$request_uri;
    expires 6M;         # Cache-Control policy borrowed from `.htaccess`
    access_log off;     # Optional: Don't log access to assets
  }
  location ~ \.woff2?$ {
    try_files $uri /index.php$request_uri;
    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
    access_log off;     # Optional: Don't log access to assets
  }
  location / {
    try_files $uri $uri/ /index.php$request_uri;
  }
}

OnlyOffice requires its own Nginx virtual host, though it does not have a user interface at all through that virtual host. The documents are created and edited through Nextcloud directly. Nextcloud accesses OnlyOffice through the virtual host. It'll make sense once it's all put together. For now, we will create a temporary Nginx virtual host configuration file for OnlyOffice; so that we can create the Let's Encrypt Certbot TLS certificate. Once we install OnlyOffice, it will automatically install it's own Nginx virtual host configuration files. We'll then disable the temporary one we will be creating shortly and modify the installed files. Let's create the temporary OnlyOffice virtual host file by running sudo nano /etc/nginx/sites-available/apps.domain.com.conf.

server {
  listen 80;
  listen [::]:80;
  server_name apps.domain.com;
  root /usr/share/nginx/apps;
  index index.php index.html;
  location / { try_files $uri $uri/ =404; }
}

Now that the virtual host configuration files have been created, we have link them to the enabled directory.

sudo ln -s /etc/nginx/sites-available/drive.domain.com.conf /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/apps.domain.com.conf /etc/nginx/sites-enabled/
sudo service nginx reload

For the TLS certificates to be created, we need to set up the webroot directories for each Nginx virtual host.

sudo mkdir -p /usr/share/nginx/drive/.well-known/acme-challenge/
sudo mkdir -p /usr/share/nginx/apps/.well-known/acme-challenge/
sudo chown -R www-data:www-data /usr/share/nginx

To create the TLS certificate, be sure to note which subdomains have already been associated with your primary TLS certificate. Run this command to find out: sudo certbot certificates. We will also need to recall what the webroot directories are for each subdomain. If you've followed along with the tutorial, your command to expand the Let's Encrypt Certbot TLS certificates should be similar to the example below.

sudo certbot certonly --expand --webroot \
  -w /usr/share/nginx/html -d www.domain.com -d domain.com -d host.domain.com \
  -w /usr/share/nginx/db -d db.domain.com \
  -w /usr/share/nginx/mail -d mail.domain.com \
  -w /usr/share/nginx/drive -d drive.domain.com \
  -w /usr/share/nginx/apps -d apps.domain.com

Make sure to select (E)xpand and that the message Congratulations! Your certificate and chain have been saved shows up.

Nextcloud - required packages and install files

As you may imagine, a document server will be resource intensive. We will need to be as efficent as possible for the resources we pay for in our cloud server. Nextcloud allows memory caching, and I chose to do it through Redis because OnlyOffice also required it. The FFmpeg allows our media documents to be played. The other packages are required for Nextcloud's to work with the proper PHP extensions.

Update the apt repositories and install the prerequisite packages.

sudo apt update
sudo apt install php-apcu php-bz2 php-curl php-gd php-imagick php-intl php-json php-mbstring php-pgsql php-redis php-xml php-zip ffmpeg redis-server

Now that the required packages are installed, it's time for Nextcloud. We will download the installation files. Let's find out the current version. As of writing this blog, it is version 21.0.4. To find the download link, go to https://nextcloud.com/install and click on Download for server, then on Details and download options. Right-click over the .tar.bz2 link and copy it. Remember, the current version may not be what is in the example below. Also, be cautious about downloading or updating to most recent. Be sure all your Nextcloud Apps are available for the most recent version.

cd ~
wget https://download.nextcloud.com/server/releases/nextcloud-21.0.4.tar.bz2
tar -xvf nextcloud-21.0.4.tar.bz2

Copy the Nextcloud files to its own system directory. Be sure to replace your own username for [user]. We will also replace the Nginx drive subdirectory with a symbolic link from the Nextcloud system directory; and will create the webroot subdirectory for our TLS certificate renewals.

sudo rsync -Aavx /home/[user]/nextcloud /usr/share/
sudo rm -rf /usr/share/nginx/drive
sudo ln -s /usr/share/nextcloud /usr/share/nginx/drive
sudo mkdir -p /usr/share/nginx/drive/.well-known/acme-challenge/
sudo chown www-data:www-data -R /usr/share/nextcloud

The actual documents our server will host on Nextcloud (or the documents you want access to over the internet) will be stored elsewhere. I promised my users I would encrypt the files for their peace-of-mind. More on this later. Let's set that up the directory first.

sudo mkdir /var/nextcloud
sudo chown www-data:www-data /var/nextcloud
sudo chmod 770 /var/nextcloud

Nextcloud - PHP, PostgreSQL and install wizard

We will need to allow PHP access to our Ubuntu system environment variables. To do this, we have to modify our PHP-fpm. Let back up and modify the PHP pool configuration file by running sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/www.conf.bak && sudo nano /etc/php/7.4/fpm/pool.d/www.conf.

Modify around line 113: pm.max_children = 120
Modify around line 118: pm.start_servers = 12
Modify around line 123: pm.min_spare_servers = 6
Modify around line 128: pm.max_spare_servers = 18
Modify/uncomment around line 396: clear_env = no

Let's also increase the memory usage and upload file sizes allowed. But first, back up the file by running sudo cp /etc/php/7.4/fpm/php.ini /etc/php/7.4/fpm/php.ini.bak. Now let's edit the file by running sudo nano /etc/php/7.4/fpm/php.ini.

Modify around line 846: upload_max_filesize = 20M
Modify around line 694: post_max_size = 20M
Modify around line 409: memory_limit = 512M
Modify/uncomment around line 1768: opcache.enable=1
Modify/uncomment around line 1774: opcache.memory_consumption=128
Modify/uncomment around line 1777: opcache.interned_strings_buffer=8
Modify/uncomment around line 1781: opcache.max_accelerated_files=10000
Modify/uncomment around line 1799: opcache.revalidate_freq=1
Modify/uncomment around line 1806: opcache.save_comments=1

Now let's reload PHP and Nginx by running sudo service php7.4-fpm reload && sudo service nginx reload.

Let's create the PostgreSQL users and databases that Nextcloud and OnlyOffice will use. For the password, I'd recommend a random alpha-numeric string, e.g., cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1. Please don't use password in the example below; and make sure they're different!

sudo -i -u postgres psql -c "CREATE USER nextcloud WITH PASSWORD 'password';"
sudo -i -u postgres psql -c "CREATE USER onlyoffice WITH PASSWORD 'password';"
sudo -i -u postgres psql -c "CREATE DATABASE nextcloud OWNER nextcloud ENCODING unicode;"
sudo -i -u postgres psql -c "CREATE DATABASE onlyoffice OWNER onlyoffice ENCODING unicode;"
sudo -i -u postgres psql -c "GRANT ALL ON DATABASE nextcloud TO nextcloud;"
sudo -i -u postgres psql -c "GRANT ALL ON DATABASE onlyoffice TO onlyoffice;"

Now that the basic prerequisites and files are installed, let's load up Nextcloud. Go to a browser and load your Nextcloud web app by typing in http://drive.domain.com. You should see that it redirects to the https site automatically.

Create a username/password combination for your admin account. Be sure to edit the Data folder to /var/nextcloud.

In the section Configure the database, be sure PostgreSQL is noted as available. For the Database user, Database password and Database name, use the values we created above. Keep localhost as the Database host. I kept the box Install recommended apps selected. Now click Finish setup. It may time out and show a 504 error. Don't worry, it did it to me too. We'll find out what happened in the next section. Most likely, there was a timeout between PHP and PostgreSQL when creating the tables. Just refresh your browser and log in with the Nextcloud admin account you just created.

Nextcloud - Redis and optimize server

Redis and APCu will be used to cache our PHP scripts in the background in our cloud server's memory. These measures improve performance. We have to modify a few things in the background first. Ubuntu 20.04 disables the older rc.local, but the Redis implementation that works for me requires this. Let's create the file by running sudo nano /etc/rc.local.

#!/bin/bash
sysctl -w net.core.somaxconn=1024
echo never > /sys/kernel/mm/transparent_hugepage/enabled
exit 0

The file needs to be executable so run sudo chmod 755 /etc/rc.local. We then create the service file by running sudo nano /etc/systemd/system/rc-local.service.

[Unit]
  Description=/etc/rc.local Compatibility
  ConditionPathExists=/etc/rc.local

[Service]
  Type=forking
  ExecStart=/etc/rc.local start
  TimeoutSec=0
  StandardOutput=tty
  RemainAfterExit=yes
  SysVStartPriority=99

[Install]
  WantedBy=multi-user.target

We then back up and modify the Redis service file by running sudo cp /etc/systemd/system/redis.service /etc/systemd/system/redis.service.bak && sudo nano /etc/systemd/system/redis.service.

Edit line: After=network.target rc-local.service
Edit line: Group=www-data

The service daemons have to be enabled and reloaded.

sudo systemctl enable rc-local.service
sudo systemctl daemon-reload

The Redis configuration will be backed up and modified by running sudo cp /etc/redis/redis.conf /etc/redis/redis.conf.bak && sudo nano /etc/redis/redis.conf.

Comment out around line 69: #bind 127.0.0.1 ::1
Uncomment/modify around line 109: unixsocket /var/run/redis/redis-server.sock
Uncomment/modify around line 110: unixsocketperm 775

Now change some system-wide settings regarding users, groups and directories.

sudo usermod -a -G redis www-data
sudo usermod -g www-data redis
sudo mkdir -p /var/run/redis/
sudo chown -R redis:www-data /var/run/redis

Nextcloud needs to know that Redis is how we will handle memory caching. Run sudo cp /usr/share/nextcloud/config/config.php /usr/share/nextcloud/config/config.php.bak && sudo nano /usr/share/nextcloud/config/config.php. The current version of Nextcloud also requires a default telephone country/region. Add these lines to the bottom of the $CONFIG array.

'default_phone_region' => 'US',
'filelocking.enabled' => true,
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
],

Redis requires a configuration file to be modified, so let's back it up first then modify. Run sudo cp /etc/sysctl.conf /etc/sysctl.conf.bak && sudo nano /etc/sysctl.conf. Add the line to the bottom of the file.

vm.overcommit_memory = 1

Have Ubuntu reload this file by running sudo sysctl -p. Now reboot the system. If you set up your system like I did, then this is how you do it. Shutdown the system first by running sudo shutdown now. Go to a browser and log into Linode. Go to the Disks/Configs section, select the options for your Ubuntu system and click on Boot This Config. Click on Launch Console and then Glish. Now type in your password (may need to press arrow keys to load the screen). Now restart your terminal window.

Redis is now set up correctly. To verify, run sudo cat /var/log/redis/redis-server.log. There should be no errors or warnings after the reboot. You can compare this to the prior time it was loaded by scrolling up in the log. Now to the Nextcloud app itself.

Let's see if there are any steps we have to run manually from the install. Go to your document server web app, and click on the user icon on the upper right corner of the screen. It defaults to the first letter of the user name in a circle. Click on the first option Settings. On the left panel, click on Overview under Administration. It may give a command that starts with occ that they recommend you running. Only run the following command, if your Nextcloud app asked you to do so. If it did not ask you to run any occ commands, then skip to the next step.

cd /usr/share/nextcloud
sudo -u www-data php occ db:add-missing-indices
sudo -u www-data php occ db:convert-filecache-bigint
[Select y when prompted]

Also, feel free to change the Nginx configuration file for Nextcloud to be compatible for HSTS. The file has commented sections that explains this better. Do this only when you are ready!

Refresh the Overview page under Administration Settings to make sure it shows All checks passed. Let's set up automatic Nextcloud maintenance through cron. To do the command through user www-data, we will add the file to the /etc/cron.d folder with the user specified in the file itself. Run sudo nano /etc/cron.d/nextcloud.

*/5 * * * * www-data php -f /usr/share/nextcloud/cron.php

This will run the command every 5 minutes. Under the Settings page, click on Basic settings under Administration in the left panel. In the main panel, select Cron in the Background jobs section.

Nextcloud can send out automated emails regarding the web app. Because we already set up our own Postfix mail server, let's set this up. Staying in the Basic settings page, focus on the Email server section on the main panel. Select SMTP with SSL/TLS encryption. You can use your own email address, set up a new email address or a alias an email address to yours. Whichever you choose, enter this in the From address. Under Authentication method, select Plain and check the option Authentication required. Use your mail server address (e.g., mail.domain.com) via port 465.

Nextcloud - IMAP user access

Because we set up our own email server, our users who have access to our email server can also have access to our document server. Let's connect the two by downloading a plugin. Go back to the Apps page and click on Security on the left. The plugins should be listed alphabetically; look for User and Group SQL Backends. Click on Download and enable.

To modify the SQL backends settings, go back to Settings by clicking on the user icon in the upper right corner. You'll find a new setting in the left panel called SQL Backends, click on it. If you followed along in my tutorials, your PostgreSQL username/role and database names should be the same: virtualmail. Some browsers will pre-populate your Password, UID and maybe other fields (if you save passwords on your browser). Be sure to delete the pre-populated data and replace or leave empty as required! Use the following settings:

SQL Driver: PostgreSQL
Hostname: localhost
Database: virtualmail
Username: virtualmail
Password: [use your own]
Hash algorithm: SHA512 (Crypt)
Use cache: checked
Email sync: SQL always win
User table, Table name: virtual_users
User table, UID: email
User table, Email: email
User table, password: password

I wrote about encrypting user files in a prior blog. Feel free to read the prior version for more information about this. We'll skip it this time.

The Nextcloud document server web app is now set up. You can upload, download and share files from anywhere in the world as long as you have internet access. Now let's allow document editing by integrating productivity suite OnlyOffice.

OnlyOffice - Nextcloud integration

This tutorial is based on the official documentation by OnlyOffice. We already created the PostgreSQL user/role and database for OnlyOffice above. We have to install RabbitMQ message broker.

sudo apt install rabbitmq-server

The OnlyOffice apt package repository will be added and package installed.

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys CB2DE8E5
sudo echo "deb https://download.onlyoffice.com/repo/debian squeeze main" | sudo tee /etc/apt/sources.list.d/onlyoffice.list
sudo apt update
sudo apt install onlyoffice-documentserver ttf-mscorefonts-installer

During the installation process, you'll be asked to provide a password for the onlyoffice PostgreSQL user. Please enter the onlyoffice password you created above. Also accept the Microsoft fonts End User License Agreement, may need to hit Tab before hitting Enter.

We will change OnlyOffice to using the HTTPS (443) connection. The OnlyOffice configuration file has to be created and modified. Do this by running sudo cp -f /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds.conf && sudo nano /etc/onlyoffice/documentserver/nginx/ds.conf. Be sure to replace domain.com with your registered domain.

Modify line 7: server_name apps.domain.com;
Add around line 31: server_name apps.domain.com;
Delete around line 36: ssl on;
Delete around line 37: #ssl_certificate {{SSL_CERTIFICATE_PATH}};
Delete around line 38: #ssl_certificate_key {{SSL_KEY_PATH}};
Add following lines right below the lines deleted above:
  ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/www.domain.com/chain.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/ssl/private/dhparam.pem;
  ssl_stapling on;
  ssl_stapling_verify on;
Delete the lines starting and including, around line 43: # Uncomment string below and specify the path ...
Delete up through and including, around line 52: ssl_prefer_server_ciphers   on;
Add following lines to the bottom of this server block, around line 66:
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /usr/share/nginx/apps;
  }

Reload the Nginx service by running sudo service nginx reload. Verify that everything is working by going to a browser and loading the page apps.domain.com. You should see it automatically redirects to HTTPS and it should show Document Server is running.

You can harden the OnlyOffice document server by restricting access to your Ubuntu server only and to any subdomain on your registered domain. To find your ip addresses, run ifconfig. Look for inet and inet6 (one that does not start with fe80); these are your ipv4 and ipv6 respectively. Back up and modify the configuration file by running sudo cp /etc/onlyoffice/documentserver/default.json /etc/onlyoffice/documentserver/default.json.bak && sudo nano /etc/onlyoffice/documentserver/default.json. In the example below, be sure to replace ipv4 and ipv6 with your own. You can also add your workstation's public ip address. If you don't do this, going to apps.domain.com will show an error. You can skip adding your workstation's public ip address, and just ignore that error should you go to that web page.

Delete the section and modify starting around line 153:
"ipfilter": {
  "rules": [
    {
      "address": "ipv4",
      "allowed": true
    },
    {
      "address": "ipv6",
      "allowed": true
    },
    {
      "address": "*.domain.com",
      "allowed": true
    },
    {
      "address": "[workstation public ip]",
      "allowed": true
    },
    {
      "address": "*",
      "allowed": false
    }
  ],
  "useforrequest": true,
  "errorcode": 403
},  

Now to integrate the two. Go back to the Nextcloud document server web app, click on the user icon in the upper right corner and click on Apps. Click on Office & text in the left panel. Look for ONLYOFFICE and click on Download and enable. Let's go to Settings via the user icon in the upper right corner. Click on ONLYOFFICE in the left panel. In ONLYOFFICE Docs address type in https://apps.domain.com (using your own domain.com). The browser may pre-populate the Secret key (leave blank to disable) field (thinking it is a saved password). Delete anything that might be in that field. Click Save.

Let's test it out. Click on the file folder icon (Files) in the top menu bar. Click on the plus icon. Click on Document and name it whatever you want. A new browser tab should load with a Word-like document editor. And there you go. You now have a fully functional alternative to Google Docs and Microsoft Office 365. Woo hoo!!

 
 
media,300x250,768834772
media,300x250,455609681
media,300x250,441509316
media,300x250,405423243
media,300x250,128775369
media,300x250,655659614
media,320x50,606581042
media,320x50,235324397

Suenotek Blog

Seattle, Washington

Cookies | Privacy | Policy

About | Contact Us