From 395ce8491160d77f7e22eec218af6188036c879e Mon Sep 17 00:00:00 2001 From: Alexey Bannov Date: Fri, 17 Apr 2015 15:25:41 +0000 Subject: [PATCH] version: 3.0 --- Dockerfile | 31 ++++++ README.md | 191 ++++++++++++++++++++++++++++++++++++ config/nginx/onlyoffice-ssl | 110 +++++++++++++++++++++ run-document-server.sh | 64 ++++++++++++ 4 files changed, 396 insertions(+) create mode 100644 Dockerfile create mode 100644 README.md create mode 100644 config/nginx/onlyoffice-ssl create mode 100644 run-document-server.sh diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d6c59d8 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,31 @@ +FROM ubuntu:14.04 +MAINTAINER Ascensio System SIA + +ENV LANG en_US.UTF-8 +ENV LANGUAGE en_US:en +ENV LC_ALL en_US.UTF-8 + +RUN apt-get update && apt-get -y -q install libreoffice + +RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \ + echo "deb http://static.teamlab.com.s3.amazonaws.com/repo/debian/ squeeze main" >> /etc/apt/sources.list && \ + apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D9D0BF019CC8AC0D && \ + echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list && \ + apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF && \ + DEBIAN_FRONTEND=noninteractive && \ + locale-gen en_US.UTF-8 && \ + apt-get update && \ + apt-get install --force-yes -yq onlyoffice-documentserver && \ + rm -rf /var/lib/apt/lists/* + +ADD config /app/onlyoffice/setup/config/ +ADD run-document-server.sh /app/onlyoffice/run-document-server.sh +RUN chmod 755 /app/onlyoffice/*.sh + +VOLUME ["/var/log/onlyoffice"] +VOLUME ["/var/www/onlyoffice/Data"] + +EXPOSE 80 +EXPOSE 443 + +CMD bash -C '/app/onlyoffice/run-document-server.sh';'bash' diff --git a/README.md b/README.md new file mode 100644 index 0000000..5f019a9 --- /dev/null +++ b/README.md @@ -0,0 +1,191 @@ +* [Overview](#overview) +* [Functionality](#functionality) +* [Recommended System Requirements](#recommended-system-requirements) +* [Running Docker Image](#running-docker-image) +* [Configuring Docker Image](#configuring-docker-image) + - [Running ONLYOFFICE Document Server on Different Port](#running-onlyoffice-document-server-on-different-port) + - [Running ONLYOFFICE Document Server using HTTPS](#running-onlyoffice-document-server-using-https) + + [Generation of Self Signed Certificates](#generation-of-self-signed-certificates) + + [Strengthening the Server Security](#strengthening-the-server-security) + + [Installation of the SSL Certificates](#installation-of-the-ssl-certificates) + + [Available Configuration Parameters](#available-configuration-parameters) +* [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers) +* [Project Information](#project-information) +* [User Feedback and Support](#user-feedback-and-support) + +## Overview + +ONLYOFFICE Document Server is an online office suite comprising viewers and editors for texts, spreadsheets and presentations, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time. + +## Functionality ## +* ONLYOFFICE Document Editor +* ONLYOFFICE Spreadsheet Editor +* ONLYOFFICE Presentation Editor +* ONLYOFFICE Documents application for iOS +* Collaborative editing +* Hieroglyph support +* Support for all the popular formats: DOC, DOCX, TXT, ODT, RTF, ODP, EPUB, ODS, XLS, XLSX, CSV, PPTX, HTML + +Integrating it with ONLYOFFICE Community Server you will be able to: +* view and edit files stored on Drive, Box, Dropbox, OneDrive, OwnCloud connected to ONLYOFFICE; +* share files; +* embed documents on a website; +* manage access rights to documents. + +## Recommended System Requirements + +* **RAM**: 4 GB or more +* **CPU**: dual-core 2 GHz or higher +* **Swap file**: at least 2 GB +* **HDD**: at least 2 GB of free space +* **Distributive**: 64-bit Red Hat, CentOS or other compatible distributive with kernel version 3.8 or later, 64-bit Debian, Ubuntu or other compatible distributive with kernel version 3.8 or later +* **Docker**: version 1.4.1 or later + +## Running Docker Image + + sudo docker run -i -t -d -p 80:80 onlyoffice/documentserver + +Use this command if you wish to install ONLYOFFICE Document Server separately. To install ONLYOFFICE Document Server integrated with Community and Mail Servers, refer to the corresponding instructions below. + +## Configuring Docker Image + +### Running ONLYOFFICE Document Server on Different Port + +To change the port, use the -p command. E.g.: to make your portal accessible via port 8080 execute the following command: + + sudo docker run -i -t -d -p 8080:80 onlyoffice/documentserver + +### Running ONLYOFFICE Document Server using HTTPS + + sudo docker run -i -t -d -p 443:443 \ + -v /opt/onlyoffice/Data:/var/www/onlyoffice/Data onlyoffice/documentserver + +Access to the onlyoffice application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. Below the instructions on achieving this are provided. + +To secure the application via SSL basically two things are needed: + +- **Private key (.key)** +- **SSL certificate (.crt)** + +So you need to create and install the following files: + + /opt/onlyoffice/Data/certs/onlyoffice.key + /opt/onlyoffice/Data/certs/onlyoffice.crt + +When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates. + +#### Generation of Self Signed Certificates + +Generation of self-signed SSL certificates involves a simple 3 step procedure. + +**STEP 1**: Create the server private key + +```bash +openssl genrsa -out onlyoffice.key 2048 +``` + +**STEP 2**: Create the certificate signing request (CSR) + +```bash +openssl req -new -key onlyoffice.key -out onlyoffice.csr +``` + +**STEP 3**: Sign the certificate using the private key and CSR + +```bash +openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt +``` + +You have now generated an SSL certificate that's valid for 365 days. + +#### Strengthening the server security + +This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). +To achieve this you need to generate stronger DHE parameters. + +```bash +openssl dhparam -out dhparam.pem 2048 +``` + +#### Installation of the SSL Certificates + +Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). + +The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. + +The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/opt/onlyoffice/Data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner. + +```bash +mkdir -p /opt/onlyoffice/Data/certs +cp onlyoffice.key /opt/onlyoffice/Data/certs/ +cp onlyoffice.crt /opt/onlyoffice/Data/certs/ +cp dhparam.pem /opt/onlyoffice/Data/certs/ +chmod 400 /opt/onlyoffice/Data/certs/onlyoffice.key +``` + +You are now just one step away from having our application secured. + +#### Available Configuration Parameters + +*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.* + +Below is the complete list of parameters that can be set using environment variables. + +- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. +- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. +- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`. +- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`. +- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`. +- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false` + +## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers + +ONLYOFFICE Document Server is a part of ONLYOFFICE Free Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps: + +**STEP 1**: Install ONLYOFFICE Document Server. + +```bash +sudo docker run -i -t -d --name onlyoffice-document-server onlyoffice/documentserver +``` + +**STEP 2**: Install ONLYOFFICE Mail Server. + +For the mail server correct work you need to specify its hostname 'yourdomain.com'. +To learn more, refer to the [ONLYOFFICE Mail Server documentation](https://github.com/ONLYOFFICE/MailServer "ONLYOFFICE Mail Server documentation"). + +```bash +sudo docker run --privileged -i -t -d --name onlyoffice-mail-server -p 25:25 -p 143:143 -p 587:587 \ +-h yourdomain.com onlyoffice/mailserver +``` + +**STEP 3**: Install ONLYOFFICE Community Server + +```bash +sudo docker run -i -t -d -p 80:80 -p 443:443 onlyoffice/communityserver \ +--link onlyoffice-mail-server:mail_server \ +--link onlyoffice-document-server:document_server +``` + +Alternatively, you can use [docker-compose](https://docs.docker.com/compose/install "docker-compose") to install the whole ONLYOFFICE Free Edition at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'. Assuming you have docker-compose installed, execute the following command: + +```bash +wget https://raw.githubusercontent.com/ONLYOFFICE/Docker-CommunityServer/master/docker-compose.yml +docker-compose up -d +``` + +## Project Information + +Official website: [http://www.onlyoffice.org](http://onlyoffice.org "http://www.onlyoffice.org") + +Code repository: [https://github.com/ONLYOFFICE/DocumentServer](https://github.com/ONLYOFFICE/DocumentServer "https://github.com/ONLYOFFICE/DocumentServer") + +License: [Apache based license](http://www.gnu.org/licenses/agpl.html "Apache based license") + +SaaS version: [http://www.onlyoffice.com](http://www.onlyoffice.com "http://www.onlyoffice.com") + + +## User Feedback and Support + +If you have any problems with or questions about this image, please contact us through a [dev.onlyoffice.org][1]. + + [1]: http://dev.onlyoffice.org diff --git a/config/nginx/onlyoffice-ssl b/config/nginx/onlyoffice-ssl new file mode 100644 index 0000000..215c333 --- /dev/null +++ b/config/nginx/onlyoffice-ssl @@ -0,0 +1,110 @@ +## Normal HTTP host +server { + listen 0.0.0.0:80; + listen [::]:80 default_server; + server_name _; + server_tokens off; + + ## Redirects all traffic to the HTTPS host + root /nowhere; ## root doesn't have to be a valid path since we are redirecting + rewrite ^ https://$host$request_uri? permanent; +} + +upstream fastcgi_backend { + server 127.0.0.1:9001; + keepalive 32; +} + +## HTTPS host +server { + listen 0.0.0.0:443 ssl spdy; + listen [::]:443 ssl spdy default_server; + server_tokens off; + root /usr/share/nginx/html; + + ## Increase this if you want to upload large attachments + client_max_body_size 100m; + + ## Strong SSL Security + ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl on; + ssl_certificate {{SSL_CERTIFICATE_PATH}}; + ssl_certificate_key {{SSL_KEY_PATH}}; + ssl_verify_client {{SSL_VERIFY_CLIENT}}; + ssl_client_certificate {{CA_CERTIFICATES_PATH}}; + + ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_session_cache builtin:1000 shared:SSL:10m; + + ssl_prefer_server_ciphers on; + + add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}; + # add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + + ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL. + ## Replace with your ssl_trusted_certificate. For more info see: + ## - https://medium.com/devops-programming/4445f4862461 + ## - https://www.ruby-forum.com/topic/4419319 + ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx + # ssl_stapling on; + # ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt; + # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired + # resolver_timeout 10s; + + ## [Optional] Generate a stronger DHE parameter: + ## cd /etc/ssl/certs + ## sudo openssl dhparam -out dhparam.pem 4096 + ## + ssl_dhparam {{SSL_DHPARAM_PATH}}; + + gzip on; + gzip_types text/plain + text/xml + text/css + text/csv + application/xml + application/javascript + application/x-javascript + application/json + application/octet-stream + application/pdf + application/rtf + application/msword + application/vnd.ms-excel + application/vnd.ms-powerpoint; + #application/vnd.oasis.opendocument.text + #application/vnd.oasis.opendocument.spreadsheet + #application/vnd.oasis.opendocument.presentation + #application/vnd.openxmlformats-officedocument.wordprocessingml.document + #application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + #application/vnd.openxmlformats-officedocument.presentationml.presentation; + + + location / { + root /var/www/onlyoffice/documentserver/DocService/; + index index.html index.htm default.aspx Default.aspx; + fastcgi_index Default.aspx; + fastcgi_keep_conn on; + fastcgi_pass fastcgi_backend; + include /var/www/onlyoffice/documentserver/fastcgi_params; + } + + location /coauthoring/ { + proxy_pass http://localhost:8000/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } + + location /spellchecker/ { + proxy_pass http://localhost:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} + diff --git a/run-document-server.sh b/run-document-server.sh new file mode 100644 index 0000000..ab6af1c --- /dev/null +++ b/run-document-server.sh @@ -0,0 +1,64 @@ +#!/bin/bash + +sed "/user=/s/onlyoffice/root/" -i /etc/supervisor/conf.d/CoAuthoringService.conf +sed "/user=/s/onlyoffice/root/" -i /etc/supervisor/conf.d/DocService.conf +sed "/user=/s/onlyoffice/root/" -i /etc/supervisor/conf.d/FileConverterService.conf +sed "/user=/s/onlyoffice/root/" -i /etc/supervisor/conf.d/LibreOfficeService.conf +sed "/user=/s/onlyoffice/root/" -i /etc/supervisor/conf.d/SpellCheckerService.conf + +chown root /var/www/onlyoffice +chown root /var/lib/onlyoffice + + +DATA_DIR="/var/www/onlyoffice/Data" +LOG_DIR="/var/log/onlyoffice" + +ONLYOFFICE_HTTPS=${ONLYOFFICE_HTTPS:-false} + +SSL_CERTIFICATES_DIR="${DATA_DIR}/certs" +SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt} +SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key} +SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem} +SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} +ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true} +ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAG:-31536000} +SYSCONF_TEMPLATES_DIR="/app/onlyoffice/setup/config" + +NGINX_ONLYOFFICE_PATH="/etc/nginx/sites-enabled/onlyoffice-documentserver"; + +# setup HTTPS +if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then + cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice-ssl ${NGINX_ONLYOFFICE_PATH} + + mkdir ${DATA_DIR} + mkdir ${LOG_DIR}/nginx + + # configure nginx + sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH} + sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH} + + # if dhparam path is valid, add to the config, otherwise remove the option + if [ -r "${SSL_DHPARAM_PATH}" ]; then + sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH} + else + sed '/ssl_dhparam {{SSL_DHPARAM_PATH}};/d' -i ${NGINX_ONLYOFFICE_PATH} + fi + + sed 's,{{SSL_VERIFY_CLIENT}},'"${SSL_VERIFY_CLIENT}"',' -i ${NGINX_ONLYOFFICE_PATH} + + if [ -f /usr/local/share/ca-certificates/ca.crt ]; then + sed 's,{{CA_CERTIFICATES_PATH}},'"${CA_CERTIFICATES_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH} + else + sed '/{{CA_CERTIFICATES_PATH}}/d' -i ${NGINX_ONLYOFFICE_PATH} + fi + + if [ "${ONLYOFFICE_HTTPS_HSTS_ENABLED}" == "true" ]; then + sed 's/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/'"${ONLYOFFICE_HTTPS_HSTS_MAXAGE}"'/' -i ${NGINX_ONLYOFFICE_PATH} + else + sed '/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/d' -i ${NGINX_ONLYOFFICE_PATH} + fi +fi + +service mysql start +service nginx start +service supervisor start