This commit is contained in:
Alexey Golubev 2020-05-22 11:25:18 +03:00
commit c2bcd00322
6 changed files with 101 additions and 15 deletions

@ -3,6 +3,26 @@ language: generic
dist: trusty dist: trusty
env: env:
# certificates (default tls if onlyoffice not exists)
- config: certs.yml
ssl: true
# certificates (default onlyoffice if exists)
- config: certs.yml
ssl: true
private_key: onlyoffice.key
certificate_request: onlyoffice.csr
certificate: onlyoffice.crt
# custom certificates
- config: certs-customized.yml
ssl: true
private_key: mycert.key
certificate_request: mycert.csr
certificate: mycert.crt
SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt
SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
# postgresql # postgresql
- config: postgres.yml - config: postgres.yml

@ -96,8 +96,8 @@ To secure the application via SSL basically two things are needed:
So you need to create and install the following files: So you need to create and install the following files:
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/tls.key
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/tls.crt
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates. When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
@ -108,19 +108,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure.
**STEP 1**: Create the server private key **STEP 1**: Create the server private key
```bash ```bash
openssl genrsa -out onlyoffice.key 2048 openssl genrsa -out tls.key 2048
``` ```
**STEP 2**: Create the certificate signing request (CSR) **STEP 2**: Create the certificate signing request (CSR)
```bash ```bash
openssl req -new -key onlyoffice.key -out onlyoffice.csr openssl req -new -key tls.key -out tls.csr
``` ```
**STEP 3**: Sign the certificate using the private key and CSR **STEP 3**: Sign the certificate using the private key and CSR
```bash ```bash
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
``` ```
You have now generated an SSL certificate that's valid for 365 days. You have now generated an SSL certificate that's valid for 365 days.
@ -136,18 +136,18 @@ openssl dhparam -out dhparam.pem 2048
#### Installation of the SSL Certificates #### Installation of the SSL Certificates
Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again). Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options. The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner. The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner.
```bash ```bash
mkdir -p /app/onlyoffice/DocumentServer/data/certs mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/ cp tls.key /app/onlyoffice/DocumentServer/data/certs/
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/ cp tls.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/ cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
``` ```
You are now just one step away from having our application secured. You are now just one step away from having our application secured.
@ -160,8 +160,8 @@ Below is the complete list of parameters that can be set using environment varia
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`. - **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`. - **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`. - **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`. - **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`. - **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false` - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`. - **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.

@ -16,8 +16,16 @@ ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
ONLYOFFICE_DATA_CONTAINER_PORT=80 ONLYOFFICE_DATA_CONTAINER_PORT=80
SSL_CERTIFICATES_DIR="${DATA_DIR}/certs" SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt} if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt ]]; then
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key} SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt
else
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
fi
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
else
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem} CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem} SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off} SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}

@ -0,0 +1,18 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
environment:
- SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/var/www/onlyoffice/Data/certs/tls.crt}
- SSL_KEY_PATH=${SSL_KEY_PATH:-/var/www/onlyoffice/Data/certs/tls.key}
- CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-/var/www/onlyoffice/Data/certs/ca-certificates.pem}
- SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/var/www/onlyoffice/Data/certs/dhparam.pem}
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/var/www/onlyoffice/Data

13
tests/certs.yml Normal file

@ -0,0 +1,13 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/var/www/onlyoffice/Data

@ -1,5 +1,32 @@
#!/bin/bash #!/bin/bash
ssl=${ssl:-false}
private_key=${private_key:-tls.key}
certificate_request=${certificate_request:-tls.csr}
certificate=${certificate:-tls.crt}
# Generate certificate
if [[ $ssl == "true" ]]; then
url=${url:-"https://localhost"}
mkdir -p data/certs
pushd data/certs
openssl genrsa -out ${private_key} 2048
openssl req \
-new \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-key ${private_key} \
-out ${certificate_request}
openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate}
openssl dhparam -out dhparam.pem 2048
chmod 400 ${private_key}
popd
else
url=${url:-"http://localhost"}
fi
# Check if the yml exists # Check if the yml exists
if [[ ! -f $config ]]; then if [[ ! -f $config ]]; then
echo "File $config doesn't exist!" echo "File $config doesn't exist!"
@ -14,7 +41,7 @@ wakeup_timeout=30
# Get documentserver healthcheck status # Get documentserver healthcheck status
echo "Wait for service wake up" echo "Wait for service wake up"
sleep $wakeup_timeout sleep $wakeup_timeout
healthcheck_res=$(wget --no-check-certificate -qO - localhost/healthcheck) healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
# Fail if it isn't true # Fail if it isn't true
if [[ $healthcheck_res == "true" ]]; then if [[ $healthcheck_res == "true" ]]; then