Сухость и комфорт не гарантированы.
Running ONLYOFFICE Community Server using HTTPS
sudo docker run -i -t -d -p 80:80 -p 443:443 \
-v /opt/onlyoffice/Data:/var/www/onlyoffice/Data onlyoffice/communityserver
Access to the onlyoffice application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, a self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. Below the instructions on achieving this are provided.
To secure the application via SSL basically two things are needed:
Private key (.key)
SSL certificate (.crt)
So you need to create and install the following files:
/opt/onlyoffice/Data/certs/onlyoffice.key
/opt/onlyoffice/Data/certs/onlyoffice.crt
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
Generation of Self Signed Certificates
Generation of self-signed SSL certificates involves a simple 3 step procedure.
STEP 1: Create the server private key
openssl genrsa -out onlyoffice.key 2048
STEP 2: Create the certificate signing request (CSR)
openssl req -new -key onlyoffice.key -out onlyoffice.csr
STEP 3: Sign the certificate using the private key and CSR
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
You have now generated an SSL certificate that’s valid for 365 days.
Strengthening the server security
This section provides you with instructions to strengthen your server security. To achieve this you need to generate stronger DHE parameters.
openssl dhparam -out dhparam.pem 2048
Installation of the SSL Certificates
Out of the four files generated above, you need to install the onlyoffice.key, onlyoffice.crt and dhparam.pem files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at /var/www/onlyoffice/Data/certs, this can however be changed using the SSL_KEY_PATH, SSL_CERTIFICATE_PATH and SSL_DHPARAM_PATH configuration options.
The /var/www/onlyoffice/Data/ path is the path of the data store, which means that you have to create a folder named certs inside /opt/onlyoffice/Data/ and copy the files into it and as a measure of security you will update the permission on the onlyoffice.key file to only be readable by the owner.
mkdir -p /opt/onlyoffice/Data/certs
cp onlyoffice.key /opt/onlyoffice/Data/certs/
cp onlyoffice.crt /opt/onlyoffice/Data/certs/
cp dhparam.pem /opt/onlyoffice/Data/certs/
chmod 400 /opt/onlyoffice/Data/certs/onlyoffice.key
You are now just one step away from having our application secured.
Available Configuration Parameters
Please refer the docker run command options for the —env-file flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.
Below is the complete list of parameters that can be set using environment variables.
ONLYOFFICE_HTTPS_HSTS_ENABLED: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to true.
ONLYOFFICE_HTTPS_HSTS_MAXAGE: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to 31536000.
SSL_CERTIFICATE_PATH: The path to the SSL certificate to use. Defaults to /var/www/onlyoffice/Data/certs/onlyoffice.crt.
SSL_KEY_PATH: The path to the SSL certificate’s private key. Defaults to /var/www/onlyoffice/Data/certs/onlyoffice.key.
SSL_DHPARAM_PATH: The path to the Diffie-Hellman parameter. Defaults to /var/www/onlyoffice/Data/certs/dhparam.pem.
SSL_VERIFY_CLIENT: Enable verification of client certificates using the CA_CERTIFICATES_PATH file. Defaults to false
MYSQL_SERVER_HOST: The IP address or the name of the host where the server is running.
MYSQL_SERVER_PORT: The port number.
MYSQL_SERVER_DB_NAME: The name of a MySQL database to be created on image startup.
MYSQL_SERVER_USER: The new user name with superuser permissions for the MySQL account.
MYSQL_SERVER_PASS: The password set for the MySQL account.
https://github.com/ONLYOFFICE/Docker-CommunityServer#running-onlyoffice-community-server-using-https