Access to the onlyoffice application can be secured using SSL so as to prevent unauthorized access. While a CA certified SSL certificate allows for verification of trust via the CA, self signed certificates can also provide an equal level of trust verification as long as each client takes some additional steps to verify the identity of your website. Below the instructions on achieving this are provided.
可以使用 SSL 来保护对 OnlyOffice 应用程序的访问,以防止未经授权的访问。虽然 CA 认证的 SSL 证书可以通过 CA 进行信任验证,但自签名证书也可以提供相同级别的信任验证,只要每个客户端采取一些额外步骤来验证您网站的身份。以下提供了实现此目的的说明。
To secure the application via SSL basically two things are needed:
为了通过 SSL 保护应用程序,基本上需要两样东西:
- Private key (.key) 私钥(.key)
- SSL certificate (.crt) SSL 证书(.crt)
So you need to create and install the following files:
所以您需要创建并安装以下文件:
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
When using CA certified certificates (e.g Let's Encrypt), these files are provided to you by the CA. If you are using self-signed certificates, you need to generate these files yourself.
当使用 CA 认证的证书(例如 Let's Encrypt)时,这些文件由 CA 提供给您。如果您使用自签名证书,则需要自行生成这些文件。
Switching ONLYOFFICE Docs to HTTPS using certbot
使用 certbot 将 ONLYOFFICE Docs 切换到 HTTPS
The easiest way to switch ONLYOFFICE Docs to HTTPS is to automatically get Let's Encrypt SSL Certificates using certbot.
将 ONLYOFFICE Docs 切换到 HTTPS 的最简单方法是使用 certbot 自动获取 Let's Encrypt SSL 证书。
Run the ONLYOFFICE Docs Docker container specifying ports 80 and 443 and setting your own values for the variables:
运行 ONLYOFFICE Docs Docker 容器,指定端口 80 和 443,并为变量设置您自己的值:
Where: 在哪里:
- LETS_ENCRYPT_DOMAIN - a domain name to use for the certificate.
LETSENCRYPT_DOMAIN - 用于证书的域名。
- LETS_ENCRYPT_MAIL - an email used for registration and recovery contact.
LETS_ENCRYPT_MAIL - 用于注册和恢复联系的电子邮件。
The letsencrypt.org CA-signed certificate will be automatically generated and installed to your server. Now your ONLYOFFICE Docs should be available at the https://yourdomain.com address.
letsencrypt.org CA 签名的证书将自动生成并安装到您的服务器上。现在,您的 ONLYOFFICE Docs 应该可以通过 https://yourdomain.com 地址访问。
Generation of self signed certificates
生成自签名证书
Generation of self-signed SSL certificates involves a simple 3 step procedure
生成自签名 SSL 证书涉及一个简单的 3 步过程
STEP 1: Create the server private key
步骤 1:创建服务器私钥
openssl genrsa -out onlyoffice.key 2048
STEP 2: Create the certificate signing request (CSR)
步骤 2:创建证书签名请求(CSR)
openssl req -new -key onlyoffice.key -out onlyoffice.csr
STEP 3: Sign the certificate using the private key and CSR
步骤 3:使用私钥和 CSR 签署证书
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
You have now generated an SSL certificate that's valid for 365 days.
您现在已生成了一个有效期为 365 天的 SSL 证书。
Strengthening the server security
加强服务器安全性
This section provides you with instructions to strengthen your server security.
本节为您提供了加强服务器安全性的指导。
To achieve this you need to generate stronger DHE parameters.
要实现这一目标,您需要生成更强大的 DHE 参数。
openssl dhparam -out dhparam.pem 2048
Installation of the SSL certificates
SSL 证书安装
Out of the four files generated above, you need to install the onlyoffice.key
, onlyoffice.crt
and dhparam.pem
files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
在上面生成的四个文件中,您需要在 onlyoffice 服务器上安装 onlyoffice.key
、 onlyoffice.crt
和 dhparam.pem
文件。不需要 CSR 文件,但请确保安全备份该文件(以防将来需要)。
The default path that the onlyoffice application is configured to look for the SSL certificates is at /var/www/onlyoffice/Data/certs
, this can however be changed using the SSL_KEY_PATH
, SSL_CERTIFICATE_PATH
and SSL_DHPARAM_PATH
configuration options.
onlyoffice 应用程序配置的默认路径用于查找 SSL 证书的位置是 /var/www/onlyoffice/Data/certs
,但可以使用 SSL_KEY_PATH
、 SSL_CERTIFICATE_PATH
和 SSL_DHPARAM_PATH
配置选项进行更改。
The /var/www/onlyoffice/Data/
path is the path of the data store, which means that you have to create a folder named certs inside /app/onlyoffice/DocumentServer/data/
and copy the files into it and as a measure of security you will update the permission on the onlyoffice.key
file to only be readable by the owner.
/var/www/onlyoffice/Data/
路径是数据存储路径,这意味着您必须在 /app/onlyoffice/DocumentServer/data/
中创建一个名为 certs 的文件夹,并将文件复制到其中,并作为安全措施,您将更新 onlyoffice.key
文件的权限,使其只能被所有者读取。
mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
And restart Docker container:
重新启动 Docker 容器:
sudo docker restart {{DOCUMENT_SERVER_ID}}
You are now just one step away from having our application secured.
您现在离我们的应用程序安全仅一步之遥。
Available configuration parameters
可用的配置参数
Please refer the docker run command options for the --env-file
flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.
请参考 docker run 命令选项 --env-file
标志,您可以在单个文件中指定所有必需的环境变量。这将避免您编写一个可能很长的 docker run 命令。
Below is the complete list of parameters that can be set using environment variables.
以下是可以使用环境变量设置的参数的完整列表。
- ONLYOFFICE_HTTPS_HSTS_ENABLED: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to
true
.
ONLYOFFICE_HTTPS_HSTS_ENABLED:用于关闭 HSTS 配置的高级配置选项。仅在使用 SSL 时适用。默认为 true
。
- ONLYOFFICE_HTTPS_HSTS_MAXAGE: Advanced configuration option for setting the HSTS max-age in the onlyoffice NGINX vHost configuration. Applicable only when SSL is in use. Defaults to
31536000
.
ONLYOFFICE_HTTPS_HSTS_MAXAGE: 用于设置 onlyoffice NGINX vHost 配置中 HSTS 最大年龄的高级配置选项。仅在使用 SSL 时适用。默认为 31536000
。
- SSL_CERTIFICATE_PATH: The path to the SSL certificate to use. Defaults to
/var/www/onlyoffice/Data/certs/tls.crt
.
SSL_CERTIFICATE_PATH: 要使用的 SSL 证书路径。默认为 /var/www/onlyoffice/Data/certs/tls.crt
。
- SSL_KEY_PATH: The path to the SSL certificate private key. Defaults to
/var/www/onlyoffice/Data/certs/tls.key
.
SSL_KEY_PATH: SSL 证书私钥的路径。默认为 /var/www/onlyoffice/Data/certs/tls.key
。
- SSL_DHPARAM_PATH: The path to the Diffie-Hellman parameter. Defaults to
/var/www/onlyoffice/Data/certs/dhparam.pem
.
SSL_DHPARAM_PATH: Diffie-Hellman 参数的路径。默认为 /var/www/onlyoffice/Data/certs/dhparam.pem
。
- SSL_VERIFY_CLIENT: Enable verification of client certificates using the
CA_CERTIFICATES_PATH file
. Defaults to false
.
SSL_VERIFY_CLIENT: 启用使用 CA_CERTIFICATES_PATH file
验证客户端证书。默认为 false
。
- DB_TYPE: The database type. Supported values are
postgres
, mariadb
or mysql
. Defaults to postgres
.
DB_TYPE:数据库类型。支持的值为 postgres
, mariadb
或 mysql
。默认为 postgres
。
- DB_HOST: The IP address or the name of the host where the database server is running.
DB_HOST: 数据库服务器运行的 IP 地址或主机名。
- DB_PORT: The database server port number.
DB_PORT: 数据库服务器端口号。
- DB_NAME: The name of a database to be created on the image startup.
DB_NAME: 在镜像启动时要创建的数据库名称。
- DB_USER: The new user name with superuser permissions for the database account.
DB_USER: 具有数据库帐户超级用户权限的新用户名。
- DB_PWD: The password set for the database account.
DB_PWD: 为数据库帐户设置的密码。
- AMQP_URI: The AMQP URI to connect to the message broker server.
AMQP_URI: 用于连接到消息代理服务器的 AMQP URI。
- AMQP_TYPE: The message broker type. Supported values are
rabbitmq
or activemq
. Defaults to rabbitmq
.
AMQP_TYPE: 消息代理类型。支持的值为 rabbitmq
或 activemq
。默认为 rabbitmq
。
- REDIS_SERVER_HOST: The IP address or the name of the host where the Redis server is running.
REDIS_SERVER_HOST: Redis 服务器运行的 IP 地址或主机名。
- REDIS_SERVER_PORT: The Redis server port number.
REDIS_SERVER_PORT: Redis 服务器端口号。
- REDIS_SERVER_PASS: The Redis server password. The password is not set by default.
REDIS_SERVER_PASS:Redis 服务器密码。默认情况下未设置密码。
- NGINX_WORKER_PROCESSES: Defines the number of NGINX worker processes.
NGINX_WORKER_PROCESSES:定义 NGINX 工作进程的数量。
- NGINX_WORKER_CONNECTIONS: Sets the maximum number of simultaneous connections that can be opened by a NGINX worker process.
NGINX_WORKER_CONNECTIONS:设置 NGINX 工作进程可以打开的最大同时连接数。
- SECURE_LINK_SECRET: Defines secret for the nginx config directive secure_link_md5. Defaults to
random string
.
SECURE_LINK_SECRET: 定义 nginx 配置指令 secure_link_md5 的密钥。默认为 random string
。
- JWT_ENABLED: Specifies the enabling the JSON web token validation by ONLYOFFICE Docs. Defaults to
true
.
JWT_ENABLED: 指定是否启用 ONLYOFFICE Docs 的 JSON Web 令牌验证。默认为 true
。
- JWT_SECRET: Defines the secret key to validate the JSON web token in the request to ONLYOFFICE Docs. Defaults to random value.
JWT_SECRET: 定义用于验证发送到 ONLYOFFICE Docs 的请求中的 JSON Web 令牌的密钥。默认为随机值。
- JWT_HEADER: Defines the HTTP header that will be used to send the JSON web token. Defaults to
Authorization
.
JWT_HEADER: 定义用于发送 JSON Web 令牌的 HTTP 标头。默认为 Authorization
。
- JWT_IN_BODY: Specifies the enabling the token validation in the request body to the ONLYOFFICE Docs. Defaults to
false
.
JWT_IN_BODY: 指定在请求体中启用令牌验证以连接到 ONLYOFFICE Docs。默认为 false
。
- ALLOW_META_IP_ADDRESS: Defines if it is allowed to connect meta IP address or not. Defaults to
false
.
ALLOW_META_IP_ADDRESS: 定义是否允许连接到元 IP 地址。默认为 false
。
- ALLOW_PRIVATE_IP_ADDRESS: Defines if it is allowed to connect private IP address or not. Defaults to
false
.
ALLOW_PRIVATE_IP_ADDRESS: 定义是否允许连接私有 IP 地址。默认为 false
。
- WOPI_ENABLED: Specifies the enabling the wopi handlers. Defaults to
false
.
WOPI_ENABLED: 指定启用 wopi 处理程序。默认为 false
。
- USE_UNAUTHORIZED_STORAGE: Set to
true
if using self-signed certificates for your storage server, e.g. Nextcloud. Defaults to false
.
USE_UNAUTHORIZED_STORAGE: 如果您的存储服务器(例如 Nextcloud)使用自签名证书,请设置为 true
。默认为 false
。
- GENERATE_FONTS: When
true
, regenerates fonts list and the fonts thumbnails etc. at each start. Defaults to true
.
生成字体:当 true
时,在每次启动时重新生成字体列表、字体缩略图等。默认为 true
。
- METRICS_ENABLED: Specifies the enabling StatsD for ONLYOFFICE Docs. Defaults to
false
.
METRICS_ENABLED: 指定是否启用 ONLYOFFICE Docs 的 StatsD。默认为 false
。
- METRICS_HOST: Defines StatsD listening host. Defaults to
localhost
.
METRICS_HOST: 定义 StatsD 监听主机。默认为 localhost
。
- METRICS_PORT: Defines StatsD listening port. Defaults to
8125
.
METRICS_PORT: 定义 StatsD 监听端口。默认为 8125
。
- METRICS_PREFIX: Defines StatsD metrics prefix for backend services. Defaults to
ds.
.
METRICS_PREFIX: 为后端服务定义 StatsD 指标前缀。默认为 ds.
。
- LETS_ENCRYPT_DOMAIN: Defines the domain for Let's Encrypt certificate.
LETS_ENCRYPT_DOMAIN: 定义 Let's Encrypt 证书的域名。
- LETS_ENCRYPT_MAIL: Defines the domain administrator mail address for Let's Encrypt certificate.
LETSENCRYPT_MAIL:为 Let's Encrypt 证书定义域管理员邮件地址。