From c58e1e6623cdabe62671e9a83f827c51398e05a4 Mon Sep 17 00:00:00 2001
From: Roman Demidov
Date: Fri, 26 Mar 2021 10:41:18 +0300
Subject: [PATCH] Fix ssl convertion issue (#63)

* Fix ssl convertation issue
* Fix locale issue
---
 README.md | 10 ++++
 bin/documentserver-start.sh | 9 ++++
 config/ds-ssl.conf.tmpl | 97 +++++++++++++++++++++++++++++++++++++
 config/local.json | 3 ++
 snap/hooks/configure | 44 ++++++++++++++++-
 5 files changed, 162 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7bb0d5b..4a6d3ea 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,8 @@ $ openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out on
 
 You have now generated an SSL certificate that's valid for 365 days.
 
+If you'd like to use Example with Self Signed Certificates then you need to [allow to use unauthorized storage](#allow-document-server-to-use-unauthorized-storage).
+
 #### Strengthening the server security
 
 This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html).
@@ -145,6 +147,14 @@ By default, HTTPS SSL port is 443. If you'd like to change it (say, to port 444)
 # snap set onlyoffice-ds onlyoffice.ds-ssl-port=444
 ```
 
+#### Allow document server to use unauthorized storage
+
+By default, document server is prevented from using an unauthorized storage. To allow it, run:
+
+```
+# snap set onlyoffice-ds onlyoffice.use-unautorized-storage=true
+```
+
 #### JSON Web Token
 
 - **jwt-enabled**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
diff --git a/bin/documentserver-start.sh b/bin/documentserver-start.sh
index 671ef07..befa8d2 100755
--- a/bin/documentserver-start.sh
+++ b/bin/documentserver-start.sh
@@ -33,4 +33,13 @@ else
 sed -i -e 's/autostart=true/autostart=false/' $SNAP_DATA/etc/supervisor/conf.d/ds-example.conf
 fi
 
+USE_UNAUTHORIZED_STORAGE_ENABLED=$(snapctl get onlyoffice.use-unautorized-storage)
+if [ "${USE_UNAUTHORIZED_STORAGE_ENABLED}" == "true" ]; then
+ sed -i -e 's/"rejectUnauthorized": true/"rejectUnauthorized": false/' /var/snap/onlyoffice-ds/current/etc/onlyoffice/documentserver/local.json
+else
+ sed -i -e 's/"rejectUnauthorized": false/"rejectUnauthorized": true/' /var/snap/onlyoffice-ds/current/etc/onlyoffice/documentserver/local.json
+fi
+
+export LC_ALL=C.UTF-8
+
 $SNAP/usr/bin/python $SNAP/usr/bin/supervisord -n -c $SNAP_DATA/etc/supervisor/supervisord.conf
diff --git a/config/ds-ssl.conf.tmpl b/config/ds-ssl.conf.tmpl
index bf40202..ff0f047 100644
--- a/config/ds-ssl.conf.tmpl
+++ b/config/ds-ssl.conf.tmpl
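Review bot: Setting `onlyoffice.use-unautorized-storage=true` rewrites `"rejectUnauthorized": true` to `false` in local.json, and if `requestDefaults` governs every outbound request the document server makes (as the key name suggests) that disables TLS certificate verification for all of them — callback URLs and document downloads from any storage, not only the Example storage the README hunk describes. That blast radius is not conveyed by the option name or the README text, so at minimum the toggle deserves a comment such as `# WARNING: turns off certificate validation for ALL outbound HTTPS requests, not just the example storage` and the documentation should recommend trusting the self-signed certificate instead. The `sed` targets hard-code `/var/snap/onlyoffice-ds/current/...` while the context line above uses `$SNAP_DATA` for the same tree, and `==` inside `[ ]` is a bashism that fails under dash if the script's interpreter line (outside the hunk) is `/bin/sh`. The key is also spelled `use-unautorized-storage` (missing "h") here, in the README hunk and in snap/hooks/configure; it becomes a public interface on release, so fixing the spelling in this commit is far cheaper than a later compatibility shim.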
@@ -32,6 +32,103 @@ server {
 rewrite ^ https://$host$request_uri? permanent;
 }
 
+#HTTP host for internal services
+server {
+ listen 127.0.0.1:80;
+ listen [::1]:80;
+ server_name localhost;
+ server_tokens off;
+
+ client_max_body_size 100m;
+
+ gzip on;
+ gzip_vary on;
+ gzip_types text/plain
+ text/xml
+ text/css
+ text/csv
+ font/ttf
+ application/xml
+ application/javascript
+ application/x-javascript
+ application/json
+ application/octet-stream
+ application/x-font-ttf
+ application/rtf
+ application/wasm;
+
+ #welcome page
+ rewrite ^/$ $the_scheme://$the_host/welcome/ redirect;
+
+ #support old version
+ rewrite ^\/OfficeWeb(\/apps\/.*)$ $the_scheme://$the_host/0.0.0-0/web-apps$1 redirect;
+
+ #script caching protection
+ rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ $the_scheme://$the_host/0.0.0-0$1 redirect;
+
+ #disable caching for api.js
+ location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$ {
+ expires -1;
+ # gzip_static on;
+ alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2;
+ }
+
+ #suppress logging the unsupported locale error in web-apps
+ location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$ {
+ expires 365d;
+ error_log /dev/null crit;
+ # gzip_static on;
+ alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+ }
+
+ #suppress logging the unsupported locale error in plugins
+ location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$ {
+ expires 365d;
+ error_log /dev/null crit;
+ # gzip_static on;
+ alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+ }
+
+ location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$ {
+ expires 365d;
+ # gzip_static on;
+ alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+ }
+
+ location ~* ^(\/cache\/files.*)(\/.*) {
+ alias /var/snap/onlyoffice-ds/common/var/lib/onlyoffice/documentserver/App_Data$1;
+ add_header Content-Disposition "$arg_disposition; filename*=UTF-8''$arg_filename";
+
+ set $secret_string verysecretstring;
+ secure_link $arg_md5,$arg_expires;
+ secure_link_md5 "$secure_link_expires$uri$secret_string";
+
+ if ($secure_link = "") {
+ return 403;
+ }
+
+ if ($secure_link = "0") {
+ return 410;
+ }
+ }
+
+ # Allow internal service only from 127.0.0.1
+ location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info|internal)(\/.*)$ {
+ allow 127.0.0.1;
+ deny all;
+ proxy_pass http://localhost:8000/$2$3;
+ }
+
+ location / {
+ proxy_pass http://localhost:8000;
+ }
+
+ location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*) {
+ proxy_pass http://localhost:8000$2;
+ proxy_http_version 1.1;
+ }
+}
+
 server {
 listen 0.0.0.0:DSS_PORT ssl;
 listen [::]:DSS_PORT ssl default_server;
diff --git a/config/local.json b/config/local.json
index 7095713..98b70ce 100644
--- a/config/local.json
+++ b/config/local.json
@@ -69,6 +69,9 @@
 "outbox": {
 "header": "Authorization"
 }
+ },
+ "requestDefaults": {
+ "rejectUnauthorized": true
 }
 }
 },
diff --git a/snap/hooks/configure b/snap/hooks/configure
index 8f4034f..2aa3a76 100755
--- a/snap/hooks/configure
+++ b/snap/hooks/configure
@@ -8,6 +8,7 @@ DEFAULT_JWT_ENABLED="false"
 DEFAULT_JWT_SECRET="secret"
 DEFAULT_JWT_HEADER="Authorization"
 DEFAULT_EXAMPLE_ENABLED="false"
+DEFAULT_USE_UNAUTHORIZED_STORAGE="false"
 
 
 nginx_onlyoffice_http_port()
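Review bot: `set $secret_string verysecretstring;` in the new loopback server block hard-codes the secure_link secret that gates `/cache/files` downloads, so every installation shares a value that is readable in the shipped template; since the configure hook already substitutes `DSS_PORT` into this file, the secret should be substituted the same way from a per-install value generated at install time (and kept identical to whatever the existing SSL server block below the hunk uses, which this hunk cannot show). The `error_log /dev/null crit;` lines in the two JSON locations silence every error for those paths, not only the locale error the comment names, which will hide real misconfiguration — if the suppression stays, the comment should say so, e.g. `# NOTE: discards all errors for these paths, not just the unsupported-locale one`. The `allow 127.0.0.1; deny all;` guard on `info|internal` is consistent with the loopback-only `listen` lines, though a client arriving over `[::1]` would be denied; that is only a problem if internal callers use IPv6 loopback, which cannot be judged from this hunk. A one-line comment above `#HTTP host for internal services` explaining why the plain-HTTP loopback host exists (presumably so internal conversion requests avoid the SSL host and its self-signed certificate, per the commit title) would spare the next maintainer the guesswork.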
@@ -309,6 +310,46 @@ set_previous_onlyoffice_example_enabled()
 snapctl set private.onlyoffice.example-enabled="$1"
 }
 
+onlyoffice_use_unautorized_storage()
+{
+ onlyoffice_use_unautorized_storage="$(onlyoffice_use_unautorized_storage)"
+ previous_onlyoffice_use_unautorized_storage="$(previous_onlyoffice_use_unautorized_storage)"
+
+ # If no changes were requested, then there's nothing to do here.
+ if [ "$onlyoffice_use_unautorized_storage" = "$previous_onlyoffice_use_unautorized_storage" ]; then
+ return 0
+ fi
+ set_onlyoffice_use_unautorized_storage "$onlyoffice_use_unautorized_storage"
+ set_previous_onlyoffice_use_unautorized_storage $onlyoffice_use_unautorized_storage
+}
+
+set_onlyoffice_use_unautorized_storage()
+{
+ snapctl set onlyoffice.use-unautorized-storage="$1"
+}
+
+onlyoffice_use_unautorized_storage()
+{
+ port="$(snapctl get onlyoffice.use-unautorized-storage)"
+ if [ -z "$port" ]; then
+ port="$DEFAULT_USE_UNAUTHORIZED_STORAGE"
+ set_onlyoffice_use_unautorized_storage $port
+ set_previous_onlyoffice_use_unautorized_storage $port
+ fi
+
+ echo "$port"
+}
+
+previous_onlyoffice_use_unautorized_storage()
+{
+ snapctl get private.onlyoffice.use-unautorized-storage
+}
+
+set_previous_onlyoffice_use_unautorized_storage()
+{
+ snapctl set private.onlyoffice.use-unautorized-storage="$1"
+}
+
 
 
 
@@ -317,4 +358,5 @@ db_onlyoffice_db_port && \
 token_onlyoffice_jwt_enabled && \
 token_onlyoffice_jwt_secret && \
 token_onlyoffice_jwt_header && \
-onlyoffice_example_enabled
+onlyoffice_example_enabled && \
+onlyoffice_use_unautorized_storage
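Review bot: `onlyoffice_use_unautorized_storage()` is defined twice in this hunk — first as the apply-on-change function that compares against the previous value, then as the getter around `snapctl get` — and because the later shell definition replaces the earlier one, the comparison logic is dead code and the call chain in the `@@ -317,4` hunk only ever runs the getter (which would otherwise recurse through `$(onlyoffice_use_unautorized_storage)` inside the first body). The two need distinct names, presumably mirroring how the `onlyoffice_example_enabled` pair is split (its getter is outside the hunk), e.g. keep the apply function as `onlyoffice_use_unautorized_storage()` and rename the getter to something like `get_onlyoffice_use_unautorized_storage()` with the first line of the apply function updated to call it. The getter's local is named `port`, copied from a port getter although it holds a boolean, and both `set_... $port` calls pass it unquoted where the sibling calls quote `"$1"`; `value` and `"$value"` would read correctly. Nothing validates the stored string, so any value other than `true`/`false` is persisted as-is; documentserver-start.sh only enables the insecure mode on the exact string `true`, so this is safe today, but a `case` guard rejecting other values would make that contract explicit rather than accidental.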