Fix ssl convertion issue

README.md

@@ -98,6 +98,8 @@ $ openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out on
 
 You have now generated an SSL certificate that's valid for 365 days.
 
+If you'd like to use Example with Self Signed Certificates then you need to [allow to use unauthorized storage](#allow-document-server-to-use-unauthorized-storage).
+
 #### Strengthening the server security
 
 This section provides you with instructions to [strengthen your server security](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html).
@@ -145,6 +147,14 @@ By default, HTTPS SSL port is 443. If you'd like to change it (say, to port 444)
 # snap set onlyoffice-ds onlyoffice.ds-ssl-port=444
 ```
 
+#### Allow document server to use unauthorized storage
+
+By default, document server is prevented from using an unauthorized storage. To allow it, run:
+
+```
+# snap set onlyoffice-ds onlyoffice.use-unautorized-storage=true
+```
+
 #### JSON Web Token
 
 - **jwt-enabled**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.

bin/documentserver-start.sh

@@ -33,4 +33,13 @@ else
     sed -i -e 's/autostart=true/autostart=false/'  $SNAP_DATA/etc/supervisor/conf.d/ds-example.conf
 fi
 
+USE_UNAUTHORIZED_STORAGE_ENABLED=$(snapctl get onlyoffice.use-unautorized-storage)
+if [ "${USE_UNAUTHORIZED_STORAGE_ENABLED}" == "true" ]; then
+    sed -i -e 's/"rejectUnauthorized": true/"rejectUnauthorized": false/' /var/snap/onlyoffice-ds/current/etc/onlyoffice/documentserver/local.json
+else
+    sed -i -e 's/"rejectUnauthorized": false/"rejectUnauthorized": true/' /var/snap/onlyoffice-ds/current/etc/onlyoffice/documentserver/local.json
+fi
+
+export LC_ALL=C.UTF-8
+
 $SNAP/usr/bin/python $SNAP/usr/bin/supervisord -n -c $SNAP_DATA/etc/supervisor/supervisord.conf

config/ds-ssl.conf.tmpl

@@ -32,6 +32,103 @@ server {
   rewrite ^ https://$host$request_uri? permanent;
 }
 
+#HTTP host for internal services
+server {
+  listen 127.0.0.1:80;
+  listen [::1]:80;
+  server_name localhost;
+  server_tokens off;
+
+  client_max_body_size 100m;
+
+  gzip on;
+  gzip_vary on;
+  gzip_types  text/plain
+              text/xml
+              text/css
+              text/csv
+              font/ttf
+              application/xml
+              application/javascript
+              application/x-javascript
+              application/json
+              application/octet-stream
+              application/x-font-ttf
+              application/rtf
+              application/wasm;
+
+  #welcome page
+  rewrite ^/$ $the_scheme://$the_host/welcome/ redirect;
+
+  #support old version
+  rewrite ^\/OfficeWeb(\/apps\/.*)$ $the_scheme://$the_host/0.0.0-0/web-apps$1 redirect;
+
+  #script caching protection
+  rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ $the_scheme://$the_host/0.0.0-0$1 redirect;
+
+  #disable caching for api.js
+  location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$ {
+    expires -1;
+    # gzip_static on;
+    alias  /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2;
+  }
+
+  #suppress logging the unsupported locale error in web-apps
+  location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$ {
+    expires 365d;
+    error_log /dev/null crit;
+    # gzip_static on;
+    alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+  }
+
+  #suppress logging the unsupported locale error in plugins
+  location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$ {
+    expires 365d;
+    error_log /dev/null crit;
+    # gzip_static on;
+    alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+  }
+
+  location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$ {
+    expires 365d;
+    # gzip_static on;
+    alias /snap/onlyoffice-ds/current/var/www/onlyoffice/documentserver/$2$3;
+  }
+
+  location ~* ^(\/cache\/files.*)(\/.*) {
+    alias /var/snap/onlyoffice-ds/common/var/lib/onlyoffice/documentserver/App_Data$1;
+    add_header Content-Disposition "$arg_disposition; filename*=UTF-8''$arg_filename";
+
+    set $secret_string verysecretstring;
+    secure_link $arg_md5,$arg_expires;
+    secure_link_md5 "$secure_link_expires$uri$secret_string";
+
+    if ($secure_link = "") {
+      return 403;
+    }
+
+    if ($secure_link = "0") {
+      return 410;
+    }
+  }
+
+  # Allow internal service only from 127.0.0.1
+  location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info|internal)(\/.*)$ {
+    allow 127.0.0.1;
+    deny all;
+    proxy_pass http://localhost:8000/$2$3;
+  }
+
+  location / {
+    proxy_pass http://localhost:8000;
+  }
+
+  location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*) {
+    proxy_pass http://localhost:8000$2;
+    proxy_http_version 1.1;
+  }
+}
+
 server {
   listen 0.0.0.0:DSS_PORT ssl;
   listen [::]:DSS_PORT ssl default_server;

config/local.json

@@ -69,6 +69,9 @@
 			"outbox": {
 				"header": "Authorization"
 			}
+		},
+		"requestDefaults": {
+			"rejectUnauthorized": true
 		}
 	  }
 	},

snap/hooks/configure

@@ -8,6 +8,7 @@ DEFAULT_JWT_ENABLED="false"
 DEFAULT_JWT_SECRET="secret"
 DEFAULT_JWT_HEADER="Authorization"
 DEFAULT_EXAMPLE_ENABLED="false"
+DEFAULT_USE_UNAUTHORIZED_STORAGE="false"
 
 
 nginx_onlyoffice_http_port()
@@ -309,6 +310,46 @@ set_previous_onlyoffice_example_enabled()
 	snapctl set private.onlyoffice.example-enabled="$1"
 }
 
+onlyoffice_use_unautorized_storage()
+{
+	onlyoffice_use_unautorized_storage="$(onlyoffice_use_unautorized_storage)"
+	previous_onlyoffice_use_unautorized_storage="$(previous_onlyoffice_use_unautorized_storage)"
+
+	# If no changes were requested, then there's nothing to do here.
+	if [ "$onlyoffice_use_unautorized_storage" = "$previous_onlyoffice_use_unautorized_storage" ]; then
+		return 0
+	fi
+	set_onlyoffice_use_unautorized_storage "$onlyoffice_use_unautorized_storage"
+	set_previous_onlyoffice_use_unautorized_storage $onlyoffice_use_unautorized_storage
+}
+
+set_onlyoffice_use_unautorized_storage()
+{
+	snapctl set onlyoffice.use-unautorized-storage="$1"
+}
+
+onlyoffice_use_unautorized_storage()
+{
+	port="$(snapctl get onlyoffice.use-unautorized-storage)"
+	if [ -z "$port" ]; then
+		port="$DEFAULT_USE_UNAUTHORIZED_STORAGE"
+		set_onlyoffice_use_unautorized_storage $port
+		set_previous_onlyoffice_use_unautorized_storage $port
+	fi
+
+	echo "$port"
+}
+
+previous_onlyoffice_use_unautorized_storage()
+{
+	snapctl get private.onlyoffice.use-unautorized-storage
+}
+
+set_previous_onlyoffice_use_unautorized_storage()
+{
+	snapctl set private.onlyoffice.use-unautorized-storage="$1"
+}
+
 
 
 
@@ -317,4 +358,5 @@ db_onlyoffice_db_port && \
 token_onlyoffice_jwt_enabled && \
 token_onlyoffice_jwt_secret && \
 token_onlyoffice_jwt_header && \
-onlyoffice_example_enabled
+onlyoffice_example_enabled && \
+onlyoffice_use_unautorized_storage