Command missing to set HTTPS port #27

Closed
jassonmc opened this issue Dec 1, 2019 · 18 comments

@jassonmc

jassonmc commented Dec 1, 2019

We can set the HTTP port with that:
snap set onlyoffice-ds onlyoffice.ds-port=8888

But there does not seem to be one for the HTTPS port.

Please add something similar like:
snap set onlyoffice-ds onlyoffice.ds-sport=4433

Cheers
jassonmc

@IcemanFlo

I've got the same problem. Would be nice if the feature can be included in the upcoming release.

Cheers
Florian

@agolybev
Contributor

Hi, I don't think it is a problem.
To my mind, it's normal to use a standard port for SSL connections. For example, popular online SSL tools don't recognize any port other than 443. If your DS is behind a proxy, you have to provide SSL connections there and use any custom HTTP port for DS.

@jassonmc
Author

jassonmc commented Dec 16, 2019

With Snap it's probably a bit different.
I am running Snaps of Nextcloud and Onlyoffice DS on the same machine.
The app that needs the standard port 443 in that very common combo is Nextcloud, while Nextcloud can internally talk through another port with Onlyoffice DS.

@agolybev
Contributor

@jassonmc, I think the right way would be to place both servers behind a proxy server. But your argument is valuable.

@IcemanFlo

I have the same use case as @jassonmc, putting the DS on the same machine as Nextcloud. The onlyoffice-ds shall only be accessible by Nextcloud, so I want to run Nextcloud on 443 and onlyoffice-ds on a different https port.

@duderino416

What people are asking for won't work because SSL works on 443. For SSL to work for ONLYOFFICE, which is needed, it needs 443 open and it needs to be using it. If your Nextcloud is HTTPS, that is.

What you can do to run both on the same machine is put ONLYOFFICE inside of an LXC container and reverse proxy to it as if it was another machine using the Apache or NGINX solutions provided on the main site.

@jassonmc
Author

jassonmc commented Dec 27, 2019

@duderino416
I am already running Nextcloud snap and Onlyoffice DS snap on the very same machine.
Onlyoffice DS uses in that case HTTPS port 443 and Nextcloud uses HTTPS port 444.
Works with self signed certificates and does what it should, no LXC needed, nor wanted.
I surely could also manually adjust the https port of Onlyoffice DS snap, but from my point of view it would be just logical to allow adjusting the https port, since http is possible as well via built in tools.
The snap would, port-wise, be on par with what Nextcloud offers with their snap, where you can easily adjust both ports.

@gilluc

gilluc commented Jan 5, 2020

@jassonmc
I made it like you say (on the same 'snap' machine):

  • nextcloud https via nextcloud.https-enable then modify https port to 444
  • onlyoffice-ds restarted after self-signed certs, operating on port 443
    https on onlyoffice runs fine
    https on nextcloud:444 runs fine too
    BUT onlyoffice plugin in nextcloud does not accept any https address for onlyoffice!!
    ending with:
    HealthcheckRequest on check error: cURL error 60: SSL certificate problem: self signed certificate (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

Apache under nextcloud is expecting the same certificates as nginx under onlyoffice ???

thanks in advance.
gilles

@gilluc

gilluc commented Jan 5, 2020

@jassonmc
I tried first:

```
cp cert.pem /var/snap/nextcloud/current/certs
cp privkey.pem /var/snap/nextcloud/current/certs
snap restart nextcloud

cp cert.pem /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs/onlyoffice.crt
cp privkey.pem /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs/onlyoffice.key
rm /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs/dh*
snap restart onlyoffice-ds
```

then

```
cp onlyoffice.crt /var/snap/nextcloud/current/certs/cert.pem
cp onlyoffice.key /var/snap/nextcloud/current/certs/privkey.pem
snap restart nextcloud

cp onlyoffice.crt /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs
cp onlyoffice.key /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs
cp dhparam.pem /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs
snap restart onlyoffice-ds
```

Each time, https to nextcloud:444 and onlyoffice worked fine and the plugin won't work with https://debian.local/ which works fine to onlyoffice in browser.

help!
gilles

@gilluc

gilluc commented Jan 5, 2020

@jassonmc
Both https accesses (Nextcloud and onlyoffice) work, but
my Chrome browser says "invalid certificate" no matter which self-signed certificate I use (the nextcloud one or the onlyoffice one).

Is there any clue to create a self-signed certificate that works on my local machine?
gilles

@gilluc

gilluc commented Jan 5, 2020

@jassonmc
Using mkcert for Windows to create a certificate for my local server.
Works as expected with https on onlyoffice (I got the green icon).
Does not work on nextcloud, as starting the nextcloud snap seems to re-create the self-signed certificate ... so removing my mkcert certificate...
gosh...

@jassonmc
Author

jassonmc commented Jan 5, 2020

@gilluc
I copy/paste my internal notes I used to install on a vanilla CentOS 7 VM.
Only showing the most important steps though, omitting the cert creation process.
I went the standard route of creating a root CA, intermediate CA and finally the server cert from the intermediate CA. The root CA cert and intermediate CA cert went into the chain.pem file for Nextcloud. I'm not sure what you would insert into the chain.pem if you only have a self-signed single certificate, probably nothing, since there is no chain.

Unfortunately, using self-signed cert or a non-public CA cert makes the adjustments in the configs as explained below a necessity.

Hope that helps ;)

Nextcloud setup

```
snap install nextcloud
mkdir /var/snap/nextcloud/current/certs/custom/
chmod 700 /var/snap/nextcloud/current/certs/custom/
cp /root/CERT/pem_nextcloud/* /var/snap/nextcloud/current/certs/custom/
nextcloud.enable-https custom /certs/custom/cert.pem /certs/custom/privkey.pem /certs/custom/chain.pem
snap set nextcloud ports.http=888 ports.https=444
```

Adjust config for Nextcloud

vi /var/snap/nextcloud/current/nextcloud/config/config.php

```
'onlyoffice' =>
array (
  'verify_peer_off' => TRUE,
),
```

```
snap restart nextcloud
```

Onlyoffice setup

```
snap install onlyoffice-ds
cp /root/CERT/onlyoffice.key /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs/onlyoffice.key
cp /root/CERT/onlyoffice.crt /var/snap/onlyoffice-ds/current/var/www/onlyoffice/Data/certs/onlyoffice.crt
snap set onlyoffice-ds onlyoffice.ds-port=889
```

Adjust config for Onlyoffice

vi /var/snap/onlyoffice-ds/current/etc/onlyoffice/documentserver/default.json -> "rejectUnauthorized": false

```
snap restart onlyoffice-ds
```
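
The certificate step left out of the notes above, as an added example that is not part of the original comment or of either project: a root CA, an intermediate CA and a server certificate carrying a subjectAltName, with `chain.pem` assembled from the intermediate and root certificates as described, then checked with `openssl verify`. The CA names, the `pki.cnf` file and both function names are assumptions; `debian.local` in the usage comment is the hostname mentioned earlier in the thread.

```sh
#!/bin/sh
# Added example: private root CA -> intermediate CA -> server certificate.
# CA names, pki.cnf and both function names are assumptions for illustration.
set -eu

# make_chain HOST DIR: writes cert.pem, privkey.pem and chain.pem into DIR.
make_chain() (
    host=$1; mkdir -p "$2"; cd "$2"; umask 077
    # Minimal config: a CA profile, plus a server profile with a SAN for HOST
    # (the hostname check is done against subjectAltName).
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = unused' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[v3_srv]' 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" > pki.cnf
    # 1. Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config pki.cnf \
        -extensions v3_ca -subj '/CN=Constructed Root CA' \
        -keyout root.key -out root.pem 2>/dev/null
    # 2. Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj '/CN=Constructed Intermediate CA' \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1825 -extfile pki.cnf -extensions v3_ca \
        -out inter.pem 2>/dev/null
    # 3. Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=$host" -keyout privkey.pem -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -days 365 -extfile pki.cnf -extensions v3_srv \
        -out cert.pem 2>/dev/null
    # 4. chain.pem as in the notes above: intermediate CA cert plus root CA cert.
    cat inter.pem root.pem > chain.pem
)

# verify_chain HOST DIR: succeeds only if cert.pem chains to root.pem through
# inter.pem and its subjectAltName covers HOST.
verify_chain() (
    cd "$2"
    openssl verify -CAfile root.pem -untrusted inter.pem \
        -verify_hostname "$1" cert.pem >/dev/null 2>&1
)

# Stand-alone use: sh make_chain.sh debian.local ./pki
if [ $# -ge 1 ]; then
    make_chain "$1" "${2:-./pki}"
    verify_chain "$1" "${2:-./pki}" && echo "chain OK"
fi
```

`verify_chain` fails for a hostname that is not in the certificate's subjectAltName, so it can be used to check a certificate against the exact name the other service will connect to before copying the files into either snap.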

@gilluc

gilluc commented Jan 5, 2020 via email

@gilluc

gilluc commented Jan 7, 2020 via email

@Buliwif

Buliwif commented Jan 15, 2020

Great, thank you !
It works like a charm and gives us the ability to work with both snaps on the same machine.

However, for obvious reasons it would be helpful to access https://nexcloud.domain.tdl and not https://nextcloud.domain.tld:444
Is it impossible to change the Onlyoffice snap https port ?

@gilluc

gilluc commented Jan 15, 2020 via email

@Buliwif

Buliwif commented Jan 16, 2020

The best way I found is to add a DNS entry pointing to the IP address of my router, and define a NAT rule which translates 433 to 444.
Happy to find a different way than using a reverse proxy.
It works fine :)

@jassonmc
Author

I haven't found a way to adjust the port for https.
Since the Snap and its configs are immutable, meaning it's running from a mounted Squashfs filesystem, which is read-only, there is no obvious way to alter it.

To me, this is also the biggest drawback of the Snap technology; its super secure immutability also makes it super inflexible, since you cannot adjust any config, not even to fix something...

It would help tremendously, if there would be a way to serve an alternative file for one that's stored immutable on Squashfs. Something like Docker layering tech or similar.
