Switching ONLYOFFICE Docs to HTTPS protocol
Introduction
In most cases, accessing the editors via HTTPS is much more secure than via HTTP, which is used by default. Changing the editors' access method requires some additional actions. Follow the steps below to switch your ONLYOFFICE Docs to HTTPS.
Switching ONLYOFFICE Docs to HTTPS using certbot
The easiest way to switch ONLYOFFICE Docs to HTTPS is to automatically get Let's Encrypt SSL Certificates using certbot.
Install certbot. The process differs depending on whether the operating system is DEB-based or RPM-based. Follow the instructions for your OS:
DEB-based systems:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
RPM-based systems:
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Once certbot is installed on your machine, run the script specifying your email and domain:
sudo bash /usr/bin/documentserver-letsencrypt.sh email@example.com yourdomain.com
The script will automatically create and install the letsencrypt.org CA-signed certificate to your server and restart the NGINX service for the changes to take effect.
Now, your ONLYOFFICE Docs should be available at the https://yourdomain.com address.
Switching ONLYOFFICE Docs v5.3 and later to HTTPS
Before you can start to switch your ONLYOFFICE Docs to HTTPS protocol, you will need to create a security certificate and the certificate private key. Put them into a folder on the computer where ONLYOFFICE Docs is installed.
Once you have the certificate, proceed with the steps below:
- Stop the NGINX service:
  sudo service nginx stop
- Copy the ds-ssl.conf.tmpl file to the ds.conf file using the following command:
  sudo cp -f /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds.conf
- Edit the /etc/onlyoffice/documentserver/nginx/ds.conf file, replacing all the parameters in double curly brackets {{...}} with the values you actually use:
  - {{SSL_CERTIFICATE_PATH}} - the path to the SSL certificate you have got;
  - {{SSL_KEY_PATH}} - the path to the SSL certificate private key;
  - {{SSL_VERIFY_CLIENT}} - whether the verification of client certificates is enabled (with available values of on, off, optional and optional_no_ca);
  - {{CA_CERTIFICATES_PATH}} - the path to the client certificate, which will be verified if enabled with the previous parameter;
  - {{ONLYOFFICE_HTTPS_HSTS_MAXAGE}} - advanced configuration option for setting the HSTS max-age in the ONLYOFFICE Docs NGINX vHost configuration, applicable only when SSL is in use (usually defaults to 31536000, which is considered to be safe enough);
  - {{SSL_DHPARAM_PATH}} - the path to the Diffie-Hellman parameter;
- When all the changes are made, you can start the NGINX service again:
  sudo service nginx start
  Port 443 must be opened for correct portal operation.
- Execute the following script:
  sudo bash /usr/bin/documentserver-update-securelink.sh
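An added example for the edit step above (not ONLYOFFICE's own script): it fills the {{...}} placeholders in a copied template and lists any that remain on active lines, so an unfilled value is caught before NGINX is started. The function names, the certificate paths and the template fragment are assumptions constructed for illustration; the ssl_dhparam line is commented out in the fragment to show that comment lines are skipped.

```sh
#!/bin/sh
# Added example: fill the {{...}} placeholders of a copied SSL template and
# list any still present on active (non-comment) lines.

# fill_placeholder FILE NAME VALUE: replace every {{NAME}} in FILE with VALUE.
fill_placeholder() {
    # Escape what is special in a sed replacement: backslash, '&', the '|' delimiter.
    escaped=$(printf '%s' "$3" | sed 's/[\\&|]/\\&/g')
    sed "s|{{$2}}|$escaped|g" "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# unfilled_placeholders FILE: print the distinct {{NAME}} tokens left on active
# lines; return 0 only when none remain.
unfilled_placeholders() {
    left=$(grep -v '^[[:space:]]*#' "$1" | grep -o '{{[A-Z_]*}}' | sort -u)
    [ -z "$left" ] && return 0
    printf '%s\n' "$left"
    return 1
}

# make_sample_conf: write a constructed template fragment (placeholder names as
# listed on this page) to a temporary file and print its path.
make_sample_conf() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
ssl_certificate {{SSL_CERTIFICATE_PATH}};
ssl_certificate_key {{SSL_KEY_PATH}};
ssl_verify_client {{SSL_VERIFY_CLIENT}};
ssl_client_certificate {{CA_CERTIFICATES_PATH}};
add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}};
# ssl_dhparam {{SSL_DHPARAM_PATH}};
EOF
    printf '%s\n' "$conf"
}

# Demo run; the certificate and key paths are sample values, not real files.
conf=$(make_sample_conf)
fill_placeholder "$conf" SSL_CERTIFICATE_PATH /etc/ssl/certs/yourdomain.crt
fill_placeholder "$conf" SSL_KEY_PATH /etc/ssl/private/yourdomain.key
fill_placeholder "$conf" SSL_VERIFY_CLIENT off
fill_placeholder "$conf" ONLYOFFICE_HTTPS_HSTS_MAXAGE 31536000
if unfilled_placeholders "$conf"; then
    echo "no placeholders left on active lines"
else
    echo "the placeholders listed above are still unfilled: do not start NGINX yet"
fi
rm -f "$conf"
```

In the demo run {{CA_CERTIFICATES_PATH}} is deliberately left unfilled, so the check reports it; on a real server, point the functions at the copied ds.conf before starting NGINX.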
Switching ONLYOFFICE Docs v5.2 to HTTPS
To switch ONLYOFFICE Docs v5.2 to HTTPS, perform all the steps above, noting that the second and the third steps differ and must look like this:
- ...
- Copy the onlyoffice-documentserver-ssl.conf.template file to the onlyoffice-documentserver.conf file using the following command:
  sudo cp -f /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver-ssl.conf.template /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf
- Edit the /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver.conf file, replacing all the parameters in double curly brackets {{...}} with the values you actually use...
- ...
Switching ONLYOFFICE Docs v4.3 to 5.1 to HTTPS
To switch ONLYOFFICE Docs v4.3/5.1 to HTTPS, perform all the steps above, noting that the second and the third steps differ and must look like this:
- ...
- Copy the onlyoffice-documentserver-ssl.conf.template file to the onlyoffice-documentserver.conf file using the following command:
  sudo cp -f /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver-ssl.conf.template /etc/nginx/conf.d/onlyoffice-documentserver.conf
- Edit the /etc/nginx/conf.d/onlyoffice-documentserver.conf file, replacing all the parameters in double curly brackets {{...}} with the values you actually use...
- ...
Switching ONLYOFFICE Docs v3.6 to 4.2 to HTTPS
To switch ONLYOFFICE Docs v3.6/4.2 to HTTPS, perform all the steps above, noting that the second step differs and must look like this:
- ...
- Open the /etc/nginx/conf.d/onlyoffice-documentserver.conf configuration file and delete all its contents. Copy the contents of the SSL config file to your /etc/nginx/conf.d/onlyoffice-documentserver.conf.
  The SSL config file contents:

    include /etc/nginx/includes/onlyoffice-http.conf;
    ## Normal HTTP host
    server {
      listen 0.0.0.0:80;
      listen [::]:80 default_server;
      server_name _;
      server_tokens off;

      ## Redirects all traffic to the HTTPS host
      root /nowhere; ## root doesn't have to be a valid path since we are redirecting
      rewrite ^ https://$host$request_uri? permanent;
    }

    #HTTP host for internal services
    server {
      listen 127.0.0.1:80;
      listen [::1]:80;
      server_name localhost;
      server_tokens off;

      include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
      include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
    }

    ## HTTPS host
    server {
      listen 0.0.0.0:443 ssl;
      listen [::]:443 ssl default_server;
      server_tokens off;
      root /usr/share/nginx/html;

      ## Strong SSL Security
      ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
      ssl on;
      ssl_certificate {{SSL_CERTIFICATE_PATH}};
      ssl_certificate_key {{SSL_KEY_PATH}};
      ssl_verify_client {{SSL_VERIFY_CLIENT}};
      ssl_client_certificate {{CA_CERTIFICATES_PATH}};

      ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_session_cache builtin:1000 shared:SSL:10m;

      ssl_prefer_server_ciphers on;

      add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}};
      # add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;

      ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
      ## Replace with your ssl_trusted_certificate. For more info see:
      ## - https://medium.com/devops-programming/4445f4862461
      ## - https://www.ruby-forum.com/topic/4419319
      ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
      # ssl_stapling on;
      # ssl_stapling_verify on;
      # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
      # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
      # resolver_timeout 10s;

      ## [Optional] Generate a stronger DHE parameter:
      ##   cd /etc/ssl/certs
      ##   sudo openssl dhparam -out dhparam.pem 4096
      ##
      ssl_dhparam {{SSL_DHPARAM_PATH}};

      include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
    }

  The current actual config file is always available via this link.
- ...
Switching ONLYOFFICE Docs v3.5 and older to HTTPS
To switch ONLYOFFICE Docs v3.5/3.0 to HTTPS, perform all the steps above, noting that the second and the third steps differ and must look like this:
- ...
- Open the /etc/nginx/sites-available/onlyoffice-documentserver configuration file and delete all its contents. Go to https://raw.githubusercontent.com/ONLYOFFICE/Docker-DocumentServer/v3.6/config/nginx/onlyoffice-ssl and copy the contents of the SSL config file to your /etc/nginx/sites-available/onlyoffice-documentserver.
- Edit the /etc/nginx/sites-available/onlyoffice-documentserver configuration file, replacing all the parameters in double curly brackets {{...}} with the values you actually use, as described in the instructions above.
- ...