Switching ONLYOFFICE Workspace to HTTPS protocol

Introduction

In most cases, accessing the portal via the HTTPS protocol is much more secure than via HTTP, which is used by default. Changing the portal access method requires a few actions. Follow the steps below to switch your ONLYOFFICE Workspace to the HTTPS protocol.

Creating security certificate and private key

Before you can start to switch your ONLYOFFICE Workspace to HTTPS protocol, you will need to create a security certificate and the certificate private key.

To automatically generate an SSL certificate using the Let's Encrypt service, you can refer to this article.

Once you have the certificate, proceed with the steps below.

Switching ONLYOFFICE Workspace to HTTPS using the provided script

The fastest way to switch ONLYOFFICE Workspace to HTTPS is to use the provided script. It is located here:

/var/www/onlyoffice/Tools/default-onlyoffice-ssl.sh

Place the created certificate and private key in the /var/www/onlyoffice/Data/certs/ directory. There must be two files there:

  • /var/www/onlyoffice/Data/certs/onlyoffice.crt
  • /var/www/onlyoffice/Data/certs/onlyoffice.key

And run the script:

sudo bash /var/www/onlyoffice/Tools/default-onlyoffice-ssl.sh

It will do everything needed to switch your ONLYOFFICE Workspace installation to HTTPS.

Switching ONLYOFFICE Workspace to HTTPS manually

You can perform all the script actions manually. For that, do the following:

  1. Stop the NGINX service:
    sudo service nginx stop
  2. Copy the /etc/nginx/includes/onlyoffice-communityserver-common-ssl.conf.template file to the /etc/nginx/sites-available/onlyoffice file for Debian-based systems or to the /etc/nginx/conf.d/onlyoffice.conf for RPM-based systems.

    Use the following command for Debian-based systems:

    sudo cp -f /etc/nginx/includes/onlyoffice-communityserver-common-ssl.conf.template /etc/nginx/sites-available/onlyoffice

    Use the following command for RPM-based systems:

    sudo cp -f /etc/nginx/includes/onlyoffice-communityserver-common-ssl.conf.template /etc/nginx/conf.d/onlyoffice.conf
  3. Edit the /etc/nginx/sites-available/onlyoffice file for Debian-based systems or the /etc/nginx/conf.d/onlyoffice.conf file for RPM-based systems. Replace all the parameters in double curly brackets {{...}} with the values you actually use:
    • {{SSL_CERTIFICATE_PATH}} - the path to the SSL certificate you have got;
    • {{SSL_KEY_PATH}} - the path to the SSL certificate private key;
    • {{SSL_VERIFY_CLIENT}} - whether the verification of client certificates is enabled (with available values of on, off, optional and optional_no_ca);
    • {{CA_CERTIFICATES_PATH}} - the path to the client certificate, which will be verified if enabled with the previous parameter;
    • {{ONLYOFFICE_HTTPS_HSTS_MAXAGE}} - advanced configuration option for setting the HSTS max-age in the ONLYOFFICE Workspace NGINX vHost configuration, and applicable only when SSL is in use (usually defaults to 31536000 which is considered to be safe enough);
    • {{SSL_DHPARAM_PATH}} - the path to the Diffie-Hellman parameters file;
    • {{ONLYOFFICE_NGINX_KEEPLIVE}} - the maximum number of idle keep-alive connections to upstream servers that are preserved in the cache of each worker process (for more information on this parameter, please see NGINX documentation);
    • {{DOCKER_ONLYOFFICE_SUBNET}} - the Docker internal subnet value (in case ONLYOFFICE Workspace is installed using Docker);
    • {{SSL_OCSP_CERTIFICATE_PATH}} - the path to a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP (Online Certificate Status Protocol) responses if ssl_stapling is enabled.
    Please see NGINX documentation for more information on SSL parameters used in the configuration file.
  4. Open the /var/www/onlyoffice/Services/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config configuration file and set the mail.default-api-scheme parameter value to https. After that, restart the mail aggregator service:
    sudo service onlyofficeMailAggregator restart
  5. Switch Talk to the TLS protocol. See this article to find out how this can be done.
  6. When all the changes are made, you can start the NGINX service again:
    sudo service nginx start
    Port 443 must be opened for correct portal operation.
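
A pre-start check for the file edited in step 3, to run before step 6. This is an added example, not part of the ONLYOFFICE tooling: the hypothetical helper check_ssl_conf flags leftover {{...}} placeholders, SSL files that do not exist, and a private key readable by group or others. It assumes the template uses the standard NGINX ssl_* path directives, one per line, with paths that contain no spaces.

```shell
#!/bin/sh
# Added example (not ONLYOFFICE code): sanity-check the edited NGINX SSL config
# before starting NGINX. check_ssl_conf is a hypothetical helper name.
# Assumption: each ssl_* path directive sits on its own line, path without spaces.

check_ssl_conf() {
    local conf="$1" problems=0 directive path entries

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi

    # 1. A {{...}} placeholder left over from the template was never filled in.
    if grep -n '{{[A-Z_]*}}' "$conf" >&2; then
        echo "unresolved template placeholders in $conf" >&2
        problems=$((problems + 1))
    fi

    # 2. Collect "directive path" pairs for the standard NGINX SSL file directives.
    entries=$(awk '$1 ~ /^ssl_(certificate|certificate_key|dhparam|client_certificate|trusted_certificate)$/ { print $1, $2 }' "$conf")

    while read -r directive path; do
        [ -n "$directive" ] || continue
        path="${path%;}"
        case "$path" in *'{{'*) continue ;; esac    # already reported in step 1
        if [ ! -f "$path" ]; then
            echo "$directive: $path does not exist" >&2
            problems=$((problems + 1))
        elif [ "$directive" = ssl_certificate_key ] &&
             [ -n "$(find "$path" -perm -040 -o -perm -004)" ]; then
            # 3. The private key must not be readable by group or others.
            echo "$directive: $path is readable by group or others" >&2
            problems=$((problems + 1))
        fi
    done <<EOF
$entries
EOF

    [ "$problems" -eq 0 ]
}

# Usage: sh check.sh /etc/nginx/sites-available/onlyoffice
[ "$#" -eq 0 ] || check_ssl_conf "$1"
```

When the check exits with status 0, sudo nginx -t validates the configuration syntax before the service is started.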
