Switching ONLYOFFICE Workspace Community to HTTPS protocol
Introduction
In most cases accessing the portal via HTTPS protocol is much more secure than via HTTP which is used by default. But to change the portal access method certain actions must be performed.
Before you can start to switch your ONLYOFFICE Workspace Community to HTTPS protocol, you will need to create a security certificate in .pem format.
Once you have the certificate, proceed with the steps below to find out how to switch your ONLYOFFICE Workspace Community to HTTPS protocol.
Switching ONLYOFFICE Workspace Community to HTTPS using the provided script
The faster way to switch ONLYOFFICE Workspace Community to HTTPS is to use the provided script. Please refer to this article to find out how this can be done.
Switching ONLYOFFICE Community Server version 8.5 and later to HTTPS manually
You can perform all the script actions manually. To do that, follow the steps below.
Version 8.5 uses IIS 7 which has its own peculiarities. You will need to bind your security certificate to ONLYOFFICE Community Server using the built-in IIS tools.
If you have a security certificate (either self-signed or issued by a third party), you can bind it to ONLYOFFICE Community Server:
- Enter the Internet Information Services (IIS) Manager.
- Select the site you need to bind the certificate to (ONLYOFFICE portal).
- Use the Bindings... option of the right-side menu to open the Site Bindings dialog window.
- In the opened window click the Add... button.
- Change the type to https and select the previously created certificate from the SSL certificate drop-down menu.
- Click OK and after that close the Site Bindings window.
After that your certificate will be bound to ONLYOFFICE Community Server. If you have more questions about certificates in IIS 7, please refer to the appropriate Microsoft knowledge base articles.
To create a self-signed certificate:
- Enter the Internet Information Services (IIS) Manager.
- Go to server name, select it.
- Double-click the Service Certificates option of the IIS section.
- Use the Create Self-Signed Certificate option of the right-side menu to open the corresponding dialog window.
- Enter the desired certificate name and click OK.
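The certificate and binding steps above can also be scripted from an elevated PowerShell prompt. This is an added example, not the script ONLYOFFICE provides; the site name and host name are placeholders, and it assumes Windows Server 2012 or later with the WebAdministration module installed.

```powershell
# Added example. $siteName and $dnsName are assumptions; list real site names with Get-Website.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$siteName   = 'ONLYOFFICE'           # assumed IIS site name
$dnsName    = 'portal.example.com'   # placeholder host name
$thumbprint = ''                     # certificate already in LocalMachine\My, or empty

# Use the installed certificate if a thumbprint was given, otherwise create a self-signed one.
if ($thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
} else {
    $cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation 'Cert:\LocalMachine\My'
}

# IIS cannot serve TLS with a certificate that has no private key in the store.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in LocalMachine\My."
}

# Add the https binding on port 443 if the site does not have one yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate, but do not silently replace one that is already bound.
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') {
    Write-Warning 'A certificate is already bound to 0.0.0.0:443; review it before replacing it.'
} else {
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Show the resulting https bindings for the site.
Get-WebBinding -Name $siteName -Protocol https
```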
Now you need to enable the rewrite rules for your server, so that it processes HTTPS requests and not only HTTP ones. To do that:
- Enter the Internet Information Services (IIS) Manager.
- Select the site you need to enable HTTPS for.
- Use the URL Rewrite option of the right-side menu to open the URL Rewrite window.
- Find the following rules: HTTP to HTTPS and Add Strict-Transport-Security when HTTPS, and select the Enable Rule for each of them at the right-side panel.
The next steps are not obligatory, but if you want to safeguard your ONLYOFFICE Community Server installation, we strongly recommend that you do it. Go to the IIS Crypto webpage. This is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website. Download and run it, select Best Practices and then Apply. After that reboot your server.
Now you can check if everything is done correctly in the following way:
- Open your portal using the https:// prefix. If it opens and works then you did everything right.
- If your ONLYOFFICE Community Server is available via the internet, you can test its security using the SSL Server Test website. Enter your domain name in the Hostname field and click Submit. Wait for the results. Your security rating should be no worse than A.
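The two rewrite rules enabled above can be checked from any Windows machine that can reach the portal. This is an added example, not part of the ONLYOFFICE instructions; the host name is a placeholder, and a self-signed certificate must be trusted on the machine running the check or the HTTPS request will fail validation.

```powershell
# Added example. $portal is a placeholder host name (assumption).
$ErrorActionPreference = 'Stop'
$portal = 'portal.example.com'

# Older .NET defaults may offer only protocols that a hardened server no longer accepts.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-FirstResponse([string]$Url) {
    # Return the status and the relevant headers of the first response, without following redirects.
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
            Hsts     = $resp.Headers['Strict-Transport-Security']
        }
    } finally {
        $resp.Close()
    }
}

$plain = Get-FirstResponse "http://$portal/"
$tls   = Get-FirstResponse "https://$portal/"

# One check per rule: "HTTP to HTTPS" and "Add Strict-Transport-Security when HTTPS".
$checks = [ordered]@{
    'HTTP request is redirected'     = (($plain.Status -ge 300) -and ($plain.Status -lt 400))
    'Redirect target is https://'    = ("$($plain.Location)" -like 'https://*')
    'HSTS header present over HTTPS' = [bool]$tls.Hsts
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```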
Switching ONLYOFFICE Community Server version 7.7.1 and later to HTTPS (prior to 8.5)
- Create the ssl_cert folder in the c:\Program Files\Ascensio System SIA\ONLYOFFICE\Router\ directory.
- Copy the certificate in .pem format into this newly created directory.
- Restart the ONLYOFFICE Router service.
Port 443 must be opened for correct portal operation.
- Locate and open the Web.config file in the WebStudio folder (you will need administrator access rights to save the changes), and find the following section in it:
<rewrite><rules> ... </rules></rewrite>
Replace everything within this section (marked by "..." above) with the following rules:
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" />
<add input="{REQUEST_URI}" pattern="^/api/2.0/" negate="true" />
<add input="{REQUEST_URI}" pattern="products/files/services/wcfservice/service.svc.*" negate="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:0}" appendQueryString="true" redirectType="Temporary" />
</rule>
<rule name="WCF files HTTPS to HTTP" stopProcessing="true">
<match url="products/files/services/wcfservice/service.svc.*" />
<conditions>
<add input="{HTTPS}" pattern="on" />
</conditions>
<action type="Rewrite" url="http://{HTTP_HOST}/{R:0}" appendQueryString="true" />
</rule>
Switching older versions of ONLYOFFICE Community Server to HTTPS (prior to 7.7.1)
Switching older ONLYOFFICE Community Server versions to HTTPS requires the following steps for correct work:
- Put the certificate in the .pem format with private key to some folder on the computer with ONLYOFFICE Community Server installed.
- Go to the c:\Program Files\Ascensio System SIA\ONLYOFFICE\Router\ folder and open the config.js file with some text editor. You need to use administrator access rights to be able to save the changes.
- Locate the following line:
config.sslCertPath = '../Cert/https-cert.pem';
and replace the ../Cert/https-cert.pem with the path where you put the certificate. Please note that you need to write the absolute path to the certificate file (e.g. C:/Cert/mycertificate.pem) and forward slashes (not backslashes!) must be used in the path, just as shown in the example.
- Restart the ONLYOFFICE Router service.
The appropriate ports must be opened and node.js must be added to firewall exceptions or allow rules.
You might also need to change sslCertPath to sslCert in the config.sslCertPath parameter line.