updated for onlyoffice-documentserver v4.0

config/nginx/onlyoffice-documentserver-ssl.conf

@@ -0,0 +1,71 @@
+include /etc/nginx/includes/onlyoffice-http.conf;
+
+## Normal HTTP host
+server {
+  listen 0.0.0.0:80;
+  listen [::]:80 default_server;
+  server_name _;
+  server_tokens off;
+
+  ## Redirects all traffic to the HTTPS host
+  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
+  rewrite ^ https://$host$request_uri? permanent;
+}
+
+#HTTP host for internal services
+server {
+  listen 127.0.0.1:80;
+  listen [::1]:80;
+  server_name localhost;
+  server_tokens off;
+  
+  include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
+  include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
+}
+
+## HTTPS host
+server {
+  listen 0.0.0.0:443 ssl spdy;
+  listen [::]:443 ssl spdy default_server;
+  server_tokens off;
+  root /usr/share/nginx/html;
+
+  ## Strong SSL Security
+  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+  ssl on;
+  ssl_certificate {{SSL_CERTIFICATE_PATH}};
+  ssl_certificate_key {{SSL_KEY_PATH}};
+  ssl_verify_client {{SSL_VERIFY_CLIENT}};
+  ssl_client_certificate {{CA_CERTIFICATES_PATH}};
+
+  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
+  ssl_session_cache  builtin:1000  shared:SSL:10m;
+
+  ssl_prefer_server_ciphers   on;
+
+  add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}};
+  # add_header X-Frame-Options SAMEORIGIN;
+  add_header X-Content-Type-Options nosniff;
+
+  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+  ## Replace with your ssl_trusted_certificate. For more info see:
+  ## - https://medium.com/devops-programming/4445f4862461
+  ## - https://www.ruby-forum.com/topic/4419319
+  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+  # ssl_stapling on;
+  # ssl_stapling_verify on;
+  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
+  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
+  # resolver_timeout 10s;
+
+  ## [Optional] Generate a stronger DHE parameter:
+  ##   cd /etc/ssl/certs
+  ##   sudo openssl dhparam -out dhparam.pem 4096
+  ##
+  ssl_dhparam {{SSL_DHPARAM_PATH}};
+
+  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
+
+}

config/nginx/onlyoffice-documentserver.conf

@@ -0,0 +1,8 @@
+include /etc/nginx/includes/onlyoffice-http.conf;
+server {
+  listen 0.0.0.0:80;
+  listen [::]:80 default_server;
+  server_tokens off;
+  
+  include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
+}

config/nginx/onlyoffice-ssl

@@ -1,114 +0,0 @@
-## Normal HTTP host
-server {
-  listen 0.0.0.0:80;
-  listen [::]:80 default_server;
-  server_name _;
-  server_tokens off;
-
-  ## Redirects all traffic to the HTTPS host
-  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
-  rewrite ^ https://$host$request_uri? permanent;
-}
-
-upstream fastcgi_backend {
-    server 127.0.0.1:9001;
-    keepalive 32;
-}
-
-## HTTPS host
-server {
-  listen 0.0.0.0:443 ssl spdy;
-  listen [::]:443 ssl spdy default_server;
-  server_tokens off;
-  root /usr/share/nginx/html;
-
-  ## Increase this if you want to upload large attachments
-  client_max_body_size 100m;
-
-  ## Strong SSL Security
-  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-  ssl on;
-  ssl_certificate {{SSL_CERTIFICATE_PATH}};
-  ssl_certificate_key {{SSL_KEY_PATH}};
-  ssl_verify_client {{SSL_VERIFY_CLIENT}};
-  ssl_client_certificate {{CA_CERTIFICATES_PATH}};
-
-  ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
-  ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
-  ssl_session_cache  builtin:1000  shared:SSL:10m;
-
-  ssl_prefer_server_ciphers   on;
-
-  add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}};
-  # add_header X-Frame-Options SAMEORIGIN;
-  add_header X-Content-Type-Options nosniff;
-
-  ## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
-  ## Replace with your ssl_trusted_certificate. For more info see:
-  ## - https://medium.com/devops-programming/4445f4862461
-  ## - https://www.ruby-forum.com/topic/4419319
-  ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
-  # ssl_stapling on;
-  # ssl_stapling_verify on;
-  # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
-  # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
-  # resolver_timeout 10s;
-
-  ## [Optional] Generate a stronger DHE parameter:
-  ##   cd /etc/ssl/certs
-  ##   sudo openssl dhparam -out dhparam.pem 4096
-  ##
-  ssl_dhparam {{SSL_DHPARAM_PATH}};
-
-        gzip on;
-        gzip_types      text/plain
-                                text/xml
-                                text/css
-                                text/csv
-                                application/xml
-                                application/javascript
-                                application/x-javascript
-                                application/json
-                                application/octet-stream
-                                application/pdf
-                                application/rtf
-                                application/msword
-                                application/vnd.ms-excel
-                                application/vnd.ms-powerpoint;
-                                #application/vnd.oasis.opendocument.text
-                                #application/vnd.oasis.opendocument.spreadsheet
-                                #application/vnd.oasis.opendocument.presentation
-                                #application/vnd.openxmlformats-officedocument.wordprocessingml.document
-                                #application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
-                                #application/vnd.openxmlformats-officedocument.presentationml.presentation;
-
-
-        location / {
-                root /var/www/onlyoffice/documentserver/DocService/;
-                index index.html index.htm default.aspx Default.aspx;
-                fastcgi_index Default.aspx;
-                fastcgi_keep_conn on;
-                fastcgi_pass fastcgi_backend;
-                include /etc/onlyoffice/documentserver/fastcgi_params;
-        }
-
-        location ~ \/OfficeWeb\/(?!sdk\/Fonts\/) {
-                root /var/www/onlyoffice/documentserver/DocService;
-        }
-
-        location /coauthoring/ {
-                proxy_pass http://localhost:8000/;
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-        }
-
-        location /spellchecker/ {
-                proxy_pass http://localhost:8080/;
-                proxy_http_version 1.1;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-        }
-}
-