Merge branch 'release/v4.3.0'
This commit is contained in:
commit
adf29bc63b
6 changed files with 67 additions and 99 deletions
|
@ -6,13 +6,13 @@ ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=nonint
|
|||
RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
|
||||
apt-get -y update && \
|
||||
apt-get --force-yes -yq install wget apt-transport-https curl && \
|
||||
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D9D0BF019CC8AC0D && \
|
||||
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CB2DE8E5 && \
|
||||
echo "deb http://archive.ubuntu.com/ubuntu precise main universe multiverse" >> /etc/apt/sources.list && \
|
||||
locale-gen en_US.UTF-8 && \
|
||||
curl -sL https://deb.nodesource.com/setup_6.x | bash - && \
|
||||
apt-get -y update && \
|
||||
echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true | debconf-set-selections && \
|
||||
apt-get --force-yes -yq install software-properties-common adduser postgresql redis-server rabbitmq-server nginx-extras nodejs libstdc++6 libcurl3 libxml2 libboost-regex-dev zlib1g supervisor fonts-dejavu fonts-liberation ttf-mscorefonts-installer fonts-crosextra-carlito fonts-takao-gothic fonts-opensymbol libxss1 libgtkglext1 libcairo2 xvfb libxtst6 libgconf2-4 libasound2 bomstrip libnspr4 libnss3 libnss3-nssdb nano htop && \
|
||||
apt-get --force-yes -yq install software-properties-common adduser postgresql postgresql-client redis-server rabbitmq-server nginx-extras nodejs libstdc++6 libcurl3 libxml2 libboost-regex-dev zlib1g supervisor fonts-dejavu fonts-liberation ttf-mscorefonts-installer fonts-crosextra-carlito fonts-takao-gothic fonts-opensymbol libxss1 libgtkglext1 libcairo2 xvfb libxtst6 libgconf2-4 libasound2 bomstrip libnspr4 libnss3 libnss3-nssdb nano htop && \
|
||||
sudo -u postgres psql -c "CREATE DATABASE onlyoffice;" && \
|
||||
sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';" && \
|
||||
sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;" && \
|
||||
|
@ -41,6 +41,6 @@ RUN echo "$REPO_URL" | tee /etc/apt/sources.list.d/onlyoffice.list && \
|
|||
rm -rf /var/log/onlyoffice && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
VOLUME /etc/onlyoffice /var/log/onlyoffice /var/lib/onlyoffice /var/www/onlyoffice/Data
|
||||
VOLUME /etc/onlyoffice /var/log/onlyoffice /var/lib/onlyoffice /var/www/onlyoffice/Data /usr/share/fonts/truetype/custom
|
||||
|
||||
CMD bash -C '/app/onlyoffice/run-document-server.sh';'bash'
|
||||
|
|
11
README.md
11
README.md
|
@ -4,6 +4,7 @@
|
|||
* [Running Docker Image](#running-docker-image)
|
||||
* [Configuring Docker Image](#configuring-docker-image)
|
||||
- [Storing Data](#storing-data)
|
||||
- [Running ONLYOFFICE Document Server on Different Port](#running-onlyoffice-document-server-on-different-port)
|
||||
- [Running ONLYOFFICE Document Server using HTTPS](#running-onlyoffice-document-server-using-https)
|
||||
+ [Generation of Self Signed Certificates](#generation-of-self-signed-certificates)
|
||||
+ [Strengthening the Server Security](#strengthening-the-server-security)
|
||||
|
@ -66,6 +67,12 @@ To get access to your data from outside the container, you need to mount the vol
|
|||
|
||||
Storing the data on the host machine allows you to easily update ONLYOFFICE once the new version is released without losing your data.
|
||||
|
||||
### Running ONLYOFFICE Document Server on Different Port
|
||||
|
||||
To change the port, use the -p command. E.g.: to make your portal accessible via port 8080 execute the following command:
|
||||
|
||||
sudo docker run -i -t -d -p 8080:80 onlyoffice/documentserver
|
||||
|
||||
### Running ONLYOFFICE Document Server using HTTPS
|
||||
|
||||
sudo docker run -i -t -d -p 443:443 \
|
||||
|
@ -153,9 +160,7 @@ Below is the complete list of parameters that can be set using environment varia
|
|||
- **POSTGRESQL_SERVER_DB_NAME**: The name of a PostgreSQL database to be created on the image startup.
|
||||
- **POSTGRESQL_SERVER_USER**: The new user name with superuser permissions for the PostgreSQL account.
|
||||
- **POSTGRESQL_SERVER_PASS**: The password set for the PostgreSQL account.
|
||||
- **RABBITMQ_SERVER_HOST**: The IP address or the name of the host where the RabbitMQ server is running.
|
||||
- **RABBITMQ_SERVER_USER**: The RabbitMQ server user name.
|
||||
- **RABBITMQ_SERVER_PASS**: The password set for the RabbitMQ account.
|
||||
- **RABBITMQ_SERVER_URL**: The [AMQP URL](http://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to RabbitMQ server.
|
||||
- **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
|
||||
- **REDIS_SERVER_PORT**: The Redis server port number.
|
||||
- **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
|
||||
|
|
|
@ -1,71 +0,0 @@
|
|||
include /etc/nginx/includes/onlyoffice-http.conf;
|
||||
|
||||
## Normal HTTP host
|
||||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
server_tokens off;
|
||||
|
||||
## Redirects all traffic to the HTTPS host
|
||||
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
|
||||
rewrite ^ https://$host$request_uri? permanent;
|
||||
}
|
||||
|
||||
#HTTP host for internal services
|
||||
server {
|
||||
listen 127.0.0.1:80;
|
||||
listen [::1]:80;
|
||||
server_name localhost;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/includes/onlyoffice-documentserver-common.conf;
|
||||
include /etc/nginx/includes/onlyoffice-documentserver-docservice.conf;
|
||||
}
|
||||
|
||||
## HTTPS host
|
||||
server {
|
||||
listen 0.0.0.0:443 ssl;
|
||||
listen [::]:443 ssl default_server;
|
||||
server_tokens off;
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
## Strong SSL Security
|
||||
## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
||||
ssl on;
|
||||
ssl_certificate {{SSL_CERTIFICATE_PATH}};
|
||||
ssl_certificate_key {{SSL_KEY_PATH}};
|
||||
ssl_verify_client {{SSL_VERIFY_CLIENT}};
|
||||
ssl_client_certificate {{CA_CERTIFICATES_PATH}};
|
||||
|
||||
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
add_header Strict-Transport-Security max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}};
|
||||
# add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
|
||||
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
|
||||
## Replace with your ssl_trusted_certificate. For more info see:
|
||||
## - https://medium.com/devops-programming/4445f4862461
|
||||
## - https://www.ruby-forum.com/topic/4419319
|
||||
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
|
||||
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
|
||||
# resolver_timeout 10s;
|
||||
|
||||
## [Optional] Generate a stronger DHE parameter:
|
||||
## cd /etc/ssl/certs
|
||||
## sudo openssl dhparam -out dhparam.pem 4096
|
||||
##
|
||||
ssl_dhparam {{SSL_DHPARAM_PATH}};
|
||||
|
||||
include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
|
||||
|
||||
}
|
|
@ -1,8 +0,0 @@
|
|||
include /etc/nginx/includes/onlyoffice-http.conf;
|
||||
server {
|
||||
listen 0.0.0.0:80;
|
||||
listen [::]:80 default_server;
|
||||
server_tokens off;
|
||||
|
||||
include /etc/nginx/includes/onlyoffice-documentserver-*.conf;
|
||||
}
|
|
@ -9,9 +9,7 @@ services:
|
|||
- POSTGRESQL_SERVER_PORT=5432
|
||||
- POSTGRESQL_SERVER_DB_NAME=onlyoffice
|
||||
- POSTGRESQL_SERVER_USER=onlyoffice
|
||||
- RABBITMQ_SERVER_HOST=onlyoffice-rabbitmq
|
||||
- RABBITMQ_SERVER_USER=guest
|
||||
- RABBITMQ_SERVER_PASS=guest
|
||||
- RABBITMQ_SERVER_URL=amqp://guest:guest@onlyoffice-rabbitmq
|
||||
- REDIS_SERVER_HOST=onlyoffice-redis
|
||||
- REDIS_SERVER_PORT=6379
|
||||
stdin_open: true
|
||||
|
|
|
@ -18,7 +18,10 @@ ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true}
|
|||
ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAG:-31536000}
|
||||
SYSCONF_TEMPLATES_DIR="/app/onlyoffice/setup/config"
|
||||
|
||||
NGINX_ONLYOFFICE_PATH="/etc/nginx/conf.d/onlyoffice-documentserver.conf";
|
||||
NGINX_CONFD_PATH="/etc/nginx/conf.d";
|
||||
NGINX_ONLYOFFICE_PATH="${NGINX_CONFD_PATH}/onlyoffice-documentserver.conf";
|
||||
NGINX_ONLYOFFICE_INCLUDES_PATH="/etc/nginx/includes";
|
||||
NGINX_ONLYOFFICE_EXAMPLE_PATH=${NGINX_ONLYOFFICE_INCLUDES_PATH}/onlyoffice-documentserver-example.conf
|
||||
|
||||
NGINX_CONFIG_PATH="/etc/nginx/nginx.conf"
|
||||
NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-$(grep processor /proc/cpuinfo | wc -l)}
|
||||
|
@ -37,16 +40,55 @@ read_setting(){
|
|||
POSTGRESQL_SERVER_USER=${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}
|
||||
POSTGRESQL_SERVER_PASS=${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
|
||||
|
||||
RABBITMQ_SERVER_URL=$(${JSON} rabbitmq.url)
|
||||
RABBITMQ_SERVER_HOST=${RABBITMQ_SERVER_HOST:-${RABBITMQ_SERVER_URL#'amqp://'}}
|
||||
RABBITMQ_SERVER_USER=${RABBITMQ_SERVER_USER:-$(${JSON} rabbitmq.login)}
|
||||
RABBITMQ_SERVER_PASS=${RABBITMQ_SERVER_PASS:-$(${JSON} rabbitmq.password)}
|
||||
RABBITMQ_SERVER_PORT=${RABBITMQ_SERVER_PORT:-"5672"}
|
||||
RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
|
||||
parse_rabbitmq_url
|
||||
|
||||
REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-$(${JSON} services.CoAuthoring.redis.host)}
|
||||
REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-$(${JSON} services.CoAuthoring.redis.port)}
|
||||
}
|
||||
|
||||
parse_rabbitmq_url(){
|
||||
local amqp=${RABBITMQ_SERVER_URL}
|
||||
|
||||
# extract the protocol
|
||||
local proto="$(echo $amqp | grep :// | sed -e's,^\(.*://\).*,\1,g')"
|
||||
# remove the protocol
|
||||
local url="$(echo ${amqp/$proto/})"
|
||||
|
||||
# extract the user and password (if any)
|
||||
local userpass="`echo $url | grep @ | cut -d@ -f1`"
|
||||
local pass=`echo $userpass | grep : | cut -d: -f2`
|
||||
|
||||
local user
|
||||
if [ -n "$pass" ]; then
|
||||
user=`echo $userpass | grep : | cut -d: -f1`
|
||||
else
|
||||
user=$userpass
|
||||
fi
|
||||
echo $user
|
||||
|
||||
# extract the host
|
||||
local hostport="$(echo ${url/$userpass@/} | cut -d/ -f1)"
|
||||
# by request - try to extract the port
|
||||
local port="$(echo $hostport | sed -e 's,^.*:,:,g' -e 's,.*:\([0-9]*\).*,\1,g' -e 's,[^0-9],,g')"
|
||||
|
||||
local host
|
||||
if [ -n "$port" ]; then
|
||||
host=`echo $hostport | grep : | cut -d: -f1`
|
||||
else
|
||||
host=$hostport
|
||||
port="5672"
|
||||
fi
|
||||
|
||||
# extract the path (if any)
|
||||
local path="$(echo $url | grep / | cut -d/ -f2-)"
|
||||
|
||||
RABBITMQ_SERVER_HOST=$host
|
||||
RABBITMQ_SERVER_USER=$user
|
||||
RABBITMQ_SERVER_PASS=$pass
|
||||
RABBITMQ_SERVER_PORT=$port
|
||||
}
|
||||
|
||||
waiting_for_connection(){
|
||||
until nc -z -w 3 "$1" "$2"; do
|
||||
>&2 echo "Waiting for connection to the $1 host on port $2"
|
||||
|
@ -77,9 +119,7 @@ update_postgresql_settings(){
|
|||
}
|
||||
|
||||
update_rabbitmq_setting(){
|
||||
${JSON} -I -e "this.rabbitmq.url = 'amqp://${RABBITMQ_SERVER_HOST}'"
|
||||
${JSON} -I -e "this.rabbitmq.login = '${RABBITMQ_SERVER_USER}'"
|
||||
${JSON} -I -e "this.rabbitmq.password = '${RABBITMQ_SERVER_PASS}'"
|
||||
${JSON} -I -e "this.rabbitmq.url = '${RABBITMQ_SERVER_URL}'"
|
||||
}
|
||||
|
||||
update_redis_settings(){
|
||||
|
@ -112,7 +152,7 @@ update_nginx_settings(){
|
|||
|
||||
# setup HTTPS
|
||||
if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice-documentserver-ssl.conf ${NGINX_ONLYOFFICE_PATH}
|
||||
cp ${NGINX_CONFD_PATH}/onlyoffice-documentserver-ssl.conf.template ${NGINX_ONLYOFFICE_PATH}
|
||||
|
||||
# configure nginx
|
||||
sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH}
|
||||
|
@ -139,7 +179,11 @@ update_nginx_settings(){
|
|||
sed '/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/d' -i ${NGINX_ONLYOFFICE_PATH}
|
||||
fi
|
||||
else
|
||||
cp ${SYSCONF_TEMPLATES_DIR}/nginx/onlyoffice-documentserver.conf ${NGINX_ONLYOFFICE_PATH}
|
||||
cp ${NGINX_CONFD_PATH}/onlyoffice-documentserver.conf.template ${NGINX_ONLYOFFICE_PATH}
|
||||
fi
|
||||
|
||||
if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_PATH}" ]; then
|
||||
sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_PATH}
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue