Alexey Golubev 2020-05-22 11:21:42 +03:00
commit 91815ac24a
15 changed files with 175 additions and 151 deletions


@ -3,6 +3,26 @@ language: generic
dist: trusty
env:
# certificates (default tls if onlyoffice not exists)
- config: certs.yml
ssl: true
# certificates (default onlyoffice if exists)
- config: certs.yml
ssl: true
private_key: onlyoffice.key
certificate_request: onlyoffice.csr
certificate: onlyoffice.crt
# custom certificates
- config: certs-customized.yml
ssl: true
private_key: mycert.key
certificate_request: mycert.csr
certificate: mycert.crt
SSL_CERTIFICATE_PATH: /var/www/onlyoffice/Data/certs/mycert.crt
SSL_KEY_PATH: /var/www/onlyoffice/Data/certs/mycert.key
# postgresql
- config: postgres.yml
@ -16,43 +36,24 @@ env:
# deprecated variables
- config: postgres-old.yml
POSTGRESQL_SERVER_HOST: onlyoffice-postgresql
POSTGRESQL_SERVER_PORT: 5432
POSTGRESQL_SERVER_DB_NAME: onlyoffice
POSTGRESQL_SERVER_USER: onlyoffice
POSTGRESQL_SERVER_PASS: onlyoffice
# mysql
- config: mysql.yml
DB_TYPE: mysql
DB_HOST: onlyoffice-mysql
DB_PORT: 3306
# mariadb
- config: mariadb.yml
DB_TYPE: mysql
DB_HOST: db
DB_PORT: 3306
# activemq
- config: activemq.yml
AMQP_TYPE: activemq
AMQP_URI: amqp://guest:guest@onlyoffice-activemq
# rabbitmq
- config: rabbitmq.yml
AMQP_TYPE: rabbitmq
AMQP_URI: amqp://guest:guest@onlyoffice-rabbitmq
# rabbitmq old variables
- config: rabbitmq-old.yml
AMQP_SERVER_TYPE: rabbitmq
AMQP_SERVER_URL: amqp://guest:guest@onlyoffice-rabbitmq
# redis
- config: redis.yml
REDIS_SERVER_HOST: onlyoffice-redis
REDIS_SERVER_PORT: 6379
services:
- docker


@ -96,8 +96,8 @@ To secure the application via SSL basically two things are needed:
So you need to create and install the following files:
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
/app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
/app/onlyoffice/DocumentServer/data/certs/tls.key
/app/onlyoffice/DocumentServer/data/certs/tls.crt
When using CA certified certificates, these files are provided to you by the CA. When using self-signed certificates you need to generate these files yourself. Skip the following section if you are have CA certified SSL certificates.
@ -108,19 +108,19 @@ Generation of self-signed SSL certificates involves a simple 3 step procedure.
**STEP 1**: Create the server private key
```bash
openssl genrsa -out onlyoffice.key 2048
openssl genrsa -out tls.key 2048
```
**STEP 2**: Create the certificate signing request (CSR)
```bash
openssl req -new -key onlyoffice.key -out onlyoffice.csr
openssl req -new -key tls.key -out tls.csr
```
**STEP 3**: Sign the certificate using the private key and CSR
```bash
openssl x509 -req -days 365 -in onlyoffice.csr -signkey onlyoffice.key -out onlyoffice.crt
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
```
You have now generated an SSL certificate that's valid for 365 days.
@ -136,18 +136,18 @@ openssl dhparam -out dhparam.pem 2048
#### Installation of the SSL Certificates
Out of the four files generated above, you need to install the `onlyoffice.key`, `onlyoffice.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
Out of the four files generated above, you need to install the `tls.key`, `tls.crt` and `dhparam.pem` files at the onlyoffice server. The CSR file is not needed, but do make sure you safely backup the file (in case you ever need it again).
The default path that the onlyoffice application is configured to look for the SSL certificates is at `/var/www/onlyoffice/Data/certs`, this can however be changed using the `SSL_KEY_PATH`, `SSL_CERTIFICATE_PATH` and `SSL_DHPARAM_PATH` configuration options.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `onlyoffice.key` file to only be readable by the owner.
The `/var/www/onlyoffice/Data/` path is the path of the data store, which means that you have to create a folder named certs inside `/app/onlyoffice/DocumentServer/data/` and copy the files into it and as a measure of security you will update the permission on the `tls.key` file to only be readable by the owner.
```bash
mkdir -p /app/onlyoffice/DocumentServer/data/certs
cp onlyoffice.key /app/onlyoffice/DocumentServer/data/certs/
cp onlyoffice.crt /app/onlyoffice/DocumentServer/data/certs/
cp tls.key /app/onlyoffice/DocumentServer/data/certs/
cp tls.crt /app/onlyoffice/DocumentServer/data/certs/
cp dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
```
You are now just one step away from having our application secured.
@ -160,8 +160,8 @@ Below is the complete list of parameters that can be set using environment varia
- **ONLYOFFICE_HTTPS_HSTS_ENABLED**: Advanced configuration option for turning off the HSTS configuration. Applicable only when SSL is in use. Defaults to `true`.
- **ONLYOFFICE_HTTPS_HSTS_MAXAGE**: Advanced configuration option for setting the HSTS max-age in the onlyoffice nginx vHost configuration. Applicable only when SSL is in use. Defaults to `31536000`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/onlyoffice.key`.
- **SSL_CERTIFICATE_PATH**: The path to the SSL certificate to use. Defaults to `/var/www/onlyoffice/Data/certs/tls.crt`.
- **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
- **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
- **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
- **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.


@ -16,8 +16,16 @@ ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
ONLYOFFICE_DATA_CONTAINER_PORT=80
SSL_CERTIFICATES_DIR="${DATA_DIR}/certs"
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.crt}
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/onlyoffice.key}
if [[ -z $SSL_CERTIFICATE_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt ]]; then
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt
else
SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
fi
if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
else
SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
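Review bot: The certificate and the key fall back to the legacy `onlyoffice.*` names independently, so a certs directory holding `onlyoffice.crt` next to `tls.key` (or a caller who sets only one of `SSL_CERTIFICATE_PATH` / `SSL_KEY_PATH`) ends up with a certificate and a private key that do not belong together. The legacy names should be chosen only as a complete pair, and only when neither path was supplied. How the web server reacts to a mismatched pair is not visible here, but it will not be the configuration the operator intended. The script continues above and below this hunk.

```shell
# … unchanged: SSL_CERTIFICATES_DIR assignment …
if [[ -z $SSL_CERTIFICATE_PATH && -z $SSL_KEY_PATH \
      && -f ${SSL_CERTIFICATES_DIR}/onlyoffice.crt \
      && -f ${SSL_CERTIFICATES_DIR}/onlyoffice.key ]]; then
  # legacy file names are honoured only as a matching pair
  SSL_CERTIFICATE_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.crt
  SSL_KEY_PATH=${SSL_CERTIFICATES_DIR}/onlyoffice.key
else
  SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-${SSL_CERTIFICATES_DIR}/tls.crt}
  SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
fi
# … unchanged: CA_CERTIFICATES_PATH, SSL_DHPARAM_PATH, SSL_VERIFY_CLIENT …
```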


@ -1,11 +1,12 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
environment:
- AMQP_TYPE
- AMQP_URI
- AMQP_TYPE=${AMQP_TYPE:-activemq}
- AMQP_URI=${AMQP_URI:-amqp://guest:guest@onlyoffice-activemq}
stdin_open: true
restart: always
ports:
@ -18,8 +19,8 @@ services:
container_name: onlyoffice-activemq
image: webcenter/activemq:5.14.3
environment:
- ACTIVEMQ_USERS_guest
- ACTIVEMQ_GROUPS_owners
- ACTIVEMQ_USERS_guest=${ACTIVEMQ_USERS_guest:-guest}
- ACTIVEMQ_GROUPS_owners=${ACTIVEMQ_GROUPS_owners:-guest}
restart: always
networks:
- onlyoffice


@ -0,0 +1,18 @@
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
build:
context: ../.
environment:
- SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH:-/var/www/onlyoffice/Data/certs/tls.crt}
- SSL_KEY_PATH=${SSL_KEY_PATH:-/var/www/onlyoffice/Data/certs/tls.key}
- CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-/var/www/onlyoffice/Data/certs/ca-certificates.pem}
- SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-/var/www/onlyoffice/Data/certs/dhparam.pem}
stdin_open: true
restart: always
ports:
- '80:80'
- '443:443'
volumes:
- ./data:/var/www/onlyoffice/Data

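--- /dev/null
+++ b/tests/certs.yml
@@ -0,0 +1,13 @@
+version: '2.1'
+services:
+onlyoffice-documentserver:
+container_name: onlyoffice-documentserver
+build:
+context: ../.
+stdin_open: true
+restart: always
+ports:
+- '80:80'
+- '443:443'
+volumes:
+- ./data:/var/www/onlyoffice/Data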


@ -1,41 +0,0 @@
# DocumentServer Container
ONLYOFFICE_DATA_CONTAINER=true
DB_TYPE=postgres
DB_HOST=onlyoffice-postgresql
DB_PORT=5432
DB_NAME=onlyoffice
DB_USER=onlyoffice
DB_PWD=onlyoffice
AMQP_TYPE=rabbitmq
AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
REDIS_SERVER_HOST=onlyoffice-redis
REDIS_SERVER_PORT=6379
JWT_ENABLED=true
JWT_SECRET=secret
JWT_HEADER=Authorization
ONLYOFFICE_DATA_CONTAINER_HOST=onlyoffice-documentserver-data
BALANCE=uri depth 3
EXCLUDE_PORTS=443
HTTP_CHECK=GET /healthcheck
EXTRA_SETTINGS=http-check expect string true
FORCE_SSL=true
# HAProxy Container
MODE=http
CERT_FOLDER=/certs/
# ActiveMQ Container
ACTIVEMQ_USERS_guest=guest
ACTIVEMQ_GROUPS_owners=guest
# Postgres Container
POSTGRES_DB=onlyoffice
POSTGRES_USER=onlyoffice
POSTGRES_HOST_AUTH_METHOD=trust
# MySQL Container
MYSQL_DATABASE=onlyoffice
MYSQL_USER=onlyoffice
MYSQL_PASSWORD=onlyoffice
MYSQL_ALLOW_EMPTY_PASSWORD=yes


@ -1,30 +1,31 @@
version: '2'
version: '2.1'
services:
ds:
container_name: ds
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
depends_on:
- db
- onlyoffice-mariadb
environment:
- DB_TYPE
- DB_HOST
- DB_PORT
- DB_NAME
- DB_USER
- DB_PWD
- DB_TYPE=${DB_TYPE:-mysql}
- DB_HOST=${DB_HOST:-onlyoffice-mariadb}
- DB_PORT=${DB_PORT:-3306}
- DB_NAME=${DB_NAME:-onlyoffice}
- DB_USER=${DB_USER:-onlyoffice}
- DB_PWD=${DB_PWD:-onlyoffice}
stdin_open: true
restart: always
ports:
- '80:80'
db:
container_name: db
onlyoffice-mariadb:
container_name: onlyoffice-mariadb
image: mariadb:10.5
environment:
- MYSQL_DATABASE
- MYSQL_USER
- MYSQL_PASSWORD
- MYSQL_ALLOW_EMPTY_PASSWORD
- MYSQL_DATABASE=${MYSQL_DATABASE:-onlyoffice}
- MYSQL_USER=${MYSQL_USER:-onlyoffice}
- MYSQL_PASSWORD=${MYSQL_PASSWORD:-onlyoffice}
- MYSQL_ALLOW_EMPTY_PASSWORD=${MYSQL_ALLOW_EMPTY_PASSWORD:-yes}
restart: always
volumes:
- mysql_data:/var/lib/mysql
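Review bot: `MYSQL_ALLOW_EMPTY_PASSWORD` now defaults to `yes` in the `onlyoffice-mariadb` service, so the database root account has no password whenever the variable is unset; the MySQL compose file in this commit carries the same default. The document server connects as `onlyoffice` (the `DB_USER` default), so root access does not appear to be needed by the test, though that is inferred from the visible lines only. If that holds, `- MYSQL_RANDOM_ROOT_PASSWORD=yes` in place of that line satisfies the image's root-password requirement without leaving an empty one. A header comment such as `# test fixture: default credentials, not for deployment` would also make the intent explicit now that the values live in the compose file itself.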


@ -1,17 +1,18 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
depends_on:
- onlyoffice-mysql
environment:
- DB_TYPE
- DB_HOST
- DB_PORT
- DB_NAME
- DB_USER
- DB_PWD
- DB_TYPE=${DB_TYPE:-mysql}
- DB_HOST=${DB_HOST:-onlyoffice-mysql}
- DB_PORT=${DB_PORT:-3306}
- DB_NAME=${DB_NAME:-onlyoffice}
- DB_USER=${DB_USER:-onlyoffice}
- DB_PWD=${DB_PWD:-onlyoffice}
stdin_open: true
restart: always
ports:
@ -21,10 +22,10 @@ services:
container_name: onlyoffice-mysql
image: mysql:5.7
environment:
- MYSQL_DATABASE
- MYSQL_USER
- MYSQL_PASSWORD
- MYSQL_ALLOW_EMPTY_PASSWORD
- MYSQL_DATABASE=${MYSQL_DATABASE:-onlyoffice}
- MYSQL_USER=${MYSQL_USER:-onlyoffice}
- MYSQL_PASSWORD=${MYSQL_PASSWORD:-onlyoffice}
- MYSQL_ALLOW_EMPTY_PASSWORD=${MYSQL_ALLOW_EMPTY_PASSWORD:-yes}
restart: always
volumes:
- mysql_data:/var/lib/mysql


@ -1,16 +1,17 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
depends_on:
- onlyoffice-postgresql
environment:
- POSTGRESQL_SERVER_HOST
- POSTGRESQL_SERVER_PORT
- POSTGRESQL_SERVER_DB_NAME
- POSTGRESQL_SERVER_USER
- POSTGRESQL_SERVER_PASS
- POSTGRESQL_SERVER_HOST=${DB_HOST:-onlyoffice-postgresql}
- POSTGRESQL_SERVER_PORT=${DB_PORT:-5432}
- POSTGRESQL_SERVER_DB_NAME=${DB_NAME:-onlyoffice}
- POSTGRESQL_SERVER_USER=${DB_USER:-onlyoffice}
- POSTGRESQL_SERVER_PASS=${DB_PWD:-onlyoffice}
stdin_open: true
restart: always
ports:
@ -20,9 +21,9 @@ services:
container_name: onlyoffice-postgresql
image: postgres:9.5
environment:
- POSTGRES_DB
- POSTGRES_USER
- POSTGRES_HOST_AUTH_METHOD
- POSTGRES_DB=${POSTGRES_DB:-onlyoffice}
- POSTGRES_USER=${POSTGRES_USER:-onlyoffice}
- POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-trust}
restart: always
expose:
- '5432'
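Review bot: The deprecated variable names are filled from the new ones here: `POSTGRESQL_SERVER_HOST=${DB_HOST:-onlyoffice-postgresql}` and the four lines after it all read `DB_*`, so exporting `POSTGRESQL_SERVER_*` in the CI job has no effect on this file. The other legacy fixture in this commit keeps the same name on both sides (`AMQP_SERVER_TYPE=${AMQP_SERVER_TYPE:-rabbitmq}`). If the job is meant to be able to override the deprecated variables, write `- POSTGRESQL_SERVER_HOST=${POSTGRESQL_SERVER_HOST:-onlyoffice-postgresql}` and likewise for PORT, DB_NAME, USER and PASS. If the cross-mapping is deliberate, a one-line comment saying so would stop it being "corrected" later.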


@ -1,17 +1,18 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
depends_on:
- onlyoffice-postgresql
environment:
- DB_TYPE
- DB_HOST
- DB_PORT
- DB_NAME
- DB_USER
- DB_PWD
- DB_TYPE=${DB_TYPE:-postgres}
- DB_HOST=${DB_HOST:-onlyoffice-postgresql}
- DB_PORT=${DB_PORT:-5432}
- DB_NAME=${DB_NAME:-onlyoffice}
- DB_USER=${DB_USER:-onlyoffice}
- DB_PWD=${DB_PWD:-onlyoffice}
stdin_open: true
restart: always
ports:
@ -21,9 +22,9 @@ services:
container_name: onlyoffice-postgresql
image: postgres:9.5
environment:
- POSTGRES_DB
- POSTGRES_USER
- POSTGRES_HOST_AUTH_METHOD
- POSTGRES_DB=${POSTGRES_DB:-onlyoffice}
- POSTGRES_USER=${POSTGRES_USER:-onlyoffice}
- POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-trust}
restart: always
expose:
- '5432'
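Review bot: `POSTGRES_HOST_AUTH_METHOD` defaults to `trust` in the `onlyoffice-postgresql` service, so the server accepts any password and the `DB_PWD` value handed to the document server is never actually checked by this test; the deprecated-variables PostgreSQL fixture has the same default. Replacing that line with `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-onlyoffice}` would exercise the password path and avoid a passwordless database in a file that is easy to copy as a template. The service definition starts above the second hunk, so settings outside the visible lines may already cover part of this.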


@ -1,11 +1,12 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
environment:
- AMQP_SERVER_TYPE
- AMQP_SERVER_URL
- AMQP_SERVER_TYPE=${AMQP_SERVER_TYPE:-rabbitmq}
- AMQP_SERVER_URL=${AMQP_SERVER_URL:-amqp://guest:guest@onlyoffice-rabbitmq}
stdin_open: true
restart: always
ports:


@ -1,11 +1,12 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
environment:
- AMQP_TYPE
- AMQP_URI
- AMQP_TYPE=${AMQP_TYPE:-rabbitmq}
- AMQP_URI=${AMQP_URI:-amqp://guest:guest@onlyoffice-rabbitmq}
stdin_open: true
restart: always
ports:


@ -1,11 +1,12 @@
version: '2'
version: '2.1'
services:
onlyoffice-documentserver:
container_name: onlyoffice-documentserver
image: onlyoffice/4testing-documentserver-ie:latest
build:
context: ../.
environment:
- REDIS_SERVER_HOST
- REDIS_SERVER_PORT
- REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-onlyoffice-redis}
- REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-6379}
stdin_open: true
restart: always
ports:


@ -1,21 +1,38 @@
#!/bin/bash
ssl=${ssl:-false}
private_key=${private_key:-tls.key}
certificate_request=${certificate_request:-tls.csr}
certificate=${certificate:-tls.crt}
# Generate certificate
if [[ $ssl == "true" ]]; then
url=${url:-"https://localhost"}
mkdir -p data/certs
pushd data/certs
openssl genrsa -out ${private_key} 2048
openssl req \
-new \
-subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
-key ${private_key} \
-out ${certificate_request}
openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate}
openssl dhparam -out dhparam.pem 2048
chmod 400 ${private_key}
popd
else
url=${url:-"http://localhost"}
fi
# Check if the yml exists
if [[ ! -f $config ]]; then
echo "File $config doesn't exist!"
exit 1
fi
env_file=defaults.env
# Copy .env
if [[ -f $env_file ]]; then
cp $env_file .env
else
echo "File $env_file doesn't exist!"
exit 1
fi
# Run test environment
docker-compose -p ds -f $config up -d
@ -24,7 +41,7 @@ wakeup_timeout=30
# Get documentserver healthcheck status
echo "Wait for service wake up"
sleep $wakeup_timeout
healthcheck_res=$(wget --no-check-certificate -qO - localhost/healthcheck)
healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
# Fail if it isn't true
if [[ $healthcheck_res == "true" ]]; then
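Review bot: With `ssl=true` the health check still runs `wget --no-check-certificate`, so the certificate jobs pass whichever certificate the server presents, and nothing confirms that the file named by `${certificate}` is the one in use. After the health check, compare `openssl x509 -noout -fingerprint -in data/certs/${certificate}` with `openssl s_client -connect localhost:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint` and fail the job on a mismatch. Separately, `pushd data/certs` and the `openssl` calls are unchecked, so a failed key generation only shows up later as a health-check failure; `set -e` near the top would surface it at the failing step. The final `if` block continues beyond the visible hunk.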