Compare commits
20 commits
master
...
feature/ru
Author | SHA1 | Date | |
---|---|---|---|
2e805effb2 | |||
014d5f75d8 | |||
39dc4078ad | |||
2192612519 | |||
fe55daee6c | |||
4103346331 | |||
36b6addbff | |||
bbbb17fb42 | |||
062b192ee0 | |||
31b14c6303 | |||
4789d388cb | |||
c9d807deae | |||
8fbf228a8e | |||
c5b01dc5e5 | |||
dfa4075e9c | |||
6bbd1c764f | |||
f361f25024 | |||
87a1ea2663 | |||
9388fcbbc0 | |||
48332f0ff9 |
60
README.md
60
README.md
|
@ -10,6 +10,7 @@
|
||||||
+ [Strengthening the Server Security](#strengthening-the-server-security)
|
+ [Strengthening the Server Security](#strengthening-the-server-security)
|
||||||
+ [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
|
+ [Installation of the SSL Certificates](#installation-of-the-ssl-certificates)
|
||||||
+ [Available Configuration Parameters](#available-configuration-parameters)
|
+ [Available Configuration Parameters](#available-configuration-parameters)
|
||||||
|
- [Running ONLYOFFICE Document Server using docker secrets](#running-onlyoffice-document-server-using-docker-secrets)
|
||||||
* [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
|
* [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
|
||||||
* [Issues](#issues)
|
* [Issues](#issues)
|
||||||
- [Docker Issues](#docker-issues)
|
- [Docker Issues](#docker-issues)
|
||||||
|
@ -163,6 +164,58 @@ chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
|
||||||
|
|
||||||
You are now just one step away from having our application secured.
|
You are now just one step away from having our application secured.
|
||||||
|
|
||||||
|
### Running ONLYOFFICE Document Server using docker secrets
|
||||||
|
|
||||||
|
For manage sensitive data like database password/username you can use Docker secrets. If you want use secrets, you must start the Document Server like service with docker compose or docker swarm. According to [official docker documentation](https://docs.docker.com/engine/swarm/secrets/) secrets did not avalivable to standalone containers. To start using the secrets you need to go through a few simple steps:
|
||||||
|
|
||||||
|
**STEP 1**:
|
||||||
|
At first you need to iniciate docker swarm with command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo docker swarm init
|
||||||
|
```
|
||||||
|
|
||||||
|
**STEP 2**:
|
||||||
|
On the next step you need to make the secrets. DocumentServer support username/password for postgresql access and jwt header/secret.
|
||||||
|
|
||||||
|
If you want to use secrets for database access create secrets with command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo printf "your_pass" | docker secret create dbPass -
|
||||||
|
sudo printf "your_user" | docker secret create dbUser -
|
||||||
|
```
|
||||||
|
NOTE: After secrets dbPass and dbUser was created, DocumentServer will be configured automaticly for use the same secrets for postgres access.
|
||||||
|
|
||||||
|
If you want to use JSON Web Token values from secrets create secrets with command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo printf "secret_value" | docker secret create jwtSecret -
|
||||||
|
sudo printf "header_value" | docker secret create jwtHeader -
|
||||||
|
```
|
||||||
|
|
||||||
|
**STEP 3**:
|
||||||
|
After secrets was created you need to build the DocumentServer with command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo docker compose build
|
||||||
|
```
|
||||||
|
|
||||||
|
**STEP 4**:
|
||||||
|
After all when images was builded and secrets was created very important uncomment in docker-compose.yml file strings with secrets thats you want to use. For more information refer to the comments in docker-compose.yml
|
||||||
|
|
||||||
|
**STEP 5**:
|
||||||
|
Now Document Server is ready to deploy with secrets. For that run:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo docker stack deploy --compose-file=docker-compose.yml documentserver-secrets
|
||||||
|
```
|
||||||
|
|
||||||
|
Also you can run Document Server in docker-compose mode with the same config
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo docker compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
#### Available Configuration Parameters
|
#### Available Configuration Parameters
|
||||||
|
|
||||||
*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.*
|
*Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command.*
|
||||||
|
@ -203,6 +256,13 @@ Below is the complete list of parameters that can be set using environment varia
|
||||||
- **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
|
- **LETS_ENCRYPT_DOMAIN**: Defines the domain for Let's Encrypt certificate.
|
||||||
- **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
|
- **LETS_ENCRYPT_MAIL**: Defines the domain administator mail address for Let's Encrypt certificate.
|
||||||
|
|
||||||
|
Below list values avalivable only for compose/swarm mode.
|
||||||
|
|
||||||
|
- **JWT_SECRET_FILE**: Specifies the path to the mounted file, the value from which will be used like JWT_Secret value. Default path that docker mounted secrets: `/run/secrets/jwtSecret`
|
||||||
|
- **JWT_HEADER_FILE**: Specifies the path to the mounted file, the value from which will be used like JWT_Header value. Default path that docker mounted secrets: `/run/secrets/jwtHeader`
|
||||||
|
- **POSTGRES_USER_FILE**: Default postgresql container value. Tells the database where to get the username value by set to db access. Default path: `run/secrets/dbUser`
|
||||||
|
- **POSTGRES_PASSWORD_FILE**: Default postgresql container value. Tells the database where to get the password value by set to db access. Default path: `run/secrets/dbPass`
|
||||||
|
|
||||||
## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
|
## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
|
||||||
|
|
||||||
ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:
|
ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
version: '2'
|
version: "3.9"
|
||||||
services:
|
services:
|
||||||
onlyoffice-documentserver:
|
onlyoffice-documentserver:
|
||||||
build:
|
build:
|
||||||
|
@ -8,6 +8,7 @@ services:
|
||||||
- onlyoffice-postgresql
|
- onlyoffice-postgresql
|
||||||
- onlyoffice-rabbitmq
|
- onlyoffice-rabbitmq
|
||||||
environment:
|
environment:
|
||||||
|
- USE_SECRETS=false # ← Set on "true" if you plan use secrets.
|
||||||
- DB_TYPE=postgres
|
- DB_TYPE=postgres
|
||||||
- DB_HOST=onlyoffice-postgresql
|
- DB_HOST=onlyoffice-postgresql
|
||||||
- DB_PORT=5432
|
- DB_PORT=5432
|
||||||
|
@ -16,9 +17,13 @@ services:
|
||||||
- AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
|
- AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
|
||||||
# Uncomment strings below to enable the JSON Web Token validation.
|
# Uncomment strings below to enable the JSON Web Token validation.
|
||||||
#- JWT_ENABLED=true
|
#- JWT_ENABLED=true
|
||||||
|
#- JWT_IN_BODY=true
|
||||||
#- JWT_SECRET=secret
|
#- JWT_SECRET=secret
|
||||||
#- JWT_HEADER=Authorization
|
#- JWT_HEADER=Authorization
|
||||||
#- JWT_IN_BODY=true
|
# ↑ Uncomment two upper strings to use jwt_secret and jwt_header values by default without docker secrets.
|
||||||
|
# ↓ Or uncomment two strings below to use jwt_secret and jwt_header values from docker secrets that you create.
|
||||||
|
#- JWT_SECTER_FILE=/run/secrets/jwtSecret
|
||||||
|
#- JWT_HEADER_FILE=/run/secrets/jwtHeader
|
||||||
ports:
|
ports:
|
||||||
- '80:80'
|
- '80:80'
|
||||||
- '443:443'
|
- '443:443'
|
||||||
|
@ -31,6 +36,12 @@ services:
|
||||||
- /var/lib/onlyoffice/documentserver/App_Data/cache/files
|
- /var/lib/onlyoffice/documentserver/App_Data/cache/files
|
||||||
- /var/www/onlyoffice/documentserver-example/public/files
|
- /var/www/onlyoffice/documentserver-example/public/files
|
||||||
- /usr/share/fonts
|
- /usr/share/fonts
|
||||||
|
# ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
|
||||||
|
#secrets:
|
||||||
|
# - dbUser
|
||||||
|
# - dbPass
|
||||||
|
# - jwtSecret
|
||||||
|
# - jwtHeader
|
||||||
|
|
||||||
onlyoffice-rabbitmq:
|
onlyoffice-rabbitmq:
|
||||||
container_name: onlyoffice-rabbitmq
|
container_name: onlyoffice-rabbitmq
|
||||||
|
@ -46,11 +57,30 @@ services:
|
||||||
- POSTGRES_DB=onlyoffice
|
- POSTGRES_DB=onlyoffice
|
||||||
- POSTGRES_USER=onlyoffice
|
- POSTGRES_USER=onlyoffice
|
||||||
- POSTGRES_HOST_AUTH_METHOD=trust
|
- POSTGRES_HOST_AUTH_METHOD=trust
|
||||||
|
# ↑ Comment two lines upper: POSTGRES_HOST_AUTH_METHOD and POSTGRES_USER and
|
||||||
|
# ↓ Uncomment two strings below for use database access values from secrets that you create.
|
||||||
|
#- POSTGRES_USER_FILE=/run/secrets/dbUser
|
||||||
|
#- POSTGRES_PASSWORD_FILE=/run/secrets/dbPass
|
||||||
restart: always
|
restart: always
|
||||||
expose:
|
expose:
|
||||||
- '5432'
|
- '5432'
|
||||||
volumes:
|
volumes:
|
||||||
- postgresql_data:/var/lib/postgresql
|
- postgresql_data:/var/lib/postgresql
|
||||||
|
# ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
|
||||||
|
#secrets:
|
||||||
|
# - dbUser
|
||||||
|
# - dbPass
|
||||||
|
|
||||||
|
# ↓ If you use docker secrets, uncomment srtings below only with secrets that you will use in your installtion
|
||||||
|
#secrets:
|
||||||
|
# dbUser:
|
||||||
|
# external: true
|
||||||
|
# dbPass:
|
||||||
|
# external: true
|
||||||
|
# jwtSecret:
|
||||||
|
# external: true
|
||||||
|
# jwtHeader:
|
||||||
|
# external: true
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
postgresql_data:
|
postgresql_data:
|
||||||
|
|
|
@ -19,6 +19,7 @@ LIB_DIR="/var/lib/${COMPANY_NAME}"
|
||||||
DS_LIB_DIR="${LIB_DIR}/documentserver"
|
DS_LIB_DIR="${LIB_DIR}/documentserver"
|
||||||
CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
|
CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
|
||||||
IS_UPGRADE="false"
|
IS_UPGRADE="false"
|
||||||
|
SECRETS_PATH="/run/secrets/"
|
||||||
|
|
||||||
ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
|
ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
|
||||||
ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
|
ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
|
||||||
|
@ -86,6 +87,14 @@ JWT_SECRET=${JWT_SECRET:-secret}
|
||||||
JWT_HEADER=${JWT_HEADER:-Authorization}
|
JWT_HEADER=${JWT_HEADER:-Authorization}
|
||||||
JWT_IN_BODY=${JWT_IN_BODY:-false}
|
JWT_IN_BODY=${JWT_IN_BODY:-false}
|
||||||
|
|
||||||
|
if [ ${USE_SECRETS} == "true" ] && [ -s ${SECRETS_PATH}/jwtSecret ]; then
|
||||||
|
JWT_SECRET=$( cat ${SECRETS_PATH}/jwtSecret )
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ${USE_SECRETS} == "true" ] && [ -s ${SECRETS_PATH}/jwtHeader ]; then
|
||||||
|
JWT_HEADER=$( cat ${SECRETS_PATH}/jwtHeader )
|
||||||
|
fi
|
||||||
|
|
||||||
WOPI_ENABLED=${WOPI_ENABLED:-false}
|
WOPI_ENABLED=${WOPI_ENABLED:-false}
|
||||||
|
|
||||||
GENERATE_FONTS=${GENERATE_FONTS:-true}
|
GENERATE_FONTS=${GENERATE_FONTS:-true}
|
||||||
|
@ -120,6 +129,17 @@ if [ "${LETS_ENCRYPT_DOMAIN}" != "" -a "${LETS_ENCRYPT_MAIL}" != "" ]; then
|
||||||
SSL_KEY_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/privkey.pem
|
SSL_KEY_PATH=${LETSENCRYPT_ROOT_DIR}/${LETS_ENCRYPT_DOMAIN}/privkey.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# update db credentials if secrets was configure
|
||||||
|
if [ "${USE_SECRETS}" == "true" ]; then
|
||||||
|
if [ -s ${SECRETS_PATH}/dbUser ]; then
|
||||||
|
DB_USER=$( cat ${SECRETS_PATH}/dbUser )
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -s ${SECRETS_PATH}/dbPass ]; then
|
||||||
|
DB_PWD=$( cat ${SECRETS_PATH}/dbPass )
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
read_setting(){
|
read_setting(){
|
||||||
deprecated_var POSTGRESQL_SERVER_HOST DB_HOST
|
deprecated_var POSTGRESQL_SERVER_HOST DB_HOST
|
||||||
deprecated_var POSTGRESQL_SERVER_PORT DB_PORT
|
deprecated_var POSTGRESQL_SERVER_PORT DB_PORT
|
||||||
|
|
Loading…
Reference in a new issue