NextCloud插件配置注意点:
授权标头Nextcloud默认为AuthorizationJwt,但是OnlyOffice默认的授权标头可能为Authorization,要切换成OnlyOffice内一样的,不然Healthcheck会报403
检查OnlyOffice的授权标头:
进入容器内执行
documentserver-jwt-status.sh
顺带可以检查下安全链接
bash documentserver-update-securelink.sh
OnlyOffice反向代理配置
注意一定要进行反向代理配置,不然打开文件预览会下载失败
# Use this example for proxy HTTPS traffic to the document server running at 'backendserver-address'.
# Replace {{SSL_CERTIFICATE_PATH}} with the path to the ssl certificate file
# Replace {{SSL_KEY_PATH}} with the path to the ssl private key file
map $http_host $this_host {
"" $host;
default $http_host;
}
map $http_x_forwarded_proto $the_scheme {
default $http_x_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_host $the_host {
default $http_x_forwarded_host;
"" $this_host;
}
map $http_upgrade $proxy_connection {
default upgrade;
"" close;
}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Normal HTTP host
server {
listen 0.0.0.0:80;
listen [::]:80;
server_name <改成你的公网域名>;
server_tokens off;
## Redirects all traffic to the HTTPS host
return 301 https://$server_name$request_uri;
}
server {
listen 0.0.0.0:443 ssl;
listen [::]:443 ssl;
server_name <改成你的公网域名>;
server_tokens off;
root /usr/share/nginx/html;
## SSL 需要改成你的域名证书
## Strong SSL Security
## SSL、https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# Let's Encrypt SSL
include conf.d/include/letsencrypt-acme-challenge.conf;
include conf.d/include/ssl-ciphers.conf;
ssl_certificate /etc/letsencrypt/live/npm-17/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/npm-17/privkey.pem;
ssl_verify_client off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## [Optional] Before enabling Strict-Transport-Security headers, ensure your server is properly configured for SSL.
## This directive informs the browser to always use HTTPS. For more info see:
## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
## Replace with your ssl_trusted_certificate. For more info see:
## - https://medium.com/devops-programming/4445f4862461
## - https://www.ruby-forum.com/topic/4419319
## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
# resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
# resolver_timeout 10s;
## [Optional] Generate a stronger DHE parameter:
## cd /etc/ssl/certs
## sudo openssl dhparam -out dhparam.pem 4096
##
# ssl_dhparam /etc/ssl/certs/dhparam.pem;
location / {
# Example proxy_pass http://192.168.31.100:8085/;
proxy_pass http://<改成你的本地服务器地址>/;
proxy_http_version 1.1;
}
}
