Traefik >=2.0 and onlyoffice do not work, work correctly in V<2

I have been struggling over the past weeks with the same issue, but I'm happy to say that I resolved it! The trickiest parts were the specific header definitions on both the Nextcloud and Only-office side. Here is my working docker-compose.yml for both Nextcloud (+ database for Nextcloud) and Only-office:

nextcloud:
  image: linuxserver/nextcloud
  container_name: "nextcloud-service"
  restart: always
  volumes:
    - /srv/nextcloud/data:/data
    - /srv/nextcloud/config:/config
    - /srv/nextcloud/apps:/apps2
    - /srv/nextcloud/themes:/nextcloud/themes
  environment:
    - ADMIN_USER=root
    - ADMIN_PASSWORD=admin-password
    - UID=1000
    - GID=1000
    - UPLOAD_MAX_SIZE=10G
    - APC_SHM_SIZE=128M
    - OPCACHE_MEM_SIZE=128
    - CRON_PERIOD=15m
    - TZ=Europe/Brussels
    - DOMAIN=domain.tld
    - DB_TYPE=mysql
    - DB_NAME=nextcloud
    - DB_USER=nextcloud
    - DB_PASSWORD=admin-password
    - DB_HOST=db-nextcloud
  ports:
    - "8888:8888"
  links:
    - db-nextcloud:db-nextcloud
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.nextcloud.entrypoints=web"
    - "traefik.http.routers.nextcloud.rule=Host(`cloud.domain.tld`)"
    - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.nextcloud.middlewares=https-redirect"
    - "traefik.http.routers.nextcloud-secure.entrypoints=web-secure"
    - "traefik.http.routers.nextcloud-secure.rule=Host(`cloud.domain.tld`)"
    - "traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
    - "traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
    - "traefik.http.middlewares.nc-rep.redirectregex.permanent=true"
    - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
    - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.http.routers.nextcloud-secure.middlewares=nc-rep,nc-header"
    - "traefik.http.routers.nextcloud-secure.tls=true"
    - "traefik.http.routers.nextcloud-secure.tls.certresolver=dirktls"
    - "traefik.http.routers.nextcloud-secure.service=nextcloud"
    - "traefik.http.services.nextcloud.loadbalancer.server.port=8888"
    - "traefik.docker.network=nextcloud"
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file
  dns: 172.17.0.1

This is for the maria-db for Nextcloud:

db-nextcloud:
  image: mariadb:10
  container_name: "db-service"
  command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
  restart: always
  volumes:
    - /srv/nextcloud/db:/var/lib/mysql
  environment:
    - MYSQL_ROOT_PASSWORD=admin-password
    - MYSQL_DATABASE=nextcloud
    - MYSQL_USER=nextcloud
    - MYSQL_PASSWORD=admin-password
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file

Note: you must have created the database with name "nextcloud" in the running db-nextcloud container using the appropriate mysql-commands. Info on how to do this can be found elsewhere.
Note 2: I used the same password for the root- and the nextcloud-user in the database.

This is the part (to be included in the docker-compose.yml) for only-office:

only-office:
  image: onlyoffice/documentserver
  container_name: "onlyoffice-service"
  stdin_open: true
  tty: true
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.only-office.service=only-office"
    - "traefik.http.routers.only-office.entrypoints=web"
    - 'traefik.http.routers.only-office.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.https-office-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.only-office.middlewares=https-office-redirect"
    - "traefik.http.routers.only-office-secure.middlewares=oo-header"
    - "traefik.http.routers.only-office-secure.entrypoints=web-secure"
    - 'traefik.http.routers.only-office-secure.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)"
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1"
    - "traefik.http.routers.only-office-secure.tls.certresolver=dirktls"
    - "traefik.http.services.only-office.loadbalancer.server.port=80"
    - "traefik.http.middlewares.oo-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.oo-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.oo-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.oo-header.headers.stsPreload=true"
    - "traefik.http.middlewares.oo-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.oo-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.docker.network=nextcloud"
  ports:
    - "8889:80"
  volumes:
    - /srv/onlyoffice:/var/www/onlyoffice/Data
  dns: 172.17.0.1
  environment:
    JWT_ENABLED: "true"
    JWT_SECRET: "secret key"  # placeholder; enter the same value in the Nextcloud settings for Only-office

The "dirktls"-certresolver (which you can find in the statements above) is my certificate resolver that is started with traefik. You need to supply the following commands in the docker-compose.yml for starting traefik:

command:
  - "--certificatesresolvers.dirktls.acme.tlschallenge=true"
  - "--certificatesresolvers.dirktls.acme.email=email@domain.tld"
  - "--certificatesresolvers.dirktls.acme.storage=/etc/traefik/letsencrypt/acme.json"
  - "--certificatesResolvers.dirktls.acme.httpChallenge.entryPoint=web"

Hope this helps!
-Dirk

4 Likes
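
The labels in this post wire routers to middlewares purely by name, so a middleware that is defined but never attached, or attached but never defined, produces no error at deploy time. As an added example (not part of the original post and not Traefik tooling), this Python check runs over a subset of the only-office labels copied from the post and reports both cases, plus any TLS router whose middleware chain does not set `X-Forwarded-Proto=https`. The function name `audit` and the label subset are choices made for this example.

```python
import re

# Routing-related labels copied from the only-office service in the post.
LABELS = [
    "traefik.http.middlewares.https-office-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.only-office.middlewares=https-office-redirect",
    "traefik.http.routers.only-office-secure.middlewares=oo-header",
    "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)",
    "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1",
    "traefik.http.routers.only-office-secure.tls.certresolver=dirktls",
    "traefik.http.middlewares.oo-header.headers.stsSeconds=31536000",
    "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https",
]

ROUTER = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$")
MIDDLEWARE = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.(.+)$")


def audit(labels):
    """Return (unattached, undefined, tls_routers_without_proto_header)."""
    routers, defined = {}, {}
    for label in labels:
        key, _, value = label.partition("=")
        if m := ROUTER.match(key):
            routers.setdefault(m.group(1), {})[m.group(2)] = value
        elif m := MIDDLEWARE.match(key):
            # Middleware option keys are stored lowercased for comparison.
            defined.setdefault(m.group(1), {})[m.group(2).lower()] = value

    # Router name -> ordered middleware names (a "@provider" suffix is dropped).
    chains = {
        name: [mw.split("@")[0].strip() for mw in opts.get("middlewares", "").split(",") if mw.strip()]
        for name, opts in routers.items()
    }
    attached = {mw for chain in chains.values() for mw in chain}
    unattached = sorted(set(defined) - attached)
    undefined = sorted(attached - set(defined))

    proto_key = "headers.customrequestheaders.x-forwarded-proto"
    missing_proto = sorted(
        name for name, opts in routers.items()
        if any(k == "tls" or k.startswith("tls.") for k in opts)
        and not any(defined.get(mw, {}).get(proto_key) == "https" for mw in chains[name])
    )
    return unattached, undefined, missing_proto


if __name__ == "__main__":
    for title, found in zip(("unattached", "undefined", "tls without proto"), audit(LABELS)):
        print(f"{title}: {found}")
```

On the labels as posted, the check reports `onlyoffice-redirectregex` as defined but attached to no router, so that redirect rule has no effect; the HTTP router relies on `https-office-redirect` instead.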