Traefik >=2.0 and onlyoffice not work, work correctly in V<2

Traefik Traefik v2
#1

I'm migrating my nextcloud installation from traefik 1.0 to 2.0
Using Onlyoffice with any version of traefik >= 2.0
seem to work but when i open document nextcloud hung in "loading document"

With version < 2.0 , all work correctly

This in my docker-compose for onlyoffice

  - traefik.http.routers.onlyoffice_xxx_it-https.rule=Host(`test.test.it`)
  - traefik.http.routers.onlyoffice_xxx_it-https.EntryPoints=https
  - traefik.http.routers.onlyoffice_xxx_it-https.tls.certresolver=letsencrypt-http
  - traefik.http.routers.onlyoffice_xxx_it-https.tls.options=

And

traefik.yml

entryPoints:
http:
address: ":80"

https:
address: ":443"

certificatesResolvers:
letsencrypt-http:
acme:
email: [postmaster@test.it](mailto:postmaster@test.it)
storage: acme.json
httpChallenge:
entryPoint: http

I not see any relevant logs
Any ideas?
Thanks

1 Like
#2

i have the exact same problem. Glad if someone know a solution

#3

I have been struggling over the past weeks with the same issue, but I'm happy to say that I resolved it! The trickiest parts were the specific header definitions on both the Nextcloud and Only-office side. Here is my working :yum: docker-compose.yml for both Nextcloud (+ database for Nextcloud) and Only-office:

nextcloud:
  image: linuxserver/nextcloud
  container_name: "nextcloud-service"
  restart: always
  volumes:
    - /srv/nextcloud/data:/data
    - /srv/nextcloud/config:/config
    - /srv/nextcloud/apps:/apps2
    - /srv/nextcloud/themes:/nextcloud/themes
  environment:
    - ADMIN_USER=root
    - ADMIN_PASSWORD=admin-password
    - UID=1000
    - GID=1000
    - UPLOAD_MAX_SIZE=10G
    - APC_SHM_SIZE=128M
    - OPCACHE_MEM_SIZE=128
    - CRON_PERIOD=15m
    - TZ=Europe/Brussels
    - DOMAIN=domain.tld
    - DB_TYPE=mysql
    - DB_NAME=nextcloud
    - DB_USER=nextcloud
    - DB_PASSWORD=admin-password
    - DB_HOST=db-nextcloud
  ports:
    - "8888:8888"
  links:
    - db-nextcloud:db-nextcloud
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.nextcloud.entrypoints=web"
    - "traefik.http.routers.nextcloud.rule=Host(`cloud.domain.tld`)"
    - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.nextcloud.middlewares=https-redirect"
    - "traefik.http.routers.nextcloud-secure.entrypoints=web-secure"
    - "traefik.http.routers.nextcloud-secure.rule=Host(`cloud.domain.tld`)"
    - "traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
    - "traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
    - "traefik.http.middlewares.nc-rep.redirectregex.permanent=true"
    - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
    - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.http.routers.nextcloud-secure.middlewares=nc-rep,nc-header"
    - "traefik.http.routers.nextcloud-secure.tls=true"
    - "traefik.http.routers.nextcloud-secure.tls.certresolver=dirktls"
    - "traefik.http.routers.nextcloud-secure.service=nextcloud"
    - "traefik.http.services.nextcloud.loadbalancer.server.port=8888"
    - "traefik.docker.network=nextcloud"
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file
  dns: 172.17.0.1

This is for the maria-db for Nextcloud:

db-nextcloud:
  image: mariadb:10
  container_name: "db-service"
  command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
  restart: always
  volumes:
    - /srv/nextcloud/db:/var/lib/mysql
  environment:
    - MYSQL_ROOT_PASSWORD=admin-password
    - MYSQL_DATABASE=nextcloud
    - MYSQL_USER=nextcloud
    - MYSQL_PASSWORD=admin_password
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file

Note: you must have created the database with name "nextcloud" in the running db-nextcloud container using the appropriate mysql-commands. Info on how to do this can be found elsewhere.
Note 2: I used the same password for the root- and the nextcloud-user in the database.

This is the part (to be included in the docker-compose.yml) for only-office:

only-office:
  image: onlyoffice/documentserver
  container_name: "onlyoffice-service"
  stdin_open: true
  tty: true
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.only-office.service=only-office"
    - "traefik.http.routers.only-office.entrypoints=web"
    - 'traefik.http.routers.only-office.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.https-office-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.only-office.middlewares=https-office-redirect"
    - "traefik.http.routers.only-office-secure.middlewares=oo-header"
    - "traefik.http.routers.only-office-secure.entrypoints=web-secure"
    - 'traefik.http.routers.only-office-secure.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)"
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1"
    - "traefik.http.routers.only-office-secure.tls.certresolver=dirktls"
    - "traefik.http.services.only-office.loadbalancer.server.port=80"
    - "traefik.http.middlewares.oo-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.oo-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.oo-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.oo-header.headers.stsPreload=true"
    - "traefik.http.middlewares.oo-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.oo-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.docker.network=nextcloud"
  ports:
    - "8889:80"
  volumes:
    - /srv/onlyoffice:/var/www/onlyoffice/Data
  dns: 172.17.0.1
  environment:
    JWT_ENABLED: "true"
    JWT_SECRET: **secret key**  # --> to enter into Nextcloud settings for Only-office

The "dirktls"-certresolver (which you can find in the statements above) is my certificate resolver that is started with traefik. You need to supply the following commands in the docker-compose.yml for starting traefik:

command:
  - "--certificatesresolvers.dirktls.acme.tlschallenge=true"
  - "--certificatesresolvers.dirktls.acme.email=email@domain.tld"
  - "--certificatesresolvers.dirktls.acme.storage=/etc/traefik/letsencrypt/acme.json"
  - "--certificatesResolvers.dirktls.acme.httpChallenge.entryPoint=web"

Hope this helps!
-Dirk

3 Likes
HTTP Strict Transport Security
#4

I've been fighting this issue for the past 2 days, and I finally have the solution. Not an explanation, a solution.

The important like in @DirkieP's configuration is:

- "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https"

(and it's accompanying middleware attachment)

For the life of me, I can't work out why this is needed,, as according to https://github.com/containous/whoami/, my traefik is already sending X-Forwarded-Proto: https, but hey, it's working.

I hope this prevents someone else from banging their head against their desk for 2 days!

1 Like
#5

@DirkieP, many thanks from me too! I spent days on that problem.

#6

@DirkieP, also thank you so much!
In addition, if you guys want an A+ rating on https://scan.nextcloud.com.
You shoul add
'overwriteprotocol' => 'https', to your config.php to fix the __Host-Prefix issue.
Also make sure to add your proxies ip to the config via 'trusted_proxies' => ['<hostname/ip>'],

#7

@DirkieP
Why did you use a different name for these 2 rules?

 - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)"
 - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1"

For all others you have used only-office, for these two onlyoffice.

Also, in your OnlyOffice example, should this not be port 8889?

    - "traefik.http.services.only-office.loadbalancer.server.port=80"

I am using v2, and FileRun (a light, slimmed down and faster version of Nextcloud) works with these labels:

    labels:
      - traefik.enable=true
      - traefik.http.middlewares.filerun-redirect.redirectscheme.scheme=https
      - traefik.http.routers.filerun-redirect.entrypoints=web
      - traefik.http.routers.filerun-redirect.middlewares=filerun-redirect
      - traefik.http.routers.filerun-redirect.rule=Host(`files.$DOMAIN`)
      - traefik.http.routers.filerun.entrypoints=websecure
      - traefik.http.routers.filerun.rule=Host(`files.$DOMAIN`)
      - traefik.http.routers.filerun.tls.certresolver=letsencrypt
      - traefik.http.services.filerun.loadbalancer.server.port=80

But OnlyOffice doesn't work with similar labels. Going to try your method.

EDIT: doesn't work. After the containers are up, Traefik complains about nc-rep and nc-header. They do not exist. No entry points. My other containers that use my traefik labels do work.

So the issue must be this:

  - "traefik.http.routers.filerun-secure.middlewares=nc-rep,nc-header"

It also complains (in Traefik > Routers > filerun-secure and office-secure:) entryPoint "web-secure" doesn't exist no valid entryPoint for this router.

#8

I use FileRun (free, max 10 users, not opensource) instead of NextCloud, but I had the same issue with OnlyOffice.

For future reference. See here:
-Unknown error without any info/log to troubleshoot · Issue #151 · ONLYOFFICE/onlyoffice-nextcloud · GitHub

So ignore everything above and just use this:

  onlyoffice:
    image: onlyoffice/documentserver
    container_name: onlyoffice
    depends_on:
      - onlyoffice-rabbitmq
    stdin_open: true
    restart: always
    tty: true
    ports:
      - "8889:80"
    volumes:
      - $USERDIR/docker/onlyoffice/data:/var/www/onlyoffice/Data
      - $USERDIR/docker/onlyoffice/log:/var/log/onlyoffice
      - $USERDIR/docker/onlyoffice/cache:/var/lib/onlyoffice/documentserver/App_Data/cache/files
      - $USERDIR/docker/onlyoffice/example:/var/www/onlyoffice/documentserver-example/public/files
      - $USERDIR/docker/onlyoffice/fonts:/usr/share/fonts
    dns: 1.1.1.1
    environment:
      - JWT_ENABLED="true"
      - JWT_SECRET=$ONLYOFFICEJWT
      - AMQP_URI=amqp://guest:guest@onlyoffice-rabbitmq
    labels:
      - traefik.enable=true
      - traefik.http.routers.office-redirect.entrypoints=web
      - traefik.http.routers.office-redirect.rule=Host(`office.$DOMAIN`)
      - traefik.http.middlewares.office-redirect.redirectscheme.scheme=https
      - traefik.http.routers.office.middlewares=office-redirect
      - traefik.http.routers.office-secure.entrypoints=websecure
      - traefik.http.routers.office-secure.rule=Host(`office.$DOMAIN`)
      - traefik.http.routers.office.tls.certresolver=letsencrypt
      - traefik.http.services.office.loadbalancer.server.port=80
      ## Extra headers for onlyoffice
      - traefik.http.routers.office-secure.tls=true
      - traefik.http.routers.office-secure.middlewares=secure-headers
      - traefik.http.middlewares.secure-headers.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.cors-headers.headers.accessControlAllowOrigin=*
      - traefik.http.routers.office.middlewares=secure-headers,cors-headers

with rabbitmq, no need for a postgresql container:

##____________________ Onlyoffice rabbitmq [CLOUD/Office]
  onlyoffice-rabbitmq:
    container_name: onlyoffice-rabbitmq
    image: rabbitmq
    restart: always
    expose:
      - '5672'
2 Likes