I have been struggling over the past weeks with the same issue, but I'm happy to say that I resolved it! The trickiest parts were the specific header definitions on both the Nextcloud and Only-office side. Here is my working docker-compose.yml for both Nextcloud (+ database for Nextcloud) and Only-office:
```yaml
nextcloud:
  image: linuxserver/nextcloud
  container_name: "nextcloud-service"
  restart: always
  volumes:
    - /srv/nextcloud/data:/data
    - /srv/nextcloud/config:/config
    - /srv/nextcloud/apps:/apps2
    - /srv/nextcloud/themes:/nextcloud/themes
  environment:
    - ADMIN_USER=root
    - ADMIN_PASSWORD=admin-password
    - UID=1000
    - GID=1000
    - UPLOAD_MAX_SIZE=10G
    - APC_SHM_SIZE=128M
    - OPCACHE_MEM_SIZE=128
    - CRON_PERIOD=15m
    - TZ=Europe/Brussels
    - DOMAIN=domain.tld
    - DB_TYPE=mysql
    - DB_NAME=nextcloud
    - DB_USER=nextcloud
    - DB_PASSWORD=admin-password
    - DB_HOST=db-nextcloud
  ports:
    - "8888:8888"
  links:
    - db-nextcloud:db-nextcloud
  labels:
    - "traefik.enable=true"
    # Plain-HTTP router: only redirects to HTTPS
    - "traefik.http.routers.nextcloud.entrypoints=web"
    - "traefik.http.routers.nextcloud.rule=Host(`cloud.domain.tld`)"
    - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.nextcloud.middlewares=https-redirect"
    # HTTPS router
    - "traefik.http.routers.nextcloud-secure.entrypoints=web-secure"
    - "traefik.http.routers.nextcloud-secure.rule=Host(`cloud.domain.tld`)"
    # Redirect the CalDAV/CardDAV .well-known URLs to remote.php/dav/
    - "traefik.http.middlewares.nc-rep.redirectregex.regex=https://(.*)/.well-known/(card|cal)dav"
    - "traefik.http.middlewares.nc-rep.redirectregex.replacement=https://$$1/remote.php/dav/"
    - "traefik.http.middlewares.nc-rep.redirectregex.permanent=true"
    # Header definitions: security response headers plus X-Forwarded-Proto on the request to the backend
    - "traefik.http.middlewares.nc-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.nc-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.nc-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.nc-header.headers.stsPreload=true"
    - "traefik.http.middlewares.nc-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.nc-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.nc-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.http.routers.nextcloud-secure.middlewares=nc-rep,nc-header"
    - "traefik.http.routers.nextcloud-secure.tls=true"
    - "traefik.http.routers.nextcloud-secure.tls.certresolver=dirktls"
    - "traefik.http.routers.nextcloud-secure.service=nextcloud"
    - "traefik.http.services.nextcloud.loadbalancer.server.port=8888"
    - "traefik.docker.network=nextcloud"
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file
  dns: 172.17.0.1
```
This is for the maria-db for Nextcloud:
```yaml
db-nextcloud:
  image: mariadb:10
  container_name: "db-service"
  command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
  restart: always
  volumes:
    - /srv/nextcloud/db:/var/lib/mysql
  environment:
    - MYSQL_ROOT_PASSWORD=admin-password
    - MYSQL_DATABASE=nextcloud
    - MYSQL_USER=nextcloud
    # Must match DB_PASSWORD of the nextcloud service
    - MYSQL_PASSWORD=admin-password
  logging:
    options:
      max-size: '12m'
      max-file: '5'
    driver: json-file
```
Note: you must have created the database with name "nextcloud" in the running db-nextcloud container using the appropriate mysql-commands. Info on how to do this can be found elsewhere.
Note 2: I used the same password for the root- and the nextcloud-user in the database.
This is the part (to be included in the docker-compose.yml) for only-office:
```yaml
only-office:
  image: onlyoffice/documentserver
  container_name: "onlyoffice-service"
  stdin_open: true
  tty: true
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.only-office.service=only-office"
    # Plain-HTTP router: only redirects to HTTPS
    - "traefik.http.routers.only-office.entrypoints=web"
    - 'traefik.http.routers.only-office.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.https-office-redirect.redirectscheme.scheme=https"
    - "traefik.http.routers.only-office.middlewares=https-office-redirect"
    # HTTPS router
    - "traefik.http.routers.only-office-secure.middlewares=oo-header"
    - "traefik.http.routers.only-office-secure.entrypoints=web-secure"
    - 'traefik.http.routers.only-office-secure.rule=Host("office.domain.tld")'
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)"
    - "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1"
    - "traefik.http.routers.only-office-secure.tls.certresolver=dirktls"
    - "traefik.http.services.only-office.loadbalancer.server.port=80"
    # Header definitions: security response headers plus X-Forwarded-Proto on the request to the backend
    - "traefik.http.middlewares.oo-header.headers.referrerPolicy=no-referrer"
    - "traefik.http.middlewares.oo-header.headers.stsSeconds=31536000"
    - "traefik.http.middlewares.oo-header.headers.forceSTSHeader=true"
    - "traefik.http.middlewares.oo-header.headers.stsPreload=true"
    - "traefik.http.middlewares.oo-header.headers.stsIncludeSubdomains=true"
    - "traefik.http.middlewares.oo-header.headers.browserXssFilter=true"
    - "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https"
    - "traefik.docker.network=nextcloud"
  ports:
    - "8889:80"
  volumes:
    - /srv/onlyoffice:/var/www/onlyoffice/Data
  dns: 172.17.0.1
  environment:
    JWT_ENABLED: "true"
    JWT_SECRET: "secret key"  # placeholder --> to enter into Nextcloud settings for Only-office
```
The "dirktls"-certresolver (which you can find in the statements above) is my certificate resolver that is started with traefik. You need to supply the following commands in the docker-compose.yml for starting traefik:
```yaml
command:
  - "--certificatesresolvers.dirktls.acme.tlschallenge=true"
  - "--certificatesresolvers.dirktls.acme.email=email@domain.tld"
  - "--certificatesresolvers.dirktls.acme.storage=/etc/traefik/letsencrypt/acme.json"
  - "--certificatesResolvers.dirktls.acme.httpChallenge.entryPoint=web"
```
Hope this helps!
-Dirk
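
Added example, not part of the post above: with this many labels it is easy to define a middleware and never attach it to a router, or to attach one that is not defined, so the redirect or header you expect is not applied. The sketch below cross-checks the two; `audit_labels` and the `LABELS` sample (a constructed subset of the only-office labels above) are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the only-office labels from the post.
LABELS = [
    "traefik.http.routers.only-office.entrypoints=web",
    "traefik.http.middlewares.https-office-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.only-office.middlewares=https-office-redirect",
    "traefik.http.routers.only-office-secure.middlewares=oo-header",
    "traefik.http.routers.only-office-secure.entrypoints=web-secure",
    "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.regex=^http://(.*)",
    "traefik.http.middlewares.onlyoffice-redirectregex.redirectregex.replacement=https://$$1",
    "traefik.http.middlewares.oo-header.headers.stsSeconds=31536000",
    "traefik.http.middlewares.oo-header.headers.customRequestHeaders.X-Forwarded-Proto=https",
]

# traefik.http.<routers|middlewares>.<name>.<option>=<value>
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$")


def audit_labels(labels):
    """Report middlewares that are defined but unused, or used but undefined."""
    defined = set()               # middleware names with at least one option set
    attached = defaultdict(list)  # router name -> middleware names it references
    for label in labels:
        m = LABEL_RE.match(label.strip().strip("'\""))
        if not m:
            continue
        kind, name, option, value = m.groups()
        if kind == "middlewares":
            defined.add(name)
        elif option == "middlewares":
            for ref in (v.strip() for v in value.split(",")):
                base, _, provider = ref.partition("@")
                # Only references resolved by the docker provider can be
                # checked against labels; "name@file" etc. live elsewhere.
                if base and provider in ("", "docker"):
                    attached[name].append(base)
    used = {mw for refs in attached.values() for mw in refs}
    return {
        "unused": sorted(defined - used),
        "undefined": sorted(used - defined),
        "routers": dict(attached),
    }


if __name__ == "__main__":
    print(audit_labels(LABELS))
```

Run it over the labels of every container on the same Traefik instance together, since a middleware defined on one container can be attached by a router declared on another.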