Problem:
We installed OnlyOffice via Debian package and ran the official instructions for terminating SSL. We almost have everything running, but if we try configuring SSO in control panel we get gateway error.
Checking the logs we see that port 9083 is having communication issues.
So we checked netstat and it looks like the port is unavailable. Below is the nginx configuration
upstream fastcgi_backend_apisystem {
server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
keepalive 32;
}
upstream fastcgi_backend {
server unix:/var/run/onlyoffice/onlyoffice.socket;
keepalive 16;
}
fastcgi_cache_path /var/cache/nginx/onlyoffice
levels=1:2
keys_zone=onlyoffice:256m
max_size=1024m
inactive=1d;
geo $ip_external {
default 1;
## {{DOCKER_APP_SUBNET}} 0;
127.0.0.1 0;
}
map $http_host $this_host {
"" $host;
default $http_host;
}
map $http_x_forwarded_proto $the_scheme {
default $http_x_forwarded_proto;
"" $scheme;
}
map $http_x_forwarded_host $the_host {
default $http_x_forwarded_host;
"" $this_host;
}
map $request_uri $header_access_control_allow_origin {
~*^/(api\/2.0|products\/crm\/httphandlers\/webtoleadfromhandler.ashx|products\/files\/httphandlers\/filehandler.ashx|products\/files\/chunkeduploader.ashx|thirdparty\/plugin) "*";
default "";
}
map $request_uri $header_x_frame_options {
~*^/(favicon\.ico|products\/files\/share\.aspx|products\/files\/saveas\.aspx|products\/files\/filechoice\.aspx|products\/files\/doceditor\.aspx|thirdparty\/plugin) "";
~*^/ds-vpath "SAMEORIGIN";
default "SAMEORIGIN";
}
server {
listen 0.0.0.0:80 default_server;
listen [::]:80;
server_name _;
server_tokens off;
root /nowhere; ## root doesn't have to be a valid path since we are redirecting
location / {
if ($ip_external) {
## Redirects all traffic to the HTTPS host
rewrite ^ https://$host$request_uri? permanent;
}
client_max_body_size 100m;
proxy_pass https://127.0.0.1;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
}
}
server {
listen 0.0.0.0:443 ssl http2;
listen [::]:443 ssl http2 default_server;
charset utf-8;
server_tokens off;
## Increase this if you want to upload large attachments
client_max_body_size 100m;
ssl_certificate /etc/nginx/certs/onlyoffice.xxx.pem;
ssl_certificate_key /etc/nginx/certs/onlyoffice.xxx.key;
## ssl_verify_client {{SSL_VERIFY_CLIENT}};
## ssl_client_certificate {{CA_CERTIFICATES_PATH}};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options $header_x_frame_options;
add_header X-Content-Type-Options nosniff;
add_header Access-Control-Allow-Origin $header_access_control_allow_origin;
## ssl_stapling on;
## ssl_stapling_verify on;
## ssl_trusted_certificate {{SSL_OCSP_CERTIFICATE_PATH}};
resolver 8.8.8.8 8.8.4.4 127.0.0.11 valid=300s; # Can change to your DNS resolver if desired
resolver_timeout 10s;
## ssl_dhparam {{SSL_DHPARAM_PATH}};
large_client_header_buffers 4 16k;
set $X_REWRITER_URL $the_scheme://$the_host;
if ($http_x_rewriter_url != '') {
set $X_REWRITER_URL $http_x_rewriter_url ;
}
include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
}
In the nginx configuration we notice that it calls on /etc/nginx/includes/onlyoffice-communityserver-services.conf where the configuration for talking with SSO (port 9834) is located.
We did the following command to see if there are any other missing ports.
for P in `grep local /etc/nginx/includes/onlyoffice-communityserver-services.conf |awk -F: '{print $3}'|cut -c 1-4`; do echo "Port: $P"; netstat -tulpn |grep $P; done
Port: 5280
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 1842/mono
Port: 9899
tcp6 0 0 :::9899 :::* LISTEN 2314/node
Port: 9999
Port: 5232
tcp 0 0 127.0.0.1:5232 0.0.0.0:* LISTEN 1903/python3
tcp6 0 0 ::1:5232 :::* LISTEN 1903/python3
Port: 5232
tcp 0 0 127.0.0.1:5232 0.0.0.0:* LISTEN 1903/python3
tcp6 0 0 ::1:5232 :::* LISTEN 1903/python3
Port: 9889
Port: 9834
Any help here would be greatly appreciated.