ONLYOFFICE DocSpace released: improve document collaboration with offices, customers, and partners. Use it for free!
ONLYOFFICE DocSpace released

"Download failed" with example app behind reverse proxy

Hello, I’m using the node js example app to get started - I just want to get it running and verify all my configuration, then I plan to write my own integration from there.

I don’t have Ubuntu installed on any of my machines, so I have everything running within a Docker container in Arch. Aside from that (and a little trick to get the systemctl command working, as the installer requires it), I’ve performed a normal installation on an Ubuntu system.

First I tried without HTTPS, but with JWT enabled. This works great, but the example node.js app actually has tokens disabled by default which was little tricky to find. I have the example app and document server both running inside my Ubuntu container, and I can create a new document and open it.

Now HTTPS. I am attempting to integrate with an app that requires HTTPS, therefore I need HTTPS enabled even when testing locally. I am using minica to accomplish this, as that’s what’s recommend by Let’s Encrypt for this purpose. (i.e. I cannot use certbot here because it’s inappropriate for local IPs and my cert may be revoked)

I also require the example app to run under HTTPS in order to test this. To do this, I’ve added a reverse proxy configuration to nginx for the example app. It is using a different local domain and certificate, is running on the same machine, and is covered by the same root CA.

After adding my root CA to Ubuntu’s certificate store, adding my local domains to /etc/hosts, setting rejectUnknown to false in default.json, adding NODE_OPTIONS=--use-openssl-ca to the document server’s .service file - I get this helpful error: “Download failed”

Here’s the reverse proxy config I have set for the example app. The document server itself is following the nginx configuration from the template as described by OnlyOffice’s documentation, and it’s running under the domain ooserver.local and respective pem files.

server {
  listen 443;
  server_name ooapp.local;
  ssl_certificate /credentials/ooapp.local/cert.pem;
  ssl_certificate_key /credentials/ooapp.local/key.pem;
  location / {
    proxy_pass http://localhost:3001;
    proxy_http_version 1.1;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port  $server_port;
    proxy_read_timeout 90;
    proxy_redirect http://localhost:3001 https://ooapp.local;

I am at a loss on what to try next. I was very much set on testing locally rather than uploading all my files to a staging server every time I want to test. Any help on this matter is greatly appreciated.

Addition: There are no helpful log messages. In fact, there don’t seem to be any log messages related to this issue at all.

Addition: The /track url on the example app is getting requested, but I’m not sure yet what it responds with.

Hello @KernelDeimos

Unfortunately, text examples are not supposed to be used behind the proxy, since they are basic storage apps used for testing purposes only. With that said, we do not have ready-to-go examples of such configuration suitable for them.

Ok, it makes sense to me that the test examples aren’t designed to be used behind a proxy. It makes sense to me… but it makes sense to me because it is not the concern of the test example whether or not it’s behind a proxy, or behind HTTPS. Separation of concerns would dictate this.

However, if it doesn’t care, then it should work just the same as any other node.js integration behind a proxy providing the secure layer.

I’ve solved my problem by making it so when the document server requests the callback the callback URL is HTTP instead of HTTPS. This works okay for me because the storage integration and the document server happen to be running on the same machine.

Okay, so what if it wasn’t? Regardless of whether it’s the example integration or my own code, how do I secure that if the document server can’t access the storage service over HTTPS? Is that currently not possible?

Hello @KernelDeimos

I’m glad to hear that you solved the issue with test example.

Note that on the page of language specific examples it is stated that:

The integration examples are used to demonstrate document editors functions and the ways to connect Document Server to your own application. DO NOT USE these examples on your own server without PROPER CODE MODIFICATIONS! If you enabled any of the test examples, disable it before going for production.

If the proxy configuration is set up correctly and your storage is accessible by Document Server via indicated URL, then there shouldn’t be any problems with connection.
In case you face any issues or errors in editors interface please share Document Server log files with us for analysis so we can assist in troubleshooting the issue.