Error message when opening/creating a document from update

monk79 · 22 March 2023 13:50

Good morning,

First sorry for my English, I go through a translator, which is easier to explain myself. I hope it will be understandable for you.

I’m using Nextcloud with Docker, I’m using a SWAG reverse proxy.
To bypass Nextcloud’s security alerts, I edited swag’s nginx/ssl.conf file and uncommented the lines to enable them:

add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options "SAMEORIGIN" always;

To deploy OnlyOffice with docker I used as options:

    environment:
      JWT_ENABLED: 'true'
      JWT_SECRET: 'SuperSecretPasskeyThatNoOneKnows'
      JWT_HEADER: 'AuthorizationJwt'
      JWT_IN_BODY: 'true'

But in this configuration I could not create or open documents via Nextcloud, I had to modify the file www/nextcloud/config/config.php of nextcloud and add:

'onlyoffice' =>
  array (
   'jwt_header' => 'AuthorizationJwt',
  ),

Unfortunately since the recent update, my setup no longer works with headers enabled. OnlyOffice does not load when opening/creating a document and I have a message:
mydomain.com does not allow login.

I saw the jwt_leeway to add, but it changes nothing for this case

'jwt_leeway' => 10
)

If anyone has any idea what is stuck. Thank you so much

Constantine · 22 March 2023 14:47

Hello @monk79

Please provide some more information:

version of Document Server;
version of Nextcloud;
version of the connector app;
screenshots of the Console and Network tabs of the browser console while trying to open/create a new document.

To make these screenshots please follow this scenario:

Open/create a new document and wait until page is loaded;
Open browser console (F12) and reload the page with opened console;
Make screenshots of any error entries from Console and Network tabs.

monk79 · 22 March 2023 17:15

Hello @Constantine

Nextcloud Hub 3 25.0.4
Connecteur ONLYOFFICE 7.8.0
I don’t know how to find the version, but I re-pulled the image last night version latest

Thanks

monk79 · 22 March 2023 19:50

And the second one, I can only put one image per post

thanks

Constantine · 23 March 2023 07:45

Hello @monk79

Thanks.
Issue appeared because you set X-Frame-Options header to SAMEORIGIN in proxy configs and it is clearly stated in the error entry of the browser console. More about this parameter you can read here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
As you can see there are only two values for this parameter both of which restrict access from other domains. You will need to remove/comment the header to allow rendering of the editors.

monk79 · 23 March 2023 08:54

Hello @Constantine ,

I had noticed that by lowering the security level of the headers it worked again. What bothers me is that I have security alerts in Nextcloud.

This configuration was working fine before I updated the connector and maybe the Document Server, I don’t remember very well.

I had to add :

onlyoffice' =>
  array (
   jwt_header' => 'AuthorizationJwt',
  ),

in the php.config file of nextcloud which is www/nextcloud/config and I have the impression that it is not taken into account any more because I had the same problems before the addition of these lines.

I don’t really understand what the code I had to add means, but I think it’s to allow a part of the onlyoffice header? There was no change on this side?

Thanks

Constantine · 23 March 2023 09:32

Hello @monk79

onlyoffice' =>
  array (
   jwt_header' => 'AuthorizationJwt',
  ),

This part defines the custom JWT Token header on the Nextcloud side that allows you to avoid issues with integration of Document Server with your Nextcloud portal in case custom JWT header is used. You have declared this custom JWT header upon starting the container as environment variable JWT_HEADER:

monk79:

To deploy OnlyOffice with docker I used as options:

    environment:
      JWT_ENABLED: 'true'
      JWT_SECRET: 'SuperSecretPasskeyThatNoOneKnows'
      JWT_HEADER: 'AuthorizationJwt'
      JWT_IN_BODY: 'true'

Basically, if you didn’t declare JWT_HEADER, you wouldn’t have had to add this section to Nextcloud config.php at all.
So considering that, please do not mix JWT Token header and HTTP headers.

Regarding the usage of old parameters - no. We only have added new parameter that you’ve mentioned:

'jwt_leeway' => 10
)

This parameter allows you to set a permitted difference in time for JWT Token to be authorized if the general clock time between your Document Server and Nextcloud server differs. More about it you can read in this thread:
https://forum.onlyoffice.com/t/new-in-nextcloud-plugins-and-protection-access-control-jwt-leeway-setting-danish-interface-and-more/4374

Could you please share with us examples of the alerts that you receive?

monk79 · 23 March 2023 10:09

Thanks for the explanations Thank you for the explanations and clarification!

Here is what I get when I create or open a document

Constantine · 23 March 2023 10:18

Does it happen with disabled X-Frame-Options? Please reproduce the issue one more time and check browser console for any error entries.
Additionally, please check if the issue reproduces in any other browser.

monk79 · 23 March 2023 11:16

With the current configuration:

Firefox → KO it offers me to open it in a new tab, but there is loading onlyoffice indefinitely.

Edge (which is blank I never use it) → KO same message as with Vivaldi onlyoffice.*****.duckdns.org refused the connection.

By deactivating header X-Frame-Options everything works again! I tested in private browsing to avoid any cache problem.

Constantine · 23 March 2023 12:03

In general, when X-Frame-Options is used, it is blocking all resources that are not related to the parent frame (in this case parent frame is Nextcloud), hence resulting in prohibition to render editors.

Do I understand correctly that it solves your issue?

monk79 · 23 March 2023 12:31

Yes we can say that it solves the problem, even if I am not entirely satisfied with the solution because of lowering the security level.

It is not possible to authorize the headers that come from Onlyoffice as it is done for the JWT_HEADER in the configuration files of Nextcloud?

Constantine · 23 March 2023 15:35

The issue lies not in the headers that come from ONLYOFFICE, but in the header that is set up in your webserver that prevents resources with origin other than your Nextcloud domain from being embedded in the Nextcloud frame. There is nothing to be configured on the Document Server side to bypass this. If you want to keep using the X-Frame-Options header in your environment, you have to make the Document Server available at the same domain name as your Nextcloud.

user-of-file · 1 February 2024 22:44

I’m experiencing a similar issue here. Should I continue with this thread, or start a new one?

Constantine · 2 February 2024 08:36

Hello @user-of-file

You can always start a new one if you are not sure that you are experiencing exactly the same issue.