How to secure OO when used with nextcloud so that not everyone can use it?

First of all, that’s my setup:
Nextcloud and OO are running in Docker with a docker-compose.yml that looks something like this (removed the unimportant parts):

    version: '3'

    volumes:
      nextcloud:
      db:

    services:
      db:
        image: mariadb
        [...]

      app:
        image: nextcloud
        links:
          - db
        volumes:
          - [...]
        networks:
          default:
          proxy_net:

      documentserver:
        image: onlyoffice/documentserver
        volumes:
          - [...]
        networks:
          default:
          proxy_net:

    networks:
      proxy_net:
        external: true
      default:

Both of them run behind an nginx proxy. NC is reachable as cloud.domain.com and OO as office.domain.com.

Now to my question: If I’m not mistaken, everyone can now use my documentserver with their Nextcloud, right? If so, how can I prevent this? Of course I could just block access to OO from the Internet, but that means that I can’t use it from outside my network myself.

Infos:

  • OO Version 7.1.1.23
  • Integration App Version 7.3.4
  • Nextcloud Version 24.0.1

Hi, please enable JWT settings to prevent unwanted access to your Document Server.
Here are the instructions on how to enable JWT in Document Server:
https://api.onlyoffice.com/editors/signature/
You need to take the value from

    "inbox": {
      "string": "secret"
    },
    "outbox": {
      "string": "secret"
    }

And insert it into the secret key field of the connector settings.

1 Like

For anyone with the same problem, you can switch on JWT by setting the variables:

    environment:
      - JWT_ENABLED=true
      - JWT_SECRET=<some_password>
2 Likes
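
Why the shared secret answers the original question, as an added example that is not part of the thread and is not ONLYOFFICE's or Nextcloud's code: once JWT is enabled, a request is only accepted if it carries a token signed with the same secret the server holds, so another Nextcloud instance pointing at office.domain.com is rejected. The example assumes HS256 signing; the secret and the payload shape are constructed values.

```python
import base64
import hashlib
import hmac
import json

SERVER_SECRET = "constructed-shared-secret"  # constructed; stands in for JWT_SECRET
SAMPLE_PAYLOAD = {"document": {"url": "https://cloud.domain.com/f/1.docx"}}  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, secret: str) -> str:
    """Client side: sign the request payload with the shared secret (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256)
    return f"{header}.{body}.{b64url(mac.digest())}"


def verify(token: str, secret: str):
    """Server side: return the payload if the token is valid, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" or any unexpected algorithm
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # signed with a different secret, or payload altered
        return json.loads(b64url_decode(body))
    except (ValueError, AttributeError):
        return None  # malformed token


if __name__ == "__main__":
    own = sign(SAMPLE_PAYLOAD, SERVER_SECRET)
    foreign = sign(SAMPLE_PAYLOAD, "secret-of-another-instance")
    print("own Nextcloud accepted:    ", verify(own, SERVER_SECRET) is not None)
    print("foreign Nextcloud accepted:", verify(foreign, SERVER_SECRET) is not None)
```

The protection is only as strong as the secret, so `JWT_SECRET` should be a long random value and the same value must be entered in the connector's secret key field.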