本文将介绍使用docker的方式部署 ONLYOFFICE Workspace服务。onlyoffice的各项服务内部使用docker network网络,对外暴露 8100和8101端口分别对应容器的80、443端口,主机使用 Nginx 根据域名进行映射。
安装 Workspace
准备工作
建立相关文件夹
# Create the host directories that the containers bind-mount for persistent
# configuration, data and logs. One mkdir call per service.

# MySQL server: configuration, data files, first-start SQL scripts
sudo mkdir -p \
  "/app/onlyoffice/mysql/conf.d" \
  "/app/onlyoffice/mysql/data" \
  "/app/onlyoffice/mysql/initdb"

# Community Server: data, logs, Let's Encrypt material
sudo mkdir -p \
  "/app/onlyoffice/CommunityServer/data" \
  "/app/onlyoffice/CommunityServer/logs" \
  "/app/onlyoffice/CommunityServer/letsencrypt"

# Document Server: data and logs
sudo mkdir -p \
  "/app/onlyoffice/DocumentServer/data" \
  "/app/onlyoffice/DocumentServer/logs"

# Control Panel: data and logs
sudo mkdir -p \
  "/app/onlyoffice/ControlPanel/data" \
  "/app/onlyoffice/ControlPanel/logs"
建立 onlyoffice 网络
# User-defined bridge network shared by all ONLYOFFICE containers; they reach
# each other on it by container name (e.g. onlyoffice-mysql-server).
sudo docker network create --driver=bridge onlyoffice
安装数据库
创建数据库配置文件
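# Write the MySQL settings file that is mounted into the container as
# /etc/mysql/conf.d/onlyoffice.cnf.
# The target directory was created with sudo, so a plain `>` redirection from
# an unprivileged shell is refused; `sudo tee` performs the write as root.
# The quoted 'EOF' keeps the text literal (no variable expansion).
sudo tee /app/onlyoffice/mysql/conf.d/onlyoffice.cnf >/dev/null <<'EOF'
[mysqld]
sql_mode = 'NO_ENGINE_SUBSTITUTION'
max_connections = 1000
max_allowed_packet = 1048576000
group_concat_max_len = 2048
EOF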
建立 SQL 脚本
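# Write the SQL that the MySQL image runs from /docker-entrypoint-initdb.d.
# The target directory was created with sudo, so the file is written through
# `sudo tee` instead of a plain `>` redirection.
#
# 'my-secret-pw' and 'onlyoffice_pass' are sample values: replace them with
# long random passwords and use the same values in the docker run commands
# that pass MYSQL_ROOT_PASSWORD / MYSQL_SERVER_ROOT_PASSWORD / MYSQL_SERVER_PASS.
# Both accounts are defined for host '%' with ALL PRIVILEGES ON *.*, so anyone
# who can reach the MySQL port and knows a password has full control of the
# server; the MySQL container in this guide is started without a published
# port, which keeps it reachable only from the onlyoffice Docker network.
# The file stores the passwords in clear text. The image only runs initdb
# scripts when the data directory is empty, so the file can be deleted once
# the database has been initialised.
sudo tee /app/onlyoffice/mysql/initdb/setup.sql >/dev/null <<'EOF'
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'my-secret-pw';
CREATE USER IF NOT EXISTS 'onlyoffice_user'@'%' IDENTIFIED WITH mysql_native_password BY 'onlyoffice_pass';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';
GRANT ALL PRIVILEGES ON *.* TO 'onlyoffice_user'@'%';
FLUSH PRIVILEGES;
EOF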
建立 MySQL 容器
# Start MySQL 8.0.29 on the onlyoffice network. No host port is published, so
# the database is reachable only from containers on that network.
# MYSQL_ROOT_PASSWORD has to match the root password written to
# initdb/setup.sql. A value given with --env on the command line is stored in
# the shell history and is readable through `docker inspect`.
sudo docker run \
  --network onlyoffice \
  --interactive --tty --detach \
  --restart=always \
  --name onlyoffice-mysql-server \
  --volume /app/onlyoffice/mysql/conf.d:/etc/mysql/conf.d \
  --volume /app/onlyoffice/mysql/data:/var/lib/mysql \
  --volume /app/onlyoffice/mysql/initdb:/docker-entrypoint-initdb.d \
  --env MYSQL_ROOT_PASSWORD=my-secret-pw \
  --env MYSQL_DATABASE=onlyoffice \
  mysql:8.0.29
生成 JWT 密钥
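# Generate the 32-character alphanumeric JWT secret that Document Server and
# Community Server must share.
# LC_ALL=C makes tr treat the random stream as raw bytes, so it does not stop
# with an "illegal byte sequence" error in a multi-byte locale.
# The variable exists only in the current shell session: every later
# `docker run` that passes ${JWT_SECRET} has to be started from this same
# session, otherwise the value expands to an empty string.
JWT_SECRET=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)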
安装 ONLYOFFICE Document Server
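# Start Document Server with JWT validation enabled; requests must carry a
# token signed with JWT_SECRET in the AuthorizationJwt header.
# "${JWT_SECRET:?...}" stops the command when the variable is unset or empty
# (for example in a new shell), instead of silently starting the container
# with an empty secret.
# The image has no tag, so Docker pulls whatever "latest" is at that moment;
# pin a tested version (as done for mysql:8.0.29) for reproducible installs.
sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \
  -e JWT_ENABLED=true \
  -e JWT_SECRET="${JWT_SECRET:?JWT_SECRET is not set in this shell}" \
  -e JWT_HEADER=AuthorizationJwt \
  -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/DocumentServer/fonts:/usr/share/fonts/truetype/custom \
  -v /app/onlyoffice/DocumentServer/forgotten:/var/lib/onlyoffice/documentserver/App_Data/cache/files/forgotten \
  onlyoffice/documentserver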
安装 ONLYOFFICE Control Panel
# Start the Control Panel on the onlyoffice network (no host port published).
# Mounting /var/run/docker.sock hands this container control of the host's
# Docker daemon, which is equivalent to root access on the host: anyone who
# compromises the Control Panel can start, stop or replace any container.
# Keep the panel reachable only by administrators.
sudo docker run \
  --network onlyoffice \
  --interactive --tty --detach \
  --restart=always \
  --name onlyoffice-control-panel \
  --volume /var/run/docker.sock:/var/run/docker.sock \
  --volume /app/onlyoffice/CommunityServer/data:/app/onlyoffice/CommunityServer/data \
  --volume /app/onlyoffice/ControlPanel/data:/var/www/onlyoffice/Data \
  --volume /app/onlyoffice/ControlPanel/logs:/var/log/onlyoffice \
  onlyoffice/controlpanel
安装 ONLYOFFICE Community Server
这里将 Community 服务映射到主机的 8100 端口,防止与其他服务冲突。同时因为计划 SSL 认证在主机中完成,所以没有映射容器的 443 号端口。
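# Start Community Server, published on host port 8100 (HTTP) and 5222.
# "${DOCUMENT_SERVER_JWT_SECRET}" must be the secret Document Server was
# started with; "${JWT_SECRET:?...}" stops the command when the variable is
# unset or empty (for example in a new shell) instead of passing an empty one.
# Points to review before using this on a reachable host:
#  - --privileged together with the read-write /sys/fs/cgroup mount removes
#    most of the isolation between this container and the host.
#  - -p 8100:80 and -p 5222:5222 listen on every host interface, so port 8100
#    serves plain HTTP directly, bypassing the Nginx reverse proxy; restrict
#    it with a firewall or a host-address prefix if only Nginx should reach it.
#  - The MySQL passwords are sample values and must match initdb/setup.sql;
#    values passed with -e are visible in shell history and `docker inspect`.
sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name onlyoffice-community-server -p 8100:80 -p 5222:5222 --cgroupns=host \
  -e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \
  -e MYSQL_SERVER_DB_NAME=onlyoffice \
  -e MYSQL_SERVER_HOST=onlyoffice-mysql-server \
  -e MYSQL_SERVER_USER=onlyoffice_user \
  -e MYSQL_SERVER_PASS=onlyoffice_pass \
  -e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \
  -e DOCUMENT_SERVER_JWT_ENABLED=true \
  -e DOCUMENT_SERVER_JWT_SECRET="${JWT_SECRET:?JWT_SECRET is not set in this shell}" \
  -e DOCUMENT_SERVER_JWT_HEADER=AuthorizationJwt \
  -e CONTROL_PANEL_PORT_80_TCP=80 \
  -e CONTROL_PANEL_PORT_80_TCP_ADDR=onlyoffice-control-panel \
  -v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/CommunityServer/letsencrypt:/etc/letsencrypt \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  onlyoffice/communityserver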
配置 Nginx 反向代理
http 访问
创建配置文件 /etc/nginx/sites-available/onlyoffice
填入下面内容
# Plain-HTTP virtual host: every request for this name is forwarded to the
# Community Server container published on host port 8100. Traffic between the
# browser and Nginx is unencrypted in this variant.
server {
    listen 80;
    server_name onlyoffice.beekc.top;

    location / {
        # Hand the original Host header and the client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://localhost:8100/;
    }
}
将其中的 onlyoffice.beekc.top 修改为指向服务器的域名。
https 访问
使用下面配置,建立 Community Server 容器
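# Re-create Community Server with container port 443 additionally published
# on host port 8101.
# Docker refuses to start a second container with a name that is already in
# use, so a container named onlyoffice-community-server left over from the
# HTTP-only setup has to be stopped and removed before running this command.
# "${JWT_SECRET:?...}" stops the command when the variable is unset or empty
# (for example in a new shell) instead of passing an empty secret.
# Points to review before using this on a reachable host:
#  - --privileged together with the read-write /sys/fs/cgroup mount removes
#    most of the isolation between this container and the host.
#  - -p 8100:80, -p 8101:443 and -p 5222:5222 listen on every host interface,
#    so the container can be reached directly, bypassing the Nginx proxy.
#  - The MySQL passwords are sample values and must match initdb/setup.sql;
#    values passed with -e are visible in shell history and `docker inspect`.
sudo docker run --net onlyoffice -i -t -d --privileged --restart=always --name onlyoffice-community-server -p 8100:80 -p 8101:443 -p 5222:5222 --cgroupns=host \
  -e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \
  -e MYSQL_SERVER_DB_NAME=onlyoffice \
  -e MYSQL_SERVER_HOST=onlyoffice-mysql-server \
  -e MYSQL_SERVER_USER=onlyoffice_user \
  -e MYSQL_SERVER_PASS=onlyoffice_pass \
  -e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \
  -e DOCUMENT_SERVER_JWT_ENABLED=true \
  -e DOCUMENT_SERVER_JWT_SECRET="${JWT_SECRET:?JWT_SECRET is not set in this shell}" \
  -e DOCUMENT_SERVER_JWT_HEADER=AuthorizationJwt \
  -e CONTROL_PANEL_PORT_80_TCP=80 \
  -e CONTROL_PANEL_PORT_80_TCP_ADDR=onlyoffice-control-panel \
  -v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/CommunityServer/letsencrypt:/etc/letsencrypt \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  onlyoffice/communityserver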
修改 DNS 服务器设置,将要使用的域名指向服务器
使用 Certbot 获取证书,参照:Certbot使用DNS方式获取证书 – BEEKC
访问 http://onlyoffice.example.com:8100,配置 控制面板 – HTTPS 选项,上传证书,完成 HTTPS 认证
建立 nginx 配置文件 /etc/nginx/sites-available/onlyoffice
# Port 80 virtual host: requests are proxied to the container's HTTP port
# (host port 8100). Nothing here redirects to HTTPS, so this name stays
# reachable over unencrypted HTTP as well.
server {
    listen 80;
    server_name office.beekc.top;

    location / {
        # Hand the original Host header and the client address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://localhost:8100;
    }
}
# HTTPS virtual host: TLS is terminated here with the host's Let's Encrypt
# certificate and requests are re-encrypted towards the container's HTTPS
# port (host port 8101). Nginx does not verify the upstream certificate unless
# proxy_ssl_verify is enabled; the hop shown here stays on localhost.
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name office.beekc.top;

    ssl_certificate /etc/letsencrypt/live/beekc.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/beekc.top/privkey.pem;

    # Default: ordinary page and API requests
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:8101;
    }

    # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket connections
    # pass through the proxy
    location /socketio/ {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8101;
    }

    # Same upgrade handling for the /ds-vpath/ prefix
    location /ds-vpath/ {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://localhost:8101;
    }

    # Forwarded without extra request headers
    location /skins/ {
        proxy_pass https://localhost:8101;
    }
}
将其链接到 sites-enabled 中,并重启 Nginx 服务
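# Enable the site. -f/-n replace an existing link of the same name, so the
# step can be repeated without an error.
sudo ln -sfn /etc/nginx/sites-available/onlyoffice /etc/nginx/sites-enabled/onlyoffice
# Check the configuration first: restarting with a syntax error would stop
# Nginx and take every site on this host offline.
sudo nginx -t && sudo service nginx restart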
解决上传文件大小限制
Nginx 默认将上传文件大小限制为 1M。修改配置文件 /etc/nginx/nginx.conf,在 http 节中添加 client_max_body_size 200M;,即可将限制改为 200M。
暴露 Document Server
为了在 Nextcloud 中集成 Onlyoffice 的编辑功能,修改 Document Server 配置,将容器80端口映射到host的8102端口上
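# Re-create Document Server with container port 80 published on host port
# 8102 so that the host's Nginx can proxy to it.
# The original command had `-p 8102:80\` with no space before the backslash
# followed by a stray `-p` line, which glued the two together and ended the
# command early; the port mapping now sits on its own continuation line.
# Docker refuses to start a second container with a name that is already in
# use, so the onlyoffice-document-server container from the earlier step has
# to be stopped and removed before running this command.
# "${JWT_SECRET:?...}" stops the command when the variable is unset or empty
# (for example in a new shell); the value must be the one Community Server
# was started with.
# -p 8102:80 listens on every host interface and serves plain HTTP. When only
# the local Nginx proxy needs the port, publishing it as 127.0.0.1:8102:80
# keeps it off the network.
sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \
  -p 8102:80 \
  -e JWT_ENABLED=true \
  -e JWT_SECRET="${JWT_SECRET:?JWT_SECRET is not set in this shell}" \
  -e JWT_HEADER=AuthorizationJwt \
  -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/DocumentServer/fonts:/usr/share/fonts/truetype/custom \
  -v /app/onlyoffice/DocumentServer/forgotten:/var/lib/onlyoffice/documentserver/App_Data/cache/files/forgotten \
  onlyoffice/documentserver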
建立 nginx 配置文件 /etc/nginx/sites-available/onlyoffice-doc
# Upstream group; the proxy_pass shown in this configuration addresses
# localhost:8102 directly and does not reference it.
upstream docservice {
    server localhost;
}

# $this_host: the Host header sent by the client, or $host when it is empty
map $http_host $this_host {
    ""      $host;
    default $http_host;
}

# $the_scheme: incoming X-Forwarded-Proto if present, else the real scheme
map $http_x_forwarded_proto $the_scheme {
    default $http_x_forwarded_proto;
    ""      $scheme;
}

# $the_host: incoming X-Forwarded-Host if present, else $this_host
map $http_x_forwarded_host $the_host {
    default $http_x_forwarded_host;
    ""      $this_host;
}

# $proxy_connection: "upgrade" when the client asks for a protocol upgrade
# (WebSocket), otherwise "close"
map $http_upgrade $proxy_connection {
    default upgrade;
    ""      close;
}

# Headers added to every proxied request that does not define its own set.
# NOTE(review): the X-Forwarded-* maps above pass through whatever the client
# sent; if this Nginx is the first hop from the internet, those values are
# client-controlled and the backend should not treat them as trusted.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $the_host;
proxy_set_header X-Forwarded-Proto $the_scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Plain HTTP host: serves no content itself
server {
    listen 0.0.0.0:80;
    listen [::]:80;
    server_name doc.beekc.top;

    # Do not advertise the Nginx version in responses and error pages
    server_tokens off;

    ## Permanently redirect every request to the HTTPS host
    return 301 https://$server_name:443$request_uri;
}
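## HTTPS host for Document Server: terminates TLS and proxies to the
## container published on host port 8102.
server {
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl default_server;
    # The terminating ';' was missing here, which made Nginx read the next
    # line ("server_tokens off") as two additional server names and left
    # server_tokens at its default.
    server_name doc.beekc.top;
    server_tokens off;
    root /usr/share/nginx/html;

    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # "ssl on;" was dropped: it is obsolete, and the "ssl" parameter on the
    # listen directives above already enables TLS for this server.
    ssl_certificate /etc/letsencrypt/live/beekc.top/fullchain.pem; # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/beekc.top/privkey.pem; # managed by certbot on host machine
    ssl_verify_client off;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
    # TLSv1.3 needs an Nginx build linked against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_prefer_server_ciphers on;

    ## [Optional] Before enabling Strict-Transport-Security headers, ensure your server is properly configured for SSL.
    ## This directive informs the browser to always use HTTPS. For more info see:
    ## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    ## [Optional] If your certificate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
    ## Replace with your ssl_trusted_certificate. For more info see:
    ## - https://medium.com/devops-programming/4445f4862461
    ## - https://www.ruby-forum.com/topic/4419319
    ## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # resolver 208.67.222.222 208.67.222.220 valid=300s; # Can change to your DNS resolver if desired
    # resolver_timeout 10s;

    ## [Optional] Generate a stronger DHE parameter:
    ## cd /etc/ssl/certs
    ## sudo openssl dhparam -out dhparam.pem 4096
    ##
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        # The hop to the container is plain HTTP on localhost; Document
        # Server's JWT check, not this proxy, authenticates the requests.
        proxy_pass http://localhost:8102;
        proxy_http_version 1.1;
    }
}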
将其链接到 sites-enabled 中,并重启 Nginx 服务
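# Enable the site. -f/-n replace an existing link of the same name, so the
# step can be repeated without an error.
sudo ln -sfn /etc/nginx/sites-available/onlyoffice-doc /etc/nginx/sites-enabled/onlyoffice-doc
# Check the configuration first: restarting with a syntax error would stop
# Nginx and take every site on this host offline.
sudo nginx -t && sudo service nginx restart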