diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fa4e142
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+certs
+
diff --git a/README.md b/README.md
index 09fe73d..b4a167e 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,13 @@ Document Server (distributed as ONLYOFFICE Docs starting from v.6.0) and Nextclo
docker-compose up -d
```
+ To enable SSL encryption, create `certs` folder and copy the private key named as `privkey.pem` and the certificate named as `fullchain.pem` to it.
+ Run this command:
+
+ ```
+ docker-compose -f docker-compose.yml -f ssl.yml up -d
+ ```
+
**Please note**: you might need to wait a couple of minutes when all the containers are up and running after the above command.
3. Now launch the browser and enter the webserver address. The Nextcloud wizard webpage will be opened. Enter all the necessary data to complete the wizard.
diff --git a/docker-compose.yml b/docker-compose.yml
index d7cad92..f3e67f3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,7 +27,8 @@ services:
- 80:80
- 443:443
volumes:
- - ./nginx.conf:/etc/nginx/nginx.conf
+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./nginx/common.conf:/etc/nginx/common.conf:ro
- app_data:/var/www/html
volumes:
document_data:
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index 0de695f..0000000
--- a/nginx.conf
+++ /dev/null
@@ -1,142 +0,0 @@
-user www-data;
-worker_processes 1;
-
-error_log /var/log/nginx/error.log warn;
-pid /var/run/nginx.pid;
-
-events {
- worker_connections 1024;
-}
-
-http {
-
- upstream backend {
- server app-server:9000;
- }
-
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- map $http_host $this_host {
- "" $host;
- default $http_host;
- }
-
- map $http_x_forwarded_proto $the_scheme {
- default $http_x_forwarded_proto;
- "" $scheme;
- }
-
- map $http_x_forwarded_host $the_host {
- default $http_x_forwarded_host;
- "" $this_host;
- }
-
- server {
- listen 80;
-
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
-
- root /var/www/html;
- client_max_body_size 10G; # 0=unlimited - set max upload size
- fastcgi_buffers 64 4K;
-
- gzip off;
-
- index index.php;
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
-
- rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
- rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
-
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location / {
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- }
-
- location ~* ^/ds-vpath/ {
- rewrite /ds-vpath/(.*) /$1 break;
- proxy_pass http://onlyoffice-document-server;
- proxy_redirect off;
-
- client_max_body_size 100m;
-
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
-
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
- proxy_set_header X-Forwarded-Proto $the_scheme;
- }
-
- location ~ \.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS off;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass backend;
- fastcgi_intercept_errors on;
- }
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- location ~* \.(?:css|js)$ {
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- # Optional: Don't log access to assets
- access_log off;
- }
-
- # Optional: Don't log access to other assets
- location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
- access_log off;
- }
-
- }
-}
diff --git a/nginx/common.conf b/nginx/common.conf
new file mode 100644
index 0000000..6fa4bac
--- /dev/null
+++ b/nginx/common.conf
@@ -0,0 +1,90 @@
+# Add headers to serve security related headers
+add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
+
+root /var/www/html;
+client_max_body_size 10G; # 0=unlimited - set max upload size
+fastcgi_buffers 64 4K;
+
+gzip off;
+
+index index.php;
+error_page 403 /core/templates/403.php;
+error_page 404 /core/templates/404.php;
+
+rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
+rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
+
+location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+}
+
+location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+}
+
+location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+}
+
+location / {
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+}
+
+location ~* ^/ds-vpath/ {
+ rewrite /ds-vpath/(.*) /$1 break;
+ proxy_pass http://onlyoffice-document-server;
+ proxy_redirect off;
+
+ client_max_body_size 100m;
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $the_host/ds-vpath;
+ proxy_set_header X-Forwarded-Proto $the_scheme;
+}
+
+location ~ \.php(?:$|/) {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS off;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass backend;
+ fastcgi_intercept_errors on;
+}
+
+# Adding the cache control header for js and css files
+# Make sure it is BELOW the location ~ \.php(?:$|/) { block
+location ~* \.(?:css|js)$ {
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ # Optional: Don't log access to assets
+ access_log off;
+}
+
+# Optional: Don't log access to other assets
+location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+ access_log off;
+}
diff --git a/nginx/nginx-ssl.conf b/nginx/nginx-ssl.conf
new file mode 100644
index 0000000..7c08aab
--- /dev/null
+++ b/nginx/nginx-ssl.conf
@@ -0,0 +1,72 @@
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ upstream backend {
+ server app-server:9000;
+ }
+
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ map $http_host $this_host {
+ "" $host;
+ default $http_host;
+ }
+
+ map $http_x_forwarded_proto $the_scheme {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+ }
+
+ map $http_x_forwarded_host $the_host {
+ default $http_x_forwarded_host;
+ "" $this_host;
+ }
+
+ server {
+ listen 80;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ server {
+ listen 80;
+ server_name nginx-server;
+
+ include /etc/nginx/common.conf;
+ }
+
+ server {
+ listen 443 ssl;
+
+ ssl_certificate /etc/nginx/certs/fullchain.pem;
+ ssl_certificate_key /etc/nginx/certs/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ include /etc/nginx/common.conf;
+ }
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..160b057
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,52 @@
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ upstream backend {
+ server app-server:9000;
+ }
+
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ map $http_host $this_host {
+ "" $host;
+ default $http_host;
+ }
+
+ map $http_x_forwarded_proto $the_scheme {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+ }
+
+ map $http_x_forwarded_host $the_host {
+ default $http_x_forwarded_host;
+ "" $this_host;
+ }
+
+ server {
+ listen 80;
+
+ include /etc/nginx/common.conf;
+ }
+}
diff --git a/ssl.yml b/ssl.yml
new file mode 100644
index 0000000..2f270bb
--- /dev/null
+++ b/ssl.yml
@@ -0,0 +1,9 @@
+version: '3'
+services:
+ onlyoffice-document-server:
+ environment:
+ - USE_UNAUTHORIZED_STORAGE=true
+ nginx:
+ volumes:
+ - ./certs:/etc/nginx/certs:ro
+ - ./nginx/nginx-ssl.conf:/etc/nginx/nginx.conf:ro