Integrating ONLYOFFICE Community Edition with NextCloud using Docker

NextCloud is unquestionably the leading open-source file sync & share app on the marketplace, but despite the introduction of NextCloud Text, a simple, collaborative note-taking app, the suite doesn’t officially ship with a comprehensive Office 365 or Google Docs replacement.

It is becoming more common nowadays to use Chromebooks or other thin clients (such as iPad Pro tablets) in workplaces & schools without a local copy of Microsoft Office installed. If your organization plans to use NextCloud as an alternative to Google Drive, then integrating a web-based office suite with NextCloud should be strongly considered, to provide a similar experience with feature parity to Google’s offerings.

Especially in light of the GDPR regulations, many organizations are concerned about the privacy implications of entrusting their most sensitive internal documents to Google and Microsoft’s servers, most of which are based in the US. Yet the modern, mobile workforce demands the convenience of being able to collaborate from anywhere, anytime.

Self-hosting an alternative to Google Drive and Docs, Sheets, Slides, or OneDrive and Office 365 is the capstone to an IT strategy that can assist with the following business objectives:

  • Compliance with GDPR and data sovereignty regulations
  • Reducing per-user licensing costs for G Suite or Office 365
  • Avoiding “Shadow IT” – unofficial use of personal Google or Microsoft accounts

If you’ve already made the wise decision to adopt NextCloud and move away from proprietary alternatives such as Dropbox, Google Drive, or OneDrive, it only makes sense to eliminate privacy-invading collaboration tools such as Google Docs and Office 365 as well.

German and Dutch governments have already kiboshed some contracts with Microsoft for the use of Office 365 in some departments and program offices. The German state of Hesse has gone as far as declaring that its public schools may not use Office 365 due to privacy concerns. For its legacy IT systems that rely on desktop Office, the Dutch government demanded that the software maker provide an offline edition of Microsoft Office Professional Plus (ProPlus) which does not send telemetry data back to Microsoft’s servers.

Collabora Office and ONLYOFFICE are the two most popular web-based office suites ready for use with NextCloud. In this article, we walk through a routine integration of ONLYOFFICE Community Edition with an existing NextCloud instance. This free edition of ONLYOFFICE is licensed under the AGPL and the main limitation is that you can only have 20 simultaneous connections (which is suitable for testing, or small organizations).

The main benefit of ONLYOFFICE over Collabora Office is interoperability with the Microsoft Office 2007 and later OpenXML file formats such as .docx (Word), .xlsx (Excel), and .pptx (PowerPoint). In contrast, Collabora Office uses the OpenDocument format (.odt) by default, making it less convenient to use in a mixed environment where some clients are using Microsoft Office locally.

Also, in our experience, the UX performance of ONLYOFFICE is superior to Collabora. ONLYOFFICE was written from the ground up and optimized for the web, while Collabora is a web-based adaptation of LibreOffice, an open-source office suite popular on Linux desktops (formerly OpenOffice.org).

The user interface of ONLYOFFICE is also much more similar to that of Microsoft Word, Excel, and PowerPoint, with a ribbon-like toolbar, customizable styles, and collaboration tools that are similar to Track Changes – significantly reducing the learning curve of your users.

ONLYOFFICE is typically installed on a separate VPS from your NextCloud instance, given that it has recommended hardware requirements of 4 GB RAM and 2 Xeon cores (or equivalent). It should also be assigned its own subdomain (e.g. office.example.com), as that will be the URL which you use to integrate ONLYOFFICE with NextCloud.

The ONLYOFFICE Document Server has a significant number of dependencies, including RabbitMQ, PostgreSQL, and Redis services. Fortunately there is an official Docker image that packages all of the services into a single Docker container – for ease of deployment. Normally, building this many services into one container is an “anti-pattern” for microservices architecture, but since the Community Edition of ONLYOFFICE is limited to 20 concurrent connections, scaling is not a concern. There is a Cluster Edition of ONLYOFFICE for scale-out deployment, with multiple ONLYOFFICE nodes, separate RabbitMQ, PostgreSQL, and Redis services, and a networked storage backend such as NFS.

This guide assumes you are using CloudFlare DNS for your domain (e.g. example.com) but as long as Certbot has a supported plugin for your DNS provider, you can substitute the appropriate plugin (and command) to obtain a Let’s Encrypt SSL certificate.

If using DigitalOcean, provision a virtual machine with the Docker One-Click App from the Marketplace using the 4GB droplet. For other cloud providers, follow the instructions for your OS distribution to install Docker.

SSH into the machine and begin by installing Certbot.

sudo apt update && sudo apt upgrade -y
sudo apt install python3-pip
# Install system-wide (as root) so that "sudo certbot" below and the root cron job
# that renews the certificate can find the certbot executable on their PATH
sudo pip3 install certbot
sudo pip3 install certbot-dns-cloudflare

Obtain your CloudFlare API key by signing into your account, scrolling down to the API section on the right sidebar and clicking “Get your API key.” Then, switch to the API Tokens tab and click the “View” button beside the Global API Key.

A pop-up window will appear asking you to confirm your account password before displaying the API key. Protect this API key as you would your CloudFlare password.

Create an A record in the DNS zone pointing to the public IP address of your virtual server. If using CloudFlare, this DNS entry can be “orange clouded” meaning that any traffic is proxied through CloudFlare’s CDN and DDoS protection.

If using the DigitalOcean Docker 1-Click App which runs Ubuntu, disable the ufw firewall as it is not recommended to run it alongside Docker.

sudo systemctl stop ufw
sudo systemctl disable ufw

Return to the SSH terminal and create a text file containing this API key, and secure it.

sudo mkdir -p ~/.secrets/certbot/

sudo nano ~/.secrets/certbot/cloudflare.ini

# Cloudflare API credentials used by Certbot
# (replace the two placeholder values with your account e-mail and Global API Key)
dns_cloudflare_email = cloudflare_email
dns_cloudflare_api_key = cloudflare_api_key

sudo chmod 600 ~/.secrets/certbot/cloudflare.ini

Then run the following command to request the Let’s Encrypt SSL certificate.

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d office.example.com

Copy the generated certificates from the Let’s Encrypt folder to the directory /app/onlyoffice/DocumentServer/data/certs/ (on the host) that will be bind-mounted into the onlyoffice container. The permissions for the private key, onlyoffice.key, must be set to 400 (only the owner can read).

sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
cd /app/onlyoffice/DocumentServer/data/certs
# /etc/letsencrypt/live is readable by root only, hence sudo
sudo cp /etc/letsencrypt/live/office.example.com/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
sudo cp /etc/letsencrypt/live/office.example.com/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
# Private key must be readable by its owner only
sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key

While in the same working directory, generate the Diffie-Hellman (DH) parameters with a key size of 2048 bits to make the key exchange in the TLS handshake between the ONLYOFFICE server and the client more secure.

openssl dhparam -out dhparam.pem 2048

Finally, run the Docker container with the following environment variables.

The bind mounts, indicated by the -v flag, mount a directory on the host filesystem into the onlyoffice/documentserver container so that persistent data is saved on the host. This overcomes the ephemeral nature of containers, so ONLYOFFICE can simply be redeployed (docker pull, docker stop, docker rm, and docker run) to update to a new version while preserving any user data. It also allows the SSL certificate files created earlier to be used within the container.

Generate a random alphanumeric string to use as JWT_SECRET, which will serve as a token that will allow your (and exclusively your) NextCloud server to use your ONLYOFFICE instance. You will need this value when integrating ONLYOFFICE with NextCloud in the final step.

# Replace "secret" with the random string generated above. JWT_ENABLED=true makes the
# document server reject any request that is not signed with that secret.
sudo docker run -i -t -d --name onlyoffice --restart always -p 443:443 \
  -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
  -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
  -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
  -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql \
  -e JWT_ENABLED=true \
  -e JWT_SECRET=secret \
  -e SSL_CERTIFICATE_PATH=/var/www/onlyoffice/Data/certs/onlyoffice.crt \
  -e SSL_KEY_PATH=/var/www/onlyoffice/Data/certs/onlyoffice.key \
  -e SSL_DHPARAM_PATH=/var/www/onlyoffice/Data/certs/dhparam.pem \
  onlyoffice/documentserver

Create the following deploy hook script in /etc/letsencrypt/renewal-hooks/deploy/deploy.sh that will be triggered automatically upon each renewal of the SSL certificate.

sudo nano /etc/letsencrypt/renewal-hooks/deploy/deploy.sh

#!/bin/bash
# Runs as root after each successful renewal: copy the fresh certificate and key into
# the bind-mounted certs directory, lock down the key, and restart the container so
# nginx inside it picks up the new files. Abort on the first failed step.
set -e
cp /etc/letsencrypt/live/office.example.com/fullchain.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.crt
cp /etc/letsencrypt/live/office.example.com/privkey.pem /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
chmod 400 /app/onlyoffice/DocumentServer/data/certs/onlyoffice.key
docker container restart onlyoffice

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/deploy.sh
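A quick consistency check for the files the deploy hook drops into the certs directory, added here as an example and not part of the original guide or of ONLYOFFICE: it confirms that onlyoffice.crt and onlyoffice.key belong together, that the key is readable by its owner only, that the certificate is not about to expire, and that dhparam.pem is present. CERT_DIR is an assumed variable whose default is the guide's host path.

```shell
#!/bin/sh
# Added example, not from the guide. Sanity-checks the certificate files that the
# renewal deploy hook copies into the bind-mounted certs directory.
# CERT_DIR is an assumed variable; the default is the guide's host path.
CERT_DIR="${CERT_DIR:-/app/onlyoffice/DocumentServer/data/certs}"

# 0 if the public key inside the certificate equals the one derived from the private key
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 0 if the private key's mode is 400 or 600 (readable by its owner only)
key_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# 0 if the certificate is still valid for at least $2 more days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks on one directory; prints the first problem found, 0 only if all pass
check_onlyoffice_certs() {
  dir="${1:-$CERT_DIR}"
  cert_matches_key "$dir/onlyoffice.crt" "$dir/onlyoffice.key" \
    || { echo "onlyoffice.crt does not match onlyoffice.key"; return 1; }
  key_mode_ok "$dir/onlyoffice.key" \
    || { echo "onlyoffice.key must be mode 400 (or 600)"; return 1; }
  cert_valid_for_days "$dir/onlyoffice.crt" 7 \
    || { echo "certificate expires within 7 days; check certbot renew"; return 1; }
  [ -s "$dir/dhparam.pem" ] \
    || { echo "dhparam.pem missing"; return 1; }
  echo "certificate files in $dir look consistent"
}
```

Run `check_onlyoffice_certs` (optionally with a directory argument) after a renewal, or from the deploy hook before the container restart, to catch a copy that went wrong before nginx inside the container fails to start.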

Then add the following cron job to the system-wide cron tab so Let’s Encrypt automatically checks (daily) whether the certificate is close to expiration, and renews it if necessary.

sudo nano /etc/crontab

0 2 * * * root certbot renew --deploy-hook "/etc/letsencrypt/renewal-hooks/deploy/deploy.sh"

If you did all the previous steps correctly, visiting the URL of your ONLYOFFICE server at https://office.example.com should redirect you to a welcome page which looks similar to this.

To integrate ONLYOFFICE with NextCloud, log in to NextCloud with an admin account and select the drop-down in the top-right corner > Apps. Then select the Office & text app category from the left sidebar. Install the ONLYOFFICE – ONLYOFFICE connector app and enable it.

Next, select the drop-down in the top-right corner > Settings. Then select ONLYOFFICE under Administration from the left sidebar. Enter the URL of your ONLYOFFICE server in “Document Editing Service address” and click “Save.” Enter the JWT_SECRET token specified when spinning up the ONLYOFFICE container in the “Secret key” textbox so NextCloud can prove to the ONLYOFFICE server it’s authorized to connect.
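How the shared secret does its job, both as JWT_SECRET on the container and as the “Secret key” entered here: the example below is added for illustration and is not code from the guide, NextCloud or ONLYOFFICE. It signs and verifies an HS256 JSON Web Token with nothing but openssl, so a token signed with a different secret, or a payload altered after signing, fails verification. The payload is a constructed sample; the claim that ONLYOFFICE verifies HS256 tokens by default is stated in the code as the assumption it relies on.

```shell
#!/bin/sh
# Added example, not part of the guide, NextCloud or ONLYOFFICE. Assumes ONLYOFFICE's
# default: each request carries a JSON Web Token signed with HMAC-SHA256 (HS256)
# using the shared JWT_SECRET, and unsigned or wrongly signed requests are refused.
# Needs only openssl and POSIX tools.

# base64url (RFC 7515): standard base64 with a URL-safe alphabet and no "=" padding
b64url() {
  openssl base64 -A | tr '+/' '-_' | tr -d '='
}

# A random value suitable for JWT_SECRET: 32 random bytes, hex-encoded (64 characters)
gen_secret() {
  openssl rand -hex 32
}

# HMAC-SHA256 of "$2" keyed with "$1", base64url-encoded
hs256() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" -binary | b64url
}

# Build a signed token header.payload.signature for a JSON payload string
jwt_sign() {
  secret="$1"; payload="$2"
  header=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
  body=$(printf '%s' "$payload" | b64url)
  printf '%s.%s.%s' "$header" "$body" "$(hs256 "$secret" "$header.$body")"
}

# Verify a token with our secret: recompute the signature and compare. 0 if valid.
jwt_verify() {
  secret="$1"; token="$2"
  header=${token%%.*}
  rest=${token#*.}
  body=${rest%%.*}
  sig=${rest#*.}
  [ -n "$sig" ] && [ "$sig" = "$(hs256 "$secret" "$header.$body")" ]
}

# Demonstration with a constructed secret and payload: run with "demo" as argument
if [ "${1:-}" = "demo" ]; then
  s=$(gen_secret)
  t=$(jwt_sign "$s" '{"iss":"nextcloud","exp":1700000000}')
  jwt_verify "$s" "$t" && echo "accepted: signed with the shared secret"
  jwt_verify "not-the-secret" "$t" || echo "rejected: signed with a different secret"
fi
```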

When opening files in NextCloud with the supported file extensions, the ONLYOFFICE word processor, spreadsheet, or presentation applications will automatically launch in-line (in the browser window).

Any NextCloud user can also launch ONLYOFFICE to create new documents, spreadsheets, and presentations by selecting the drop-down above the directory listing in their NextCloud dashboard.