ONLYOFFICE / docker-onlyoffice-nextcloud



Permission denied nginx and unknown error on nextcloud

julyusito opened this issue · comments

Hi,

I've installed the latest versions of Nextcloud and ONLYOFFICE in Docker with this setup:

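version: '3'

services:

  db:
    image: mariadb
    hostname: nc_db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    # Database settings (presumably the credentials) come from this env file.
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-db.env
    networks:
      - internal
    # deploy.* is honoured by swarm/stack deployments; plain docker-compose
    # ignores most of it, which is why "restart:" is also set below.
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2048M
      restart_policy:
        condition: on-failure
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/var/lib/mysql:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

  db_backup:
    image: mariadb
    hostname: nc_db_backup
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-db-backup.env
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
      restart_policy:
        condition: on-failure
    depends_on:
      - db
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/database-dump:/dump
      - /etc/localtime:/etc/localtime:ro
    # Dumps every database into /dump in a loop; after each dump the newest
    # BACKUP_NUM_KEEP archives are kept and the rest removed ("xargs -r" skips
    # rm when there is nothing to delete). "$$" is the compose escape for a
    # literal "$". The script is wrapped in bash -c '...', so it must not
    # contain a single quote.
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        mysqldump -h db --all-databases | gzip -c > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz
        (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs -r rm --
        sleep $$BACKUP_FREQUENCY
      done
      EOF'
    networks:
      - internal

  redis:
    image: redis:alpine
    hostname: nc_redis
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
      restart_policy:
        condition: on-failure
    networks:
      - internal
    volumes:
      # NOTE(review): this host path lives under the nextcloud-db tree; confirm
      # it is intended as the redis data directory.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/data:/data
      - /etc/localtime:/etc/localtime:ro

  apps:
    image: nextcloud:latest
    hostname: nextcloud
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-apps.env
    networks:
      - internal
      - container_external
    deploy:
      resources:
        limits:
          cpus: '4.0'
          memory: 8192M
      update_config:
        delay: 10s
      restart_policy:
        condition: on-failure
      labels:
        - haproxy.frontend.rule=Host:cloud.XXXX.com.co
        - haproxy.docker.network=container_external
        - haproxy.port=80
    ports:
      # Quoted so the host:port:port mapping is always read as a string.
      - 'IP_HOST_DOCKER:10105:80'
    depends_on:
      - db
      - db_backup
      - redis
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html:/var/www/html
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/config:/var/www/html/config
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/custom_apps:/var/www/html/custom_apps
      - /PATH_TO_DOCKER_VOLUMES/NCData/cloud:/var/www/html/data
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/themes:/var/www/html/themes
      # The same wildcard certificate/key pair is also mounted into the
      # documentserver service. Mounted read-only: the web server only reads
      # them, and a writable mount would let the container alter key material.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.all.pem:/etc/ssl/certs/ssl-cert-snakeoil.pem:ro
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.key:/etc/ssl/private/ssl-cert-snakeoil.key:ro
      - /etc/localtime:/etc/localtime:ro
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/etc/apache2/mods-enabled/mpm_prefork.conf:/etc/apache2/mods-enabled/mpm_prefork.conf
    restart: unless-stopped

  cron:
    image: nextcloud:latest
    hostname: nc_cron
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 256M
      update_config:
        delay: 15s
      restart_policy:
        condition: on-failure
    depends_on:
      - apps
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html:/var/www/html
      - /PATH_TO_DOCKER_VOLUMES/NCData/cloud:/var/www/html/data
    # Runs as www-data rather than root.
    user: www-data
    networks:
      - internal
    # Waits until the Nextcloud install has written config.php, then runs
    # cron.php every 5 minutes.
    entrypoint: |
      bash -c 'bash -s <<EOF
        trap "break;exit" SIGHUP SIGINT SIGTERM
        while [ ! -f /var/www/html/config/config.php ]; do
          sleep 1
        done
        while true; do
          php -f /var/www/html/cron.php
          sleep 5m
        done
      EOF'

  documentserver:
    image: onlyoffice/documentserver:latest
    hostname: nc_onlyoffice
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice.env
    networks:
      - container_external
    deploy:
      resources:
        limits:
          cpus: '4.0'
          memory: 4096M
      update_config:
        delay: 15s
      restart_policy:
        condition: on-failure
    ports:
      - 'IP_HOST_DOCKER:10106:80'
      - 'IP_HOST_DOCKER:10107:443'
    depends_on:
      - apps
    volumes:
      # Bind mounts on the host (a NAS). The nginx worker inside the container
      # needs read access along the whole path under App_Data/cache/files on
      # the first mount, otherwise downloads of cached/converted files fail
      # with "Permission denied".
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/onlyoffice:/var/lib/onlyoffice
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data:/var/www/onlyoffice/Data
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/log/onlyoffice:/var/log/onlyoffice
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/redis:/var/lib/redis
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/postgresql:/var/lib/postgresql
      # Certificate and key overlaid on the Data mount above.
      # NOTE(review): both are writable (rw); the service should only need to
      # read them — switch to :ro once confirmed the image entrypoint does not
      # need to modify them.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.crt:/var/www/onlyoffice/Data/certs/tls.crt:rw
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.key:/var/www/onlyoffice/Data/certs/tls.key:rw
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

networks:
  container_external:
    external: true
  internal:
    driver: bridge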

I'm not running any other script, just the docker setup, because it's on a NAS system

This is my setup on nextcloud:
Captura de pantalla 2021-05-19 a la(s) 5 58 37 a  m

All of this is behind a proxy (HAProxy):

# HAProxy backend for the ONLYOFFICE document server: TLS is terminated at the
# proxy and re-encrypted towards the container's 443 port (host port 10107).
backend documentserver.XXXX.com.co_ipvANY
	mode			http
	id			113
	log			global
	timeout connect		30000
	# 2 h server timeout, presumably sized for long-lived editing sessions.
	timeout server		7200000
	retries			3
	# Transparent proxying: connections to the backend use the client's source IP.
	source ipv4@ usesrc clientip
	acl			existing-x-forwarded-host	req.hdr(X-Forwarded-Host) -m found
	acl			existing-x-forwarded-proto 	req.hdr(X-Forwarded-Proto) -m found
	# X-Forwarded-* are only added when absent, so a value already present in
	# the incoming request is passed through unchanged.
	# NOTE(review): on an internet-facing frontend that lets a client supply
	# its own X-Forwarded-Host/Proto; "http-request set-header" would overwrite
	# them instead.
	http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host 
	http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto 
	# NOTE(review): "verify none" skips validation of the backend certificate,
	# so the proxy-to-container hop is encrypted but not authenticated. Fine
	# for troubleshooting; otherwise use "verify required" with "ca-file".
	server			documentserver IP_HOST_DOCKER:10107 id 101 ssl  verify none 

Everything saves fine on Nextcloud and there is no error in the logs, but when I open a file from Nextcloud, it throws the "Unknown error"
Captura de pantalla 2021-05-19 a la(s) 6 06 09 a  m

All healthchecks pass with a "true" result

The ONLYOFFICE /var/log/onlyoffice/documentserver/nginx.error.log shows this: Permission denied
2021/05/19 05:37:19 [error] 13024#13024: *21 open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/409621677/Editor.bin" failed (13: Permission denied), client: 192.168.16.1, server: , request: "GET /cache/files/409621677/Editor.bin/Editor.bin?md5=OMlXJtxJY4iPP0pXiy64sQ&expires=1624012640&disposition=attachment&filename=Editor.bin HTTP/1.1", host: "documentserver.XXXX.com.co", referrer: "https://documentserver.XXXX.com.co/6.2.2-21/web-apps/apps/documenteditor/main/index_loader.html?_dc=6.2.2-21&lang=es&customer=ONLYOFFICE&frameEditorId=iframeEditor&compact=true&parentOrigin=https://XXXX.XXXX.com.co"

If I use this setup on nextcloud:
Captura de pantalla 2021-05-19 a la(s) 6 15 56 a  m

There is an error on Nextcloud: Forbidden
Captura de pantalla 2021-05-19 a la(s) 6 20 29 a  m

Please help!

Hi @julyusito, try granting full rights on the files in the /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/onlyoffice directory. It looks like the Nginx process doesn't have enough permissions for the files in /var/lib/onlyoffice/documentserver/App_Data/cache/files.
In the second case, the root of the problem is JWT mismatch.

Hi @agolybev,

Thanks for the answer.

I granted full rights on the /var/lib/onlyoffice directory inside the container:
chmod 777 /var/lib/onlyoffice/* -R

Same results

In the second case I checked the JWT; here are the JSON config and the Nextcloud config:

      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        },
        "outbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        }
      },
      "secret": {
        "inbox": {
          "string": "secret"
        },
        "outbox": {
          "string": "secret"
        },
        "session": {
          "string": "secret"
        }
      }

and the nextcloud conf:

  // ONLYOFFICE connector settings (fragment of the Nextcloud config array).
  'onlyoffice' => array(
    // Turns off TLS certificate verification for Nextcloud's calls to the
    // document server. This hides certificate problems rather than fixing
    // them and removes the check that the peer really is the document
    // server, so it is only appropriate as a temporary troubleshooting step.
    'verify_peer_off' => true,
    // Header name and shared secret must equal "inbox"/"outbox" "header" and
    // "secret.*.string" in the document server JSON config shown above.
    'jwt_header' => "AuthorizationJwt",
    'jwt_secret' => "secret",
  ),

Hello @agolybev,

I disabled JWT in the ONLYOFFICE config:

      "token": {
        "enable": {
          "request": {
            "inbox": false,
            "outbox": false
          },
          "browser": false
        },
        "inbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        },
        "outbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        }
      },
      "secret": {
        "inbox": {
          "string": "secret"
        },
        "outbox": {
          "string": "secret"
        },
        "session": {
          "string": "secret"
        }
      }

And nextcloud config:

  // ONLYOFFICE connector settings with JWT disabled on both sides.
  'onlyoffice' => array(
    // Certificate verification off (troubleshooting only): TLS errors towards
    // the document server are hidden, not fixed — re-enable once it works.
    'verify_peer_off' => true,
  ),

I even changed the default.json like this:

"ipfilter": {
                                "rules": [{"address": "*", "allowed": true}],
                                "useforrequest": true,
                                "errorcode": 403
                        },

The Forbidden error persists

Hello @agolybev

I've installed from scratch and disabled everything related to JWT access

This is my setup:
Internet - HAProxy (https) --> nextcloud (http)
Internet - HAProxy (https) --> onlyoffice (http)

nextcloud and onlyoffice are in the same network and can talk between them
nextcloud(container_external) <---> onlyoffice(container_external)

Captura de pantalla 2021-05-26 a la(s) 11 36 27 a  m

nextcloud config.php:
// Fragment of config.php: Host header values Nextcloud accepts.
'trusted_domains' =>
array (
0 => 'cloud.XXXX.com.co',
1 => 'documentserver.XXXX.com.co',
2 => 'documentserver',
3 => 'nextcloud.XXXX.com.co',
)
// NOTE(review): as pasted, the comma after the closing ")" is missing.
// Public URL, host and scheme are forced because Nextcloud sits behind
// HAProxy (https on the proxy, http inside).
'overwrite.cli.url' => 'https://cloud.XXXX.com.co',
'overwritehost' => 'cloud.XXXX.com.co',
'overwriteprotocol' => 'https',

Same error:
Captura de pantalla 2021-05-26 a la(s) 11 30 11 a  m

Hi everyone,

I set debug mode in nginx and I see that the path for cache files does not match any regex expression set in the /etc/nginx/includes/ds-docservice.conf file:

docker logs office_onlyoffice_1 | grep -e error -e notice

2021/05/26 12:37:06 [notice] 5963#5963: *1 "^/$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *1 "^\/OfficeWeb(\/apps\/.*)$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *1 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [debug] 5963#5963: *1 uploadprogress error-tracker error: 0
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^/$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^\/OfficeWeb(\/apps\/.*)$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [debug] 5963#5963: *3 uploadprogress error-tracker error: 0
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^/$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^\/OfficeWeb(\/apps\/.*)$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [debug] 5963#5963: *5 uploadprogress error-tracker error: 0
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^/$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^\/OfficeWeb(\/apps\/.*)$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [error] 5963#5963: *7 open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_417210437_docx/output.docx" failed (13: Permission denied), client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [debug] 5963#5963: *7 uploadprogress error-tracker error: 403
2021/05/26 12:37:07 [debug] 5963#5963: *7 uploadprogress error-tracker not tracking in this location

This is the content of /etc/nginx/includes/ds-docservice.conf file:

# /etc/nginx/includes/ds-docservice.conf — request routing for the ONLYOFFICE
# document service: static web-apps are served from disk, cached/converted
# files from App_Data, everything else is proxied to the "docservice" upstream.

# welcome page
rewrite ^/$ $the_scheme://$the_host/welcome/ redirect;

# support old version
rewrite ^\/OfficeWeb(\/apps\/.*)$ $the_scheme://$the_host/6.2.2-21/web-apps$1 redirect;

# script caching protection
# (with debug logging nginx prints a "does not match" notice for every request
# these three rewrites do not apply to; those notices are expected, not errors)
rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ $the_scheme://$the_host/6.2.2-21$1 redirect;

# disable caching for api.js
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$ {
  expires -1;
  gzip_static on;
  alias  /var/www/onlyoffice/documentserver/$2;
}

# suppress logging the unsupported locale error in web-apps
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$ {
  expires 365d;
  error_log /dev/null crit;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

# suppress logging the unsupported locale error in plugins
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$ {
  expires 365d;
  error_log /dev/null crit;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

# static editor assets, with or without a version prefix in the path
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$ {
  expires 365d;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

# Downloads of cached and converted files (the "Permission denied" errors in
# this issue come from here). $1 is the request path up to its last segment,
# $2 the trailing segment, which is only the download filename; the file that
# is actually opened is App_Data$1, e.g. .../cache/files/409621677/Editor.bin.
# The nginx worker user therefore needs read access along that whole path on
# the mounted volume.
location ~* ^(\/cache\/files.*)(\/.*) {
  alias /var/lib/onlyoffice/documentserver/App_Data$1;
  add_header Content-Disposition "$arg_disposition; filename*=UTF-8''$arg_filename";

  # Signed, expiring links: "md5" and "expires" from the query string are
  # checked against this shared secret, which must be the same value the
  # document service uses when it signs the links. It looks like the stock
  # value from the image template; use a site-specific secret in production.
  set $secret_string verysecretstring;
  secure_link $arg_md5,$arg_expires;
  secure_link_md5 "$secure_link_expires$uri$secret_string";

  # empty: signature does not match -> 403
  if ($secure_link = "") {
    return 403;
  }

  # "0": signature valid but the link has expired -> 410
  if ($secure_link = "0") {
    return 410;
  }
}

# Allow internal service only from 127.0.0.1 (i.e. from inside the container);
# every other source is denied.
location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info|internal)(\/.*)$ {
  allow 127.0.0.1;
  deny all;
  proxy_pass http://docservice/$2$3;
}

# everything else goes to the document service
location / {
  proxy_pass http://docservice;
}

# editor document endpoints, version prefix stripped, HTTP/1.1 for upgrades
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*) {
  proxy_pass http://docservice$2;
  proxy_http_version 1.1;
}

# version-prefixed requests mapped onto the upstream root
location /6.2.2-21/ {
  proxy_pass http://docservice/;
}

The full nginx error log output is here:

full_log_nginx_error.zip


did you manage to fix this?