« Collabora CODE » : différence entre les versions
Aller à la navigation
Aller à la recherche
Ligne 46 : | Ligne 46 : | ||
=Sur le serveur nextcloud= | =Sur le serveur nextcloud= | ||
==Exemple de proxy apache== | |||
<pre> | |||
<VirtualHost *:443> | |||
ServerName collabora.example.com:443 | |||
Options -Indexes | |||
# SSL configuration, you may want to take the easy route instead and use Lets Encrypt! | |||
SSLEngine on | |||
SSLCertificateFile /path/to/signed_certificate | |||
SSLCertificateChainFile /path/to/intermediate_certificate | |||
SSLCertificateKeyFile /path/to/private/key | |||
SSLProtocol all -SSLv2 -SSLv3 | |||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS | |||
SSLHonorCipherOrder on | |||
# Encoded slashes need to be allowed | |||
AllowEncodedSlashes NoDecode | |||
# Container uses a unique non-signed certificate | |||
SSLProxyEngine On | |||
SSLProxyVerify None | |||
SSLProxyCheckPeerCN Off | |||
SSLProxyCheckPeerName Off | |||
# keep the host | |||
ProxyPreserveHost On | |||
# static html, js, images, etc. served from loolwsd | |||
# loleaflet is the client part of Collabora Online | |||
ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0 | |||
ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet | |||
# WOPI discovery URL | |||
ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0 | |||
ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery | |||
# Capabilities | |||
ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0 | |||
ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities | |||
# Main websocket | |||
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon | |||
# Admin Console websocket | |||
ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws | |||
# Download as, Fullscreen presentation and Image upload operations | |||
ProxyPass /lool https://127.0.0.1:9980/lool | |||
ProxyPassReverse /lool https://127.0.0.1:9980/lool | |||
</VirtualHost> | |||
</pre> |
Version du 23 janvier 2020 à 15:47
Exemple d'installation de Collabora CODE sur un serveur/vm dédié, accessible derrière un serveur proxy situé sur votre instance nextcloud.
Nextcloud est donc installé sur un autre serveur/vm.
L'accès à l'instance Collabora se fera via un serveur proxy situé sur le serveur/vm hébergeant nextcloud.
Installation et configuration de Collabora CODE sur la VM dédié à Collabora
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0C54D189F4BA284D echo 'deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian9 ./' >> /etc/apt/sources.list aptitude update aptitude install loolwsd code-brand
Génération du certificat (basé sur https://github.com/CollaboraOnline/Docker-CODE/blob/master/scripts/start-libreoffice.sh)
openssl genrsa -out /etc/loolwsd/root.key.pem 2048 openssl req -x509 -new -nodes -key /etc/loolwsd/root.key.pem -days 9131 -out /etc/loolwsd/ca-chain.cert.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority" openssl genrsa -out /etc/loolwsd/key.pem 2048 -key /etc/loolwsd/key.pem openssl req -key /etc/loolwsd/key.pem -new -sha256 -out /etc/loolwsd/localhost.csr.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost" openssl x509 -req -in /etc/loolwsd/localhost.csr.pem -CA /etc/loolwsd/ca-chain.cert.pem -CAkey /etc/loolwsd/root.key.pem -CAcreateserial -out /etc/loolwsd/cert.pem -days 9131
Sécurisation du certificat
chgrp lool /etc/loolwsd/key.pem chmod g+r /etc/loolwsd/key.pem
Modification de la configuration :
domain="nextcloud\\\.domain\\\.tld" perl -pi -e "s/localhost<\/host>/${domain}<\/host>/g" /etc/loolwsd/loolwsd.xml
loolconfig set-admin-password
Note sur loolwsd.xml :
- Les IP/hosts dans storage/wopi peuvent toutes êtres supprimées sauf nextcloud\.domain\.tld
- Les IPs dans net/post_allow peuvent toutes êtres supprimées au profit de l'adresse IP du proxy
Relancez le service :
systemctl restart loolwsd
Sur le serveur nextcloud
Exemple de proxy apache
<VirtualHost *:443> ServerName collabora.example.com:443 Options -Indexes # SSL configuration, you may want to take the easy route instead and use Lets Encrypt! SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on # Encoded slashes need to be allowed AllowEncodedSlashes NoDecode # Container uses a unique non-signed certificate SSLProxyEngine On SSLProxyVerify None SSLProxyCheckPeerCN Off SSLProxyCheckPeerName Off # keep the host ProxyPreserveHost On # static html, js, images, etc. served from loolwsd # loleaflet is the client part of Collabora Online ProxyPass /loleaflet https://127.0.0.1:9980/loleaflet retry=0 ProxyPassReverse /loleaflet https://127.0.0.1:9980/loleaflet # WOPI discovery URL ProxyPass /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0 ProxyPassReverse /hosting/discovery https://127.0.0.1:9980/hosting/discovery # Capabilities ProxyPass /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0 ProxyPassReverse /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities # Main websocket ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon # Admin Console websocket ProxyPass /lool/adminws wss://127.0.0.1:9980/lool/adminws # Download as, Fullscreen presentation and Image upload operations ProxyPass /lool https://127.0.0.1:9980/lool ProxyPassReverse /lool https://127.0.0.1:9980/lool </VirtualHost>