[GH-ISSUE #350] How to secure my Document Server? #179

Closed
opened 2026-02-26 10:30:37 +03:00 by kerem · 25 comments

Originally created by @PrzemekSkw on GitHub (Apr 1, 2021).
Original GitHub issue: https://github.com/ONLYOFFICE/Docker-DocumentServer/issues/350

**Host Operating System:**
Debian 10 VPS.

I installed Document Server on my Debian 10 VPS and it works with the Nextcloud server I have on my home PC (external IP). It works on https://mydomain.ddns.net:444 and I want to know: do I have to secure it? I can access it from the web, so I think it's not secure. If someone knows my domain name and port, could they do any harm?

I read an [article](https://www.howtoforge.com/tutorial/how-to-restrict-access-to-the-onlyoffice-editors-to-the-users-of-your-nextcloud-instance/) about securing ONLYOFFICE and put a password in the default.json file. I `cat` that file with the `docker exec b8f278d4a031 cat /etc/onlyoffice/documentserver/default.json` command, but when I try to edit it with nano I get an error:
`Error opening terminal: unknown.`
There's also some different syntax in that file:

```
"ipfilter": {
        "rules": [{"address": "*", "allowed": true}],
        "useforrequest": false,
        "errorcode": 403
},
"secret": {
        "browser": {"string": "secret", "file": "", "tenants": {}},
        "inbox": {"string": "secret", "file": "", "tenants": {}},
        "outbox": {"string": "secret", "file": ""},
        "session": {"string": "secret", "file": ""}
},
"token": {
        "enable": {
                "browser": false,
                "request": {
                        "inbox": false,
                        "outbox": false
```

Do I need to secure it? What is the best method and how do I do it?

Regards,
Przemek

kerem closed this issue 2026-02-26 10:30:37 +03:00

@ShockwaveNN commented on GitHub (Apr 1, 2021):

Since you're using Docker, it's simple to set up JWT using the JWT env var, as described [here](https://github.com/ONLYOFFICE/Docker-DocumentServer#available-configuration-parameters).

So run the DocumentServer container something like this:

```
docker run -i -t -d -p 80:80 -p 443:443 --name DocumentServer \
 --restart=always \
 -e JWT_ENABLED=true \
 -e JWT_SECRET=my_key \
 -e JWT_HEADER=AuthorizationJwt \
 onlyoffice/documentserver
```

@PrzemekSkw commented on GitHub (Apr 1, 2021):

Hi @ShockwaveNN, thanks for the answer. I don't know Docker, so sorry for my question, but do I have to install a new Docker instance? I have configured my Docker with port 444 and SSL certificates from Let's Encrypt.
Regards.


@ShockwaveNN commented on GitHub (Apr 2, 2021):

I think it's better to stop your current docker container and recreate a new one


@PrzemekSkw commented on GitHub (Apr 14, 2021):

> I think it's better to stop your current docker container and recreate new one

Hi, sorry for my late response. Can you tell me, can I do it like this?

Stop the current docker container and remove it.
Then:

```
sudo docker run -i -t -d -p 444:443 --restart=always \
> -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver
 -e JWT_ENABLED=true \
 -e JWT_SECRET=my_key \
 -e JWT_HEADER=AuthorizationJwt \
 onlyoffice/documentserver
```

I have SSL certificates in the `/app/onlyoffice/DocumentServer/data/certs` folder. Do I have to copy them again after the new docker run?
Regards.


@ShockwaveNN commented on GitHub (Apr 14, 2021):

> Do I have to copy them again after new docker run?

No, they are mounted by the `-v` option


@PrzemekSkw commented on GitHub (Apr 14, 2021):

Thanks, can you also tell me, do I have to put my password here: `my_key` and something here: `AuthorizationJwt`?
regards.


@ShockwaveNN commented on GitHub (Apr 14, 2021):

You don't have to change the header if you don't need to, and yes, `my_key` you should change, but it's not a password like you said, it's a JWT secret - I think you'd better read about how JWT works in general (not related to DocumentServer) to fully understand why you should enable it


@PrzemekSkw commented on GitHub (Apr 15, 2021):

@ShockwaveNN I'm a total noob; I read many articles from Google about JWT and completely don't understand this. I don't know if I have to generate that `my_key` or invent it myself.
Regards.


@ShockwaveNN commented on GitHub (Apr 15, 2021):

`my_key` should be generated by yourself. It may be just the word `secret`, and this will be bad, since this is an easy word, but something more complicated will do


@PrzemekSkw commented on GitHub (Apr 15, 2021):

I try that way and I don't think it's working:

```
sudo docker run -i -t -d -p 444:443 --restart=always \
> -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver \
> -e JWT_ENABLED=true \
> -e JWT_SECRET=my_secret_token \
> -e JWT_HEADER=AuthorizationJwt \
> onlyoffice/documentserver

783cf80786c98eadf03bcae83f6b119178d79b936cd747f5685b7ef
```

I see the ONLYOFFICE server website in the browser like before, but it doesn't ask for any password.

Regards.


@ShockwaveNN commented on GitHub (Apr 15, 2021):

> I see onlyoffice server website in browser like before but it don't ask for any password.

This will not hide the ONLYOFFICE server website from the web; it disallows integration of your editor in someone's DMS

> onlyoffice server website

Do you mean the /welcome page, or the /example page (if you've enabled it)?


@PrzemekSkw commented on GitHub (Apr 15, 2021):

> This will not hide onlyoffice server website from web, this disallow integration your editor in someone's DMS

But when I open Nextcloud now I can edit my documents with that server. I don't have to enter my password there. So anyone who knows my server's name `https://myserver.ddns.net:444` can use it, I think.
What is DMS?

> Do you mean /welcome page? or /example page (if you're enabled it)?

Yes, I mean the welcome page.

Can you tell me, do I have to edit that `local.json` file like in that [documentation](https://api.onlyoffice.com/editors/signature/?fbclid=IwAR3kpeZYfY9PmRIgGNIqZuYUvhRPshWrZ7O0OYQIURIwkBJZAbpxiFl1LJs)?

Regards.


@ShockwaveNN commented on GitHub (Apr 15, 2021):

> But when I open nextcloud now I can edit my documents with that server.

Are you saying that you enabled JWT on the DocumentServer side, didn't enable JWT on Nextcloud, and are still able to edit documents?

> What is DMS?

Document Management System, Nextcloud in your case

> Yes, I mean welcome page.

The welcome page will still be available. If you want to hide it, you should configure nginx somehow; I never tried to do it. But I'm not sure how a public welcome page is dangerous


@PrzemekSkw commented on GitHub (Apr 15, 2021):

Yes, I can edit office documents in Nextcloud. I didn't change anything in the Nextcloud settings. The Secret field is empty in Nextcloud > Onlyoffice Settings.

Regards.


@ShockwaveNN commented on GitHub (Apr 15, 2021):

Are you sure that only one documentserver container is running and that you've enabled JWT for it?
And that you got your secret keys in `/etc/onlyoffice/documentserver/local.json` in the container?


@PrzemekSkw commented on GitHub (Apr 15, 2021):

I stopped and removed the old DocumentServer container and ran only one, like I mentioned above. I have everything the same in the local.json file. I think it's not enabled.
Regards


@ShockwaveNN commented on GitHub (Apr 16, 2021):

> I have everything the same in local.json file

Could you be more detailed in your statements?

Does "the same" mean you didn't get your secrets in the `/etc/onlyoffice/documentserver/local.json` file?


@PrzemekSkw commented on GitHub (Apr 16, 2021):

@ShockwaveNN Hi, sorry for that, I answer from smartphone.

`$ docker exec 783cf80786c9 cat /etc/onlyoffice/documentserver/local.json`

```
{
  "services": {
    "CoAuthoring": {
      "sql": {
        "type": "postgres",
        "dbHost": "localhost",
        "dbPort": "5432",
        "dbName": "onlyoffice",
        "dbUser": "onlyoffice",
        "dbPass": "onlyoffice"
      },
      "token": {
        "enable": {
          "request": {
            "inbox": false,
            "outbox": false
          },
          "browser": false
        },
        "inbox": {
          "header": "Authorization"
        },
        "outbox": {
          "header": "Authorization"
        }
      },
      "secret": {
        "inbox": {
          "string": "secret"
        },
        "outbox": {
          "string": "secret"
        },
        "session": {
          "string": "secret"
        }
      }
    }
  },
  "rabbitmq": {
    "url": "amqp://guest:guest@localhost"
  }
}
```

Regards.


@ShockwaveNN commented on GitHub (Apr 16, 2021):

This part is 100% incorrect

```
"enable": {
          "request": {
            "inbox": false,
            "outbox": false
          },
          "browser": false
        },
```

I think I got it

You said you ran

```
sudo docker run -i -t -d -p 444:443 --restart=always \
 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data onlyoffice/documentserver \
 -e JWT_ENABLED=true \
 -e JWT_SECRET=my_secret_token \
 -e JWT_HEADER=AuthorizationJwt \
 onlyoffice/documentserver
```

This is incorrect, you have the container name two times, on the second row and on the last

Try this:

```
docker run -i -t -d -p 443:443 --name DocumentServer \
 --restart=always \
 -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
 -e JWT_ENABLED=true \
 -e JWT_SECRET=my_secret_token \
 -e JWT_HEADER=AuthorizationJwt \
 onlyoffice/documentserver
```
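
A check for the symptom diagnosed above, as an added example that is not part of the original thread and not ONLYOFFICE code: it takes the text printed by `docker exec <container> cat /etc/onlyoffice/documentserver/local.json` and reports whether the JWT flags and secrets are still at the values shown in the thread. The function names and both samples are constructed for illustration; the "after" sample is an assumed shape for a container that actually received the `-e JWT_*` variables.

```python
import json

# Constructed sample: the JWT-related part of the local.json posted in the
# thread, before JWT was enabled (sql and rabbitmq sections left out).
BEFORE = """
{"services": {"CoAuthoring": {
  "token": {
    "enable": {"request": {"inbox": false, "outbox": false}, "browser": false},
    "inbox": {"header": "Authorization"},
    "outbox": {"header": "Authorization"}
  },
  "secret": {
    "inbox": {"string": "secret"},
    "outbox": {"string": "secret"},
    "session": {"string": "secret"}
  }
}}}
"""

# Constructed sample (assumed shape): the same file once the JWT_* variables
# from the corrected command have been applied. The secret is the thread's
# placeholder value, not a recommendation.
AFTER = (BEFORE.replace("false", "true")
               .replace('"string": "secret"', '"string": "my_secret_token"')
               .replace('"Authorization"', '"AuthorizationJwt"'))

SECRET_SECTIONS = ("inbox", "outbox", "session")


def audit_jwt_config(text, default_secret="secret"):
    """Return a list of findings; an empty list means JWT looks enforced."""
    coauth = json.loads(text).get("services", {}).get("CoAuthoring", {})
    enable = coauth.get("token", {}).get("enable", {})
    request = enable.get("request", {})
    flags = {
        "token.enable.browser": enable.get("browser"),
        "token.enable.request.inbox": request.get("inbox"),
        "token.enable.request.outbox": request.get("outbox"),
    }
    findings = []
    for name, value in flags.items():
        if value is not True:
            findings.append(f"{name} is {value!r}: JWT is not enforced there")
    for section in SECRET_SECTIONS:
        value = coauth.get("secret", {}).get(section, {}).get("string")
        if not value or value == default_secret:
            findings.append(f"secret.{section}.string is missing or the default")
    return findings


def jwt_headers(text):
    """Header names the server uses, to compare with the DMS connector settings."""
    coauth = json.loads(text).get("services", {}).get("CoAuthoring", {})
    token = coauth.get("token", {})
    return {side: token.get(side, {}).get("header") for side in ("inbox", "outbox")}


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_jwt_config(sample) or "ok", jwt_headers(sample))
```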

@PrzemekSkw commented on GitHub (Apr 16, 2021):

Thanks, it helps, I see my secret now in local.json but Nextcloud shows error: invalid token.


@ShockwaveNN commented on GitHub (Apr 16, 2021):

> Nextcloud shows error: invalid token.

Yeah, this is correct since we enabled JWT and your server now cannot be used without the secret

You should configure it in the Nextcloud ONLYOFFICE extension settings, but I cannot help you here, I'm no good with Nextcloud. I think it's somewhere in the documentation (and maybe JWT_HEADER should be the default; I usually use AuthorizationJwt in my configs, but I'm not sure that Nextcloud supports it)
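
Why a DMS without the matching secret or header name gets "invalid token", as an added example that is not part of the original thread and is neither ONLYOFFICE's nor Nextcloud's code: a minimal HS256 JWT sign-and-verify pair using the header name, `Bearer ` prefix and 60-second clock tolerance that appear in this thread. The function names, payload fields and secret values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """DMS side: sign a payload with the shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + b64url(mac.digest())


def verify_hs256(token: str, secret: str, now=None, clock_tolerance=60) -> dict:
    """Server side: return the payload or raise ValueError("invalid token")."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("invalid token") from None
    # Pin the algorithm: the token must not choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("invalid token")
    if not isinstance(payload, dict):
        raise ValueError("invalid token")
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("invalid token")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is not None:
        if not isinstance(exp, (int, float)) or now > exp + clock_tolerance:
            raise ValueError("invalid token")
    return payload


def check_request(headers, secret, header_name="Authorization",
                  prefix="Bearer ", now=None):
    """True only if the configured header carries a token signed with secret."""
    value = headers.get(header_name, "")
    if not value.startswith(prefix):
        return False
    try:
        verify_hs256(value[len(prefix):], secret, now=now)
    except ValueError:
        return False
    return True
```

Both sides must agree on the secret and on the header name, which is why changing `JWT_HEADER` on the server without changing it in the connector fails the same way as a wrong secret.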


@PrzemekSkw commented on GitHub (Apr 16, 2021):

I found a similar issue on the Nextcloud forum and they say to change also in `default.json`:

```
"secret": {
        "browser": {"string": "secret", "file": "", "tenants": {}},
        "inbox": {"string": "secret", "file": "", "tenants": {}},
        "outbox": {"string": "secret", "file": ""},
        "session": {"string": "secret", "file": ""}
},
"token": {
        "enable": {
                "browser": false,
                "request": {
                        "inbox": false,
                        "outbox": false
                }
        },
        "browser": {
                "secretFromInbox": true
        },
        "inbox": {
                "header": "Authorization",
                "prefix": "Bearer ",
                "inBody": false
        },
        "outbox": {
                "header": "Authorization",
                "prefix": "Bearer ",
                "algorithm": "HS256",
                "expires": "5m",
                "inBody": false,
                "urlExclusionRegex": ""
        },
        "session": {
                "algorithm": "HS256",
                "expires": "30d"
        },
        "verifyOptions": {
                "clockTolerance": 60
        }
},
```

those lines and enter my secret key there.
Can you tell me how I can edit that file?

Regards.


@ShockwaveNN commented on GitHub (Apr 16, 2021):

> I find similar issue on nextcloud forum and they say to change also in default.json:

As far as I'm aware, to correctly enable JWT on the DocumentServer side you don't need to edit `default.json`


@PrzemekSkw commented on GitHub (Apr 16, 2021):

OK, thank You very much for help. I will ask for help on Nextcloud forum.
Regards.


@ShockwaveNN commented on GitHub (Apr 16, 2021):

@PrzemekSkw I will close this issue, since actually there is no issue at all
But for general support better use forums or our support
