Collabora CODE: Difference between versions

From Linux Server Wiki

Version of 23 January 2020 at 15:47

Example installation of Collabora CODE on a dedicated server/VM, reached through a proxy server located on your Nextcloud instance.
Nextcloud is therefore installed on a different server/VM.
Access to the Collabora instance goes through a proxy server running on the server/VM that hosts Nextcloud.

1 Installing and configuring Collabora CODE on the VM dedicated to Collabora

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0C54D189F4BA284D
echo 'deb https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-debian9 ./' >> /etc/apt/sources.list
aptitude update 
aptitude install loolwsd code-brand

Certificate generation (based on https://github.com/CollaboraOnline/Docker-CODE/blob/master/scripts/start-libreoffice.sh)

openssl genrsa -out /etc/loolwsd/root.key.pem 2048
openssl req -x509 -new -nodes -key /etc/loolwsd/root.key.pem -days 9131 -out /etc/loolwsd/ca-chain.cert.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=Dummy Authority"
openssl genrsa -out /etc/loolwsd/key.pem 2048
openssl req -key /etc/loolwsd/key.pem -new -sha256 -out /etc/loolwsd/localhost.csr.pem -subj "/C=DE/ST=BW/L=Stuttgart/O=Dummy Authority/CN=localhost"
openssl x509 -req -in /etc/loolwsd/localhost.csr.pem -CA /etc/loolwsd/ca-chain.cert.pem -CAkey /etc/loolwsd/root.key.pem -CAcreateserial -out /etc/loolwsd/cert.pem -days 9131

Securing the private key (make it readable by the lool group only)

chgrp lool /etc/loolwsd/key.pem
chmod g+r /etc/loolwsd/key.pem

Editing the configuration:

domain="nextcloud\\\.domain\\\.tld"
perl -pi -e "s/localhost<\/host>/${domain}<\/host>/g" /etc/loolwsd/loolwsd.xml
loolconfig set-admin-password

Note on loolwsd.xml:

  • All the IPs/hosts under storage/wopi can be removed except nextcloud\.domain\.tld
  • All the IPs under net/post_allow can be removed in favour of the proxy's IP address

Restart the service:

systemctl restart loolwsd
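The perl one-liner above only rewrites the localhost entry; the two allow-lists it leaves behind are the point of the note. The following script is an added example, not part of the wiki page or of CODE: it applies the same restriction to both lists (only the Nextcloud hostname under storage/wopi, only the proxy's IP under net/post_allow) and then audits each list by probing it with a few other hostnames and addresses, so you can confirm nothing broader than the intended peer is still accepted. The XML excerpt, the nextcloud.domain.tld hostname, the 192.0.2.10 proxy address and the probe values are constructed; the element paths follow the loolwsd.xml layout shipped with CODE, and treating each pattern as a full-string match is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of a stock loolwsd.xml, trimmed to the two allow-lists the note
# above talks about (entries are regular expressions, as in the real file).
SAMPLE_LOOLWSD_XML = """<config>
  <storage>
    <wopi desc="Allow/deny wopi storage." allow="true">
      <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
      <host desc="Regex pattern of hostname to allow or deny." allow="true">10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}</host>
      <host desc="Regex pattern of hostname to allow or deny." allow="true">192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}</host>
    </wopi>
  </storage>
  <net>
    <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
      <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}</host>
      <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3}</host>
    </post_allow>
  </net>
</config>
"""

# Constructed values, other than the legitimate peer, tried against the allow-lists.
PROBES = ["evil.example.net", "10.1.2.3", "192.168.5.6", "127.0.0.1"]


def restrict_allow_lists(xml_text, nextcloud_host, proxy_ip):
    """Keep only the Nextcloud hostname under storage/wopi and only the proxy's IP
    under net/post_allow. Both lists hold regexes, so the literal values are escaped
    (the same '\\.' form the perl one-liner produces)."""
    root = ET.fromstring(xml_text)
    targets = (("./storage/wopi", nextcloud_host), ("./net/post_allow", proxy_ip))
    for path, value in targets:
        parent = root.find(path)
        for host in list(parent.findall("host")):
            parent.remove(host)
        host = ET.SubElement(parent, "host",
                             {"desc": "Regex pattern of hostname to allow or deny.", "allow": "true"})
        host.text = re.escape(value)
    return ET.tostring(root, encoding="unicode")


def audit_allow_list(xml_text, path, legitimate):
    """Report whether the legitimate peer is accepted and which probe values are also
    accepted. loolwsd is modelled as matching each pattern against the whole
    hostname/IP (assumption of this example)."""
    root = ET.fromstring(xml_text)
    patterns = [h.text for h in root.find(path).findall("host")
                if h.get("allow", "true") == "true"]

    def accepted(value):
        return any(re.fullmatch(p, value) for p in patterns)

    return {
        "legitimate_allowed": accepted(legitimate),
        "unexpected": [p for p in PROBES if p != legitimate and accepted(p)],
    }


if __name__ == "__main__":
    # Constructed: the Nextcloud hostname and the address of the proxy on the Nextcloud server.
    hardened = restrict_allow_lists(SAMPLE_LOOLWSD_XML, "nextcloud.domain.tld", "192.0.2.10")
    for label, text in (("stock", SAMPLE_LOOLWSD_XML), ("restricted", hardened)):
        print(label, "wopi:", audit_allow_list(text, "./storage/wopi", "nextcloud.domain.tld"))
        print(label, "post_allow:", audit_allow_list(text, "./net/post_allow", "192.0.2.10"))
```

Against the stock excerpt the audit shows the private 10/8 and 192.168/16 ranges accepted as WOPI hosts even though Nextcloud itself is not, which is exactly what the note asks you to remove; after `restrict_allow_lists` only the intended peer passes. Run the audit against your real /etc/loolwsd/loolwsd.xml after editing and before restarting loolwsd.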

2 On the Nextcloud server

2.1 Apache proxy example

<VirtualHost *:443>
  ServerName collabora.example.com:443
  Options -Indexes

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /path/to/signed_certificate
  SSLCertificateChainFile /path/to/intermediate_certificate
  SSLCertificateKeyFile /path/to/private/key
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of Collabora Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

  # Capabilities
  ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>
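Two things in this vhost deserve a second look before it goes live. It turns off verification of the backend certificate (SSLProxyVerify None, SSLProxyCheckPeerCN Off), which is what the "unique non-signed certificate" comment refers to, yet the certificate generated in section 1 is signed by a CA you control, so the proxy could instead trust that CA file. It also proxies the admin console websocket (/lool/adminws) through the public virtual host. Note too that the ProxyPass targets point at 127.0.0.1:9980; with CODE on a separate VM as described at the top of the page, that address is the CODE VM's, not loopback on the Nextcloud server. The following lint is an added example, not part of the wiki page or of Apache: it parses the directives, lists the proxied routes and reports those two settings. The vhost text is a constructed excerpt of the one above; SSLProxyCACertificateFile and SSLProxyVerify require are standard mod_ssl directives.

```python
import re

# Constructed excerpt of the vhost above (the 127.0.0.1 target is kept as on the page).
SAMPLE_VHOST = """<VirtualHost *:443>
  ServerName collabora.example.com:443
  SSLEngine on
  AllowEncodedSlashes NoDecode
  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  ProxyPreserveHost On
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws
  ProxyPass           /lool https://127.0.0.1:9980/lool
</VirtualHost>
"""

MESSAGES = {
    "backend-cert-unverified": (
        "SSLProxyVerify None: any certificate presented by the backend is accepted; "
        "point SSLProxyCACertificateFile at the CA generated on the CODE VM "
        "(/etc/loolwsd/ca-chain.cert.pem) and set SSLProxyVerify require"),
    "admin-console-proxied": (
        "/lool/adminws is proxied through the public vhost: the admin console is "
        "reachable from the internet, protected only by the loolconfig password; "
        "restrict it with a <Location> block or drop the route if unused"),
    "encoded-slashes-not-allowed": (
        "AllowEncodedSlashes NoDecode is missing: WOPI URLs carry encoded slashes "
        "and will be rejected by Apache"),
}


def parse_directives(vhost_text):
    """Return (name, [args]) for every directive line, skipping comments, blank lines
    and the <VirtualHost> container tags. A quoted argument stays one token."""
    directives = []
    for line in vhost_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line)
        directives.append((tokens[0], [t.strip('"') for t in tokens[1:]]))
    return directives


def proxied_routes(directives):
    """Map each ProxyPass/ProxyPassMatch source path to its backend URL."""
    return {args[0]: args[1] for name, args in directives
            if name in ("ProxyPass", "ProxyPassMatch") and len(args) >= 2}


def review_proxy(vhost_text):
    """Return the list of finding codes (keys of MESSAGES) that apply to the vhost."""
    directives = parse_directives(vhost_text)
    ssl_proxy = {name: args[0] for name, args in directives
                 if args and name.startswith("SSLProxy")}
    findings = []
    # Apache's default for SSLProxyVerify is none, so a missing directive counts too.
    if (ssl_proxy.get("SSLProxyEngine", "Off").lower() == "on"
            and ssl_proxy.get("SSLProxyVerify", "none").lower() == "none"):
        findings.append("backend-cert-unverified")
    for path in proxied_routes(directives):
        if path.rstrip("/").endswith("/adminws"):
            findings.append("admin-console-proxied")
    if ("AllowEncodedSlashes", ["NoDecode"]) not in directives:
        findings.append("encoded-slashes-not-allowed")
    return findings


if __name__ == "__main__":
    for path, target in proxied_routes(parse_directives(SAMPLE_VHOST)).items():
        print(f"{path:25} -> {target}")
    for code in review_proxy(SAMPLE_VHOST):
        print("WARN", code + ":", MESSAGES[code])
```

Pinning the CA (SSLProxyVerify require plus SSLProxyCACertificateFile) clears the first finding; keep SSLProxyCheckPeerName Off unless the backend certificate is issued for the name used in the ProxyPass target, since the certificate from section 1 is issued for CN=localhost.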