Securing connections to Nextcloud and ONLYOFFICE

One of the most basic tasks we will have to perform is securing access to Nextcloud and ONLYOFFICE, especially if we plan to work over the Internet. So, in this document we'll look at how to replace unencrypted HTTP traffic with HTTPS: first the configuration for Nextcloud, and then the one for ONLYOFFICE.

Enabling secure access to Nextcloud,

If we want users to access Nextcloud securely, we will have to install a certificate on the Apache server that hosts our Nextcloud. I assume we already have an FQDN in mind for this service, so the certificate must be valid for that domain name (or we use a wildcard certificate and that's it!). In my scenario I will use the name data.openservices.eus to refer to the Nextcloud server, and obviously I will create the corresponding DNS entry in both the public and the private zone.

Before we begin, what do we need? The certificates! We must present them in the right format: we need the certificate itself, its private key and the CA certificate chain. To keep it simple, let's assume I have a PFX file generated on another server (IIS on Windows, for example); we copy it to the server with SCP, and in addition we have to find or build a file with the chain of certificates of the issuing CAs, which our certificate provider will usually have sent us at the time 😉

To split the PFX file and obtain the public certificate on the one hand and the private key on the other, we can use the following commands:

[SourceCode]# Public certificate only (no private key), in PEM format
openssl pkcs12 -in Wildcard_Open_Services.pfx -clcerts -nokeys -out wildcard_open_services.cer
# Private key only; -nodes writes it unencrypted, so keep the file readable by root alone
openssl pkcs12 -in Wildcard_Open_Services.pfx -nocerts -nodes -out wildcard_open_services.key[/SourceCode]
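As an added example (not code from the original post), here is the same extraction as a small shell script that also locks down the key file and checks two things before we touch Apache: that the private key really belongs to the certificate, and that the certificate covers the name we are going to serve, data.openservices.eus. The PFX, its password (demo) and the wildcard certificate inside it are constructed here with openssl as throwaway test material standing in for the file exported from IIS; the output file names follow the ones used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Extracts the certificate and the
# private key from a PFX, restricts the key's permissions and verifies that key and
# certificate belong together and that the certificate is valid for our hostname.
set -eu

# Split a PFX into a PEM certificate and an unencrypted PEM private key.
# $1 = PFX file, $2 = PFX password, $3 = output base name (.cer and .key are appended)
extract_pfx() {
  local pfx="$1" pass="$2" base="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$base.cer"
  # -nodes writes the key without a passphrase, so create it readable by its owner only
  (umask 077 && openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$base.key")
}

# SHA-256 over the SubjectPublicKeyInfo taken from a certificate / from a private key
pubkey_hash_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pubkey_hash_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }

# Succeeds only when the private key matches the certificate (a mismatch makes
# Apache refuse to start). $1 = certificate, $2 = private key
key_matches_cert() {
  [ "$(pubkey_hash_of_cert "$1")" = "$(pubkey_hash_of_key "$2")" ]
}

# Succeeds when the certificate is not expired and its SAN covers the hostname
# (wildcards such as *.openservices.eus are honoured). $1 = certificate, $2 = hostname
cert_covers_name() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Constructed test material: a throwaway self-signed wildcard certificate packed
# into a PFX with password "demo", standing in for the file exported from IIS.
make_demo_pfx() {
  local dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=*.openservices.eus" \
    -addext "subjectAltName=DNS:*.openservices.eus" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/demo.crt" -inkey "$dir/demo.key" \
    -passout pass:demo -out "$dir/Wildcard_Open_Services.pfx"
}

# Demo run: extract, then check, printing what a sysadmin would want to see
demo() {
  local work
  work="$(mktemp -d)"
  make_demo_pfx "$work"
  extract_pfx "$work/Wildcard_Open_Services.pfx" demo "$work/wildcard_open_services"
  ls -l "$work/wildcard_open_services.key"          # expect -rw-------
  key_matches_cert "$work/wildcard_open_services.cer" "$work/wildcard_open_services.key" \
    && echo "key matches certificate"
  cert_covers_name "$work/wildcard_open_services.cer" data.openservices.eus \
    && echo "certificate covers data.openservices.eus"
}

demo
```

Run the key/cert comparison against a real PFX by calling extract_pfx with its own password and then key_matches_cert on the two files it wrote; if the hashes differ, the PFX does not contain the key for that certificate and Apache will reject the pair at startup.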

We start by enabling Apache's SSL module; the Nextcloud site configuration is edited afterwards.

[SourceCode]sudo a2enmod ssl
# If /etc/apache2/sites-enabled/default-ssl.conf does not exist yet, the default
# SSL site also has to be enabled (a2ensite default-ssl) before editing it[/SourceCode]

We copy the certificate and key we just extracted to the Apache certificate directory, together with the file containing the whole chain of intermediate CAs:

[SourceCode]# /etc/apache2/ssl must exist; the .key file should end up readable only by root
sudo cp wildcard_open_services.* /etc/apache2/ssl
sudo mv openservices_eus.ca-bundle /etc/apache2/ssl/cadena.crt[/SourceCode]

We edit /etc/apache2/sites-enabled/default-ssl.conf, the Apache secure site configuration, and modify the entries that point to the certificate, the private key and the certificate chain:

[SourceCode]SSLCertificateFile /etc/apache2/ssl/wildcard_open_services.cer
SSLCertificateKeyFile /etc/apache2/ssl/wildcard_open_services.key
SSLCertificateChainFile /etc/apache2/ssl/cadena.crt[/SourceCode]

We save, restart Apache and verify that we can now reach the Nextcloud site over HTTPS:

[SourceCode]sudo service apache2 restart[/SourceCode]

Putting Nextcloud's default site in Apache,

By the way, if you want to spare your users from typing /nextcloud and make that site the default one in Apache, edit the /etc/apache2/sites-enabled/000-default.conf and /etc/apache2/sites-enabled/default-ssl.conf site configuration files, changing the document root:

[SourceCode]DocumentRoot /var/www/nextcloud[/SourceCode]

And we restart Apache!

[SourceCode]sudo service apache2 restart[/SourceCode]

Enabling secure access to ONLYOFFICE,

If we want to secure traffic to Document Server, we will need to install an SSL certificate in Nginx, the web server it uses, and thereby encrypt its connections with HTTPS. In addition, at the end we will see how to change the port, in case we are interested in publishing this setup to the Internet later.

As before, ONLYOFFICE also needs the certificates in the format Nginx expects: we have to place in the certificate folder the public certificate, the private key and a file with the chain of all intermediate and root CAs.

Recall the steps we followed to split the PFX file and obtain the public certificate on the one hand and the private key on the other:

[SourceCode]openssl pkcs12 -in Wildcard_Open_Services.pfx -clcerts -nokeys -out wildcard_open_services.cer
openssl pkcs12 -in Wildcard_Open_Services.pfx -nocerts -nodes -out wildcard_open_services.key[/SourceCode]

In addition, if we don't want trust problems with the certificate, it is recommended to build a certificate file containing the whole CA chain; the following command creates a single file with all the certificates, the server certificate first:

[SourceCode]# run in the directory holding the files extracted above (they are copied to /etc/ssl/certs in the next step);
# server certificate first, then the provider's bundle of intermediate/root CAs
cat wildcard_open_services.cer openservices_eus.ca-bundle > wildcard_open_services_y_cadena.cer[/SourceCode]
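As an added example (not code from the original post, which only uses cat), here is the same chain assembly with the checks that tell us whether Nginx will accept the result: the server certificate must be the first one in the file, because Nginx pairs that first certificate with ssl_certificate_key and refuses to start on a mismatch, and the file must verify up to a trusted root. Apache 2.4.8 and later accept the same combined file in SSLCertificateFile. Since no real provider bundle is available offline, the root CA, intermediate CA and wildcard certificate are constructed here with openssl as throwaway material, the intermediate playing the part of openservices_eus.ca-bundle.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the combined certificate
# file Nginx expects (server certificate first, then the CA bundle) and checks its
# order and that it chains up to a trusted root before handing it to ssl_certificate.
set -eu

# Combined file: $1 = server certificate, $2 = provider's CA bundle, $3 = output file
build_chain() { cat "$1" "$2" > "$3"; }

# Number of PEM certificates in a file
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds when the first certificate in the chain file is the server certificate.
# openssl x509 reads only the first certificate of a file, which is exactly the one
# Nginx pairs with ssl_certificate_key. $1 = chain file, $2 = server certificate
chain_leaf_first() {
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Succeeds when the first certificate verifies up to the trusted root, using the
# rest of the chain file as untrusted intermediates. $1 = chain file, $2 = root CA
chain_verifies() {
  local leaf rc
  leaf="$(mktemp)"
  openssl x509 -in "$1" -out "$leaf"
  if openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}

# Constructed test material: a throwaway root CA -> intermediate CA -> wildcard
# server certificate, the intermediate standing in for openservices_eus.ca-bundle.
make_demo_pki() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.openservices.eus\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/openservices_eus.ca-bundle" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.openservices.eus" \
    -keyout "$d/wildcard_open_services.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/openservices_eus.ca-bundle" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/wildcard_open_services.cer" 2>/dev/null
}

# Demo run: the post's cat in the right order, then the classic mistake (bundle first)
demo() {
  local w
  w="$(mktemp -d)"
  make_demo_pki "$w"
  build_chain "$w/wildcard_open_services.cer" "$w/openservices_eus.ca-bundle" "$w/wildcard_open_services_y_cadena.cer"
  echo "certificates in chain file: $(count_certs "$w/wildcard_open_services_y_cadena.cer")"
  chain_leaf_first "$w/wildcard_open_services_y_cadena.cer" "$w/wildcard_open_services.cer" && echo "order OK"
  chain_verifies "$w/wildcard_open_services_y_cadena.cer" "$w/root.crt" && echo "chain verifies up to root"
  build_chain "$w/openservices_eus.ca-bundle" "$w/wildcard_open_services.cer" "$w/wrong_order.cer"
  chain_leaf_first "$w/wrong_order.cer" "$w/wildcard_open_services.cer" \
    || echo "wrong_order.cer: the server certificate is not first, Nginx would report a key mismatch"
}

demo
```

With a real provider bundle, pass the root the provider chains to as the second argument of chain_verifies (or the system store via -CApath, which is a simple change in that function); a failure there means the bundle is missing an intermediate and clients will see an untrusted-certificate error even though Nginx starts.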

We copy the generated files to the certificate directory, stop Nginx and create the configuration file for secure ONLYOFFICE access from the template shipped with Document Server:

[SourceCode]sudo cp wildcard_open_services.* /etc/ssl/certs/
# /etc/ssl/certs is world-readable: make sure only root can read the copied .key file
sudo service nginx stop
sudo cp -f /etc/onlyoffice/documentserver/nginx/onlyoffice-documentserver-ssl.conf.template /etc/nginx/conf.d/onlyoffice-documentserver.conf[/SourceCode]

We edit the configuration file and set the path to the certificate file (with the chain) and to its private key:

[SourceCode]sudo vim /etc/nginx/conf.d/onlyoffice-documentserver.conf
# certificate file with the chain (server certificate first) and its private key
ssl_certificate /etc/ssl/certs/wildcard_open_services_y_cadena.cer;
ssl_certificate_key /etc/ssl/certs/wildcard_open_services.key;[/SourceCode]

By the way, now is the time to change the port if we want to: in the same configuration file we modify the listen directives and choose the port we are interested in:

[SourceCode]listen 0.0.0.0:4443 ssl;
listen [::]:4443 ssl default_server;[/SourceCode]

It is enough to start Nginx again and verify that we can reach it at the new URL, over https:// and on the port we specified:

[SourceCode]# (sudo nginx -t validates the configuration before starting)
sudo service nginx start[/SourceCode]

Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) . Enjoy documents!!!

17 October 2018