Enabling HTTPS for ONLYOFFICE Deployed in a Docker Container
Background: the private key file onlyoffice.key and the certificate file onlyoffice.pem are already prepared, and ONLYOFFICE is deployed as a Docker container.
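1. Preparation (backup and determining the deployment method)
Before making any configuration change, it is strongly recommended to back up the existing configuration file.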
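- Enter the running ONLYOFFICE container:

  ```bash
  sudo docker exec -it <container name or ID> /bin/bash
  ```

  Tip: use `sudo docker ps` to look up the container information.

- Back up the original `ds.conf` inside the container:

  ```bash
  cp /etc/onlyoffice/documentserver/nginx/ds.conf /etc/onlyoffice/documentserver/nginx/ds.conf.backup
  ```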
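2. Stop the Nginx service (optional)
You can leave the service running and simply restart it later, but to avoid conflicts while the configuration is being loaded it is recommended to stop it first:

```bash
sudo systemctl stop nginx
```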
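3. Copy the HTTPS template over the original configuration
This applies only to v5.3 and later, which use the SSL template:

```bash
sudo cp -f /etc/onlyoffice/documentserver/nginx/ds-ssl.conf.tmpl /etc/onlyoffice/documentserver/nginx/ds.conf
```

For other versions, see the official documentation: Switching ONLYOFFICE Docs to HTTPS protocol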
4. Modify the parameters in ds.conf
Open the configuration file in an editor:

```bash
sudo vim /etc/onlyoffice/documentserver/nginx/ds.conf
```
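Replace the following `{{...}}` placeholders with actual values:

| Parameter | Description |
|---|---|
| `{{SSL_CERTIFICATE_PATH}}` | Path to the SSL certificate (e.g. /etc/ssl/onlyoffice.crt) |
| `{{SSL_KEY_PATH}}` | Path to the certificate's private key (e.g. /etc/ssl/onlyoffice.key) |
| `{{SSL_VERIFY_CLIENT}}` | Whether to enable client certificate verification; one of: on, off, optional, optional_no_ca |
| `{{CA_CERTIFICATES_PATH}}` | Path to the client CA certificates (if mutual authentication is required) |
| `{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}` | HSTS max-age (default 31536000, in seconds) |
| `{{SSL_DHPARAM_PATH}}` | Path to the Diffie-Hellman parameter file (strengthens the key exchange) |

For more Nginx SSL parameters, see: Module ngx_http_ssl_module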
For example:
```nginx
include /etc/nginx/includes/http-common.conf;

## Normal HTTP host
server {
  listen 0.0.0.0:80;
  listen [::]:80 default_server;
  server_name _;
  server_tokens off;
  set $secure_link_secret verysecretstring;

  ## Redirects all traffic to the HTTPS host
  root /nowhere; ## root doesn't have to be a valid path since we are redirecting
  rewrite ^ https://$host$request_uri? permanent;
}

#HTTP host for internal services
server {
  listen 127.0.0.1:80;
  listen [::1]:80;
  server_name localhost;
  server_tokens off;
  set $secure_link_secret verysecretstring;

  include /etc/nginx/includes/ds-common.conf;
  include /etc/nginx/includes/ds-docservice.conf;
}

## HTTPS host
server {
  listen 0.0.0.0:443 ssl http2;
  listen [::]:443 ssl default_server http2;
  server_tokens off;
  set $secure_link_secret verysecretstring;
  root /usr/share/nginx/html;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_certificate /var/www/onlyoffice/Data/certs/onlyoffice.pem;
  ssl_certificate_key /var/www/onlyoffice/Data/certs/onlyoffice.key;
  # Uncomment string below and specify the path to the file with the password if you use encrypted certificate key
  # ssl_password_file {{SSL_PASSWORD_PATH}};
  ssl_verify_client off;

  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_protocols TLSv1.2;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_prefer_server_ciphers on;

  add_header Strict-Transport-Security max-age=31536000;
  add_header X-Content-Type-Options nosniff;

  include /etc/nginx/includes/ds-*.conf;
}
```
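
The example configuration above still carries `{{SSL_PASSWORD_PATH}}` in a commented-out line, so a plain search for `{{` is noisy. The following added example (not from the original post or the ONLYOFFICE project) reports only placeholders left on active lines of `ds.conf` and checks that the configured certificate and key belong together. The function names and the sample config are constructed for illustration, and `openssl` is assumed to be available where `check_ds_conf` runs.

```shell
# Added example: checks for an edited ds.conf. Function names are hypothetical.

# Constructed sample: one placeholder on an active line, one inside a comment.
sample_conf() {
  cat <<'EOF'
server {
  ssl_certificate /var/www/onlyoffice/Data/certs/onlyoffice.pem;
  ssl_certificate_key /var/www/onlyoffice/Data/certs/onlyoffice.key;
  # ssl_password_file {{SSL_PASSWORD_PATH}};
  ssl_dhparam {{SSL_DHPARAM_PATH}};
}
EOF
}

# Print each {{PLACEHOLDER}} that survives on an active (non-comment) line.
leftover_placeholders() {
  awk '!/^[ \t]*#/ {
    s = $0
    while (match(s, /[{][{][A-Z0-9_]+[}][}]/)) {
      print substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
    }
  }' "$1" | sort -u
}

# Print the argument of the first active occurrence of an nginx directive.
directive_value() {
  awk -v d="$2" '$1 == d { v = $2; sub(/;$/, "", v); print v; exit }' "$1"
}

# Succeed only when certificate and private key carry the same public key.
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey) && k=$(openssl pkey -in "$2" -pubout) && [ "$c" = "$k" ]
}

# Run every check; non-zero on any failure. Run it where the paths resolve.
check_ds_conf() {
  local conf=$1 rc=0 left cert key
  left=$(leftover_placeholders "$conf")
  [ -z "$left" ] || { echo "unreplaced placeholders: $left"; rc=1; }
  cert=$(directive_value "$conf" ssl_certificate)
  key=$(directive_value "$conf" ssl_certificate_key)
  if [ -r "$cert" ] && [ -r "$key" ]; then
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match"; rc=1; }
  else
    echo "cannot read certificate ($cert) or key ($key)"; rc=1
  fi
  return "$rc"
}
```

Inside the container, `check_ds_conf /etc/onlyoffice/documentserver/nginx/ds.conf` can be run after sourcing these functions, before the restart in the next step.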
5. Restart the ONLYOFFICE container

- Stop the ONLYOFFICE container:

  ```bash
  sudo docker stop <container name or ID>
  ```

- Remove the ONLYOFFICE container:

  ```bash
  sudo docker rm <container name or ID>
  ```

- Start the ONLYOFFICE container:

  This command takes many parameters; choose them to suit your own situation and do not copy it verbatim.

  ```bash
  sudo docker run -itd -p 8081:80 -p 7443:443 -v /home/wst/docx_deploy/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data -v /home/wst/docx_deploy/onlyoffice/DocumentServer/data/nginx/ds.conf:/etc/onlyoffice/documentserver/nginx/ds.conf --name onlyoffice-document-server-9.0.4.1 --privileged -e JWT_SECRET=my_jwt_secret --restart=always onlyoffice/documentserver:9.0.4.1
  ```
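✅ Verify the configuration

- Check the Nginx configuration syntax inside the container:

  ```bash
  sudo nginx -t
  ```

- Visit your ONLYOFFICE Docs address and confirm that it is reachable at `https://ip:7443` and that HTTP requests are redirected.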