Setting up OwnCloud Infinite Scale (OCIS)
We're going to generally follow the instructions for the "full" deployment at https://doc.owncloud.com/ocis/next/depl-examples/ubuntu-compose/ubuntu-compose-prod.html. The main difference is that we're already using Nginx as our reverse proxy and TLS terminator, so every reference to Traefik, which that example project uses for both jobs, goes away.
Downloading the Example
Scroll down to the Download and Transfer the Example section and click the link to download the project. If you're looking at the ownCloud oCIS GitHub repository, this is the ocis_full project: https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full.
Configuring Nginx
Let's take care of the nginx configuration first. You need three proxy hosts, one each for:
- owncloud
- wopiserver
- collabora
I'm using my tail subdomain, which only resolves on my tailnet. That config looks something like this:
```nginx
# Owncloud
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name owncloud.tail.wildebeastmedia.com;

    # Let's Encrypt certs generated by the certbot container
    ssl_certificate /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
    include /etc/nginx/conf.d/hsts.conf;
    # Enable WebSockets
    include /etc/nginx/conf.d/websocket.conf;

    # nginx's default request body limit is 1 MB, which rejects larger uploads; 0 removes the limit
    client_max_body_size 0;

    location / {
        # oCIS still terminates TLS itself on 9200 (PROXY_TLS defaults to true), hence https.
        # nginx does not verify upstream certificates unless proxy_ssl_verify is on, which is
        # tolerable only because the upstream is loopback.
        proxy_pass https://127.0.0.1:9200;
        proxy_set_header Host $host;
        # pass the real client address through so oCIS logs show it rather than 127.0.0.1
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This replaces whatever Origin the browser sent, so oCIS can no longer distinguish a
        # cross-site request from a same-site one. Remove it unless something breaks without it.
        proxy_set_header Origin https://owncloud.tail.wildebeastmedia.com;
    }
}

# wopiserver
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name wopiserver.tail.wildebeastmedia.com;

    # Let's Encrypt certs generated by the certbot container
    ssl_certificate /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
    include /etc/nginx/conf.d/hsts.conf;
    # Enable WebSockets
    include /etc/nginx/conf.d/websocket.conf;

    # Collabora saves documents back through WOPI PutFile; do not cap them at nginx's 1 MB default
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:9300;
        proxy_set_header Host $host;
        # proxy_set_header Origin https://wopiserver.tail.wildebeastmedia.com;
    }
}

# Collabora
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # http2 on;
    server_name collabora.tail.wildebeastmedia.com;

    # Let's Encrypt certs generated by the certbot container
    ssl_certificate /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

    # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
    # include /etc/nginx/conf.d/hsts.conf;

    location / {
        proxy_pass http://127.0.0.1:9980; # Use HTTP since TLS is terminated at Nginx
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket support: the Upgrade handshake needs HTTP/1.1, nginx proxies as HTTP/1.0 by default
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 36000s;
    }
}
```
Configuring the OCIS Full project
Remove references to Traefik
Go ahead and delete all the references to Traefik: the traefik service itself, its volumes and network, and the traefik.* labels the example attaches to the other services. After that, nginx should be the only thing on the host that answers on 443.
Configure .env
Let's now set the .env variables. Here are the important ones:
```env
OCIS_DOMAIN=owncloud.tail.wildebeastmedia.com
OCIS_CONFIG_DIR=/mnt/md0/apps/owncloud/config
OCIS_DATA_DIR=/mnt/md0/apps/owncloud/data
COLLABORA_DOMAIN=collabora.tail.wildebeastmedia.com
WOPISERVER_DOMAIN=wopiserver.tail.wildebeastmedia.com
# nginx is already terminating TLS, so Collabora itself serves plain HTTP on 9980
COLLABORA_SSL_ENABLE=false
# Collabora still verifies the certificate of the WOPI server it calls back to; that is the
# Let's Encrypt certificate nginx presents for wopiserver, so verification can stay on
COLLABORA_SSL_VERIFICATION=true
```
Modify csp.yaml
In config/ocis/csp.yaml, make sure all three domains are listed under both connect-src and frame-src. The ${VAR} references are expanded from the ocis container's environment, so each variable you use here must also be set on the ocis service (or be given a default), otherwise the source it produces is not the origin you expect.
```yaml
directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${OCIS_DOMAIN}'
    - 'https://${COLLABORA_DOMAIN}'
    - 'https://${WOPISERVER_DOMAIN}'
    - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # Contrary to bash and docker, a default goes after a | character,
    # e.g. 'https://${COLLABORA_DOMAIN|collabora.owncloud.test}'
    - 'https://${OCIS_DOMAIN}'
    - 'https://${COLLABORA_DOMAIN}'
    - 'https://${WOPISERVER_DOMAIN}'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://owncloud.dev'
```
Configure ocis.yml
The docker compose file is split into separate yml files, one per plugin added to the stack; ocis.yml is the primary one for oCIS. You need to add the port mapping so nginx can reach the service. Bind it to 127.0.0.1 rather than every interface: a published Docker port is reachable from the network directly, bypassing both nginx and host firewall rules. I commented out a number of unneeded settings.
```yaml
---
services:
  ocis:
    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
    container_name: ocis
    ports:
      # nginx runs on the same host, so bind to loopback; a plain "9200:9200" publishes the
      # port on every interface, and Docker's forwarding rules are applied ahead of ufw's.
      - "127.0.0.1:9200:9200"
    # changelog: https://github.com/owncloud/ocis/tree/master/changelog
    # release notes: https://doc.owncloud.com/ocis_release_notes.html
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: https://${OCIS_DOMAIN}
      PROXY_HTTP_ADDR: 0.0.0.0:9200
      # PROXY_TLS is left at its default (true), so oCIS serves 9200 with a self-generated
      # certificate and OCIS_INSECURE lets its own services accept it. Quoted so the value
      # stays a string whatever compose version reads it.
      OCIS_INSECURE: "true"
      # oCIS reads IDM_ADMIN_PASSWORD and IDM_CREATE_DEMO_USERS; ADMIN_PASSWORD and DEMO_USERS
      # are only .env keys in the upstream example and do nothing when set on the container.
      # Change the admin password after first login; the demo users have published passwords.
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}"
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-true}"
      # # enable services that are not started automatically
      # OCIS_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
      # # OCIS_LOG_LEVEL: ${LOG_LEVEL:-info}
      # # OCIS_LOG_COLOR: "${LOG_PRETTY:-false}"
      # # OCIS_LOG_PRETTY: "${LOG_PRETTY:-false}"
      # # do not use TLS between the reverse proxy and oCIS (then switch nginx to proxy_pass http://)
      # PROXY_TLS: "false"
      # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      # # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      # # PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # # email server (if configured)
      # # NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      # # NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      # # NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>}"
      # # NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      # # NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
      # csp.yaml is expanded from this container's environment, so every ${VAR} it references
      # has to be set here, not only in .env
      OCIS_DOMAIN: ${OCIS_DOMAIN}
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
      WOPISERVER_DOMAIN: ${WOPISERVER_DOMAIN}
      # # ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      # # COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
      # # enable to allow using the banned passwords list
      # OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
    volumes:
      # - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      # - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      # configure the .env file to use own paths instead of docker internal volumes
      - ${OCIS_CONFIG_DIR:-ocis-config}:/etc/ocis
      - ${OCIS_DATA_DIR:-ocis-data}:/var/lib/ocis
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

# only needed if OCIS_CONFIG_DIR / OCIS_DATA_DIR are unset and the named volumes are used
# volumes:
#   ocis-config:
#   ocis-data:
```
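The same loopback rule applies to the 9300 and 9980 mappings in the collaboration and collabora files, and it is easy to miss one. The block below is an added example (my own code, not ownCloud's and not from the page): it parses Docker Compose short-syntax port mappings, lists the ones that publish on every interface, and rewrites them to bind on 127.0.0.1. The `SAMPLE_PORTS` list is constructed for the example; only the `9200:9200` entry corresponds to the file above.

```python
# Docker Compose short-syntax port mappings: [host_ip:][host_port:]container_port[/protocol].
# With no host address Docker publishes on every interface, and the published port is handled
# by Docker's own iptables chains ahead of host firewall rules such as ufw.

ALL_INTERFACES = (None, "0.0.0.0", "::")

# Constructed sample list; the page only shows the oCIS mapping, the others are illustrative.
SAMPLE_PORTS = [
    "9200:9200",              # oCIS as originally written: published on all interfaces
    "127.0.0.1:9300:9300",    # WOPI server bound to loopback
    "[::1]:9980:9980",        # Collabora bound to IPv6 loopback
    "0.0.0.0:9980:9980/tcp",  # explicitly on all interfaces, with a protocol suffix
]


def parse_port_mapping(spec):
    """Return (host_ip, host_port, container_port, protocol) for one short-syntax mapping.
    host_ip is None when Docker's default (all interfaces) applies; ports stay strings
    because the host side may be a range such as 8000-8010."""
    protocol = "tcp"
    if "/" in spec:
        spec, protocol = spec.rsplit("/", 1)
    host_ip = None
    if spec.startswith("["):                 # bracketed IPv6 host address, e.g. [::1]:9980:9980
        end = spec.index("]")
        host_ip = spec[1:end]
        spec = spec[end + 1:].lstrip(":")
    parts = spec.split(":")
    if len(parts) == 1:                      # "9980": container port only, host port chosen by Docker
        return host_ip, None, parts[0], protocol
    if len(parts) == 2:                      # "9200:9200", or "9980:9980" after bracket removal
        return host_ip, parts[0], parts[1], protocol
    if len(parts) == 3 and host_ip is None:  # "127.0.0.1:9200:9200"
        return parts[0], parts[1], parts[2], protocol
    raise ValueError(f"unrecognised port mapping: {spec!r}")


def exposed_mappings(specs):
    """Mappings whose host side listens on all interfaces, i.e. reachable around the reverse proxy."""
    return [spec for spec in specs if parse_port_mapping(spec)[0] in ALL_INTERFACES]


def bind_to_loopback(spec):
    """Rewrite a mapping so only the local reverse proxy can reach it. A mapping with no host
    port gets the container port on the host, since an ephemeral port is useless to nginx."""
    _, host_port, container_port, protocol = parse_port_mapping(spec)
    host_port = host_port or container_port
    suffix = "" if protocol == "tcp" else f"/{protocol}"
    return f"127.0.0.1:{host_port}:{container_port}{suffix}"


if __name__ == "__main__":
    for spec in exposed_mappings(SAMPLE_PORTS):
        print(f"{spec!r} is published on all interfaces; use {bind_to_loopback(spec)!r}")
```

After changing a mapping, `ss -ltnp` on the host should show the three backend ports only on 127.0.0.1, and a connection attempt to port 9200 from another machine on the tailnet should be refused.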
Now in the Collabora block, I did manually set aliasgroup1 to a domain with escaped periods. I'll need to test whether that was really necessary; the upstream example builds the value from WOPISERVER_DOMAIN. Either way, aliasgroup1 is Collabora's allowlist of WOPI hosts it will load documents from, so it should name exactly the wopiserver host and nothing broader. With COLLABORA_SSL_ENABLE=false and ssl.termination=true, Collabora speaks plain HTTP to nginx and trusts nginx for TLS, which is why the collabora server block above sets X-Forwarded-Proto https.
```yaml
    environment:
      aliasgroup1: https://wopiserver\.tail\.wildebeastmedia\.com
      DONT_GEN_SSL_CERT: "YES"
      extra_params: |
        --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
        --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
        --o:ssl.termination=true \
        --o:welcome.enable=false \
        --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
      # credentials for the Collabora admin console, which is reachable through the collabora
      # proxy host; set COLLABORA_ADMIN_PASSWORD in .env instead of leaving admin/admin
      username: ${COLLABORA_ADMIN_USER:-admin}
      password: ${COLLABORA_ADMIN_PASSWORD:-admin}
```
That's basically it. I commented out the other .yml include files for now, just to get the basic setup up and running. Two quick checks once the stack is up: https://owncloud.tail.wildebeastmedia.com/.well-known/openid-configuration should return oCIS's OpenID Connect discovery document with issuer URLs on the owncloud host, and https://collabora.tail.wildebeastmedia.com/hosting/discovery should return Collabora's WOPI discovery XML. If either comes back with a wrong scheme or host, the proxy headers or OCIS_URL are what to look at.