Setting up OwnCloud Infinite Scale (OCIS)

We're going to generally follow the instructions for the "full" deployment found here https://doc.owncloud.com/ocis/next/depl-examples/ubuntu-compose/ubuntu-compose-prod.html. The main difference is that because we're already using Nginx as our reverse proxy, we can get rid of all references to Traefik which has been configured in this example project.

Downloading the Example

Scroll down to the Download and Transfer the Example section, and click the link to download the project.

If you're looking at the owncloud ocis GitHub repository, this is the ocis_full project, https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full.

Configuring Nginx

Let's go ahead and take care of your nginx configuration. You need 3 proxy hosts, one for each of:

  • owncloud
  • wopiserver
  • collabora

I'm using my tail subdomain that is only available on my tailnet. That config looks something like this:

Nginx server blocks
    # Owncloud
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name owncloud.tail.wildebeastmedia.com;

        # Let's Encrypt Certs generated by certbot container
        ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
        ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

        # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
        include /etc/nginx/conf.d/hsts.conf;

        # Enable Web Sockets
        include /etc/nginx/conf.d/websocket.conf;

        # Proxy settings for different subdomains
        location / {
            proxy_pass https://127.0.0.1:9200;
            proxy_set_header Host $host;
            proxy_set_header Origin https://owncloud.tail.wildebeastmedia.com;
        }
    }

    # wopiserver
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name wopiserver.tail.wildebeastmedia.com;

        # Let's Encrypt Certs generated by certbot container
        ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
        ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

        # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
        include /etc/nginx/conf.d/hsts.conf;

        # Enable Web Sockets
        include /etc/nginx/conf.d/websocket.conf;

        # Proxy settings for different subdomains
        location / {
            proxy_pass http://127.0.0.1:9300;
            proxy_set_header Host $host;
            # proxy_set_header Origin https://wopiserver.tail.wildebeastmedia.com;
        }
    }

    # Collabora
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        # http2 on;
        server_name collabora.tail.wildebeastmedia.com;

        # Let's Encrypt Certs generated by certbot container
        ssl_certificate        /etc/letsencrypt/live/local.wildebeastmedia.com/fullchain.pem;
        ssl_certificate_key    /etc/letsencrypt/live/local.wildebeastmedia.com/privkey.pem;

        # Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains.
        # include /etc/nginx/conf.d/hsts.conf;

        # Proxy settings for different subdomains
        location / {
            proxy_pass http://127.0.0.1:9980; # Use HTTP since SSL is terminated at Nginx
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # WebSocket support
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 36000s;
        }
    }

Configuring the OCIS Full project

Remove references to Traefik

Go ahead and delete all the references to Traefik.

Configure .env

Let's now set the .env variables.

Here are some of the important ones we need to set:

OCIS_DOMAIN=owncloud.tail.wildebeastmedia.com

OCIS_CONFIG_DIR=/mnt/md0/apps/owncloud/config
OCIS_DATA_DIR=/mnt/md0/apps/owncloud/data

COLLABORA_DOMAIN=collabora.tail.wildebeastmedia.com
WOPISERVER_DOMAIN=wopiserver.tail.wildebeastmedia.com

# We can set SSL enable to false because nginx is already handling SSL
COLLABORA_SSL_ENABLE=false
COLLABORA_SSL_VERIFICATION=true

Modify csp.yaml

In config/ocis/csp.yaml you need to make sure you've added all three domains to both the connect-src and the frame-src directives.

csp.yaml
directives:
  child-src:
    - '''self'''
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${OCIS_DOMAIN}'
    - 'https://${COLLABORA_DOMAIN}'
    - 'https://${WOPISERVER_DOMAIN}'
    - 'https://raw.githubusercontent.com/owncloud/awesome-ocis/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
  frame-ancestors:
    - '''self'''
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # Unlike bash and docker, the default value is given after the | character
    - 'https://${OCIS_DOMAIN}'
    - 'https://${COLLABORA_DOMAIN}'
    - 'https://${WOPISERVER_DOMAIN}'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://owncloud.dev'
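A quick way to catch a domain that was added to connect-src but forgotten in frame-src is to check the file the way the proxy will read it. The following is an added example, not code from the oCIS project or from this setup: it parses the small YAML subset csp.yaml uses, expands ${VAR} and ${VAR|default} placeholders (assuming the proxy's loader expands them as the upstream comment describes), and reports which of the three proxy-host origins are missing; the csp.yaml fragment and domain values are constructed for the check.

```python
# Added example (not oCIS code): parse the csp.yaml subset, expand ${VAR} and
# ${VAR|default} as the proxy's loader does, and list missing web-office origins.
import re

# Constructed fragment shaped like the page's csp.yaml; the wopiserver
# origin is deliberately absent from frame-src so the check has a finding.
CSP_YAML = """\
directives:
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${OCIS_DOMAIN}'
    - 'https://${COLLABORA_DOMAIN}'
    - 'https://${WOPISERVER_DOMAIN}'
  frame-src:
    - '''self'''
    - 'https://${OCIS_DOMAIN|ocis.owncloud.test}'  # default after the |
    - 'https://${COLLABORA_DOMAIN}'
"""
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)(?:\|([^}]*))?\}")
REQUIRED = ("OCIS_DOMAIN", "COLLABORA_DOMAIN", "WOPISERVER_DOMAIN")

def parse_csp_yaml(text):
    """Return {directive: [values]}; '' inside '...' is YAML's escaped quote."""
    directives, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments, keep indent
        if line.startswith("    - "):
            value = line.strip()[2:]
            if value[:1] == "'" and value[-1:] == "'":
                value = value[1:-1].replace("''", "'")
            directives[current].append(value)
        elif line.startswith("  ") and line.endswith(":"):
            current = line.strip()[:-1]
            directives[current] = []
    return directives

def expand(value, env):
    """${VAR} -> env[VAR]; ${VAR|default} uses default when VAR is unset."""
    return _PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(2) or ""), value)

def missing_origins(text, env, required=REQUIRED):
    """(directive, origin) pairs absent from connect-src or frame-src."""
    parsed, missing = parse_csp_yaml(text), []
    for directive in ("connect-src", "frame-src"):
        present = {expand(v, env) for v in parsed.get(directive, [])}
        missing += [(directive, "https://" + env[name]) for name in required
                    if "https://" + env[name] not in present]
    return missing
```

Run missing_origins against the real csp.yaml text with the values from your .env; an empty list means all three origins are present in both directives.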

Configure ocis.yml

The docker compose file is split into different yml files for each plugin that is being added to the stack. ocis.yml is our primary config for ocis.

You need to add the port mapping. I commented out a number of unneeded settings.

---
services:
  ocis:
    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
    container_name: ocis
    ports:
      # nginx proxies to 127.0.0.1:9200; writing this as "127.0.0.1:9200:9200"
      # would keep the port off every other interface
      - "9200:9200"
    # changelog: https://github.com/owncloud/ocis/tree/master/changelog
    # release notes: https://doc.owncloud.com/ocis_release_notes.html
    networks:
      ocis-net:
    entrypoint:
      - /bin/sh
    # run ocis init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the ocis server
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: https://${OCIS_DOMAIN}
      PROXY_HTTP_ADDR: 0.0.0.0:9200
      OCIS_INSECURE: true
      ADMIN_PASSWORD: admin
      DEMO_USERS: true
      # # enable services that are not started automatically
      # OCIS_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
      # OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
      # PROXY_HTTP_ADDR: 0.0.0.0:9200
      # # OCIS_LOG_LEVEL: ${LOG_LEVEL:-info}
      # # OCIS_LOG_COLOR: "${LOG_PRETTY:-false}"
      # # OCIS_LOG_PRETTY: "${LOG_PRETTY:-false}"
      # # do not use SSL between Traefik and oCIS
      # PROXY_TLS: "false"
      # # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      # # INSECURE: needed if oCIS / Traefik is using self generated certificates
      # OCIS_INSECURE: "${INSECURE:-false}"
      # # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      # # PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # # admin user password
      # IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # # demo users
      # IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # # email server (if configured)
      # # NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      # # NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      # # NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-oCIS notifications <notifications@${OCIS_DOMAIN:-ocis.owncloud.test}>}"
      # # NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      # # NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
      # # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
      # # # these three vars are needed to the csp config file to include the web office apps and the importer
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.owncloud.test}
      # # ONLYOFFICE_DOMAIN: ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
      # # COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.owncloud.test}
      # # enable to allow using the banned passwords list
      # OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
    volumes:
      # - ./config/ocis/app-registry.yaml:/etc/ocis/app-registry.yaml
      - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml
      # - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
      # configure the .env file to use own paths instead of docker internal volumes
      - ${OCIS_CONFIG_DIR:-ocis-config}:/etc/ocis
      - ${OCIS_DATA_DIR:-ocis-data}:/var/lib/ocis
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

# volumes:
#   ocis-config:
#   ocis-data:

Now in the Collabora block, I did manually set the aliasgroup1 to a domain with escaped periods. I'll need to test if that was really necessary.

    environment:
      aliasgroup1: https://wopiserver\.tail\.wildebeastmedia\.com
      DONT_GEN_SSL_CERT: "YES"
      extra_params: |
        --o:ssl.enable=${COLLABORA_SSL_ENABLE:-true} \
        --o:ssl.ssl_verification=${COLLABORA_SSL_VERIFICATION:-true} \
        --o:ssl.termination=true \
        --o:welcome.enable=false \
        --o:net.frame_ancestors=${OCIS_DOMAIN:-ocis.owncloud.test}
      username: ${COLLABORA_ADMIN_USER:-admin}
      password: ${COLLABORA_ADMIN_PASSWORD:-admin}

That's basically it. I commented out the only .yml files for now just to get the basic setup up and running.
