Permission denied nginx and unknown error on nextcloud #58

julyusito opened this issue May 19, 2021 · 6 comments


julyusito commented May 19, 2021

Hi,

I've installed the latest versions of Nextcloud and OnlyOffice in Docker with this setup:

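# Compose stack: MariaDB + periodic dump sidecar + Redis + Nextcloud (web and cron)
# + ONLYOFFICE Document Server. PATH_TO_DOCKER_VOLUMES, IP_HOST_DOCKER and XXXX.com.co
# are the author's redaction placeholders, not literal values.
# NOTE(review): `deploy:` (resources, restart_policy, update_config, labels) is the
# Swarm section; under plain docker-compose the `restart:` key is what takes effect.
# Confirm which runtime is in use before relying on either set of limits.
version: '3'

services:

  db:
    image: mariadb
    hostname: nc_db
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    # Credentials stay out of the compose file and come from the env file.
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-db.env
    networks:
      - internal
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2048M
      restart_policy:
        condition: on-failure
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/var/lib/mysql:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

  db_backup:
    image: mariadb
    hostname: nc_db_backup
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-db-backup.env
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 256M
      restart_policy:
        condition: on-failure
    depends_on:
      - db
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/database-dump:/dump
      - /etc/localtime:/etc/localtime:ro
    # Periodic full dump loop: every $BACKUP_FREQUENCY, keep only the newest
    # $BACKUP_NUM_KEEP archives in /dump. `$$` is the compose escape for a literal `$`,
    # so these variables are expanded by the container shell, not by compose.
    # mysqldump credentials are presumably supplied through the env_file — not visible here.
    # `xargs -r rm --` replaces the original `xargs rm -- {}`: without `-I`, xargs does not
    # substitute `{}`, so rm was given a literal `{}` argument on every run (and ran with no
    # files at all on an empty list); `-r` skips the rm call when there is nothing to delete.
    entrypoint: |
      bash -c 'bash -s <<EOF
      trap "break;exit" SIGHUP SIGINT SIGTERM
      sleep 2m
      while /bin/true; do
        mysqldump -h db --all-databases | gzip -c > /dump/dump_\`date +%d-%m-%Y"_"%H_%M_%S\`.sql.gz
        (ls -t /dump/dump*.sql.gz|head -n $$BACKUP_NUM_KEEP;ls /dump/dump*.sql.gz)|sort|uniq -u|xargs -r rm --
        sleep $$BACKUP_FREQUENCY
      done
      EOF'
    networks:
      - internal

  redis:
    image: redis:alpine
    hostname: nc_redis
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 4096M
      restart_policy:
        condition: on-failure
    networks:
      - internal
    volumes:
      # Redis persistence directory (host path lives under the nextcloud-db tree).
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-db/data:/data
      - /etc/localtime:/etc/localtime:ro

  apps:
    image: nextcloud:latest
    hostname: nextcloud
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-apps.env
    # On both networks: `internal` for db/redis, `container_external` to reach the
    # document server and to be reached by the HAProxy frontend.
    networks:
      - internal
      - container_external
    deploy:
      resources:
        limits:
          cpus: '4.0'
          memory: 8192M
      update_config:
        delay: 10s
      restart_policy:
        condition: on-failure
      labels:
        - haproxy.frontend.rule=Host:cloud.XXXX.com.co
        - haproxy.docker.network=container_external
        - haproxy.port=80
    # Port mappings are quoted so no YAML parser can retype them.
    ports:
      - "IP_HOST_DOCKER:10105:80"
    depends_on:
      - db
      - db_backup
      - redis
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html:/var/www/html
      # The next four mounts appear redundant: they are sub-paths of the /var/www/html
      # mount above, from the same host tree. Harmless, but worth confirming they are intended.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/config:/var/www/html/config
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/custom_apps:/var/www/html/custom_apps
      - /PATH_TO_DOCKER_VOLUMES/NCData/cloud:/var/www/html/data
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html/themes:/var/www/html/themes
      # TLS material bind-mounted read-write into the web container. Nothing here needs
      # to write the private key; consider appending `:ro` to both of these mounts.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.all.pem:/etc/ssl/certs/ssl-cert-snakeoil.pem
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.key:/etc/ssl/private/ssl-cert-snakeoil.key
      - /etc/localtime:/etc/localtime:ro
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/etc/apache2/mods-enabled/mpm_prefork.conf:/etc/apache2/mods-enabled/mpm_prefork.conf
    restart: unless-stopped

  cron:
    image: nextcloud:latest
    hostname: nc_cron
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 256M
      update_config:
        delay: 15s
      restart_policy:
        condition: on-failure
    depends_on:
      - apps
    volumes:
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-apps/var/www/html:/var/www/html
      - /PATH_TO_DOCKER_VOLUMES/NCData/cloud:/var/www/html/data
    # Runs as the web-server user so files it creates are owned consistently with `apps`.
    user: www-data
    networks:
      - internal
    # Waits for the Nextcloud install to exist (config.php), then runs cron.php every 5 minutes.
    entrypoint: |
      bash -c 'bash -s <<EOF
        trap "break;exit" SIGHUP SIGINT SIGTERM
        while [ ! -f /var/www/html/config/config.php ]; do
          sleep 1
        done
        while true; do
          php -f /var/www/html/cron.php
          sleep 5m
        done
      EOF'

  documentserver:
    image: onlyoffice/documentserver:latest
    hostname: nc_onlyoffice
    env_file: /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice.env
    networks:
      - container_external
    deploy:
      resources:
        limits:
          cpus: '4.0'
          memory: 4096M
      update_config:
        delay: 15s
      restart_policy:
        condition: on-failure
    # Both the plain-HTTP and HTTPS listeners are published on the host. If HAProxy is the
    # only intended client, binding only the port it uses (10107) reduces the exposed surface.
    ports:
      - "IP_HOST_DOCKER:10106:80"
      - "IP_HOST_DOCKER:10107:443"
    depends_on:
      - apps
    volumes:
      # Nginx inside this image serves cache files straight from this tree (App_Data/cache),
      # so the nginx worker user must be able to read it on the host filesystem, not only
      # inside the container. NOTE(review): on a NAS export, host-side uid/gid mapping or
      # mount options may override chmod — confirm how this path is exported.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/onlyoffice:/var/lib/onlyoffice
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data:/var/www/onlyoffice/Data
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/log/onlyoffice:/var/log/onlyoffice
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/redis:/var/lib/redis
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/postgresql:/var/lib/postgresql
      # Certificate and key are mounted explicitly `:rw`; the image may adjust ownership on
      # start, so verify before switching these to `:ro`.
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.crt:/var/www/onlyoffice/Data/certs/tls.crt:rw
      - /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/www/onlyoffice/Data/certs/WildcardCPP.key:/var/www/onlyoffice/Data/certs/tls.key:rw
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped

networks:
  # Pre-existing network shared with the HAProxy container.
  container_external:
    external: true
  internal:
    driver: bridge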

I'm not running any other script, just the Docker setup, because it's on a NAS system.

This is my setup on nextcloud:
Captura de pantalla 2021-05-19 a la(s) 5 58 37 a  m

All of this is behind a proxy (HAProxy):

backend documentserver.XXXX.com.co_ipvANY
	mode			http
	id			113
	log			global
	# Timeouts are in milliseconds: 30 s to connect, 2 h for the server to respond.
	timeout connect		30000
	timeout server		7200000
	retries			3
	# Connects to the backend using the client's own source address (transparent
	# proxying); the backend must route its replies back through this proxy for that to work.
	source ipv4@ usesrc clientip
	acl			existing-x-forwarded-host	req.hdr(X-Forwarded-Host) -m found
	acl			existing-x-forwarded-proto 	req.hdr(X-Forwarded-Proto) -m found
	# NOTE(review): the headers are only added when absent, so an X-Forwarded-Host /
	# X-Forwarded-Proto value already present on the incoming request is passed through
	# unchanged. If this frontend faces untrusted clients, `http-request set-header`
	# (always overwrite) is the safer form.
	http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host 
	http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto 
	# `verify none`: TLS to the document server is encrypted but the server certificate is
	# not checked. Once the wildcard certificate's CA is available, `verify required` with
	# `ca-file` restores authentication of the backend.
	server			documentserver IP_HOST_DOCKER:10107 id 101 ssl  verify none 

Everything saves fine on Nextcloud and there are no errors in the logs, but when I open a file from Nextcloud it throws "Unknown error"
Captura de pantalla 2021-05-19 a la(s) 6 06 09 a  m

All health checks pass with a "true" result

The /var/log/onlyoffice/documentserver/nginx.error.log of OnlyOffice shows this: Permission denied
2021/05/19 05:37:19 [error] 13024#13024: *21 open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/409621677/Editor.bin" failed (13: Permission denied), client: 192.168.16.1, server: , request: "GET /cache/files/409621677/Editor.bin/Editor.bin?md5=OMlXJtxJY4iPP0pXiy64sQ&expires=1624012640&disposition=attachment&filename=Editor.bin HTTP/1.1", host: "documentserver.XXXX.com.co", referrer: "https://documentserver.XXXX.com.co/6.2.2-21/web-apps/apps/documenteditor/main/index_loader.html?_dc=6.2.2-21&lang=es&customer=ONLYOFFICE&frameEditorId=iframeEditor&compact=true&parentOrigin=https://XXXX.XXXX.com.co"

If I use this setup on nextcloud:
Captura de pantalla 2021-05-19 a la(s) 6 15 56 a  m

There is an error on Nextcloud: Forbidden
Captura de pantalla 2021-05-19 a la(s) 6 20 29 a  m

Please help!

@LinneyS LinneyS transferred this issue from ONLYOFFICE/Docker-CommunityServer May 19, 2021
@agolybev

hi @julyusito, try granting full rights to the files in the /PATH_TO_DOCKER_VOLUMES/nextcloud-onlyoffice/var/lib/onlyoffice directory. It looks like the Nginx process doesn't have enough permissions for the files in /var/lib/onlyoffice/documentserver/App_Data/cache/files.
In the second case, the root of the problem is JWT mismatch.


julyusito commented May 19, 2021

Hi @agolybev,

Thanks for the answer.

I granted full rights to the /var/lib/onlyoffice directory inside the container:
chmod 777 /var/lib/onlyoffice/* -R

Same results

For the second case I checked the JWT and am posting the JSON config and Nextcloud config here:

      "token": {
        "enable": {
          "request": {
            "inbox": true,
            "outbox": true
          },
          "browser": true
        },
        "inbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        },
        "outbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        }
      },
      "secret": {
        "inbox": {
          "string": "secret"
        },
        "outbox": {
          "string": "secret"
        },
        "session": {
          "string": "secret"
        }
      }

and the nextcloud conf:

  'onlyoffice' => array(
    'verify_peer_off' => true,
    'jwt_header' => "AuthorizationJwt",
    'jwt_secret' => "secret",
  ),

@julyusito

Hello @agolybev,

I disabled the JWT on onlyoffice config:

      "token": {
        "enable": {
          "request": {
            "inbox": false,
            "outbox": false
          },
          "browser": false
        },
        "inbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        },
        "outbox": {
          "header": "AuthorizationJwt",
          "prefix": "Bearer ",
          "inBody": false
        }
      },
      "secret": {
        "inbox": {
          "string": "secret"
        },
        "outbox": {
          "string": "secret"
        },
        "session": {
          "string": "secret"
        }
      }

And nextcloud config:

  'onlyoffice' => array(
    'verify_peer_off' => true,
  ),

I even changed default.json like this:

"ipfilter": {
                                "rules": [{"address": "*", "allowed": true}],
                                "useforrequest": true,
                                "errorcode": 403
                        },

The Forbidden error persists


julyusito commented May 26, 2021

Hello @agolybev

I've installed from scratch and disabled everything in JWT access

This is my setup:
Internet - HAProxy (https) --> nextcloud (http)
Internet - HAProxy (https) --> onlyoffice (http)

Nextcloud and OnlyOffice are on the same network and can talk to each other:
nextcloud(container_external) <---> onlyoffice(container_external)

Captura de pantalla 2021-05-26 a la(s) 11 36 27 a  m

nextcloud config.php:
'trusted_domains' =>
array (
0 => 'cloud.XXXX.com.co',
1 => 'documentserver.XXXX.com.co',
2 => 'documentserver',
3 => 'nextcloud.XXXX.com.co',
)
'overwrite.cli.url' => 'https://cloud.XXXX.com.co',
'overwritehost' => 'cloud.XXXX.com.co',
'overwriteprotocol' => 'https',

Same error:
Captura de pantalla 2021-05-26 a la(s) 11 30 11 a  m


julyusito commented May 26, 2021

Hi everyone,

I enabled debug mode in nginx and I see that the path for cache files does not match any regex expression set in the /etc/nginx/includes/ds-docservice.conf file:

docker logs office_onlyoffice_1 | grep -e error -e notice

2021/05/26 12:37:06 [notice] 5963#5963: *1 "^/$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *1 "^\/OfficeWeb(\/apps\/.*)$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *1 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/healthcheck", client: 192.168.16.1, server: , request: "GET /healthcheck HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [debug] 5963#5963: *1 uploadprogress error-tracker error: 0
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^/$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^\/OfficeWeb(\/apps\/.*)$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *3 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/coauthoring/CommandService.ashx", client: 192.168.16.1, server: , request: "POST /coauthoring/CommandService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [debug] 5963#5963: *3 uploadprogress error-tracker error: 0
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^/$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^\/OfficeWeb(\/apps\/.*)$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:06 [notice] 5963#5963: *5 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/ConvertService.ashx", client: 192.168.16.1, server: , request: "POST /ConvertService.ashx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [debug] 5963#5963: *5 uploadprogress error-tracker error: 0
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^/$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^\/OfficeWeb(\/apps\/.*)$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [notice] 5963#5963: *7 "^(\/web-apps\/apps\/(?!api\/).*)$" does not match "/cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx", client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [error] 5963#5963: *7 open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/conv_check_417210437_docx/output.docx" failed (13: Permission denied), client: 192.168.16.1, server: , request: "GET /cache/files/conv_check_417210437_docx/output.docx/check_417210437.docx?md5=Qm2rHXrMD9bMmpZX_0BcFQ&expires=1622051528&disposition=attachment&filename=check_417210437.docx HTTP/1.1", host: "documentserver.XXXX.com.co"
2021/05/26 12:37:07 [debug] 5963#5963: *7 uploadprogress error-tracker error: 403
2021/05/26 12:37:07 [debug] 5963#5963: *7 uploadprogress error-tracker not tracking in this location

This is the content of /etc/nginx/includes/ds-docservice.conf file:

# Document Server nginx include: static assets and cache files are served by nginx
# directly; everything else is proxied to the docservice upstream. Location order
# matters here (regex locations are tried in file order), so do not reorder.

#welcome page
rewrite ^/$ $the_scheme://$the_host/welcome/ redirect;

#support old version
rewrite ^\/OfficeWeb(\/apps\/.*)$ $the_scheme://$the_host/6.2.2-21/web-apps$1 redirect;

#script caching protection
rewrite ^(\/web-apps\/apps\/(?!api\/).*)$ $the_scheme://$the_host/6.2.2-21$1 redirect;

# The optional first group in the regexes below is a version prefix such as /6.2.2-21;
# note `[\.|-]` is a character class matching '.', '|' or '-' (the '|' is literal there).
#disable caching for api.js
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps\/apps\/api\/documents\/api\.js)$ {
  expires -1;
  gzip_static on;
  alias  /var/www/onlyoffice/documentserver/$2;
}

#suppress logging the unsupported locale error in web-apps
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps)(\/.*\.json)$ {
  expires 365d;
  # Only crit-level messages are kept, and they go to /dev/null — nothing from this
  # location is logged.
  error_log /dev/null crit;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

#suppress logging the unsupported locale error in plugins
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(sdkjs-plugins)(\/.*\.json)$ {
  expires 365d;
  error_log /dev/null crit;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(web-apps|sdkjs|sdkjs-plugins|fonts)(\/.*)$ {
  expires 365d;
  gzip_static on;
  alias /var/www/onlyoffice/documentserver/$2$3;
}

# Signed cache-file downloads (Editor.bin, conversion output). nginx opens the file
# itself via `alias`, so the nginx worker user needs read access to
# /var/lib/onlyoffice/documentserver/App_Data/cache/files — this is the open() that
# fails with "13: Permission denied" in the error log.
location ~* ^(\/cache\/files.*)(\/.*) {
  alias /var/lib/onlyoffice/documentserver/App_Data$1;
  add_header Content-Disposition "$arg_disposition; filename*=UTF-8''$arg_filename";

  # Shared secret for the signed links, stored as a literal in this file: treat the
  # file as sensitive. NOTE(review): it must match whatever component signs the
  # links — confirm before changing it.
  set $secret_string verysecretstring;
  # Link is valid when md5 == MD5(expires + uri + secret) and `expires` is in the future.
  secure_link $arg_md5,$arg_expires;
  secure_link_md5 "$secure_link_expires$uri$secret_string";

  # Empty: missing or mismatched signature.
  if ($secure_link = "") {
    return 403;
  }

  # "0": signature valid but the link has expired.
  if ($secure_link = "0") {
    return 410;
  }
}

# Allow internal service only from 127.0.0.1
# Behind the Docker bridge the client address nginx sees is the gateway (192.168.16.1 in
# the logs above), so requests arriving through the proxy are denied here as intended.
location ~* ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?\/(info|internal)(\/.*)$ {
  allow 127.0.0.1;
  deny all;
  proxy_pass http://docservice/$2$3;
}

# Default: everything not matched above goes to the document service.
location / {
  proxy_pass http://docservice;
}

# WebSocket/long-lived editing endpoints need HTTP/1.1 to the upstream.
location ~ ^(\/[\d]+\.[\d]+\.[\d]+[\.|-][\d]+)?(\/doc\/.*) {
  proxy_pass http://docservice$2;
  proxy_http_version 1.1;
}

location /6.2.2-21/ {
  proxy_pass http://docservice/;
}

The full nginx error log output is here:

full_log_nginx_error.zip

@Robin-Sch

did you manage to fix this?
