feat: office deployment hardening #11339

jvillafanez · 2025-05-21T13:57:40Z

Description

Harden office installation:

The wopi server isn't expected to be exposed with Collabora or OnlyOffice (it might be needed for Microsoft, but it isn't covered here)
Connectivity between Collabora / OnlyOffice and the wopi server will be done through the docker network.
OnlyOffice will use IP filters:
- It's expected that you can only open documents from the collaboration-oo host (the wopi server for OnlyOffice).
- The editor is expected to be used without any change
The wopi server for OnlyOffice will use proof keys.

In general, you shouldn't need to change anything. If the installation worked before these changes, it should also work with this PR without touching anything else.
For new installations, you can still go through the regular installation steps. The only change is that you won't need to setup a domain for the wopiserver (so less things to do)

Note that this is just deployment changes and there is no code change involved.

Related Issue

#11325

Motivation and Context

Using both ip filters and the proof keys, it should help to harden the installation by making sure the requests come from trusted sources. Requests coming from untrusted sources should be rejected or ignored

How Has This Been Tested?

Quick test by uploading a .docx file and edit it in the office editor (both Collabora and OnlyOffice). There are no problems with the regular scenario and the changes are saved properly.

Screenshots (if appropriate):

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Technical debt
Tests only (no source changes)

Checklist:

Code changes
Unit tests added
Acceptance tests added
Documentation ticket raised:

update-docs · 2025-05-21T13:57:45Z

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

jvillafanez · 2025-05-21T14:00:03Z

Pinging @mmattel in case this is merged because it's probably doc relevant.

mmattel · 2025-05-22T06:40:50Z

@jp, yes this is docs relevant and many thanks for taking care. This eases the configuration and setup. I did an important change for collabora recently and added a changelog. Could you also add a changelog for this PR. Normally we dont do this for ocis_full, except for PR's like this one.

sonarqubecloud · 2025-05-22T07:23:34Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

feat: office deployment hardening

c0d2e7c

jvillafanez self-assigned this May 21, 2025

chore: add changelog entry

1a2524d

jvillafanez mentioned this pull request May 22, 2025

OnlyOffice JWT Secret #11325

Closed

jvillafanez requested review from 2403905 and kobergj June 10, 2025 10:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: office deployment hardening #11339

feat: office deployment hardening #11339

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

feat: office deployment hardening #11339

Are you sure you want to change the base?

feat: office deployment hardening #11339

Uh oh!

Conversation

Description

Related Issue

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

Checklist:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Quality Gate passed

Uh oh!

Uh oh!