ONLYOFFICE: A Beginner’s Guide to Getting Started

How to Securely Host ONLYOFFICE on Your Own ServerHosting ONLYOFFICE on your own server gives you full control over document storage, user access, and privacy. This guide walks through planning, preparation, secure installation, hardening, backup, monitoring, and maintenance so you can run a reliable, secure ONLYOFFICE deployment.

---

Why self-host ONLYOFFICE?

Self-hosting provides several advantages:

• Full control over data and where it’s stored.
• Integration flexibility with your authentication, storage, and workflows.
• Cost predictability for large teams or organizations that already operate infrastructure.
• Compliance with internal or regulatory requirements.

---

High-level architecture options

Choose the architecture that fits your scale and resources:

• Single VM (small teams): ONLYOFFICE Document Server + Community Server (or integration with Nextcloud/ownCloud) on one virtual machine. Simple but limited in redundancy.
• Multi-VM (production): Separate Document Server, Community Server, database (PostgreSQL), and reverse proxy/load balancer. Enables scaling and isolation.
• Containers/Kubernetes: Docker Compose for small-medium setups; Kubernetes for large, highly available deployments. Best for automated scaling and rolling upgrades.

---

Prerequisites

Hardware (approximate; adjust by team size and usage):

• Small (≤10 concurrent editors): 2 vCPU, 4–8 GB RAM, 50–100 GB disk.
• Medium (10–50 concurrent): 4–8 vCPU, 16–32 GB RAM, 200+ GB disk.
• Large (50+ concurrent): 8+ vCPU, 32+ GB RAM, NVMe storage, separate DB cluster.

Software:

• Linux distribution (Debian/Ubuntu/CentOS/RHEL recommended).
• ONLYOFFICE Document Server (Docker or native packages).
• ONLYOFFICE Community Server or integration platform (Nextcloud, ownCloud).
• PostgreSQL (recommended) or MySQL/MariaDB for Community Server.
• Nginx (reverse proxy) or Apache, certbot for TLS.
• Fail2ban, UFW/iptables.
• Monitoring tools (Prometheus, Grafana, or simpler options like Netdata).

Networking:

• Static IP or reserved private IP.
• DNS records (A/AAAA) and PTR if external access is required.
• Firewall rules to allow necessary ports only (⁄₄₄₃ external; internal ports restricted).

---

Installation overview (Docker Compose example)

Use Docker Compose for reproducible deployments. This example focuses on Document Server + Community Server with Nginx reverse proxy. Modify volumes and environment variables to match your environment.

1. Prepare directories:

   /opt/onlyoffice/documentserver /opt/onlyoffice/communityserver /opt/onlyoffice/nginx 

2. Create a Docker Compose file (illustrative — adapt before running): “`yaml version: “3.7” services: onlyoffice-document-server: image: onlyoffice/documentserver:latest restart: unless-stopped ports:

    - "8000:80" 

   environment:

    - JWT_ENABLED=true  - JWT_SECRET=replace_with_strong_secret 

   volumes:

    - /opt/onlyoffice/documentserver/logs:/var/log/onlyoffice  - /opt/onlyoffice/documentserver/data:/var/www/onlyoffice/Data 

onlyoffice-communityserver:

image: onlyoffice/communityserver:latest restart: unless-stopped environment:   - DB_TYPE=postgres   - DB_HOST=onlyoffice-db   - DB_NAME=onlyoffice   - DB_USER=oo_user   - DB_PASS=strong_db_password   - JWT_ENABLED=true   - JWT_SECRET=replace_with_strong_secret depends_on:   - onlyoffice-db volumes:   - /opt/onlyoffice/communityserver/logs:/var/log/onlyoffice   - /opt/onlyoffice/communityserver/data:/var/www/onlyoffice/Data 

onlyoffice-db:

image: postgres:15 restart: unless-stopped environment:   - POSTGRES_DB=onlyoffice   - POSTGRES_USER=oo_user   - POSTGRES_PASSWORD=strong_db_password volumes:   - /opt/onlyoffice/db:/var/lib/postgresql/data 

nginx:

image: nginx:stable restart: unless-stopped ports:   - "80:80"   - "443:443" volumes:   - /opt/onlyoffice/nginx/conf.d:/etc/nginx/conf.d   - /opt/onlyoffice/nginx/certs:/etc/letsencrypt depends_on:   - onlyoffice-document-server   - onlyoffice-communityserver 

”`

1. Configure Nginx as TLS terminator and reverse proxy, using strong TLS settings and proxy buffering tuned for large file uploads. Use Certbot (Let’s Encrypt) or your CA for certificates.

---

Secure configuration details

Authentication and tokens

• Enable JWT between Community Server and Document Server. Use long, random secrets and store them securely (not in plain env files).
• Prefer external identity providers (LDAP/Active Directory, SAML, OIDC) for centralized auth and MFA support.

TLS

• Enforce TLS 1.2+ (prefer 1.3) with modern ciphers (AEAD suites). Disable old protocols (TLS 1.0/1.1).
• Use HSTS with an appropriate max-age and includeSubDomains after confirming all subdomains support HTTPS.
• Redirect HTTP to HTTPS.

Network & firewall

• Block all unused ports. Expose only ⁄₄₄₃ to the internet.
• Restrict internal service ports to the management network or localhost.
• Use VPN or private network links for admin access to control plane when feasible.

OS and container hardening

• Keep host OS and container images updated. Use minimal base images.
• Run containers as non-root where possible and set user namespaces.
• Use read-only root filesystem for containers and mount only needed volumes.
• Set resource limits (CPU/memory) for containers.

Database security

• Use strong passwords and restrict DB access to the application host(s).
• Enable PostgreSQL SSL connections between app and DB.
• Regularly rotate DB credentials.

Secrets management

• Don’t store secrets in repository or plain environment files. Use a secrets manager (Vault, AWS Secrets Manager, HashiCorp Vault) or Docker secrets/Kubernetes Secrets with encryption at rest.

File storage and permissions

• Store user documents on dedicated storage with proper permissions and quotas.
• If using NFS/SMB, secure those mounts, use Kerberos where possible, and enforce network-level access controls.

Upload & file scanning

• Implement antivirus/antimalware scanning for uploads (ClamAV, commercial scanners, or gateway scanning).
• Limit file types/extensions if applicable and enforce size limits.

Rate limiting & brute-force protection

• Use fail2ban or web application firewall (WAF) to block suspicious login patterns.
• Configure rate limiting on the reverse proxy for authentication endpoints.

Logging and audit

• Centralize logs (ELK/EFK, Loki) and protect log integrity.
• Enable audit logging in Community Server and Document Server where available.
• Keep logs long enough for incident investigations but manage retention for storage/privacy.

---

Backup and disaster recovery

• Regularly back up PostgreSQL (pg_dump or physical backups) and ONLYOFFICE Data directories.
• Test restores periodically; ensure backup retention policy meets your recovery point/time objectives (RPO/RTO).
• Keep off-site or cloud copies of critical backups.
• Consider snapshot-based backups for fast restores, but still retain logical backups for corruption recovery.

---

Monitoring and alerting

• Monitor service health (HTTP 200 checks), CPU, memory, disk usage (esp. storage used by documents), and DB metrics.
• Track application-specific metrics (active editors, conversion queue length).
• Set alerts for thresholds (disk > 70–80%, CPU sustained high, DB replication lag).
• Use automated tooling to restart crashed containers and notify ops.

---

Operational practices

• Apply security patches promptly; have a maintenance window for major upgrades.
• Use blue/green deployments or rolling updates to reduce downtime.
• Maintain documentation for deployment, recovery procedures, and runbooks.
• Limit admin accounts and use role-based access control (RBAC) for operations.
• Conduct periodic security assessments and penetration tests.

---

Example hardening checklist (quick)

• Enable JWT and use a strong secret.
• Enforce HTTPS only with HSTS.
• Restrict database access and enable DB SSL.
• Run containers as non-root and limit capabilities.
• Use a WAF and fail2ban for brute-force protection.
• Centralize logs and enable audit logging.
• Implement regular backups and test restores.
• Monitor metrics and set alerts.

---

Common pitfalls and how to avoid them

• Weak secrets in environment files — use a secrets manager.
• Exposing internal ports publicly — limit firewall rules.
• Neglecting backups or untested restores — schedule tests.
• Running outdated images/OS — automate updates and scans.
• Skipping TLS or allowing weak ciphers — enforce modern TLS configurations.

---

Further resources

Follow ONLYOFFICE official docs for the latest deployment options and configuration flags. Use Linux and container hardening guides (CIS Benchmarks) for OS-level security. For enterprise needs, consider a dedicated security review and managed services.

---

Secure hosting of ONLYOFFICE requires attention across network, application, storage, and operational practices. With proper architecture, TLS, authentication, secrets management, backups, and monitoring, you can run a private, efficient, and secure document collaboration platform.