Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
513 changes: 513 additions & 0 deletions modules/admin_manual/pages/configuration/envvars/envvars.adoc

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
Expand Up @@ -14,12 +14,10 @@ By default, the folder containing the relevant configuration is not part of the

[source,docker]
----
/var/www/owncloud/resources --> <mount-point-resources>
/var/www/owncloud/core/img/filetypes --> <mount-point-filetypes>
<mount-point-resources> --> /var/www/owncloud/resources
<mount-point-filetypes> --> /var/www/owncloud/core/img/filetypes
----



The folder for the ownCloud config is already a mounted Docker volume and accessible under `<mount-point>/config`.

== Mimetype Aliases
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ ownCloud supports the preview generation of file types such as PDF, SVG or vario

IMPORTANT: Be careful enabling preview thumbnail generation for documents which could contain or reference executable code! ownCloud does NOT take any responsibility for any issues.

IMPORTANT: The ownCloud Docker image provides the `imagick` PHP extension but not the ImageMagick binary, which is required for an enhanced configuration. To resolve this, you need to create a custom image that installs this requirement manually. Please note that other binaries may be required; these are listed in the relevant sections below.

== Important Considerations

. Rendering takes place when the user accesses the folder and the preview has not been generated before. This means that each first folder access may create additional load on the server.
Expand Down Expand Up @@ -60,11 +62,9 @@ If you want to add or change the default list, you MUST define all elements. If

When defining your own preview providers, some things need to be considered. For some file types, ownCloud uses ImageMagick to generate previews.

IMPORTANT: The ownCloud Docker Image provides the `imagic` php extension, but not the ImageMagick binary. To mitigate this issue, you need to manually create an image that installs this requirement. Please note that other binaries may be required, which are listed in the relevant sections below.

Starting with version 7 of ImageMagick, additional file formats like SVG or HEIC and many others can be processed.

You can check your ImageMagick version installed in your image by issuing the following command:
You can check your ImageMagick version, if installed in your image, by issuing the following command:

[source,docker]
----
Expand Down
51 changes: 51 additions & 0 deletions modules/admin_manual/pages/configuration/important_notes.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
= Important Configuration Notes
:toc: right
:page-aliases: installation/configuration_notes.adoc
:description: This page provides some important configuration notes.

== Introduction

{description}

Due to this version's Docker-only approach, some aspects of configuring your ownCloud Classic Server have changed. With a few exceptions, using environment variables is the only way to configure the instance.

== Environment Variables

The majority of config keys that are provided by ownCloud can be found in the xref:configuration/envvars/envvars.adoc[Environment Variables] documentation. For the few exceptions, the traditional configuration key approach must be used. The documentation for the configuration keys also refers to the corresponding environment variables.

== Using Configuration Keys

IMPORTANT: This approach should only be used if there is no environment variable available. This is noted in the relevant section of the documentation.

=== Preparation

In order to add configuration keys instead of using environment variables, some preparation is required.

* Change to the mounted docker volume where the configuration is stored.
+
[source,bash]
----
cd <mount_point>/config
----

* Next, create a new file with the same owner and permissions as the existing files. The naming must follow the scheme `<name>.config.php`. Replace `<name>` with the name of choice but consider that the order in which configuration files are read is alphabetical.
+
IMPORTANT: If a key/value pair exists in a file, it will take precedence over any existing ones defined in a config file that is read earlier. It is therefore crucial that you use a name that makes the file last read.

* This file must have the following mandatory content:
+
[source,php]
----
<?php
$CONFIG = array (

);
----

=== Add own Configuration Keys

Once you have finished preparing the file, you can add the relevant configuration keys manually.

* Add your configuration keys and values to the array as usual.
+
CAUTION: Be careful not to overwrite any existing values from other files defined via environment variables. These variables are activated and configured when the container starts up.
Original file line number Diff line number Diff line change
Expand Up @@ -314,6 +314,24 @@ These appear on the User page, on user's Personal pages and are used by some app
'allow_user_to_change_mail_address' => true,
....

=== Allow or disallow the group administrator (subadmin) feature
`true` allows administrators to delegate user management of specific groups
to non-admin users (group admins / subadmins).

`false` (default) disables the feature entirely: existing group-admin
assignments are ignored and no new ones can be created.

SECURITY NOTE: this feature is disabled by default as a risk-mitigation.
Only enable it if you require delegated group administration and understand
that group admins can manage users within their groups.

==== Code Sample

[source,php]
....
'allow_subadmins' => false,
....

=== Define the lifetime of the remember-login cookie
The remember-login cookie is set when the user clicks the `remember` checkbox
on the login screen. The default is 15 days, expressed in seconds.
Expand Down Expand Up @@ -1619,6 +1637,7 @@ server configuration above and perform HA on the hostname.
Redis Cluster support requires the php module phpredis in version 3.0.0 or higher.

Available failover modes:

- \RedisCluster::FAILOVER_NONE - only send commands to primary nodes (default)
- \RedisCluster::FAILOVER_ERROR - failover to replicas for read commands if primary is unavailable
- \RedisCluster::FAILOVER_DISTRIBUTE - randomly distribute read commands across primary and replica nodes
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,8 @@

Login policies will emit a `failed login` event if the user isn't allowed to log in.

// if there will be no one envvar for loginPolicy.groupLoginPolicy.forbidMap , we need to add: include::partial$manual_config_file.adoc[]

== Use Cases

Login policies can be used to restrict members of particular groups to use only particular login types. This is especially true for guest users as they do not have an ownCloud account and cannot be validated via OpenID Connect but can log in using their email and password.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -173,14 +173,16 @@ In general, when using this authentication method, the user and the password use
* The username is the same as the `user id` of the ownCloud session. +
For example, ownCloud user "Alice" with password "mysecret" (or even without password) will use "Alice" as username and the password from the config.php file to access the storage. Note that for LDAP, the `user id` is usually like _1223-cbdf-cacc-1234...,_ unless the configuration in the user_ldap app is changed.

* The password will be fetched from a key inside the config.php file. +
For details see the section below. Even if the account doesn't have a password like OAuth or OpenIDConnect, etc., the connection with the storage will use the password from config.php.
* The password will be fetched from a key inside the configuration file. +
For details see the section below. Even if the account doesn't have a password like OAuth or OpenIDConnect, etc., the connection with the storage will use the password from the configuration file.
+
NOTE: The password will be the same for any user accessing the particular mount!

==== Defining key/value pairs in config.php

Key/value pairs in config.php must have the following structure:
include::partial$manual_config_file.adoc[]

Key/value pairs in the configuration file must have the following structure:

.Example having a single array
[source,php]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@

With the Kerberos app, you can reuse the authentication ticket generated from a user's Windows domain login for ownCloud and access file server resources via ownCloud without re-authentication.

IMPORTANT: The Docker image does not provide the required Kerberos `krb5` PHP extension and the `krb5-user` CLI tool. This tool is an actual requirement, the Kerberos implementation in the WND app requires the `kvno` command which is contained in the package installed. To mitigate this issue, you need to manually create an image that installs and enables these requirements. Please note that the app will not enable unless the `kvno` tool exists.

include::partial$manual_config_file.adoc[]

== General Information

When using the Kerberos app, the Windows login session from the user is taken to log in to ownCloud. This is very convenient, as the user does not need to re-authenticate for using ownCloud as he already has authenticated to his Domain. In addition by using the Kerberos ticket, the user can also use file resources via the xref:enterprise/external_storage/windows-network-drive_configuration.adoc[Windows Network Drive (WND)] app without the need to re-authenticate. This generates a seamless user experience. This is done by the configuration made, which enables the webserver to make the ticket available for PHP for further processing.
Expand Down Expand Up @@ -135,10 +139,6 @@ The administration server. This is typically the same as the LDAP/Active Directo
** If this is not the case, you need to https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member[Setting up Samba as a Domain Member].
////

* {empty}
+
IMPORTANT: The Docker image does not provide the required Kerberos `krb5` PHP extension and the `krb5-user` CLI tool. This tool is an actual requirement, the Kerberos implementation in the WND app requires the `kvno` command which is contained in the package installed. To mitigate this issue, you need to manually create an image that installs and enables these requirements.

* DNS records +
Create a DNS record for the public FQDN of the ownCloud instance (`<FQDN>`).
** If there is only a single web site on the web server, the simplest option is to make sure that the public URL of the site is the same as the FQDN of the server configured in the `/etc/hosts` configuration file. Create an A DNS record for this FQDN pointing directly to the server’s IP address.
Expand Down Expand Up @@ -442,7 +442,7 @@ Tickets destroyed
Note that if you issue this command during regular operation, all sessions for users using ownCloud with Kerberos will end and need to re-login.
--

. Create a new ownCloud config file `/path-to-owncloud/config/kerberos.config.php` with the following contents or add only the comment and key to an existing `config.php` file. More Kerberos config options can be found in the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-kerberos[Config Apps Sample] description:
. Add the following contents to your own config file. More Kerberos config options can be found in the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-kerberos[Config Apps Sample] description:
+
--
[source,php]
Expand All @@ -456,7 +456,6 @@ Note that if you issue this command during regular operation, all sessions for u
];
----
--
A new file will be read xref:configuration/server/config_sample_php_parameters.adoc#introduction[additionally] to existing config files. See the xref:configuration/server/config_apps_sample_php_parameters.adoc[Apps Config.php Parameters] for more Kerberos configuration options.

////
=== Webserver Side
Expand All @@ -479,15 +478,6 @@ A new file will be read xref:configuration/server/config_sample_php_parameters.a

See the https://modauthkerb.sourceforge.net/configure.html[mod-auth-kerb,window=_blank] documentation for more details on the settings used.
--

* Restart Apache:
+
--
[source,bash]
----
sudo apachectl -k graceful
----
--
////

== Browser Prerequisites
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,17 @@
:secure-view-label: Secure View (with watermarks)
:page-aliases: collabora_online_integration.adoc, enterprise/collaboration/index.adoc

////

Secure View is under review.
The required marketplace app is not in ownClouds responsibility but a necessity for the functionality.
If the functionality is dropped, a new OC image is provided no longer showing the sec view capabilities.
Note that in this case, we ned to also remove entries in config.apps.samle (richdocuments) and do a config-to-docs run.
Then we can remove the page, all of the images related and all occ commands that manage sec view (richdocuments).
If the functionality is kept, the app needs to be OC11 ready and either provided in the image or downloadable.

////

== Introduction

Collabora Online allows you to work with all kinds of Collabora office documents directly in your browser. This application can connect to a Collabora Online (or other) server (WOPI-like client) where ownCloud is the WOPI host.
Expand Down Expand Up @@ -33,7 +44,6 @@ If a file or folder has been shared multiple times to different groups with diff

== Prerequisites

* ownCloud *10.3* or above
* _Enterprise Edition_
* {oc-marketplace-url}/apps/richdocuments[ownCloud Collabora Online] app version *2.2.0* or above
* Collabora Online Server *4.0.10* or above, set up and integrated
Expand Down Expand Up @@ -67,15 +77,15 @@ NOTE: Admins can specify that all shares are "_secure view_" by default and that

When "_{secure-view-label}_" is enabled, any attempts to download the file will be blocked as shown in the screenshot below. In addition, copy & paste is disabled.

image:enterprise/collaboration/access-denied.png[Access denied to a document when it is protected by secure view, width=80%]
image:enterprise/collaboration/access-denied.png[Access denied to a document when it is protected by secure view, width=350]

== Limitations and Security Hardening

To make sure that the secure view feature is deployed securely and cannot be circumvented, it is important to disable the following extensions:
To ensure the Secure View feature is deployed securely and cannot be bypassed, disable the following apps if they were enabled beforehand:

* {oc-marketplace-url}/apps/onlyoffice[ONLYOFFICE]
* {oc-marketplace-url}/apps/wopi[Microsoft Office Online]
* {oc-marketplace-url}/apps/files_texteditor[Text editor]
* ONLYOFFICE
* Microsoft Office Online
* Text editor

Additionally, you might want to _disable public link sharing_ via menu:Settings[Admin > Sharing > Allow users to share via link] so that users cannot accidentally share files publicly without secure view protection.

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
= Microsoft Office Online / WOPI Integration
:toc: right
:toclevels: 1
:msoffice-online-server-url: https://www.microsoft.com/en-us/microsoft-365/blog/2016/05/04/office-online-server-now-available/
:office365-url: https://products.office.com/en-us/business/office
:wopi-protocol-url: https://docs.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/
Expand All @@ -27,7 +26,6 @@ Please bear in mind:
* WOPI is only available for ownCloud enterprise. It _is not available_ in the community version.
* Out-of-the box only the on-premise version of Microsoft Office Online Server is supported.
* If you want to integrate the {office365-url}[Office 365 (cloud)] version of Microsoft Office Online, you need to {oc-support-url}[get in touch with us].
* This app requires at minimum ownCloud Version 10.5 and php 7.1.
====

== Procedure using Microsoft 365
Expand All @@ -52,9 +50,9 @@ All involved servers (Office Online Server and the ownCloud server) need to be a

== Configuring the WOPI App in ownCloud

To configure the WOPI app in your ownCloud installation, add the following configuration to `config/config.php`, and adjust it based on the details of your setup:
To configure the WOPI app in your ownCloud installation, add the following environment variables, adjusting them as necessary based on the details of your setup:

[source,php,subs="post_replacements,attributes+"]
[source,.env,subs="post_replacements,attributes+"]
----
# ownCloud Support URL: {oc-support-url}

Expand All @@ -63,7 +61,7 @@ To configure the WOPI app in your ownCloud installation, add the following confi
# For Office 365 (cloud): Request the string from us
# (this has to match the `O365_PROXY_SHARED_KEY`
# configuration of the O365 proxy)
'wopi.token.key' => 'REPLACE_WITH_WOPI_TOKEN_KEY'
OWNCLOUD_WOPI_TOKEN_KEY=<REPLACE_WITH_WOPI_TOKEN_KEY>

# Office server URL
# For Office Online Server: Enter your https://your.office.online.server.tld
Expand All @@ -73,35 +71,35 @@ To configure the WOPI app in your ownCloud installation, add the following confi
# https://ffc-onenote.officeapps.live.com/hosting/discovery
# For Office 365 production upstream URL:
# https://onenote.officeapps.live.com/hosting/discovery
'wopi.office-online.server' => 'https://THE_OFFICE_SERVER_URL',
OWNCLOUD_WOPI_OFFICE_ONLINE_SERVER='https://THE_OFFICE_SERVER_URL'

# Proxy URL
# Only for Office 365 (cloud), not needed for Office Online Server
# URL of the O365 proxy instance.
# Note that you will get a working URL from ownCloud Support
# post a written declaration that your company has an eligible
# Microsoft Business contract.
'wopi.proxy.url' => 'https://o365.example.com',
OWNCLOUD_WOPI_PROXY_URL='https://o365.example.com'

# Enable Business Flow
# Only for Office 365 (cloud), not needed for Office Online Server
# Necessary for the O365 proxy key above.
'wopi.business-flow.enabled' => 'yes',
OWNCLOUD_WOPI_BUSINESS_FLOW_ENABLED=yes

# Samesite Cookie
# Only for Office 365 (cloud), not needed for Office Online Server
# Necessary to allow e.g. opening ownCloud sharing from O365.
# Use `None` if you are using OpenID Connect.
'http.cookie.samesite' => 'Lax',
OWNCLOUD_HTTP_COOKIE_SAMESITE=Lax
----

== Restrict Usage to Users in a Specific Group

Microsoft Office Online access can be restricted to users in a specific group, by use of the `wopi_group` configuration key (in `config/config.php`), as in the following example.
Access to Microsoft Office Online can be restricted to users in a specific group by using the `OWNCLOUD_WOPI_GROUP` environment variable, as shown in the following example:

[source,php]
[source,.env]
----
'wopi_group' => 'admin'
OWNCLOUD_WOPI_GROUP=admin
----

In the example above, only users in the `admin` group would be able to access Microsoft Office Online.
Expand All @@ -118,7 +116,7 @@ You can always click on the lock icon next to your file name and unlock it manua

=== Lock Timeout

If a user is editing a file and loses their internet connection, the lock will timeout, freeing the lock after 30 minutes. Refer to {wopi-timeout-documentation-url}[the WOPI documentation] for further information.
If a user is editing a file and loses their internet connection, the lock will timeout, freeing the lock after 30 minutes. Refer to the {wopi-timeout-documentation-url}[WOPI documentation] for further information.

== Known Issues

Expand Down
Loading