upgrade version from 9.1.0 to 9.1.1

build/install/deb/Files/god/conf.d/nginx.god

@@ -7,11 +7,12 @@ God.watch do |w|
   w.restart = "/etc/init.d/nginx restart"
   w.pid_file = "/var/run/nginx.pid"
   w.behavior(:clean_pid_file)
-
+  w.keepalive
+
   w.start_if do |start|
       start.condition(:process_running) do |c|
         c.interval = 10.seconds
         c.running = false
       end
     end
-end
+end

build/install/deb/Files/nginx/includes/onlyoffice-communityserver-common-init.conf.template

@@ -0,0 +1,43 @@
+upstream fastcgi_backend {
+        server unix:/var/run/onlyoffice/onlyoffice.socket;
+        keepalive 32;
+}
+
+server {
+        listen 80;
+
+        fastcgi_keep_conn on;
+        fastcgi_index   Default.aspx;
+        fastcgi_intercept_errors on;
+
+
+        include fastcgi_params;
+
+        fastcgi_param HTTP_X_REWRITER_URL $http_x_rewriter_url;
+        fastcgi_param SERVER_NAME $host;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO "";
+
+        fastcgi_read_timeout    600;
+        fastcgi_send_timeout    600;
+
+
+        location / {
+                root    /var/www/onlyoffice/WebStudio/;
+                expires           0;
+                add_header        Cache-Control no-cache;
+                rewrite ^(.*)$ /StartConfigure.htm  break;
+        }
+
+	location /api {
+		fastcgi_pass fastcgi_backend;
+		break;
+	}
+
+        location  ~* ^/(warmup[2-9]?)/ {
+		rewrite /warmup([^/]*)/(.*) /$2 break;
+                fastcgi_pass unix:/var/run/onlyoffice/onlyoffice$1.socket;
+        }
+}
+
+

build/install/deb/Files/nginx/includes/onlyoffice-communityserver-common-ssl.conf.template

@@ -0,0 +1,120 @@
+upstream fastcgi_backend_apisystem {
+        server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
+        keepalive 32;
+}
+
+upstream fastcgi_backend {
+	server unix:/var/run/onlyoffice/onlyoffice.socket;
+	keepalive {{ONLYOFFICE_NIGNX_KEEPLIVE}};
+}
+
+fastcgi_cache_path /var/cache/nginx/onlyoffice
+	levels=1:2
+	keys_zone=onlyoffice:16m
+	max_size=256m
+	inactive=1d;
+
+geo $ip_external {
+     default 1;
+     {{DOCKER_ONLYOFFICE_SUBNET}} 0;
+     127.0.0.1 0;
+}
+
+map $http_host $this_host {
+  "" $host;
+  default $http_host;
+}
+
+map $http_x_forwarded_proto $the_scheme {
+  default $http_x_forwarded_proto;
+  "" $scheme;
+}
+
+map $http_x_forwarded_host $the_host {
+  default $http_x_forwarded_host;
+  "" $this_host;
+}
+
+## Normal HTTP host
+server {
+	listen 0.0.0.0:80;
+	listen [::]:80 default_server;
+	server_name _;
+	server_tokens off;
+
+        root /nowhere; ## root doesn't have to be a valid path since we are redirecting
+
+        location / {
+	        if ($ip_external) {
+	                ## Redirects all traffic to the HTTPS host
+      		         rewrite ^ https://$host$request_uri? permanent;
+                }
+
+
+                client_max_body_size 100m;
+
+                proxy_pass https://127.0.0.1;
+                proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Host $server_name;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_ssl_verify off;
+        }
+}
+
+## HTTPS host
+server {
+	listen 0.0.0.0:443 ssl http2;
+	listen [::]:443 ssl http2 default_server;
+	server_tokens off;
+	root /usr/share/nginx/html;
+
+	## Increase this if you want to upload large attachments
+	client_max_body_size 100m;
+
+	## Strong SSL Security
+	## https://cipherli.st/
+	ssl on;
+	ssl_certificate {{SSL_CERTIFICATE_PATH}};
+	ssl_certificate_key {{SSL_KEY_PATH}};
+	ssl_verify_client {{SSL_VERIFY_CLIENT}};
+	ssl_client_certificate {{CA_CERTIFICATES_PATH}};
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+	ssl_session_cache shared:SSL:10m;
+	ssl_session_tickets off; # Requires nginx >= 1.5.9
+
+	add_header Strict-Transport-Security "max-age={{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}; includeSubDomains; preload" always;
+#	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
+	add_header Access-Control-Allow-Origin *;	
+
+	## [Optional] If your certficate has OCSP, enable OCSP stapling to reduce the overhead and latency of running SSL.
+	## Replace with your ssl_trusted_certificate. For more info see:
+	## - https://medium.com/devops-programming/4445f4862461
+	## - https://www.ruby-forum.com/topic/4419319
+	## - https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_trusted_certificate {{SSL_OCSP_CERTIFICATE_PATH}};
+	resolver 8.8.8.8 8.8.4.4 127.0.0.11 valid=300s; # Can change to your DNS resolver if desired
+	resolver_timeout 10s;
+
+	## [Optional] Generate a stronger DHE parameter:
+	## cd /etc/ssl/certs
+	## sudo openssl dhparam -out dhparam.pem 4096
+	##
+	ssl_dhparam {{SSL_DHPARAM_PATH}};
+
+        include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
+}
+
+
+

build/install/deb/Files/nginx/includes/onlyoffice-communityserver-common.conf.template

@@ -0,0 +1,38 @@
+upstream fastcgi_backend_apisystem {
+        server unix:/var/run/onlyoffice/onlyofficeApiSystem.socket;
+        keepalive 32;
+}
+
+upstream fastcgi_backend {
+	server unix:/var/run/onlyoffice/onlyoffice.socket;
+	keepalive {{ONLYOFFICE_NIGNX_KEEPLIVE}};
+}
+
+fastcgi_cache_path /var/cache/nginx/onlyoffice
+	levels=1:2
+	keys_zone=onlyoffice:16m
+	max_size=256m
+	inactive=1d;
+
+map $http_host $this_host {
+  "" $host;
+  default $http_host;
+}
+
+map $http_x_forwarded_proto $the_scheme {
+  default $http_x_forwarded_proto;
+  "" $scheme;
+}
+
+map $http_x_forwarded_host $the_host {
+  default $http_x_forwarded_host;
+  "" $this_host;
+}
+
+server {
+	listen 80;
+
+	add_header Access-Control-Allow-Origin *;
+
+        include /etc/nginx/includes/onlyoffice-communityserver-*.conf;
+}

build/install/deb/Files/nginx/includes/onlyoffice-communityserver-nginx.conf.template

@@ -0,0 +1,32 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+    include /etc/nginx/sites-enabled/*;
+    include /etc/nginx/conf.d/*.conf;
+}
+

build/install/deb/Files/tools/default-onlyoffice-ssl.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+if [ ! -f /var/www/onlyoffice/Data/certs/dhparam.pem ]; then
+        sudo openssl dhparam -out dhparam.pem 2048
+
+        mv dhparam.pem /var/www/onlyoffice/Data/certs/dhparam.pem;
+fi
+
+DOCKER_ONLYOFFICE_SUBNET=$(ip -o -f inet addr show | awk '/scope global/ {print $4}');
+
+cp /etc/nginx/includes/onlyoffice-communityserver-common-ssl.conf.template default-onlyoffice-ssl.conf;
+
+SSL_CERTIFICATE_PATH="/var/www/onlyoffice/Data/certs/onlyoffice.crt"
+SSL_KEY_PATH="/var/www/onlyoffice/Data/certs/onlyoffice.key"
+ONLYOFFICE_SERVICES_DIR="/var/www/onlyoffice/Services"
+
+sed "s,{{SSL_CERTIFICATE_PATH}},${SSL_CERTIFICATE_PATH}," -i default-onlyoffice-ssl.conf;
+sed "s,{{SSL_KEY_PATH}},${SSL_KEY_PATH}," -i default-onlyoffice-ssl.conf;
+sed 's,{{SSL_DHPARAM_PATH}},/var/www/onlyoffice/Data/certs/dhparam.pem,' -i default-onlyoffice-ssl.conf;
+sed 's,{{SSL_VERIFY_CLIENT}},off,' -i default-onlyoffice-ssl.conf;
+sed '/{{CA_CERTIFICATES_PATH}}/d' -i default-onlyoffice-ssl.conf;
+sed 's/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/63072000/' -i default-onlyoffice-ssl.conf;
+sed 's,{{DOCKER_ONLYOFFICE_SUBNET}},'"${DOCKER_ONLYOFFICE_SUBNET}"',' -i default-onlyoffice-ssl.conf;
+sed 's/{{ONLYOFFICE_NIGNX_KEEPLIVE}}/64/g' -i default-onlyoffice-ssl.conf;
+
+SSL_OCSP_CERTIFICATE_PATH="/var/www/onlyoffice/Data/certs/stapling.trusted.crt"
+
+# if dhparam path is valid, add to the config, otherwise remove the option
+if [ -r "${SSL_OCSP_CERTIFICATE_PATH}" ]; then
+        sed 's,{{SSL_OCSP_CERTIFICATE_PATH}},'"${SSL_OCSP_CERTIFICATE_PATH}"',' -i default-onlyoffice-ssl.conf;
+else
+        sed '/ssl_stapling/d' -i default-onlyoffice-ssl.conf;
+        sed '/ssl_stapling_verify/d' -i default-onlyoffice-ssl.conf;
+        sed '/ssl_trusted_certificate/d' -i default-onlyoffice-ssl.conf;
+        sed '/resolver/d' -i default-onlyoffice-ssl.conf;
+        sed '/resolver_timeout/d' -i default-onlyoffice-ssl.conf;
+fi
+
+# sed '/certificate/s/\(value\s*=\s*\"\).*\"/\1${SSL_CERTIFICATE_PATH}"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config
+# sed '/certificatePrivateKey/s/\(value\s*=\s*\"\).*\"/\1${SSL_KEY_PATH}"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config;
+# sed '/startTls/s/\(value\s*=\s*\"\).*\"/\1optional"\"/' -i ${ONLYOFFICE_SERVICES_DIR}/TeamLabSvc/TeamLabSvc.exe.Config;
+
+sed '/mail\.default-api-scheme/s/\(value\s*=\s*\"\).*\"/\1https\"/' -i /var/www/onlyoffice/Services/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config;
+
+mv default-onlyoffice-ssl.conf /etc/nginx/sites-enabled/onlyoffice
+
+service onlyofficeMailAggregator restart
+# service onlyofficeJabber restart
+service nginx reload

build/install/deb/Files/tools/default-onlyoffice.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+cp /etc/nginx/includes/onlyoffice-communityserver-common.conf.template default-onlyoffice.conf;
+
+sed 's/{{ONLYOFFICE_NIGNX_KEEPLIVE}}/64/g' -i default-onlyoffice.conf;
+sed '/mail\.default-api-scheme/s/\(value\s*=\s*\"\).*\"/\1http\"/' -i /var/www/onlyoffice/Services/MailAggregator/ASC.Mail.Aggregator.CollectionService.exe.config;
+
+mv default-onlyoffice.conf /etc/nginx/sites-enabled/onlyoffice
+
+service onlyofficeMailAggregator restart
+service nginx reload
+

build/install/deb/Files/tools/letsencrypt.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+_domains="";
+
+for arg; do
+    _domains="$_domains -d $arg";
+done
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+certbot certonly --expand --webroot -w /var/www/onlyoffice/Data/certs --noninteractive --agree-tos --email support@$1 $_domains;
+
+cp /etc/letsencrypt/live/$1/fullchain.pem /var/www/onlyoffice/Data/certs/onlyoffice.crt
+cp /etc/letsencrypt/live/$1/privkey.pem /var/www/onlyoffice/Data/certs/onlyoffice.key
+cp /etc/letsencrypt/live/$1/chain.pem /var/www/onlyoffice/Data/certs/stapling.trusted.crt
+
+cat > /etc/cron.d/letsencrypt <<END
+@weekly root certbot renew >> /var/log/le-renew.log
+@weekly root cp /etc/letsencrypt/live/$1/fullchain.pem /var/www/onlyoffice/Data/certs/onlyoffice.crt
+@weekly root cp /etc/letsencrypt/live/$1/privkey.pem /var/www/onlyoffice/Data/certs/onlyoffice.key
+@weekly root cp /etc/letsencrypt/live/$1/chain.pem /var/www/onlyoffice/Data/certs/stapling.trusted.crt
+@weekly root nginx reload
+END
+
+source $DIR/default-onlyoffice-ssl.sh

build/install/deb/debian/onlyoffice-communityserver.install

@@ -5,5 +5,6 @@ Files/god/* etc/god/
 Files/Services/* var/www/onlyoffice/Services/
 Files/WebStudio/* var/www/onlyoffice/WebStudio/
 Files/sql/* var/www/onlyoffice/Sql/
+Files/tools/* var/www/onlyoffice/Tools/
 Files/licenses/* usr/share/doc/onlyoffice-communityserver/licenses/
 Files/ApiSystem/* var/www/onlyoffice/ApiSystem/