You can configure IP filter for ONLYOFFICE Docs.
The IP filter settings are stored in the ONLYOFFICE Docs configuration file: /etc/onlyoffice/documentserver/default.json
. They look like this:
"ipfilter": {
"rules": [
{
"address": "ip_address",
"allowed": true
},
{
"address": "*",
"allowed": false
}
],
"useforrequest": false,
"errorcode": 403
}
If you change the parameters in the default.json
file, all the changes will be lost after the ONLYOFFICE Docs update or Docker container restart. To ensure that your changes persist after the update, please edit the /etc/onlyoffice/documentserver/local.json
file preserving the structure.
A rule consists of two parts: the host name and the allowed
rule itself which has the true
of false
value. By default, one rule exists: address * allowed true
.
An address can be specified in the following ways:
- An IP address in the
X.X.X.X
format for ipv4.
- An IP address in the
xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx
format for ipv6.
- A DNS name.
It's also possible to use the *
wildcard character. It replaces any character any number of times.
The host name in links is checked as a DNS address at first, if it does not match any rule, the IP address is found by the name and the check is performed once again.
ImportantIf the "useforrequest": true
check is enabled, the address
parameter must be specified as an IP address, not a DNS name.
"useforrequest": true/false
By default, the useforrequest
parameter is set to false
. In this case, the text URLs which come to ONLYOFFICE Docs as parameters are checked:
If the useforrequest
parameter is set to true
(not recommended), the client IP address in the following http requests is additionally checked:
coauthoring/CommandService.ashx
ConvertService.ashx
converter
FileUploader.ashx
healthcheck
docbuilder
info/info.json
internal/cluster/inactive
hosting/discovery
hosting/capabilities
lool/convert-to/:format?
dummyCallback
For these requests, an error is returned with the code specified in the errorcode
parameter.
ImportantOnly the IP address of the storage that ONLYOFFICE Docs can see (taking into account the x-forwarded headers) is checked.
E.g., if ONLYOFFICE Docs and the test example are installed on the same machine, the client IP address will be the address of the internal network. ONLYOFFICE Docs can't find out the host of the client, so it's not possible to use a DNS name in the address
field with this setting. It's recommended to leave this setting with the default value and perform checks at the proxy level.