ONLYOFFICE is an open-source platform that offers robust online document editors for texts, spreadsheets, and presentations, coupled with extensive productivity features like CRM, project management, calendar, mail, chat, and more. ONLYOFFICE Community Server is a collaboration-friendly open-source system under GNU GPL v3.0.
Security is a paramount concern today as we face constant threats from malicious activities, data breaches, unauthorized access attempts, and more.
ONLYOFFICE offers a comprehensive suite of security tools and services to safeguard your data:
- HTTPS for your private server, so traffic is encrypted whether or not you already possess an SSL certificate.
- JWT (JSON Web Token) technology that protects documents from unauthorized access, ensuring users only access permitted data.
- Two-factor authentication to thwart unauthorized access with verification codes sent by SMS.
- Trusted mail domains settings to allow email sign-ups only from selected mail servers.
- IP restriction settings to limit portal access to specific IPs.
- Cookie lifetime settings for automatic log-out after a chosen duration.
- Password strength settings to define minimum password length and character types, such as uppercase letters, digits, and special symbols.
- Access rights management for setting individual or group-based access rights to portal modules and data.
Additional security features available in ONLYOFFICE Enterprise Edition’s Control Panel include:
- Single sign-on;
- Login history;
- Audit trail;
- Automatic data backup and recovery.
This tutorial shows how to secure your ONLYOFFICE portal using HTTPS with Let’s Encrypt and two-factor authentication via Twilio.
Part 1. Activating HTTPS protocol with Let’s Encrypt
Step 1. Add Certbot ACME client to your server
You need shell access to your server to install both Certbot and the CA-signed certificate from Let’s Encrypt.
Use the drop-down menus at Certbot to select your server software and operating system for specific instructions.
Follow these instructions to install the Certbot ACME client.
Step 2. Generate and install CA-signed certificate
Execute the automated script:
bash /var/www/onlyoffice/Tools/letsencrypt.sh yourdomain.com subdomain1.yourdomain.com subdomain2.yourdomain.com
Replace yourdomain.com with your Community Server’s domain. Use subdomain1.yourdomain.com and subdomain2.yourdomain.com (or any other subdomains) for additional domains.
Check your portal to confirm it has been switched to HTTPS.
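One way to confirm the switch from the command line, as an added example that is not part of the ONLYOFFICE tooling: it fetches the certificate the portal serves and checks that it lists every domain passed to letsencrypt.sh and is not close to expiry. The function names are hypothetical, and OpenSSL 1.1.1 or later is assumed for the `-ext` option.

```shell
#!/usr/bin/env bash
# Added example (not ONLYOFFICE code). Function names are hypothetical.
# Usage: bash check_portal_tls.sh yourdomain.com subdomain1.yourdomain.com ...
# Assumes OpenSSL 1.1.1+ (for `x509 -ext`).

# Print the requested domains that the SAN list on stdin does NOT cover.
# stdin: text output of `openssl x509 -noout -ext subjectAltName`.
missing_sans() {
    local sans domain wildcard missing=""
    # Turn "DNS:a, DNS:b" into one bare name per line.
    sans=$(tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p')
    for domain in "$@"; do
        wildcard="*.${domain#*.}"   # a wildcard entry covers exactly one label
        if ! printf '%s\n' "$sans" | grep -qxF -e "$domain" -e "$wildcard"; then
            missing="$missing $domain"
        fi
    done
    printf '%s' "${missing# }"
}

# Fetch the leaf certificate served for host $1 (SNI set) as PEM.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Check the certificate served on the first domain against all domains given.
check_portal() {
    local primary="$1" pem missing status=0
    pem=$(fetch_cert "$primary") ||
        { echo "FAIL: no certificate served on $primary:443"; return 1; }
    printf '%s\n' "$pem" | openssl x509 -noout -issuer -enddate
    missing=$(printf '%s\n' "$pem" |
        openssl x509 -noout -ext subjectAltName | missing_sans "$@")
    if [ -n "$missing" ]; then
        echo "FAIL: certificate does not cover: $missing"; status=1
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "WARN: certificate expires within 30 days, check renewal"; status=1
    fi
    return "$status"
}

# Only touch the network when domains are given on the command line.
if [ "$#" -gt 0 ]; then check_portal "$@"; fi
```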
Part 2. Activating two-factor authentication via Twilio
Step 1. Open Third Party Services Settings
Go to the Settings section of your ONLYOFFICE portal by clicking the Settings icon at the top of the page or selecting it from the navigation menu.
Navigate to the Integration section and select the Third Party Services page.
Step 2. Connect Twilio to ONLYOFFICE
Select Twilio from the third-party services list and toggle the switch next to it. Integration settings will appear.
Retrieve your keys from the Twilio Console (ACCOUNT SID, AUTH TOKEN, and phone number). Enter these keys into the respective fields and click Enable to save the settings.
Step 3. Enable two-factor authentication
In the Integration section, proceed to Security -> Portal Access. Locate Two-factor authentication and click Enable. Save your settings.
Step 4. Log in to ONLYOFFICE
After enabling two-factor authentication, refresh the page and log in to ONLYOFFICE.
Enter your credentials, specify the phone number for receiving messages (modifiable in your profile), and input the six-digit verification code received via SMS.
Links
- ONLYOFFICE support forum for additional queries
- Access ONLYOFFICE Community Server source code on GitHub
FAQ
- What is Certbot?
  Certbot is a free, open-source software tool for automatically using Let’s Encrypt certificates on manually administered websites to enable HTTPS.
- What do I need to start using Let’s Encrypt?
  You’ll need shell access to the server, a registered domain name, and the Certbot client to generate and install SSL certificates.
- Why use Twilio for two-factor authentication?
  Twilio provides a reliable API service for sending SMS messages, which is crucial for effective two-factor authentication implementations to enhance security.
- How can I update my phone number for two-factor authentication?
  You can modify your phone number at any time on your ONLYOFFICE profile page, ensuring you receive verification codes on the preferred number.