Monday, December 13, 2021

Apache Log4j vulnerability "Log4shell"

A very severe security vulnerability named "Log4shell" was found in Apache Log4j. You can read more about it here:

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

We are getting a lot of questions from customers who are concerned if Group-Office is affected by this vulnerability.

Luckily, I can say that Group-Office or it's dependencies never used this software. The Debian package of Group-Office uses the Apache webserver but this is different software.

That said, it might be that you've installed other package on the server that uses it. You can check this with this command:

dpkg -l | grep log4

Note: This makes sure the Debian package is not installed. But it doesn't check if it was installed by other means!




Friday, April 2, 2021

Group-Office 6.5 released

We're proud to announce Group-Office version 6.5. This version brings you various enhancements.

Smaller header bar

A small visual enhancement but with great benefits. We made the top bar smaller by integrating the navigation tabs into it. This gives you more space for the app.


Smarter employee management

Manage all employment settings from the user dialog. Manage activities, holiday hours and fees at one place. Holiday calculations are automatically made based on the employment agreements. The new business module is the base for time tracking, projects and financial modules.

Manage your businesses and activities


Manage the employee and agreements

History module

Get insight in what happened in detail with the new history logging module. It keeps track of everything. Even property changes are supported.

History module showing details of changes

Improved import and export

Import and export supports excel files now too and you can save column presets that you often use.

Various export options

Save your common used columns


New license system

We've made our license system easier. Instead of uploading files you can now register your key inside Group-Office.

Various

Also a lot of smaller changes were made like:
  • Core: Module dependencies are respected when installing
  • Comments: Editable date field
  • Address book: Removed starred functionality for performance reasons
  • Core: New global search design to improve performance on larger databases
  • Documenttemplates: add selectable folder option
  • Core: Default authentication domain is appended automatically when local user isn't available. This allows ldap users to login with their username without appending or selecting a domain. Removed the domain combo because it's no longer needed with this change.

Upgrading is recommended for everyone!



Friday, March 19, 2021

Installing LibreOffice online

Group-Office integrates nicely with LibreOffice or Collabora Online. Enabling you to edit text, spreadsheet and presentation documents in your browser. You can also collaborate on documents by editing with multiple users.

In this post we'll cover the installation of LibreOffice Online with Docker and a reverse proxy and natively on Debian. When it's running you can proceed to the Group-Office manual to integrate it. Good luck!

LibreOffice Online

Docker

We found the easiest way to set it up is using Docker with Docker compose and Nginx or Apache as reverse proxy. If you run it on the same server as Group-Office you should setup with Apache as the package comes with Apache.

Replace “docs.example.com” everywhere below with your hostname that you’ll use to access LibreOffice Online.

Docker compose

Create a file “docs.example.com/docker-compose.yml”:

version: "3.6"
services:
  libreoffice:
    image: libreoffice/online:master
    environment:
      domain: (.*\.example\.com|host\.docker\.internal)
      username: admin
      password: secret
      extra_params: --o:ssl.enable=false --o:ssl.termination=true
      DONT_GEN_SSL_CERT: 1
    volumes:
      - lo_config_volume:/etc/loolwsd
    cap_add:
      - MKNOD
    ports:
            - "127.0.0.1:9980:9980"
    restart:
      unless-stopped
volumes:
  lo_config_volume:

Replace the domain part with a regular expression that allows the Group-Office hosts. For a single domain you can replace this with just “groupoffice.example.com”.

Start docker with the command in the directory “docs.example.com”:

docker-compose up -d

Nginx

You can use either Nginx or Apache. If you already have Apache installed then skip this section and proceed with Apache. Setup the virtual host in a new text file: /etc/nginx/sites-enabled/docs.example.com:

# HTTPS Server
server {
    listen 443 ssl;
    server_name docs.example.com;

    error_log /var/log/nginx/docs_error.log;

    # We use let's encrypt for SSL
    ssl_certificate /etc/letsencrypt/live/docs.example.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/docs.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docs.example.com/privkey.pem;

    include /etc/letsencrypt/options-ssl-nginx.conf;

    # static files
    location ^~ /loleaflet {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # main websocket
    location ~ ^/lool/(.*)/ws$ {
        proxy_pass http://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    location ~ ^/lool {
        proxy_pass http://localhost:9980;
        proxy_set_header Host $http_host;
    }

    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_pass http://localhost:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $http_host;
        proxy_read_timeout 36000s;
    }
}

Check the nginx syntax with:

nginx -t

It it’s OK then reload nginx:

systemctl reload nginx

Now that LibreOffice online is running you can proceed to the Group-Office configuration here:

https://groupoffice.readthedocs.io/en/latest/install/extras/libreoffice-online.html

Apache

Create this virtual host in the text file /etc/apache2/sites-enabled:

<VirtualHost *:443>
  ServerName docs.example.com:443
  Options -Indexes

  # SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
  SSLEngine on
  SSLCertificateFile /path/to/signed_certificate
  SSLCertificateChainFile /path/to/intermediate_certificate
  SSLCertificateKeyFile /path/to/private/key
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder     on

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode

  # Container uses a unique non-signed certificate
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # keep the host
  ProxyPreserveHost On

  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of LibreOffice Online
  ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet

  # WOPI discovery URL
  ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery

  # Capabilities
  ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities

  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon

  # Admin Console websocket
  ProxyPass   /lool/adminws ws://127.0.0.1:9980/lool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool http://127.0.0.1:9980/lool
  ProxyPassReverse    /lool http://127.0.0.1:9980/lool
</VirtualHost>

Now that LibreOffice online is running you can proceed to the Group-Office configuration here:

https://groupoffice.readthedocs.io/en/latest/install/extras/libreoffice-online.html

Verify LibreOffice install

You can verify that the install worked by visiting the URL below in your browser:

https://docs.example.com/hosting/discovery

You should see an XML document. If not then look at the log files:

docker-compose logs

Debian packages

SSL

We’ve used the Debian packages and setup SSL with Letsencrypt. Then we’ve added this SSL configuration to /etc/loolwsd/loolwsd.xml:

<ssl desc="SSL settings">
    <enable type="bool" desc="Controls whether SSL encryption is enable (do not disable for production deployment). If default is false, must first be compiled with SSL support to enable." default="true">true</enable>
    <termination desc="Connection via proxy where loolwsd acts as working via https, but actually uses http." type="bool" default="true">false</termination>
    <cert_file_path desc="Path to the cert file" relative="false">/etc/letsencrypt/live/groupoffice.co/cert.pem</cert_file_path>
    <key_file_path desc="Path to the key file" relative="false">/etc/letsencrypt/live/groupoffice.co/privkey.pem</key_file_path>
    <ca_file_path desc="Path to the ca file" relative="false">/etc/letsencrypt/live/groupoffice.co/fullchain.pem</ca_file_path>
    <cipher_list desc="List of OpenSSL ciphers to accept" default="ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"></cipher_list>
    <hpkp desc="Enable HTTP Public key pinning" enable="false" report_only="false">
        <max_age desc="HPKP's max-age directive - time in seconds browser should remember the pins" enable="true">1000</max_age>
        <report_uri desc="HPKP's report-uri directive - pin validation failure are reported at this URL" enable="false"></report_uri>
        <pins desc="Base64 encoded SPKI fingerprints of keys to be pinned">
        <pin></pin>
        </pins>
    </hpkp>
</ssl>

Network

Change network settings to allow posting from your Group-Office URL. We’ve used a wildcard for all subdomains ..example.com* for example:

<net desc="Network settings">
   <proto type="string" default="all" desc="Protocol to use IPv4, IPv6 or all for both">all</proto>
   <listen type="string" default="any" desc="Listen address that loolwsd binds to. Can be 'any' or 'loopback'.">any</listen>
   <service_root type="path" default="" desc="Prefix all the pages, websockets, etc. with this path."></service_root>
   <post_allow desc="Allow/deny client IP address for POST(REST)." allow="true">
     <host desc="The IPv4 private 192.168 block as plain IPv4 dotted decimal addresses.">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
     <host desc="Ditto, but as IPv4-mapped IPv6 addresses">::ffff:192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
     <host desc="The IPv4 loopback (localhost) address.">127\.0\.0\.1</host>
     <host desc="Ditto, but as IPv4-mapped IPv6 address">::ffff:127\.0\.0\.1</host>
         <host desc="The IPv6 loopback (localhost) address.">::1</host>
         <host desc="wildcard" allow="true">.*\.example\.com</host>
   </post_allow>
   <frame_ancestors desc="Specify who is allowed to embed the LO Online iframe (loolwsd and WOPI host are always allowed). Separate multiple hosts by space."></frame_ancestors>
 </net>

Storage

Change the backend storage to allow your Group-Office URL:

<storage desc="Backend storage">
    <filesystem allow="false" />
        <wopi desc="Allow/deny wopi storage. Mutually exclusive with webdav." allow="true">
        <host desc="wildcard" allow="true">.*\.example\.com</host>
            <host desc="Regex pattern of hostname to allow or deny." allow="true">localhost</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="true">10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.1[6789]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.2[0-9]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="true">172\.3[01]\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="true">192\.168\.[0-9]{1,3}\.[0-9]{1,3}</host>
        <host desc="Regex pattern of hostname to allow or deny." allow="false">192\.168\.1\.1</host>
        <max_file_size desc="Maximum document size in bytes to load. 0 for unlimited." type="uint">0</max_file_size>
    </wopi>
    <webdav desc="Allow/deny webdav storage. Mutually exclusive with wopi." allow="false">
        <host desc="Hostname to allow" allow="false">localhost</host>
    </webdav>
</storage>

After making these changes restart loolwsd:

sudo systemctl restart loolwsd

Check the status:

sudo systemctl status loolwsd

If anything is wrong view the logs:

sudo journalctl -u loolwsd

Now that LibreOffice online is running you can proceed to the Group-Office configuration here:

https://groupoffice.readthedocs.io/en/latest/install/extras/libreoffice-online.html