Add prof of concept none pivilage execution

Use 'DS_PORT' env to use custom https port
  sudo docker run -e DS_PORT=1234 -itd -p80:1234  \
  onlyoffice/documentserver

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,13 @@
+**Do you want to request a *feature* or report a *bug*?**
+
+**What is the current behavior?**
+
+**If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem.**
+
+**What is the expected behavior?**
+
+**Did this work in previous versions of DocumentServer?**
+
+**DocumentServer Docker tag:**
+
+**Host Operating System:**

Dockerfile

@@ -1,21 +1,52 @@
-FROM ubuntu:14.04
-MAINTAINER Ascensio System SIA <support@onlyoffice.com>
+FROM ubuntu:16.04
+LABEL maintainer Ascensio System SIA <support@onlyoffice.com>
 
 ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8 DEBIAN_FRONTEND=noninteractive
 
+ARG ONLYOFFICE_VALUE=onlyoffice
+
 RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
     apt-get -y update && \
-    apt-get --force-yes -yq install wget apt-transport-https curl && \
-    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys CB2DE8E5 && \
-    echo "deb http://archive.ubuntu.com/ubuntu precise main universe multiverse" >> /etc/apt/sources.list && \
+    apt-get -yq install wget apt-transport-https curl locales && \
+    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0x8320ca65cb2de8e5 && \
     locale-gen en_US.UTF-8 && \
-    curl -sL https://deb.nodesource.com/setup_6.x | bash - && \
+    curl -sL https://deb.nodesource.com/setup_8.x | bash - && \
     apt-get -y update && \
-    echo ttf-mscorefonts-installer msttcorefonts/accepted-mscorefonts-eula select true | debconf-set-selections && \
-    apt-get --force-yes -yq install software-properties-common adduser postgresql postgresql-client redis-server rabbitmq-server nginx-extras nodejs libstdc++6 libcurl3 libxml2 libboost-regex-dev zlib1g supervisor fonts-dejavu fonts-liberation ttf-mscorefonts-installer fonts-crosextra-carlito fonts-takao-gothic fonts-opensymbol libxss1 libgtkglext1 libcairo2 xvfb libxtst6 libgconf2-4 libasound2 bomstrip libnspr4 libnss3 libnss3-nssdb nano htop && \
-    sudo -u postgres psql -c "CREATE DATABASE onlyoffice;" && \
-    sudo -u postgres psql -c "CREATE USER onlyoffice WITH password 'onlyoffice';" && \
-    sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE onlyoffice TO onlyoffice;" && \ 
+    apt-get -yq install \
+        adduser \
+        bomstrip \
+        htop \
+        libasound2 \
+        libboost-regex-dev \
+        libcairo2 \
+        libcurl3 \
+        libgconf2-4 \
+        libgtkglext1 \
+        libnspr4 \
+        libnss3 \
+        libnss3-nssdb \
+        libstdc++6 \
+        libxml2 \
+        libxss1 \
+        libxtst6 \
+        nano \
+        net-tools \
+        netcat \
+        nginx-extras \
+        nodejs \
+        postgresql \
+        postgresql-client \
+        pwgen \
+        rabbitmq-server \
+        redis-server \
+        software-properties-common \
+        sudo \
+        supervisor \
+        xvfb \
+        zlib1g && \
+    sudo -u postgres psql -c "CREATE DATABASE $ONLYOFFICE_VALUE;" && \
+    sudo -u postgres psql -c "CREATE USER $ONLYOFFICE_VALUE WITH password '$ONLYOFFICE_VALUE';" && \
+    sudo -u postgres psql -c "GRANT ALL privileges ON DATABASE $ONLYOFFICE_VALUE TO $ONLYOFFICE_VALUE;" && \ 
     service postgresql stop && \
     service redis-server stop && \
     service rabbitmq-server stop && \
@@ -23,24 +54,27 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
     service nginx stop && \
     rm -rf /var/lib/apt/lists/*
 
-ADD config /app/onlyoffice/setup/config/
-ADD run-document-server.sh /app/onlyoffice/run-document-server.sh
+COPY config /app/ds/setup/config/
+COPY run-document-server.sh /app/ds/run-document-server.sh
 
 EXPOSE 80 443
 
 ARG REPO_URL="deb http://download.onlyoffice.com/repo/debian squeeze main"
-ARG PRODUCT_NAME=onlyoffice-documentserver
+ARG COMPANY_NAME=onlyoffice
+ARG PRODUCT_NAME=documentserver
 
-RUN echo "$REPO_URL" | tee /etc/apt/sources.list.d/onlyoffice.list && \
+ENV COMPANY_NAME=$COMPANY_NAME
+
+RUN echo "$REPO_URL" | tee /etc/apt/sources.list.d/ds.list && \
     apt-get -y update && \
     service postgresql start && \
-    apt-get --force-yes -yq install $PRODUCT_NAME && \
+    apt-get -yq install $COMPANY_NAME-$PRODUCT_NAME && \
     service postgresql stop && \
     service supervisor stop && \
-    chmod 755 /app/onlyoffice/*.sh && \
-    rm -rf /var/log/onlyoffice && \
+    chmod 755 /app/ds/*.sh && \
+    rm -rf /var/log/$COMPANY_NAME && \
     rm -rf /var/lib/apt/lists/*
 
-VOLUME /etc/onlyoffice /var/log/onlyoffice /var/lib/onlyoffice /var/www/onlyoffice/Data /var/lib/postgresql /usr/share/fonts/truetype/custom
+VOLUME /var/log/$COMPANY_NAME /var/lib/$COMPANY_NAME /var/www/$COMPANY_NAME/Data /var/lib/postgresql /usr/share/fonts/truetype/custom
 
-CMD bash -C '/app/onlyoffice/run-document-server.sh';'bash'
+ENTRYPOINT /app/ds/run-document-server.sh

Makefile

@@ -1,40 +1,66 @@
+COMPANY_NAME ?= onlyoffice
+GIT_BRANCH ?= develop
+PRODUCT_NAME ?= documentserver-ie
+PRODUCT_VERSION ?= 0.0.0
+BUILD_NUMBER ?= 0
+ONLYOFFICE_VALUE ?= onlyoffice
+
 PACKAGE_VERSION := $(PRODUCT_VERSION)-$(BUILD_NUMBER)
 
-REPO_URL := "deb http://repo-doc-onlyoffice-com.s3.amazonaws.com/ubuntu/trusty/$(COMPANY_NAME)-$(PRODUCT_NAME)/$(GIT_BRANCH)/$(PACKAGE_VERSION)/ repo/"
+REPO_URL := "deb [trusted=yes] http://repo-doc-onlyoffice-com.s3.amazonaws.com/ubuntu/trusty/$(COMPANY_NAME)-$(PRODUCT_NAME)/$(GIT_BRANCH)/$(PACKAGE_VERSION)/ repo/"
 
 UPDATE_LATEST := false
 
 ifneq (,$(findstring develop,$(GIT_BRANCH)))
-DOCKER_TAGS += $(subst -,.,$(PACKAGE_VERSION))
+DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
 DOCKER_TAGS += latest
 else ifneq (,$(findstring release,$(GIT_BRANCH)))
-DOCKER_TAGS += $(subst -,.,$(PACKAGE_VERSION))
+DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
 else ifneq (,$(findstring hotfix,$(GIT_BRANCH)))
-DOCKER_TAGS += $(subst -,.,$(PACKAGE_VERSION))
+DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))
 else
-DOCKER_TAGS += $(subst -,.,$(PACKAGE_VERSION))-$(subst /,-,$(GIT_BRANCH))
+DOCKER_TAG += $(subst -,.,$(PACKAGE_VERSION))-$(subst /,-,$(GIT_BRANCH))
 endif
 
+DOCKER_TAGS += $(DOCKER_TAG)
+
 DOCKER_REPO = $(COMPANY_NAME)/4testing-$(PRODUCT_NAME)
 
 COLON := __colon__
 DOCKER_TARGETS := $(foreach TAG,$(DOCKER_TAGS),$(DOCKER_REPO)$(COLON)$(TAG))
 
-.PHONY: all clean clean-docker deploy docker
+DOCKER_ARCH := $(COMPANY_NAME)-$(PRODUCT_NAME)_$(PACKAGE_VERSION).tar.gz
+
+.PHONY: all clean clean-docker deploy docker publish
 
 $(DOCKER_TARGETS): $(DEB_REPO_DATA)
 
-	sudo docker build --build-arg REPO_URL=$(REPO_URL) --build-arg PRODUCT_NAME=$(COMPANY_NAME)-$(PRODUCT_NAME) -t $(subst $(COLON),:,$@) . &&\
+	docker build \
+		--build-arg REPO_URL=$(REPO_URL) \
+		--build-arg COMPANY_NAME=$(COMPANY_NAME) \
+		--build-arg PRODUCT_NAME=$(PRODUCT_NAME) \
+		--build-arg ONLYOFFICE_VALUE=$(ONLYOFFICE_VALUE) \
+		-t $(subst $(COLON),:,$@) . &&\
 	mkdir -p $$(dirname $@) &&\
 	echo "Done" > $@
 
+$(DOCKER_ARCH): $(DOCKER_TARGETS)
+	docker save $(DOCKER_REPO):$(DOCKER_TAG) | \
+		gzip > $@
+
 all: $(DOCKER_TARGETS)
 
 clean:
-	rm -rfv $(DOCKER_TARGETS)
+	rm -rfv $(DOCKER_TARGETS) $(DOCKER_ARCH)
 		
 clean-docker:
-	sudo docker rmi -f $$(sudo docker images -q $(COMPANY_NAME)/*) || exit 0
+	docker rmi -f $$(docker images -q $(COMPANY_NAME)/*) || exit 0
 
 deploy: $(DOCKER_TARGETS)
-	$(foreach TARGET,$(DOCKER_TARGETS),sudo docker push $(subst $(COLON),:,$(TARGET));)
+	$(foreach TARGET,$(DOCKER_TARGETS),docker push $(subst $(COLON),:,$(TARGET));)
+
+publish: $(DOCKER_ARCH)
+	aws s3 cp \
+		$(DOCKER_ARCH) \
+		s3://repo-doc-onlyoffice-com.s3.amazonaws.com/docker/amd64/ \
+		--acl public-read

README.md

@@ -13,7 +13,7 @@
 * [Installing ONLYOFFICE Document Server integrated with Community and Mail Servers](#installing-onlyoffice-document-server-integrated-with-community-and-mail-servers)
 * [Issues](#issues)
     - [Docker Issues](#docker-issues)
-    - [Mono Issues](#mono-issues)
+    - [Document Server usage Issues](#document-server-usage-issues)
 * [Project Information](#project-information)
 * [User Feedback and Support](#user-feedback-and-support)
 
@@ -58,15 +58,21 @@ Use this command if you wish to install ONLYOFFICE Document Server separately. T
 All the data are stored in the specially-designated directories, **data volumes**, at the following location:
 * **/var/log/onlyoffice** for ONLYOFFICE Document Server logs
 * **/var/www/onlyoffice/Data** for certificates
+* **/var/lib/onlyoffice** for file cache
+* **/var/lib/postgresql** for database
 
 To get access to your data from outside the container, you need to mount the volumes. It can be done by specifying the '-v' option in the docker run command.
 
     sudo docker run -i -t -d -p 80:80 \
         -v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
         -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  \
-        -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice onlyoffice/documentserver
+        -v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
+        -v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql  onlyoffice/documentserver
 
-Storing the data on the host machine allows you to easily update ONLYOFFICE once the new version is released without losing your data.
+Normally, you do not need to store container data because the container's operation does not depend on its state. Saving data will be useful:
+* For easy access to container data, such as logs
+* To remove the limit on the size of the data inside the container
+* When using services launched outside the container such as PostgreSQL, Redis, RabbitMQ
 
 ### Running ONLYOFFICE Document Server on Different Port
 
@@ -161,61 +167,91 @@ Below is the complete list of parameters that can be set using environment varia
 - **POSTGRESQL_SERVER_DB_NAME**: The name of a PostgreSQL database to be created on the image startup.
 - **POSTGRESQL_SERVER_USER**: The new user name with superuser permissions for the PostgreSQL account.
 - **POSTGRESQL_SERVER_PASS**: The password set for the PostgreSQL account.
-- **RABBITMQ_SERVER_URL**: The [AMQP URL](http://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to RabbitMQ server.
+- **AMQP_SERVER_URL**: The [AMQP URL](http://www.rabbitmq.com/uri-spec.html "RabbitMQ URI Specification") to connect to message broker server.
+- **AMQP_SERVER_TYPE**: The message broker type. Supported values are `rabbitmq` or `activemq`. Defaults to `rabbitmq`.
 - **REDIS_SERVER_HOST**: The IP address or the name of the host where the Redis server is running.
 - **REDIS_SERVER_PORT**:  The Redis server port number.
 - **NGINX_WORKER_PROCESSES**: Defines the number of nginx worker processes.
 - **NGINX_WORKER_CONNECTIONS**: Sets the maximum number of simultaneous connections that can be opened by a nginx worker process.
+- **JWT_ENABLED**: Specifies the enabling the JSON Web Token validation by the ONLYOFFICE Document Server. Defaults to `false`.
+- **JWT_SECRET**: Defines the secret key to validate the JSON Web Token in the request to the ONLYOFFICE Document Server. Defaults to `secret`.
+- **JWT_HEADER**: Defines the http header that will be used to send the JSON Web Token. Defaults to `Authorization`.
 
 ## Installing ONLYOFFICE Document Server integrated with Community and Mail Servers
 
 ONLYOFFICE Document Server is a part of ONLYOFFICE Community Edition that comprises also Community Server and Mail Server. To install them, follow these easy steps:
 
-**STEP 1**: Create the 'onlyoffice' network.
+**STEP 1**: Create the `onlyoffice` network.
 
 ```bash
 docker network create --driver bridge onlyoffice
 ```
-Than launch containers on it using the 'docker run --net onlyoffice' option:
+Then launch containers on it using the 'docker run --net onlyoffice' option:
 
-**STEP 1**: Install ONLYOFFICE Document Server.
+**STEP 2**: Install MySQL.
+
+Follow [these steps](#installing-mysql) to install MySQL server.
+
+**STEP 3**: Install ONLYOFFICE Document Server.
 
 ```bash
 sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-document-server \
-	-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-	-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
+	-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice  \
+	-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data  \
 	-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
+	-v /app/onlyoffice/DocumentServer/db:/var/lib/postgresql \
 	onlyoffice/documentserver
 ```
 
-**STEP 2**: Install ONLYOFFICE Mail Server. 
+**STEP 4**: Install ONLYOFFICE Mail Server. 
 
 For the mail server correct work you need to specify its hostname 'yourdomain.com'.
-To learn more, refer to the [ONLYOFFICE Mail Server documentation](https://github.com/ONLYOFFICE/Docker-MailServer "ONLYOFFICE Mail Server documentation").
 
 ```bash
-sudo docker run --net onlyoffice --privileged -i -t -d --restart=always --name onlyoffice-mail-server \
-	-p 25:25 -p 143:143 -p 587:587 \
-	-v /app/onlyoffice/MailServer/data:/var/vmail \
-	-v /app/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver \
-	-v /app/onlyoffice/MailServer/logs:/var/log \
-	-v /app/onlyoffice/MailServer/mysql:/var/lib/mysql \
-	-h yourdomain.com \
-	onlyoffice/mailserver
+sudo docker run --init --net onlyoffice --privileged -i -t -d --restart=always --name onlyoffice-mail-server -p 25:25 -p 143:143 -p 587:587 \
+ -e MYSQL_SERVER=onlyoffice-mysql-server \
+ -e MYSQL_SERVER_PORT=3306 \
+ -e MYSQL_ROOT_USER=root \
+ -e MYSQL_ROOT_PASSWD=my-secret-pw \
+ -e MYSQL_SERVER_DB_NAME=onlyoffice_mailserver \
+ -v /app/onlyoffice/MailServer/data:/var/vmail \
+ -v /app/onlyoffice/MailServer/data/certs:/etc/pki/tls/mailserver \
+ -v /app/onlyoffice/MailServer/logs:/var/log \
+ -h yourdomain.com \
+ onlyoffice/mailserver
 ```
 
-**STEP 3**: Install ONLYOFFICE Community Server
+The additional parameters for mail server are available [here](https://github.com/ONLYOFFICE/Docker-CommunityServer/blob/master/docker-compose.yml#L75).
+
+To learn more, refer to the [ONLYOFFICE Mail Server documentation](https://github.com/ONLYOFFICE/Docker-MailServer "ONLYOFFICE Mail Server documentation").
+
+**STEP 5**: Install ONLYOFFICE Community Server
 
 ```bash
-sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-community-server \
-	-p 80:80 -p 5222:5222 -p 443:443 \
-	-v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
-	-v /app/onlyoffice/CommunityServer/mysql:/var/lib/mysql \
-	-v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
-	-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/DocumentServerData \
-	-e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \
-	-e MAIL_SERVER_DB_HOST=onlyoffice-mail-server \
-	onlyoffice/communityserver
+sudo docker run --net onlyoffice -i -t -d --restart=always --name onlyoffice-community-server -p 80:80 -p 443:443 -p 5222:5222 \
+ -e MYSQL_SERVER_ROOT_PASSWORD=my-secret-pw \
+ -e MYSQL_SERVER_DB_NAME=onlyoffice \
+ -e MYSQL_SERVER_HOST=onlyoffice-mysql-server \
+ -e MYSQL_SERVER_USER=onlyoffice_user \
+ -e MYSQL_SERVER_PASS=onlyoffice_pass \
+ 
+ -e DOCUMENT_SERVER_PORT_80_TCP_ADDR=onlyoffice-document-server \
+ 
+ -e MAIL_SERVER_API_HOST=${MAIL_SERVER_IP} \
+ -e MAIL_SERVER_DB_HOST=onlyoffice-mysql-server \
+ -e MAIL_SERVER_DB_NAME=onlyoffice_mailserver \
+ -e MAIL_SERVER_DB_PORT=3306 \
+ -e MAIL_SERVER_DB_USER=root \
+ -e MAIL_SERVER_DB_PASS=my-secret-pw \
+ 
+ -v /app/onlyoffice/CommunityServer/data:/var/www/onlyoffice/Data \
+ -v /app/onlyoffice/CommunityServer/logs:/var/log/onlyoffice \
+ onlyoffice/communityserver
+```
+
+Where `${MAIL_SERVER_IP}` is the IP address for **ONLYOFFICE Mail Server**. You can easily get it using the command:
+```
+docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' onlyoffice-mail-server
 ```
 
 Alternatively, you can use an automatic installation script to install the whole ONLYOFFICE Community Edition at once. For the mail server correct work you need to specify its hostname 'yourdomain.com'.
@@ -247,14 +283,19 @@ As a relatively new project Docker is being worked on and actively developed by
 
 The known Docker issue with ONLYOFFICE Document Server with rpm-based distributives is that sometimes the processes fail to start inside Docker container. Fedora and RHEL/CentOS users should try disabling selinux with setenforce 0. If it fixes the issue then you can either stick with SELinux disabled which is not recommended by RedHat, or switch to using Ubuntu.
 
-### Mono Issues
+### Document Server usage issues
 
-ONLYOFFICE installation requires the presence of mono (tested for version 3.12.1 or [older](http://www.mono-project.com/docs/getting-started/install/linux/#accessing-older-releases "older")) that may cause problems for some Linux kernel versions. The full list of supported kernel versions is available [here](http://onlyo.co/1PABPEI "here").
+Due to the operational characteristic, **Document Server** saves a document only after the document has been closed by all the users who edited it. To avoid data loss, you must forcefully disconnect the **Document Server** users when you need to stop **Document Server** in cases of the application update, server reboot etc. To do that, execute the following script on the server where **Document Server** is installed:
 
+```
+sudo docker exec <CONTAINER> documentserver-prepare4shutdown.sh
+```
+
+Please note, that both executing the script and disconnecting users may take a long time (up to 5 minutes).
 
 ## Project Information
 
-Official website: [http://www.onlyoffice.org](http://onlyoffice.org "http://www.onlyoffice.org")
+Official website: [https://www.onlyoffice.com](https://www.onlyoffice.com/?utm_source=github&utm_medium=cpc&utm_campaign=GitHubDockerDS)
 
 Code repository: [https://github.com/ONLYOFFICE/DocumentServer](https://github.com/ONLYOFFICE/DocumentServer "https://github.com/ONLYOFFICE/DocumentServer")
 
@@ -262,7 +303,9 @@ Docker Image: [https://github.com/ONLYOFFICE/Docker-DocumentServer](https://gith
 
 License: [GNU AGPL v3.0](https://help.onlyoffice.com/products/files/doceditor.aspx?fileid=4358397&doc=K0ZUdlVuQzQ0RFhhMzhZRVN4ZFIvaHlhUjN2eS9XMXpKR1M5WEppUk1Gcz0_IjQzNTgzOTci0 "GNU AGPL v3.0")
 
-SaaS version: [http://www.onlyoffice.com](http://www.onlyoffice.com "http://www.onlyoffice.com")
+Free version vs commercial builds comparison: https://github.com/ONLYOFFICE/DocumentServer#onlyoffice-document-server-editions
+
+SaaS version: [https://www.onlyoffice.com/cloud-office.aspx](https://www.onlyoffice.com/cloud-office.aspx?utm_source=github&utm_medium=cpc&utm_campaign=GitHubDockerDS)
 
 ## User Feedback and Support
 

activemq.yml

@@ -0,0 +1,31 @@
+version: '2'
+services:
+  onlyoffice-documentserver:
+    container_name: onlyoffice-documentserver
+    image: onlyoffice/4testing-documentserver-ie:latest
+    environment:
+      - AMQP_SERVER_URL=amqp://guest:guest@onlyoffice-activemq
+      - AMQP_SERVER_TYPE=activemq
+    stdin_open: true
+    restart: always
+    ports:
+      - '80:80'
+      - '443:443'
+    networks:
+      - onlyoffice
+
+  onlyoffice-activemq:
+    container_name: onlyoffice-activemq
+    image: webcenter/activemq:5.14.3
+    environment:
+      - ACTIVEMQ_USERS_guest=guest
+      - ACTIVEMQ_GROUPS_owners=guest
+    restart: always
+    networks:
+     - onlyoffice
+    expose:
+      - '5672'
+
+networks:
+  onlyoffice:
+    driver: 'bridge'

config/nginx/nginx

@@ -0,0 +1,196 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:       nginx
+# Required-Start:    $local_fs $remote_fs $network $syslog $named
+# Required-Stop:     $local_fs $remote_fs $network $syslog $named
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts the nginx web server
+# Description:       starts nginx using start-stop-daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/nginx
+NAME=nginx
+DESC=nginx
+
+# Include nginx defaults if available
+if [ -r /etc/default/nginx ]; then
+        . /etc/default/nginx
+fi
+
+STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
+
+test -x $DAEMON || exit 0
+
+. /lib/init/vars.sh
+. /lib/lsb/init-functions
+
+# Try to extract nginx pidfile
+PID=$(cat /etc/nginx/nginx.conf | grep -Ev '^\s*#' | awk 'BEGIN { RS="[;{}]" } { if ($1 == "pid") print $2 }' | head -n1)
+if [ -z "$PID" ]; then
+        PID=/tmp/nginx.pid
+fi
+
+if [ -n "$ULIMIT" ]; then
+        # Set ulimit if it is set in /etc/default/nginx
+        ulimit $ULIMIT
+fi
+
+start_nginx() {
+        # Start the daemon/service
+        #
+        # Returns:
+        #   0 if daemon has been started
+        #   1 if daemon was already running
+        #   2 if daemon could not be started
+        start-stop-daemon --start --quiet --pidfile $PID --chuid www-data:www-data --exec $DAEMON --test > /dev/null \
+                || return 1
+        start-stop-daemon --start --quiet --pidfile $PID --chuid www-data:www-data --exec $DAEMON -- \
+                $DAEMON_OPTS 2>/dev/null \
+                || return 2
+}
+
+test_config() {
+        # Test the nginx configuration
+        $DAEMON -t $DAEMON_OPTS >/dev/null 2>&1
+}
+
+stop_nginx() {
+        # Stops the daemon/service
+        #
+        # Return
+        #   0 if daemon has been stopped
+        #   1 if daemon was already stopped
+        #   2 if daemon could not be stopped
+        #   other if a failure occurred
+        start-stop-daemon --stop --quiet --retry=$STOP_SCHEDULE --pidfile $PID --name $NAME
+        RETVAL="$?"
+        sleep 1
+        return "$RETVAL"
+}
+
+reload_nginx() {
+        # Function that sends a SIGHUP to the daemon/service
+        start-stop-daemon --stop --signal HUP --quiet --pidfile $PID --name $NAME
+        return 0
+}
+
+rotate_logs() {
+        # Rotate log files
+        start-stop-daemon --stop --signal USR1 --quiet --pidfile $PID --name $NAME
+        return 0
+}
+
+upgrade_nginx() {
+        # Online upgrade nginx executable
+        # http://nginx.org/en/docs/control.html
+        #
+        # Return
+        #   0 if nginx has been successfully upgraded
+        #   1 if nginx is not running
+        #   2 if the pid files were not created on time
+        #   3 if the old master could not be killed
+        if start-stop-daemon --stop --signal USR2 --quiet --pidfile $PID --name $NAME; then
+                # Wait for both old and new master to write their pid file
+                while [ ! -s "${PID}.oldbin" ] || [ ! -s "${PID}" ]; do
+                        cnt=`expr $cnt + 1`
+                        if [ $cnt -gt 10 ]; then
+                                return 2
+                        fi
+                        sleep 1
+                done
+                # Everything is ready, gracefully stop the old master
+                if start-stop-daemon --stop --signal QUIT --quiet --pidfile "${PID}.oldbin" --name $NAME; then
+                        return 0
+                else
+                        return 3
+                fi
+        else
+                return 1
+        fi
+}
+
+case "$1" in
+        start)
+                log_daemon_msg "Starting $DESC" "$NAME"
+                start_nginx
+                case "$?" in
+                        0|1) log_end_msg 0 ;;
+                        2)   log_end_msg 1 ;;
+                esac
+                ;;
+        stop)
+                log_daemon_msg "Stopping $DESC" "$NAME"
+                stop_nginx
+                case "$?" in
+                        0|1) log_end_msg 0 ;;
+                        2)   log_end_msg 1 ;;
+                esac
+                ;;
+        restart)
+                log_daemon_msg "Restarting $DESC" "$NAME"
+
+                # Check configuration before stopping nginx
+                if ! test_config; then
+                        log_end_msg 1 # Configuration error
+                        exit $?
+                fi
+
+                stop_nginx
+                case "$?" in
+                        0|1)
+                                start_nginx
+                                case "$?" in
+                                        0) log_end_msg 0 ;;
+                                        1) log_end_msg 1 ;; # Old process is still running
+                                        *) log_end_msg 1 ;; # Failed to start
+                                esac
+                                ;;
+                        *)
+                                # Failed to stop
+                                log_end_msg 1
+                                ;;
+                esac
+                ;;
+        reload|force-reload)
+                log_daemon_msg "Reloading $DESC configuration" "$NAME"
+
+                # Check configuration before stopping nginx
+                #
+                # This is not entirely correct since the on-disk nginx binary
+                # may differ from the in-memory one, but that's not common.
+                # We prefer to check the configuration and return an error
+                # to the administrator.
+                if ! test_config; then
+                        log_end_msg 1 # Configuration error
+                        exit $?
+                fi
+
+                reload_nginx
+                log_end_msg $?
+                ;;
+        configtest|testconfig)
+                log_daemon_msg "Testing $DESC configuration"
+                test_config
+                log_end_msg $?
+                ;;
+        status)
+                status_of_proc -p $PID "$DAEMON" "$NAME" && exit 0 || exit $?
+                ;;
+        upgrade)
+                log_daemon_msg "Upgrading binary" "$NAME"
+                upgrade_nginx
+                log_end_msg $?
+                ;;
+        rotate)
+                log_daemon_msg "Re-opening $DESC log files" "$NAME"
+                rotate_logs
+                log_end_msg $?
+                ;;
+        *)
+                echo "Usage: $NAME {start|stop|restart|reload|force-reload|status|configtest|rotate|upgrade}" >&2
+                exit 3
+                ;;
+esac

config/nginx/nginx.conf

@@ -0,0 +1,63 @@
+user www-data;
+worker_processes 1;
+pid /tmp/nginx.pid;
+
+events {
+        worker_connections 524288;
+        # multi_accept on;
+}
+
+http {
+
+        ##
+        # Basic Settings
+        ##
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        # server_tokens off;
+
+        # server_names_hash_bucket_size 64;
+        # server_name_in_redirect off;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        ##
+        # SSL Settings
+        ##
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+        ssl_prefer_server_ciphers on;
+
+        ##
+        # Logging Settings
+        ##
+
+        access_log off;
+        error_log /var/log/nginx/error.log;
+
+        ##
+        # Gzip Settings
+        ##
+
+        gzip on;
+        gzip_disable "msie6";
+
+        # gzip_vary on;
+        # gzip_proxied any;
+        # gzip_comp_level 6;
+        # gzip_buffers 16 8k;
+        # gzip_http_version 1.1;
+        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+        ##
+        # Virtual Host Configs
+        ##
+
+        include /etc/nginx/conf.d/*.conf;
+        include /etc/nginx/sites-enabled/*;
+}

config/supervisor/supervisor

@@ -30,8 +30,8 @@ DESC=supervisor
 
 test -x $DAEMON || exit 0
 
-LOGDIR=/var/log/supervisor
-PIDFILE=/var/run/$NAME.pid
+LOGDIR=/tmp
+PIDFILE=/tmp/$NAME.pid
 PS_COUNT=0
 DODTIME=5                   # Time to wait for the server to die, in seconds
                             # If this value is set too low you might not
@@ -101,7 +101,7 @@ case "$1" in
             rm -f "$PIDFILE"
         fi
 	echo -n "Starting $DESC: "
-	start-stop-daemon --start --quiet --pidfile $PIDFILE \
+	start-stop-daemon --start --quiet --chuid ds:ds --pidfile $PIDFILE \
 		--startas $DAEMON -- $DAEMON_OPTS
 	test -f $PIDFILE || sleep 1
         if running ; then
@@ -152,7 +152,7 @@ case "$1" in
     echo -n "Restarting $DESC: "
     start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE
 	[ -n "$DODTIME" ] && sleep $DODTIME
-	start-stop-daemon --start --quiet --pidfile $PIDFILE \
+	start-stop-daemon --start --quiet --chuid ds:ds --pidfile $PIDFILE \
 		--startas $DAEMON -- $DAEMON_OPTS
 	echo "$NAME."
 	;;

config/supervisor/supervisord.conf

@@ -4,9 +4,9 @@
 port = 127.0.0.1:9001
 
 [supervisord]
-logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
-childlogdir=/var/log/supervisor            ; ('AUTO' child log dir, default $TEMP)
+logfile=/tmp/supervisord.log ; (main log file;default $CWD/supervisord.log)
+pidfile=/tmp/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+childlogdir=/tmp            ; ('AUTO' child log dir, default $TEMP)
 
 ; the below section must remain in the config file for RPC
 ; (supervisorctl/web interface) to work, additional interfaces may be

docker-compose.yml

@@ -9,14 +9,19 @@ services:
       - POSTGRESQL_SERVER_PORT=5432
       - POSTGRESQL_SERVER_DB_NAME=onlyoffice
       - POSTGRESQL_SERVER_USER=onlyoffice
-      - RABBITMQ_SERVER_URL=amqp://guest:guest@onlyoffice-rabbitmq
+      - AMQP_SERVER_URL=amqp://guest:guest@onlyoffice-rabbitmq
       - REDIS_SERVER_HOST=onlyoffice-redis
       - REDIS_SERVER_PORT=6379
+      # Uncomment strings below to enable the JSON Web Token validation.
+      #- JWT_ENABLED=true
+      #- JWT_SECRET=secret
+      #- JWT_HEADER=Authorization
     stdin_open: true
     restart: always
     networks:
       - onlyoffice
     volumes:
+       - /etc/onlyoffice
        - /var/www/onlyoffice/Data
        - /var/log/onlyoffice
        - /var/lib/onlyoffice/documentserver/App_Data/cache/files

run-document-server.sh

@@ -1,8 +1,15 @@
 #!/bin/bash
 
-APP_DIR="/var/www/onlyoffice/documentserver"
-DATA_DIR="/var/www/onlyoffice/Data"
-LOG_DIR="/var/log/onlyoffice/documentserver"
+# Define '**' behavior explicitly
+shopt -s globstar
+
+APP_DIR="/var/www/${COMPANY_NAME}/documentserver"
+DATA_DIR="/var/www/${COMPANY_NAME}/Data"
+LOG_DIR="/var/log/${COMPANY_NAME}"
+DS_LOG_DIR="${LOG_DIR}/documentserver"
+LIB_DIR="/var/lib/${COMPANY_NAME}"
+DS_LIB_DIR="${LIB_DIR}/documentserver"
+CONF_DIR="/etc/${COMPANY_NAME}/documentserver"
 
 ONLYOFFICE_DATA_CONTAINER=${ONLYOFFICE_DATA_CONTAINER:-false}
 ONLYOFFICE_DATA_CONTAINER_HOST=${ONLYOFFICE_DATA_CONTAINER_HOST:-localhost}
@@ -15,45 +22,62 @@ CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certific
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}
 ONLYOFFICE_HTTPS_HSTS_ENABLED=${ONLYOFFICE_HTTPS_HSTS_ENABLED:-true}
-ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAG:-31536000}
-SYSCONF_TEMPLATES_DIR="/app/onlyoffice/setup/config"
+ONLYOFFICE_HTTPS_HSTS_MAXAGE=${ONLYOFFICE_HTTPS_HSTS_MAXAGE:-31536000}
+SYSCONF_TEMPLATES_DIR="/app/ds/setup/config"
 
 NGINX_CONFD_PATH="/etc/nginx/conf.d";
-NGINX_ONLYOFFICE_PATH="${NGINX_CONFD_PATH}/onlyoffice-documentserver.conf";
-NGINX_ONLYOFFICE_INCLUDES_PATH="/etc/nginx/includes";
-NGINX_ONLYOFFICE_EXAMPLE_PATH=${NGINX_ONLYOFFICE_INCLUDES_PATH}/onlyoffice-documentserver-example.conf
+NGINX_ONLYOFFICE_PATH="${CONF_DIR}/nginx"
+NGINX_ONLYOFFICE_CONF="${NGINX_ONLYOFFICE_PATH}/ds.conf"
+NGINX_ONLYOFFICE_EXAMPLE_PATH="${CONF_DIR}-example/nginx"
+NGINX_ONLYOFFICE_EXAMPLE_CONF="${NGINX_ONLYOFFICE_EXAMPLE_PATH}/includes/ds-example.conf"
 
 NGINX_CONFIG_PATH="/etc/nginx/nginx.conf"
-NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-$(grep processor /proc/cpuinfo | wc -l)}
+NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
 NGINX_WORKER_CONNECTIONS=${NGINX_WORKER_CONNECTIONS:-$(ulimit -n)}
 
-ONLYOFFICE_DEFAULT_CONFIG=/etc/onlyoffice/documentserver/default.json
+JWT_ENABLED=${JWT_ENABLED:-false}
+JWT_SECRET=${JWT_SECRET:-secret}
+JWT_HEADER=${JWT_HEADER:-Authorization}
 
-JSON="json -q -f ${ONLYOFFICE_DEFAULT_CONFIG}"
+ONLYOFFICE_DEFAULT_CONFIG=${CONF_DIR}/local.json
+ONLYOFFICE_LOG4JS_CONFIG=${CONF_DIR}/log4js/production.json
+ONLYOFFICE_EXAMPLE_CONFIG=${CONF_DIR}-example/local.json
+
+JSON_BIN=${APP_DIR}/npm/node_modules/.bin/json
+JSON="${JSON_BIN} -q -f ${ONLYOFFICE_DEFAULT_CONFIG}"
+JSON_LOG="${JSON_BIN} -q -f ${ONLYOFFICE_LOG4JS_CONFIG}"
+JSON_EXAMPLE="${JSON_BIN} -q -f ${ONLYOFFICE_EXAMPLE_CONFIG}"
+
+DS_PORT=${DS_PORT:-80}
 
 LOCAL_SERVICES=()
 
-PG_VERSION=9.3
+PG_ROOT=/var/lib/postgresql
+PG_VERSION=9.5
 PG_NAME=main
-PGDATA=/var/lib/postgresql/${PG_VERSION}/${PG_NAME}
+PGDATA=${PG_ROOT}/${PG_VERSION}/${PG_NAME}
 PG_NEW_CLUSTER=false
 
 read_setting(){
   POSTGRESQL_SERVER_HOST=${POSTGRESQL_SERVER_HOST:-$(${JSON} services.CoAuthoring.sql.dbHost)}
-  POSTGRESQL_SERVER_PORT=${POSTGRESQL_SERVER_PORT:-$(${JSON} services.CoAuthoring.sql.dbPort)}
+  POSTGRESQL_SERVER_PORT=${POSTGRESQL_SERVER_PORT:-5432}
   POSTGRESQL_SERVER_DB_NAME=${POSTGRESQL_SERVER_DB_NAME:-$(${JSON} services.CoAuthoring.sql.dbName)}
   POSTGRESQL_SERVER_USER=${POSTGRESQL_SERVER_USER:-$(${JSON} services.CoAuthoring.sql.dbUser)}
   POSTGRESQL_SERVER_PASS=${POSTGRESQL_SERVER_PASS:-$(${JSON} services.CoAuthoring.sql.dbPass)}
 
   RABBITMQ_SERVER_URL=${RABBITMQ_SERVER_URL:-$(${JSON} rabbitmq.url)}
-  parse_rabbitmq_url
+  AMQP_SERVER_URL=${AMQP_SERVER_URL:-${RABBITMQ_SERVER_URL}}
+  AMQP_SERVER_TYPE=${AMQP_SERVER_TYPE:-rabbitmq}
+  parse_rabbitmq_url ${AMQP_SERVER_URL}
 
   REDIS_SERVER_HOST=${REDIS_SERVER_HOST:-$(${JSON} services.CoAuthoring.redis.host)}
-  REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-$(${JSON} services.CoAuthoring.redis.port)}
+  REDIS_SERVER_PORT=${REDIS_SERVER_PORT:-6379}
+
+  DS_LOG_LEVEL=${DS_LOG_LEVEL:-$(${JSON_LOG} categories.default.level)}
 }
 
 parse_rabbitmq_url(){
-  local amqp=${RABBITMQ_SERVER_URL}
+  local amqp=$1
 
   # extract the protocol
   local proto="$(echo $amqp | grep :// | sed -e's,^\(.*://\).*,\1,g')"
@@ -70,7 +94,6 @@ parse_rabbitmq_url(){
   else
     user=$userpass
   fi
-  echo $user
 
   # extract the host
   local hostport="$(echo ${url/$userpass@/} | cut -d/ -f1)"
@@ -88,10 +111,11 @@ parse_rabbitmq_url(){
   # extract the path (if any)
   local path="$(echo $url | grep / | cut -d/ -f2-)"
 
-  RABBITMQ_SERVER_HOST=$host
-  RABBITMQ_SERVER_USER=$user
-  RABBITMQ_SERVER_PASS=$pass
-  RABBITMQ_SERVER_PORT=$port
+  AMQP_SERVER_PROTO=${proto:0:-3}
+  AMQP_SERVER_HOST=$host
+  AMQP_SERVER_USER=$user
+  AMQP_SERVER_PASS=$pass
+  AMQP_SERVER_PORT=$port
 }
 
 waiting_for_connection(){
@@ -105,8 +129,8 @@ waiting_for_postgresql(){
   waiting_for_connection ${POSTGRESQL_SERVER_HOST} ${POSTGRESQL_SERVER_PORT}
 }
 
-waiting_for_rabbitmq(){
-  waiting_for_connection ${RABBITMQ_SERVER_HOST} ${RABBITMQ_SERVER_PORT}
+waiting_for_amqp(){
+  waiting_for_connection ${AMQP_SERVER_HOST} ${AMQP_SERVER_PORT}
 }
 
 waiting_for_redis(){
@@ -124,7 +148,47 @@ update_postgresql_settings(){
 }
 
 update_rabbitmq_setting(){
-  ${JSON} -I -e "this.rabbitmq.url = '${RABBITMQ_SERVER_URL}'"
+  if [ "${AMQP_SERVER_TYPE}" == "rabbitmq" ]; then
+    ${JSON} -I -e "if(this.queue===undefined)this.queue={};"
+    ${JSON} -I -e "this.queue.type = 'rabbitmq'"
+    ${JSON} -I -e "this.rabbitmq.url = '${AMQP_SERVER_URL}'"
+  fi
+  
+  if [ "${AMQP_SERVER_TYPE}" == "activemq" ]; then
+    ${JSON} -I -e "if(this.queue===undefined)this.queue={};"
+    ${JSON} -I -e "this.queue.type = 'activemq'"
+    ${JSON} -I -e "if(this.activemq===undefined)this.activemq={};"
+    ${JSON} -I -e "if(this.activemq.connectOptions===undefined)this.activemq.connectOptions={};"
+
+    ${JSON} -I -e "this.activemq.connectOptions.host = '${AMQP_SERVER_HOST}'"
+
+    if [ ! "${AMQP_SERVER_PORT}" == "" ]; then
+      ${JSON} -I -e "this.activemq.connectOptions.port = '${AMQP_SERVER_PORT}'"
+    else
+      ${JSON} -I -e "delete this.activemq.connectOptions.port"
+    fi
+
+    if [ ! "${AMQP_SERVER_USER}" == "" ]; then
+      ${JSON} -I -e "this.activemq.connectOptions.username = '${AMQP_SERVER_USER}'"
+    else
+      ${JSON} -I -e "delete this.activemq.connectOptions.username"
+    fi
+
+    if [ ! "${AMQP_SERVER_PASS}" == "" ]; then
+      ${JSON} -I -e "this.activemq.connectOptions.password = '${AMQP_SERVER_PASS}'"
+    else
+      ${JSON} -I -e "delete this.activemq.connectOptions.password"
+    fi
+
+    case "${AMQP_SERVER_PROTO}" in
+      amqp+ssl|amqps)
+        ${JSON} -I -e "this.activemq.connectOptions.transport = 'tls'"
+        ;;
+      *)
+        ${JSON} -I -e "delete this.activemq.connectOptions.transport"
+        ;;
+    esac 
+  fi
 }
 
 update_redis_settings(){
@@ -132,6 +196,27 @@ update_redis_settings(){
   ${JSON} -I -e "this.services.CoAuthoring.redis.port = '${REDIS_SERVER_PORT}'"
 }
 
+update_jwt_settings(){
+  if [ "${JWT_ENABLED}" == "true" ]; then
+    ${JSON} -I -e "this.services.CoAuthoring.token.enable.browser = ${JWT_ENABLED}"
+    ${JSON} -I -e "this.services.CoAuthoring.token.enable.request.inbox = ${JWT_ENABLED}"
+    ${JSON} -I -e "this.services.CoAuthoring.token.enable.request.outbox = ${JWT_ENABLED}"
+
+    ${JSON} -I -e "this.services.CoAuthoring.secret.inbox.string = '${JWT_SECRET}'"
+    ${JSON} -I -e "this.services.CoAuthoring.secret.outbox.string = '${JWT_SECRET}'"
+    ${JSON} -I -e "this.services.CoAuthoring.secret.session.string = '${JWT_SECRET}'"
+
+    ${JSON} -I -e "this.services.CoAuthoring.token.inbox.header = '${JWT_HEADER}'"
+    ${JSON} -I -e "this.services.CoAuthoring.token.outbox.header = '${JWT_HEADER}'"
+
+    if [ -f "${ONLYOFFICE_EXAMPLE_CONFIG}" ] && [ "${JWT_ENABLED}" == "true" ]; then
+      ${JSON_EXAMPLE} -I -e "this.server.token.enable = ${JWT_ENABLED}"
+      ${JSON_EXAMPLE} -I -e "this.server.token.secret = '${JWT_SECRET}'"
+      ${JSON_EXAMPLE} -I -e "this.server.token.authorizationHeader = '${JWT_HEADER}'"
+    fi
+  fi
+}
+
 create_postgresql_cluster(){
   local pg_conf_dir=/etc/postgresql/${PG_VERSION}/${PG_NAME}
   local postgresql_conf=$pg_conf_dir/postgresql.conf
@@ -139,7 +224,7 @@ create_postgresql_cluster(){
 
   mv $postgresql_conf $postgresql_conf.backup
   mv $hba_conf $hba_conf.backup
-  
+
   pg_createcluster ${PG_VERSION} ${PG_NAME}
 }
 
@@ -150,7 +235,7 @@ create_postgresql_db(){
 }
 
 create_postgresql_tbl(){
-  CONNECTION_PARAMS="-h${POSTGRESQL_SERVER_HOST} -U${POSTGRESQL_SERVER_USER} -w"
+  CONNECTION_PARAMS="-h${POSTGRESQL_SERVER_HOST} -p${POSTGRESQL_SERVER_PORT} -U${POSTGRESQL_SERVER_USER} -w"
   if [ -n "${POSTGRESQL_SERVER_PASS}" ]; then
     export PGPASSWORD=${POSTGRESQL_SERVER_PASS}
   fi
@@ -160,7 +245,7 @@ create_postgresql_tbl(){
 
   # Create db on remote server
   if $PSQL -lt | cut -d\| -f 1 | grep -qw | grep 0; then
-    $CREATEDB $DB_NAME
+    $CREATEDB $POSTGRESQL_SERVER_DB_NAME
   fi
 
   $PSQL -d "${POSTGRESQL_SERVER_DB_NAME}" -f "${APP_DIR}/server/schema/postgresql/createdb.sql"
@@ -174,38 +259,46 @@ update_nginx_settings(){
 
   # setup HTTPS
   if [ -f "${SSL_CERTIFICATE_PATH}" -a -f "${SSL_KEY_PATH}" ]; then
-    cp ${NGINX_CONFD_PATH}/onlyoffice-documentserver-ssl.conf.template ${NGINX_ONLYOFFICE_PATH}
+    cp -f ${NGINX_ONLYOFFICE_PATH}/ds-ssl.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
 
     # configure nginx
-    sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH}
-    sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH}
+    sed 's,{{SSL_CERTIFICATE_PATH}},'"${SSL_CERTIFICATE_PATH}"',' -i ${NGINX_ONLYOFFICE_CONF}
+    sed 's,{{SSL_KEY_PATH}},'"${SSL_KEY_PATH}"',' -i ${NGINX_ONLYOFFICE_CONF}
+
+    # turn on http2
+    sed 's,\(443 ssl\),\1 http2,' -i ${NGINX_ONLYOFFICE_CONF}
 
     # if dhparam path is valid, add to the config, otherwise remove the option
     if [ -r "${SSL_DHPARAM_PATH}" ]; then
-      sed 's,{{SSL_DHPARAM_PATH}},'"${SSL_DHPARAM_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH}
+      sed 's,\(\#* *\)\?\(ssl_dhparam \).*\(;\)$,'"\2${SSL_DHPARAM_PATH}\3"',' -i ${NGINX_ONLYOFFICE_CONF}
     else
-      sed '/ssl_dhparam {{SSL_DHPARAM_PATH}};/d' -i ${NGINX_ONLYOFFICE_PATH}
+      sed '/ssl_dhparam/d' -i ${NGINX_ONLYOFFICE_CONF}
     fi
 
-    sed 's,{{SSL_VERIFY_CLIENT}},'"${SSL_VERIFY_CLIENT}"',' -i ${NGINX_ONLYOFFICE_PATH}
+    sed 's,\(ssl_verify_client \).*\(;\)$,'"\1${SSL_VERIFY_CLIENT}\2"',' -i ${NGINX_ONLYOFFICE_CONF}
 
     if [ -f "${CA_CERTIFICATES_PATH}" ]; then
-      sed 's,{{CA_CERTIFICATES_PATH}},'"${CA_CERTIFICATES_PATH}"',' -i ${NGINX_ONLYOFFICE_PATH}
-    else
-      sed '/{{CA_CERTIFICATES_PATH}}/d' -i ${NGINX_ONLYOFFICE_PATH}
+      sed '/ssl_verify_client/a '"ssl_client_certificate ${CA_CERTIFICATES_PATH}"';' -i ${NGINX_ONLYOFFICE_CONF}
     fi
 
     if [ "${ONLYOFFICE_HTTPS_HSTS_ENABLED}" == "true" ]; then
-      sed 's/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/'"${ONLYOFFICE_HTTPS_HSTS_MAXAGE}"'/' -i ${NGINX_ONLYOFFICE_PATH}
+      sed 's,\(max-age=\).*\(;\)$,'"\1${ONLYOFFICE_HTTPS_HSTS_MAXAGE}\2"',' -i ${NGINX_ONLYOFFICE_CONF}
     else
-      sed '/{{ONLYOFFICE_HTTPS_HSTS_MAXAGE}}/d' -i ${NGINX_ONLYOFFICE_PATH}
+      sed '/max-age=/d' -i ${NGINX_ONLYOFFICE_CONF}
     fi
   else
-    cp ${NGINX_CONFD_PATH}/onlyoffice-documentserver.conf.template ${NGINX_ONLYOFFICE_PATH}
+    ln -sf ${NGINX_ONLYOFFICE_PATH}/ds.conf.tmpl ${NGINX_ONLYOFFICE_CONF}
+    # set up default listening port
+    sed 's,\(listen.\+:\)\([0-9]\+\)\(.*;\),'"\1${DS_PORT}\3"',' -i ${NGINX_ONLYOFFICE_CONF}
   fi
-  
-  if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_PATH}" ]; then
-    sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_PATH}
+
+  # check if ipv6 supported otherwise remove it from nginx config
+  if [ ! -f /proc/net/if_inet6 ]; then
+    sed '/listen\s\+\[::[0-9]*\].\+/d' -i $NGINX_ONLYOFFICE_CONF
+  fi
+
+  if [ -f "${NGINX_ONLYOFFICE_EXAMPLE_CONF}" ]; then
+    sed 's/linux/docker/' -i ${NGINX_ONLYOFFICE_EXAMPLE_CONF}
   fi
 }
 
@@ -214,25 +307,60 @@ update_supervisor_settings(){
   cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisor /etc/init.d/
   # Copy modified supervisor config
   cp ${SYSCONF_TEMPLATES_DIR}/supervisor/supervisord.conf /etc/supervisor/supervisord.conf
+  # Copy modified nginx start script
+  cp ${SYSCONF_TEMPLATES_DIR}/nginx/nginx /etc/init.d/
+  # Copy modified ngnix config
+  cp ${SYSCONF_TEMPLATES_DIR}/nginx/nginx.conf /etc/nginx/nginx.conf
+}
+
+update_log_settings(){
+   ${JSON_LOG} -I -e "this.categories.default.level = '${DS_LOG_LEVEL}'"
+}
+
+update_logrotate_settings(){
+  sed 's|\(^su\b\).*|\1 root root|' -i /etc/logrotate.conf
 }
 
 # create base folders
 for i in converter docservice spellchecker metrics gc; do
-  mkdir -p "${LOG_DIR}/$i"
+  mkdir -p "${DS_LOG_DIR}/$i"
 done
 
-mkdir -p ${LOG_DIR}-example
+mkdir -p ${DS_LOG_DIR}-example
+
+# create app folders
+for i in App_Data/cache/files App_Data/docbuilder; do
+  mkdir -p "${DS_LIB_DIR}/$i"
+done
+
+# change folder rights
+for i in ${LOG_DIR} ${LIB_DIR} ${DATA_DIR}; do
+  chown -R ds:ds "$i"
+  chmod -R 755 "$i"
+done
+
+touch ${DS_LOG_DIR}/nginx.error.log
+chown www-data:www-data ${DS_LOG_DIR}/nginx.error.log
 
 if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
 
   read_setting
 
+  update_log_settings
+
+  update_jwt_settings
+
   # update settings by env variables
   if [ ${POSTGRESQL_SERVER_HOST} != "localhost" ]; then
     update_postgresql_settings
     waiting_for_postgresql
     create_postgresql_tbl
   else
+    # change rights for postgres directory
+    chown -R postgres:postgres ${PG_ROOT}
+    chmod -R 700 ${PG_ROOT}
+
+    # create new db if it isn't exist
     if [ ! -d ${PGDATA} ]; then
       create_postgresql_cluster
       PG_NEW_CLUSTER=true
@@ -240,10 +368,12 @@ if [ ${ONLYOFFICE_DATA_CONTAINER_HOST} = "localhost" ]; then
     LOCAL_SERVICES+=("postgresql")
   fi
 
-  if [ ${RABBITMQ_SERVER_HOST} != "localhost" ]; then
+  if [ ${AMQP_SERVER_HOST} != "localhost" ]; then
     update_rabbitmq_setting
   else
     LOCAL_SERVICES+=("rabbitmq-server")
+    # allow Rabbitmq startup after container kill
+    rm -rf /var/run/rabbitmq
   fi
 
   if [ ${REDIS_SERVER_HOST} != "localhost" ]; then
@@ -272,13 +402,17 @@ fi
 
 if [ ${ONLYOFFICE_DATA_CONTAINER} != "true" ]; then
   waiting_for_postgresql
-  waiting_for_rabbitmq
+  waiting_for_amqp
   waiting_for_redis
 
   update_nginx_settings
 
   update_supervisor_settings
   service supervisor start
+  
+  # start cron to enable log rotating
+  update_logrotate_settings
+  service cron start
 fi
 
 # nginx used as a proxy, and as data container status service.
@@ -287,3 +421,6 @@ service nginx start
 
 # Regenerate the fonts list and the fonts thumbnails
 documentserver-generate-allfonts.sh ${ONLYOFFICE_DATA_CONTAINER}
+documentserver-static-gzip.sh ${ONLYOFFICE_DATA_CONTAINER}
+
+tail -f /var/log/${COMPANY_NAME}/**/*.log