Docker Setup with stable password

I’m running ONLYOFFICE DocumentServer (Docker) using an NGINX reverse proxy integrated with several external Nextcloud servers.

My goal: find a persistent and supported way to:

  • Use a fixed, custom JWT secret and header name,
  • Keep it across container restarts,
  • Ensure compatibility with Nextcloud’s OnlyOffice integration.

Please find the detailed description of my challenge:

JWT / Authorization header mismatch:

  • ONLYOFFICE automatically generates its own JWT secret when starting.
  • When mounting a custom local.json file or manually editing the secret, the server reverts or rejects the new value.
  • Result: 403 Forbidden or Invalid token in Nextcloud.
  • Works only when DocumentServer runs without external JWT configuration or when it can write its own secret.

Configuration persistence & mounting

  • Mounting only /etc/onlyoffice/documentserver/local.json causes file-locking (EBUSY) and overwriting issues.
  • Mounting the entire directory works better, but still breaks authentication if the secret mismatches.
  • The official JWT_SECRET, JWT_ENABLED, and JWT_HEADER environment variables don’t always override existing internal settings.

Time synchronization (timezone drift)

  • Container time initially differed by ~2 hours from host (UTC vs CEST).
  • Mounting /etc/localtime and /etc/timezone fixed that.

NGINX proxy conflicts

  • Duplicate server_name definitions and 502/403 errors when misconfigured.
  • Eventually resolved by cleaning up redundant site configs and ensuring correct upstream to the Docker internal IP.

File permission / user ownership

  • Mounted directories (/srv/onlyoffice, /srv/sftp/onlyoffice) required correct ownership (e.g., root:root or ds:ds) and permissions (755 or 775).

Behavior difference:

  • Everything works perfectly without JWT auth (open access).
  • Once JWT is enforced (via secret or header), DocumentServer rejects all connections from Nextcloud with 403.

Hey @markusgeorg, :wave:

Thanks for sharing your Docker setup challenges with ONLYOFFICE Docs.
I might not fully grasp the nuances of your situation yet, so let me know if I’m off-base.

In the standard Docker installation, you can tweak things like the JWT secret and header via environment variables in the docker run command. Check out the Available configuration parameters here: Docs Community Install Docker.

For NGINX proxy examples that play nice with JWT and external integrations (like Nextcloud), these should help: Docs Community Proxy.
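
To tell a secret mismatch apart from a time-related rejection when the integration reports 403 or Invalid token, the following sketch checks a token offline against a candidate secret. It is an added example, not code from ONLYOFFICE, Nextcloud or either poster; the function names, secrets and timestamps are constructed, and it assumes the configured header carries `Bearer <token>` signed with HS256.

```python
import base64, hashlib, hmac, json

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mac_for(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Build an HS256 token; used here only to construct sample input."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac_for(head + '.' + body, secret))}"

def diagnose(header_value, secret, now, leeway=0):
    """Classify a token taken from the JWT request header (assumed format)."""
    parts = header_value.removeprefix("Bearer ").strip().split(".")
    if len(parts) != 3:
        return "malformed"
    head, body, sig = parts
    try:
        alg = json.loads(b64d(head)).get("alg")
        claims = json.loads(b64d(body))
        given = b64d(sig)
    except (ValueError, AttributeError):
        return "malformed"
    if not isinstance(claims, dict):
        return "malformed"
    if alg != "HS256":
        return "unexpected-alg"
    # Signature first: with the wrong secret no other check is meaningful.
    if not hmac.compare_digest(mac_for(head + "." + body, secret), given):
        return "secret-mismatch"
    if "exp" in claims and now > claims["exp"] + leeway:
        return "expired"
    if "nbf" in claims and now + leeway < claims["nbf"]:
        return "not-yet-valid"
    return "ok"

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token = sign_hs256({"exp": now + 300}, "integration-side-secret")  # constructed
    for label, secret, t in [("same secret", "integration-side-secret", now),
                             ("regenerated secret", "docserver-side-secret", now),
                             ("clock 2 h ahead", "integration-side-secret", now + 7200)]:
        print(label, "->", diagnose("Bearer " + token, secret, t))
```

A `secret-mismatch` result points at the two sides holding different secrets, while `expired` or `not-yet-valid` points at clocks rather than configuration.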