HowtoForge

How to secure ONLYOFFICE with Let's Encrypt and two-factor authentication

ONLYOFFICE is an open-source solution that combines powerful online document editors for text documents, spreadsheets and presentations, as well as broad productivity features: CRM, project management, calendar, mail, chat, and more. ONLYOFFICE Community Server is the collaborative open-source system distributed under GNU GPL v3.0.

Security really matters nowadays, since we're constantly exposed to malicious actions, data leaks, unauthorized access attempts, and so on.

ONLYOFFICE provides a wide range of security tools and services to keep your data safe:

Besides, some more security features are available in Control Panel in ONLYOFFICE Enterprise Edition:

In this tutorial, we'll learn how to protect your ONLYOFFICE portal with HTTPS using Let's Encrypt, and with two-factor authentication using Twilio service.

Part 1. Activating HTTPS protocol with Let's Encrypt

Step 1. Add Certbot ACME client to your server

Before you start, note that shell access to your server is needed to install both Certbot and the CA-signed certificate from Let's Encrypt.
Using the two drop-down menus on the Certbot website, choose your server software and the system it is running on to get specific instructions.

Follow the given instructions and install the Certbot ACME client.

Step 2. Generate and install CA-signed certificate

Run the automated script:

bash /var/www/onlyoffice/Tools/letsencrypt.sh yourdomain.com subdomain1.yourdomain.com subdomain2.yourdomain.com

Replace yourdomain.com with the address of the domain where your Community Server is installed.
Replace subdomain1.yourdomain.com and subdomain2.yourdomain.com (or any others) with the subdomains of the main domain that you use.

Now open your portal and check that it has been switched to the HTTPS protocol.
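To confirm more than the switch to HTTPS, the following added example (not part of the original tutorial or of ONLYOFFICE's tooling) checks that the certificate the portal serves lists every name that was passed to letsencrypt.sh. The function names and the sample SAN text are constructed for illustration; fetch_san assumes OpenSSL 1.1.1 or later and network access to port 443, and the wildcard match goes slightly beyond the explicit names used above.

```shell
#!/bin/sh
# Added example: verify that a served certificate covers every name given to letsencrypt.sh.

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:yourdomain.com, DNS:subdomain1.yourdomain.com'

# Print the DNS names found in SAN text $1, one per line, lower-cased.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*/\1/p' | tr '[:upper:]' '[:lower:]'
}

# Return 0 if host $2 is covered by SAN text $1, either by an exact entry
# or by a wildcard entry for its parent domain (*.yourdomain.com).
san_covers() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    wildcard="*.${host#*.}"
    san_names "$1" | grep -Fxq -e "$host" -e "$wildcard"
}

# Print each name in $2.. that SAN text $1 does not cover.
missing_names() {
    san=$1; shift
    for name in "$@"; do
        san_covers "$san" "$name" || printf '%s\n' "$name"
    done
}

# Fetch the SAN extension of the certificate served on $1:443.
fetch_san() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName
}

# Usage: sh check_san.sh yourdomain.com subdomain1.yourdomain.com ...
if [ "$#" -gt 0 ]; then
    missing=$(missing_names "$(fetch_san "$1")" "$@")
    if [ -n "$missing" ]; then
        echo "certificate on $1 does not cover:"
        echo "$missing"
        exit 1
    fi
    echo "certificate on $1 covers all $# name(s)"
fi
```

A name reported as missing means browsers will show a certificate error for that host even though the main domain loads over HTTPS.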

Part 2. Activating two-factor authentication via Twilio

Step 1. Open Third Party Services Settings

Enter your ONLYOFFICE portal and go to the Settings section by clicking the Settings icon at the top of the page, or select the appropriate option from the navigation menu.

Then, go to the Integration section and open the Third Party Services page.

Step 2. Connect Twilio to ONLYOFFICE

Select Twilio from the list of third-party services and click the switcher next to its icon. The window containing integration settings opens.

Specify the keys used to integrate Twilio with your portal. Get these keys in Twilio Console after signing in to your account (you will need ACCOUNT SID and AUTH TOKEN, and the appropriate phone number).

Paste the necessary data to the corresponding fields and click the Enable button to save settings.

Step 3. Enable two-factor authentication

Go from the Integration section to the Security -> Portal Access section. Find the Two-factor authentication option and click the Enable button. Once done, click the Save button.

Step 4. Log in to ONLYOFFICE

When two-factor authentication is enabled, refresh the page and sign in to ONLYOFFICE once again.
Enter your credentials as usual, then enter the phone number you would like the message to be sent to (you can change it at any moment on your profile page), and enter the six-digit verification code received via SMS.
