This guide shows how to integrate OnlyOffice and FileBrowser via Wiredoor. Wiredoor is a self-hosted ingress-as-a-service platform that lets you route internet traffic to internal apps, IoT, Kubernetes and more using a reverse VPN powered by WireGuard. Below steps are derived from this discussion.

Setting Up Wiredoor node

  • Create a gateway node using your Wiredoor server UI
  • Assign it a Docker subnet, for example: 172.18.100.0/24
  • Copy the token shown when creating the node.

Local Setup

Example of docker-compose.yml:

YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
networks:
  wiredoor:
    driver: bridge
    ipam:
      config:
        - subnet: 172.18.100.0/24

services:
  filebrowser:
    volumes:
      - './filebrowser/data:/srv'
      - './filebrowser/database:/home/filebrowser/database'
      - './filebrowser/config.yaml:/home/filebrowser/config.yaml'
    ports:
      - 80:80
    image: gtstef/filebrowser
    environment:
      FILEBROWSER_ONLYOFFICE_SECRET: ${ONLYOFFICE_SECRET:?ONLYOFFICE environment variable is required in your .env file}
    restart: unless-stopped
    networks:
      - wiredoor

  onlyoffice:
    image: onlyoffice/documentserver
    environment:
      JWT_SECRET: ${ONLYOFFICE_SECRET:?ONLYOFFICE environment variable is required in your .env file}
    ports:
      - 8080:80
    networks:
      - wiredoor

  wiredoor-gw:
    image: wiredoor/wiredoor-cli:latest
    cap_add:
      - NET_ADMIN
    environment:
      WIREDOOR_URL: ${WIREDOOR_URL:?WIREDOOR_URL environment variable is required in your .env file}
      TOKEN: ${WIREDOOR_TOKEN:?WIREDOOR_TOKEN environment variable is required in your .env file}
    networks:
      - wiredoor

Create a .env file with the following:

TEXT
1
2
3
ONLYOFFICE_SECRET=onlyoffice_secret
WIREDOOR_URL=https://your-wiredoor-server.com
WIREDOOR_TOKEN=YOUR_GATEWAY_NODE_TOKEN

Minimal Filebrowser Configuration:

YAML
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
server:
  port: 80
  baseURL:  "/"
  logging:
    - levels: "info|warning|error"
  sources:
    - path: "/srv"
  internalUrl: "http://filebrowser"
userDefaults:
  preview:
    image: true
    popup: true
    video: false
    office: false
    highQuality: false
  darkMode: true
  disableSettings: false
  singleClick: false
  permissions:
    admin: false
    modify: false
    share: false
    api: false
integrations:
  office:
    url: "https://onlyoffice.example.com"   # Domain used to expose onlyoffice

Exposing services via Wiredoor

Use Wiredoor to expose:

  • https://filebrowser.example.comhttp://filebrowser:80
  • https://onlyoffice.example.comhttp://onlyoffice:80

Make sure the names (filebrowser, onlyoffice) match the service names in your Compose file.

At this point, both services should be accessible independently, but the integration will still fail because of iframe restrictions.

Patch Wiredoor’s Default Security Headers

By default, Wiredoor sets X-Frame-Options: DENY, which blocks Onlyoffice from being embedded in Filebrowser’s editor view.

To fix this:

BASH
1
2
3
docker compose exec -u root wiredoor bash
apk add nano
nano /etc/nginx/partials/security.conf

Find and comment out the following lines:

BASH
1
2
# add_header X-Frame-Options "DENY" always;
# add_header X-Frame-Options "SAMEORIGIN" always;

Then reload NGINX:

BASH
1
nginx -s reload

The FileBrowser editor should now successfully load the OnlyOffice iframe, and you should be able to open document files with full editing functionality.