Basic definitions and procedures

Technical assistance
1
  • Used Zammad version: 6.4.1-1738853098.9075b144.bookworm
  • Used Zammad installation type: package, self-hosted
  • Operating system: Debian Bookworm
  • Browser + version: Safari, Chrome (irrelevant)
  • Webserver: Nginx
  • Reverse Proxy: Nginx proxy-manager

Full disclosure, I posted my specific problem here but maybe that was too specific for the community to be able to help. Therefore, with this thread I try to gain some more basic/generic understanding of how to follow the docs correctly and get my Zammad installation back to working.

Since I’m not a dev but a simple user trying to set up Zammad in my homelab, please help me clarify my following understanding on how to set up Zammad correctly:

  1. WEBSERVER - Zammad - as any other web service - requires some kind of webserver to display the sites. Preferable options are Nginx and Apache2. They are referenced as “webserver” as here.

  2. REVERSE PROXY - Zammad is typically expected to operate behind a reverse proxy server as described here under 2.6. When speaking of the “proxy server” in the documentation that is what is meant, not the webserver and not the proxy settings you can access via the GUI under Settings->System. Nginx-PM and Apache are officially supported reverse proxies but basically any reverse proxy should work. Or is there some “hidden auto-configuration” between Nginx webserver and Nginx-pm that make that combo work where other combos need more manual configuration?

  3. HTTP(S) - The documentation on how to Configure the Webserver says

Do not expose Zammad directly to the internet, as Zammad only provides HTTP!

However it also strongly recommends getting an SSL certificate via Certbot-plugin via the webserver itself (NOT the reverse proxy) and then communicate everything via https. So my understanding is now that the webserver itself should take care of the SSL certificates - and not the reverse proxy.

  1. ALL HTTPS - Based on #3 even local network traffic with Zammad should be SSL-encrypted, not just the traffic “outside” the reverse proxy manager (the evil internet). Logically then http_type should be set to “https”.

  2. NO REVERSE-PROXY-OBTAINED CERTS - Based on #4 there is no need to obtain a(nother) Letsencrypt SSL certificate via the (Nginx) proxy manager. It should simply route “zammad.mydomain.com” to the correct internal IP and port.

  3. NO WEBSOCKETS - When leaving Zammad itself to http (http_type) on the local network and only adding SSL via the reverse proxy manager for internet traffic, the mobile app via web sockets cannot be reached and you will see the “Lost server connection” error.

Thank you for confirming or rejecting even only some of my statements.