- Used Zammad version: 6.4.1-1738853098.9075b144.bookworm
- Used Zammad installation type: package, self-hosted
- Operating system: Debian Bookworm
- Browser + version: Safari, Chrome (irrelevant)
Expected behavior:
- Continue to allow log-in after switching from Nginx Proxy-Manager to Zoraxy
Actual behavior:
- CSRF Token verification error
Steps to reproduce the behavior:
- I used Zammad successfully in https mode with unencrypted traffic (http) on the local network and encrypted behind a reverse proxy (Nginx PM, https). So traffic from “outside” was always SSL-encrypted with a Let’s Encrypt SSL certificate, but the “internal” traffic from the reverse proxy to Zammad was always http only. However, that worked well with the ‘http_type’ set to https. That has the advantage that all links to the FQDN generated by Zammad were always correct and had https URLs.
Now I had to change my reverse proxy to Zoraxy. Now, login attempts result in the ‘CSRF Token verification error’.
I tried editing the Nginx conf file for Zammad from
proxy_set_header X-Forwarded-Proto $scheme;
to
proxy_set_header X-Forwarded-Proto https;
on all three different lines but with no effect.
When I set the ‘http_type’ to http (by a rails command), I can access and work with the installation. That, however, now creates false http URLs when sending from Zammad.
Why does it work with Nginx-PM but not with another reverse proxy, and what can I do to make it work in https mode again? Unfortunately, ‘direct’ SSL certificates for the installation are not an option since I have to operate behind the reverse proxy.
Thank you for any recommendation!