- Used Zammad version: 5.3.0-9
- Used Zammad installation type: dockercompose - Portainer
- Operating system: Debian
- Browser + version:
Expected behavior:
- Login after first postinstall
Actual behavior:
- CSRF token verification error
Steps to reproduce the behavior:
We installed Zammad on a VM (on Proxmox) via Portainer. Next, we want to use a Yunohost VM as a reverse proxy in front of it, using its redirections.
Dockerfile
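# Zammad stack deployed through Portainer. Every ${...} value is substituted
# from the accompanying .env file.
version: '3'

services:

  # Periodic database/file backup; mounts the Zammad data volume read-only.
  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
      - zammad-postgresql
    entrypoint: /usr/local/bin/backup.sh
    environment:
      - BACKUP_SLEEP=86400
      - HOLD_DAYS=10
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
    image: postgres:15.0-alpine
    restart: ${RESTART}
    volumes:
      - zammad_backup:/var/tmp/zammad
      - zammad_optdata:/opt/zammad:ro
      - /var/lib/docker/zammad_script/backup.sh:/usr/local/bin/backup.sh:ro

  zammad-elasticsearch:
    image: bitnami/elasticsearch:8.5.1
    restart: ${RESTART}
    volumes:
      - elasticsearch-data:/bitnami/elasticsearch/data

  # One-shot initialisation container (restarts only on failure).
  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    environment:
      # - ELASTICSEARCH_ENABLED=false
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASS=${POSTGRES_PASS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    restart: on-failure
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-memcached:
    command: memcached -m 256M
    image: memcached:1.6.17-alpine
    restart: ${RESTART}

  # Front-end nginx of the stack. It is attached to the external ipvlan
  # network, so it is reachable on the LAN at its own address on the exposed
  # port over plain HTTP, not only through the TLS reverse proxy. Limit access
  # to that address to the proxy host.
  zammad-nginx:
    command: ["zammad-nginx"]
    expose:
      - "8888"
    # ports:
    #   - "8888:8080"
    networks:
      - default
      - mynetwork
    depends_on:
      - zammad-railsserver
    environment:
      - NGINX_PORT=${NGINX_PORT}
      # List-form entries must be KEY=VALUE. The previous
      # "NGINX_SERVER_SCHEME:${NGINX_SERVER_SCHEME}" (colon instead of "=")
      # never assigned NGINX_SERVER_SCHEME in the container, so the "https"
      # value from .env had no effect.
      # NOTE(review): presumably the container's nginx then reported plain
      # http to Rails, which would fit the CSRF token error behind the TLS
      # proxy; confirm after redeploying.
      - NGINX_SERVER_SCHEME=${NGINX_SERVER_SCHEME}
      - VIRTUAL_HOST=${VIRTUAL_HOST}
      # - NGINX_SERVER_NAME=${NGINX_SERVER_NAME}
      - RAILS_TRUSTED_PROXIES=${RAILS_TRUSTED_PROXIES}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  # Database credentials are injected from .env; use a strong, unique
  # POSTGRES_PASS rather than a guessable value.
  zammad-postgresql:
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    image: postgres:15.1-alpine
    restart: ${RESTART}
    volumes:
      - zammad_pgdata:/var/lib/postgresql/data

  zammad-railsserver:
    command: ["zammad-railsserver"]
    depends_on:
      - zammad-memcached
      - zammad-postgresql
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
      # Only the listed proxies should be trusted to supply X-Forwarded-*
      # headers; keep this list as short as possible.
      - RAILS_TRUSTED_PROXIES=${RAILS_TRUSTED_PROXIES}
      # - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-redis:
    image: redis:7.0.5-alpine
    restart: ${RESTART}

  zammad-scheduler:
    command: ["zammad-scheduler"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-websocket:
    command: ["zammad-websocket"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

volumes:
  elasticsearch-data:
    driver: local
  # The three Zammad volumes are created outside this stack.
  zammad_pgdata:
    external: true
  zammad_backup:
    external: true
  zammad_optdata:
    external: true

networks:
  # Pre-existing network, referenced by its real name "my-network".
  mynetwork:
    name: my-network
    external: true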
.env
# Image and restart policy
IMAGE_REPO=zammad/zammad-docker-compose
VERSION=5.3.0-9
RESTART=always

# Backing services (addressed by compose service name)
MEMCACHE_SERVERS=zammad-memcached:11211
REDIS_URL=redis://zammad-redis:6379
ELASTICSEARCH_HOST=zammad-elasticsearch

# Database credentials. The password here equals the user name; replace it
# with a strong, unique secret and keep this file out of version control.
POSTGRES_USER=zammad
POSTGRES_PASS=zammad

# Reverse-proxy related settings
NGINX_PORT=8888
NGINX_SERVER_SCHEME=https
NGINX_SERVER_NAME=zammad.numc.eu
VIRTUAL_HOST=zammad.numc.eu
# Hosts allowed to supply X-Forwarded-* headers; 10.10.10.20 is the Yunohost
# proxy VM. List only proxies you control.
RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1', '10.10.10.20']
We have created a network, my-network, which is configured as ipvlan.
10.10.10.2/24
parent eth0
The container zammad_test-zammad-nginx-1 is using the IP 10.10.10.2 and exposes port 8888.
Now we use the Redirect app on Yunohost, which runs on another VM. The Yunohost VM has the IP 10.10.10.20.
We declared a redirection to Zammad at http://10.10.10.2:8888
for the domain https://zammad.numc.eu (the domain has a Let's Encrypt SSL certificate), using Nginx ProxyPass.
The nginx conf in Yunohost for this redirection
/etc/nginx/conf.d/zammad.numc.eu.d/redirect__4.conf
# Yunohost "redirect" app: forwards every request on this vhost to the Zammad
# nginx container over plain HTTP.
location / {
    proxy_pass         http://10.10.10.2:8888;
    proxy_redirect     off;
    proxy_http_version 1.1;

    # Describe the original client and the TLS front end to the upstream.
    # NOTE(review): no "Host" header is set, so nginx sends its default
    # ($proxy_host, i.e. the proxy_pass address) upstream; only
    # X-Forwarded-Host carries the public name. Confirm the upstream derives
    # its origin from the forwarded headers, otherwise origin/CSRF checks
    # compare against the internal address.
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host  $server_name;
    proxy_set_header X-Forwarded-Port  $server_port;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP         $remote_addr;

    # WebSocket upgrade headers. "Connection: upgrade" is sent on every
    # request, including those without an Upgrade header.
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Include SSOWAT user panel.
    # include conf.d/yunohost_panel.conf.inc;
    # more_clear_input_headers 'Accept-Encoding';
}
/etc/nginx/conf.d/zammad.numc.eu.conf
# Maps the client's "Upgrade" request header to $connection_upgrade:
# an empty header gives "close", any other value gives "upgrade".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
# Plain-HTTP vhost: serves the ACME / diagnosis / autoconfig paths and
# redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name zammad.numc.eu xmpp-upload.zammad.numc.eu;

    access_log /var/log/nginx/zammad.numc.eu-access.log;
    error_log  /var/log/nginx/zammad.numc.eu-error.log;

    # SSOwat access hook runs for requests to this vhost.
    access_by_lua_file /usr/share/ssowat/access.lua;

    include /etc/nginx/conf.d/acme-challenge.conf.inc;

    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /tmp/.well-known/ynh-diagnosis/;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/zammad.numc.eu/autoconfig/mail/;
    }

    # Permanent redirect to the same host and URI over HTTPS. The target host
    # is taken from the client's Host header ($http_host).
    location / {
        return 301 https://$http_host$request_uri;
    }
}
# HTTPS vhost for zammad.numc.eu. TLS terminates here; the per-domain
# snippets included from zammad.numc.eu.d/ (the redirect location) hand the
# traffic on to the backend.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name zammad.numc.eu;

    access_log /var/log/nginx/zammad.numc.eu-access.log;
    error_log  /var/log/nginx/zammad.numc.eu-error.log;

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate     /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/zammad.numc.eu/key.pem;

    # HSTS with a two-year max-age, covering subdomains, with preload.
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/zammad.numc.eu/autoconfig/mail/;
    }

    # NOTE(review): the SSOwat access hook applies to the whole vhost, so it
    # also runs for requests proxied to Zammad; confirm it passes them through
    # unmodified.
    access_by_lua_file /usr/share/ssowat/access.lua;

    include /etc/nginx/conf.d/zammad.numc.eu.d/*.conf;
    include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    include /etc/nginx/conf.d/yunohost_api.conf.inc;
}
# vhost dedicated to XMPP http_upload
# HTTPS vhost for XMPP http_upload: GET/HEAD are served from disk, every
# other method is proxied to the local service on port 5290.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xmpp-upload.zammad.numc.eu;
    root /dev/null;

    access_log /var/log/nginx/xmpp-upload.zammad.numc.eu-access.log;
    error_log  /var/log/nginx/xmpp-upload.zammad.numc.eu-error.log;

    location /upload/ {
        alias /var/xmpp-upload/zammad.numc.eu/upload/;

        # Pass all requests to metronome, except for GET and HEAD requests.
        limit_except GET HEAD {
            proxy_pass http://localhost:5290;
        }

        include proxy_params;

        # CORS headers for upload clients.
        # NOTE(review): a wildcard Allow-Origin is combined with
        # Allow-Credentials 'true'; browsers do not honour credentials with a
        # wildcard origin, so check whether the credentials header is needed.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';

        client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
    }

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate     /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/zammad.numc.eu/key.pem;

    # HSTS with a two-year max-age, covering subdomains, with preload.
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";

    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;
}
I have tried a lot of things, including in the Rails console inside the rails container:
rails c
Setting.get('http_type')
=> "https"
Setting.set('http_type','http')
quit
exit
or back to https…
We always end up with a CSRF verification error when we try to log in… What is missing?