CSRF token verification error - docker-compose / Portainer / reverse proxy

  • Used Zammad version: 5.3.0-9
  • Used Zammad installation type: dockercompose - Portainer
  • Operating system: Debian
  • Browser + version:

Expected behavior:

  • Login succeeds after the first post-install setup

Actual behavior:

  • CSRF token verification error at login

Steps to reproduce the behavior:

We installed Zammad on a VM (on Proxmox) via Portainer. Next we want to use a Yunohost VM whose Redirect app acts as a reverse proxy in front of it.

docker-compose.yml (Portainer stack)

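# Zammad stack as deployed through Portainer. Every ${VAR} below is
# interpolated from the .env file shown after this compose file.
version: '3'

services:

  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
      - zammad-postgresql
    entrypoint: /usr/local/bin/backup.sh
    environment:
      - BACKUP_SLEEP=86400
      - HOLD_DAYS=10
      # Same database credentials that zammad-postgresql is started with.
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
    image: postgres:15.0-alpine
    restart: ${RESTART}
    volumes:
      - zammad_backup:/var/tmp/zammad
      - zammad_optdata:/opt/zammad:ro
      # Backup script is kept on the host and mounted read-only.
      - /var/lib/docker/zammad_script/backup.sh:/usr/local/bin/backup.sh:ro

  zammad-elasticsearch:
    image: bitnami/elasticsearch:8.5.1
    restart: ${RESTART}
    volumes:
      - elasticsearch-data:/bitnami/elasticsearch/data

  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    environment:
#      - ELASTICSEARCH_ENABLED=false
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASS=${POSTGRES_PASS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    # One-shot initialisation job; only retried on failure.
    restart: on-failure
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-memcached:
    command: memcached -m 256M
    image: memcached:1.6.17-alpine
    restart: ${RESTART}

  zammad-nginx:
    command: ["zammad-nginx"]
    # Port 8888 is not published on the host. The Yunohost reverse proxy
    # reaches this container directly over the ipvlan network "my-network",
    # in plain HTTP; TLS is terminated on the proxy.
    expose:
      - "8888"
#    ports:
#      - "8888:8080"
    networks:
      - default
      - mynetwork
    depends_on:
      - zammad-railsserver
    environment:
      - NGINX_PORT=${NGINX_PORT}
      # Was written as "NGINX_SERVER_SCHEME:${NGINX_SERVER_SCHEME}" (colon
      # instead of "="), so the variable never reached the container.
      # Zammad's nginx uses it for the scheme it forwards to Rails;
      # without it Rails presumably saw plain http while http_type is
      # https — confirm in the rails log after the fix.
      - NGINX_SERVER_SCHEME=${NGINX_SERVER_SCHEME}
      - VIRTUAL_HOST=${VIRTUAL_HOST}
#      - NGINX_SERVER_NAME=${NGINX_SERVER_NAME}
      # Every proxy in front of Zammad has to stay in this list
      # (the .env includes the Yunohost VM, 10.10.10.20).
      - RAILS_TRUSTED_PROXIES=${RAILS_TRUSTED_PROXIES}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-postgresql:
    environment:
      # Credentials come from .env; the value posted there ("zammad") is a
      # trivial password — generate a strong one for any reachable deployment.
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    image: postgres:15.1-alpine
    restart: ${RESTART}
    volumes:
      - zammad_pgdata:/var/lib/postgresql/data

  zammad-railsserver:
    command: ["zammad-railsserver"]
    depends_on:
      - zammad-memcached
      - zammad-postgresql
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
      - RAILS_TRUSTED_PROXIES=${RAILS_TRUSTED_PROXIES}
#      - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-redis:
    image: redis:7.0.5-alpine
    restart: ${RESTART}

  zammad-scheduler:
    command: ["zammad-scheduler"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

  zammad-websocket:
    command: ["zammad-websocket"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
      - zammad-redis
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - REDIS_URL=${REDIS_URL}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad_optdata:/opt/zammad

volumes:
  elasticsearch-data:
    driver: local
  # The three Zammad volumes were created outside this stack and survive
  # a stack removal.
  zammad_pgdata:
    external: true
  zammad_backup:
    external: true
  zammad_optdata:
    external: true

networks:
  # ipvlan network created manually (10.10.10.2/24, parent eth0); gives
  # zammad-nginx the address 10.10.10.2 that the Yunohost proxy targets.
  mynetwork:
    name: my-network
    external: true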

.env

# Values interpolated into the ${VAR} placeholders of the compose file above.
IMAGE_REPO=zammad/zammad-docker-compose
MEMCACHE_SERVERS=zammad-memcached:11211
# Shared by zammad-postgresql, zammad-init and zammad-backup. This is a
# trivial password; use a generated one for anything beyond a throwaway lab.
POSTGRES_PASS=zammad
POSTGRES_USER=zammad
REDIS_URL=redis://zammad-redis:6379
RESTART=always
VERSION=5.3.0-9
NGINX_PORT=8888
# Public scheme as seen by users; TLS terminates on the Yunohost proxy,
# the container itself only speaks plain HTTP.
NGINX_SERVER_SCHEME=https
# Proxy addresses Rails should trust; 10.10.10.20 is the Yunohost VM
# that proxies https://zammad.numc.eu to this stack.
RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1', '10.10.10.20']
# Defined here but commented out in the zammad-nginx service, so it is
# not passed to the container.
NGINX_SERVER_NAME=zammad.numc.eu
VIRTUAL_HOST=zammad.numc.eu
# Also not passed: the ELASTICSEARCH_HOST line in zammad-railsserver is commented out.
ELASTICSEARCH_HOST=zammad-elasticsearch

We created a network `my-network`, configured as ipvlan (10.10.10.2/24, parent eth0).

The container zammad_test-zammad-nginx-1 uses the IP 10.10.10.2 and exposes port 8888.

Now we use the Redirect app on Yunohost, which runs on another VM (IP 10.10.10.20). We declared a redirection of type Nginx ProxyPass for Zammad: the domain https://zammad.numc.eu (which has a Let's Encrypt certificate) is proxied to http://10.10.10.2:8888.

The nginx configuration generated by Yunohost for this redirection:

/etc/nginx/conf.d/zammad.numc.eu.d/redirect__4.conf

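location / {
  # Upstream is the zammad-nginx container on the ipvlan network. TLS is
  # terminated here, so Zammad only sees plain HTTP and depends on the
  # X-Forwarded-* headers below to reconstruct its public URL.
  proxy_pass        http://10.10.10.2:8888;
  proxy_redirect    off;
  # Without this nginx sends "Host: 10.10.10.2:8888" to the upstream (the
  # proxy_pass address). Rails' request-forgery protection can reject a
  # login POST whose Origin does not match the host/scheme it believes it
  # serves, so forward the public host name instead.
  proxy_set_header  Host $http_host;
  proxy_set_header  X-Real-IP $remote_addr;
  proxy_set_header  X-Forwarded-Proto https;
  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Host $server_name;
  proxy_set_header  X-Forwarded-Port $server_port;

  # WebSocket upgrade. Use the $connection_upgrade map from
  # zammad.numc.eu.conf so "Connection: upgrade" is only sent when the
  # client asked for an upgrade, rather than on every proxied request.
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $connection_upgrade;

  # Include SSOWAT user panel.
#  include conf.d/yunohost_panel.conf.inc;
#  more_clear_input_headers 'Accept-Encoding';
}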

/etc/nginx/conf.d/zammad.numc.eu.conf

# Derive the upstream "Connection" header from the client's Upgrade header:
# "close" when no upgrade was requested, "upgrade" for WebSocket handshakes.
map $http_upgrade $connection_upgrade {
    ""      close;
    default upgrade;
}

server {
    # Plain-HTTP vhost generated by Yunohost: only ACME and diagnosis paths
    # are served here, everything else is redirected to HTTPS.
    listen 80;
    listen [::]:80;
    server_name zammad.numc.eu xmpp-upload.zammad.numc.eu;

    # Yunohost SSOwat access hook; inherited by the locations below unless
    # they override it.
    access_by_lua_file /usr/share/ssowat/access.lua;

    include /etc/nginx/conf.d/acme-challenge.conf.inc;

    location ^~ '/.well-known/ynh-diagnosis/' {
        alias /tmp/.well-known/ynh-diagnosis/;
    }

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/zammad.numc.eu/autoconfig/mail/;
    }

    
    
    location / {
        # Zammad is never served over plain HTTP; the proxy location lives
        # in the 443 vhost.
        return 301 https://$http_host$request_uri;
    }
    
    

    access_log /var/log/nginx/zammad.numc.eu-access.log;
    error_log /var/log/nginx/zammad.numc.eu-error.log;
}

server {
    # HTTPS vhost generated by Yunohost. The Zammad reverse-proxy location
    # (redirect__4.conf) is pulled in through the conf.d include below.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name zammad.numc.eu;

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/zammad.numc.eu/key.pem;

    
    # HSTS for two years, including subdomains, preload-eligible.
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    
    
    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): ssl_trusted_certificate is used to verify the stapled
    # OCSP response; pointing it at crt.pem only works if that file already
    # contains the issuer chain — confirm, otherwise stapling does not work.
    ssl_trusted_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;
    

    location ^~ '/.well-known/autoconfig/mail/' {
        alias /var/www/.well-known/zammad.numc.eu/autoconfig/mail/;
    }

    # SSOwat runs before the proxied Zammad location. If the Redirect app is
    # not marked as public in Yunohost, unauthenticated requests (including
    # Zammad's own login POST) are presumably diverted to the SSO portal —
    # confirm the app's permission setting when debugging the login failure.
    access_by_lua_file /usr/share/ssowat/access.lua;

    # Loads redirect__4.conf, i.e. the "location /" proxy to 10.10.10.2:8888.
    include /etc/nginx/conf.d/zammad.numc.eu.d/*.conf;

    include /etc/nginx/conf.d/yunohost_sso.conf.inc;
    include /etc/nginx/conf.d/yunohost_admin.conf.inc;
    include /etc/nginx/conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/zammad.numc.eu-access.log;
    error_log /var/log/nginx/zammad.numc.eu-error.log;
}

# vhost dedicated to XMPP http_upload
server {
    # Yunohost-generated vhost for XMPP HTTP file upload. Unrelated to the
    # Zammad proxy; it only shares the certificate of zammad.numc.eu.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xmpp-upload.zammad.numc.eu;
    # No document root: only the /upload/ location below serves anything.
    root /dev/null;

    location /upload/ {
        alias /var/xmpp-upload/zammad.numc.eu/upload/;
        # Pass all requests to metronome, except for GET and HEAD requests.
        limit_except GET HEAD {
          proxy_pass http://localhost:5290;
        }

        include proxy_params;
        # NOTE(review): a wildcard Allow-Origin combined with
        # Allow-Credentials "true" is rejected by browsers for credentialed
        # requests, so the credentials header has no effect here.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'HEAD, GET, PUT, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';
        client_max_body_size 105M; # Choose a value a bit higher than the max upload configured in XMPP server
    }

    include /etc/nginx/conf.d/security.conf.inc;

    ssl_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/zammad.numc.eu/key.pem;

    
    # HSTS for two years, including subdomains, preload-eligible.
    more_set_headers "Strict-Transport-Security : max-age=63072000; includeSubDomains; preload";
    
    
    # OCSP settings
    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): as in the main vhost, crt.pem must carry the issuer
    # chain for OCSP verification to succeed — confirm.
    ssl_trusted_certificate /etc/yunohost/certs/zammad.numc.eu/crt.pem;
    resolver 127.0.0.1 127.0.1.1 valid=300s;
    resolver_timeout 5s;
    

    access_log /var/log/nginx/xmpp-upload.zammad.numc.eu-access.log;
    error_log /var/log/nginx/xmpp-upload.zammad.numc.eu-error.log;
}

I have tried a lot of things, including the Rails console inside the rails container:

# Inside the zammad-railsserver container: open the Rails console.
rails c
# Zammad's configured public scheme; presumably relevant to how session
# cookies and the CSRF check behave behind the proxy — confirm against the
# X-Forwarded-Proto that Rails actually receives.
Setting.get('http_type')
=> "https"
# Experiment: switch to plain http. Did not make the login error go away.
Setting.set('http_type','http')
quit
exit

or switching it back to https…

We always end up with a CSRF token verification error when we try to log in… What is missing?
