Docker Traefik - CSRF token validation failed

Hello I am running Zammad with Docker.
To use my own domain with Let's Encrypt certificates, I run it behind Traefik.

Now I get everything displayed well and when I log in for the first time everything works.

After an initial logout, I can no longer log in.

Zammad then always reports “csrf token validation failed”.

Sorry, here is my docker-compose.override.yml:

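# docker-compose.override.yml: gives every Zammad service a fixed container
# name and publishes the Zammad nginx front end through Traefik.
version: '2'
services:

  zammad-backup:
    container_name: Zammad-Backup

  zammad-elasticsearch:
    container_name: Zammad-ElasticSearch

  zammad-init:
    container_name: Zammad-Init

  zammad-memcached:
    container_name: Zammad-MemCached

  zammad-postgresql:
    container_name: Zammad-PostgreSQL

  zammad-railsserver:
    container_name: Zammad-RailsServer

  zammad-scheduler:
    container_name: Zammad-Scheduler

  zammad-websocket:
    container_name: Zammad-WebSocket

  zammad-nginx:
    container_name: Zammad-NGINX
    labels:
      # Quoted: Compose expects label values to be strings; a bare true is a
      # YAML boolean and is rejected by some Compose versions.
      traefik.enable: "true"

      # Routers
      # TLS ends at Traefik (websecure entrypoint); the certificate comes from
      # the ACME resolver named myresolver.
      traefik.http.routers.zammad-nginx.rule: 'Host(`service.leather-fabrics-online.com`)'
      traefik.http.routers.zammad-nginx.entrypoints: websecure
      traefik.http.routers.zammad-nginx.tls.certresolver: myresolver
      traefik.http.routers.zammad-nginx.service: zammad_svc

      # Traefik reaches nginx over plain HTTP on port 80 inside the Docker
      # network. NOTE(review): the backend then has to hand the proxy's
      # X-Forwarded-Proto (https) on to Rails unchanged; if nginx replaces it
      # with its own scheme (http), the CSRF check likely fails as described.
      traefik.http.services.zammad_svc.loadBalancer.server.port: "80"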

Hello I have been trying the last few days to fix the error.

Anyone who wants to can use my two files below for testing.
I saved everything under /home/container and ran this there:

git clone https://github.com/zammad/zammad-docker-compose

Then I overwrote the two files with the ones attached below.
All containers go up and you can log in to Zammad for the first time after logging out, only the error then also my config for tobacco does nothing.

Is this header sufficient or does anything else have to be transferred?

Here my
docker-compose-override.yml

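# docker-compose.override.yml (second attempt): container names, Traefik
# routing for the Zammad nginx front end, and a request-header middleware.
version: '2'
services:

  zammad-backup:
    container_name: Zammad-Backup

  zammad-elasticsearch:
    container_name: Zammad-ElasticSearch

  zammad-init:
    container_name: Zammad-Init

  zammad-memcached:
    container_name: Zammad-MemCached

  zammad-postgresql:
    container_name: Zammad-PostgreSQL

  zammad-railsserver:
    container_name: Zammad-RailsServer

  zammad-scheduler:
    container_name: Zammad-Scheduler

  zammad-websocket:
    container_name: Zammad-WebSocket

  zammad-nginx:
    container_name: Zammad-NGINX
    labels:
      # Quoted: Compose expects label values to be strings; a bare true is a
      # YAML boolean and is rejected by some Compose versions.
      traefik.enable: "true"

      # Routers
      traefik.http.routers.zammad-nginx.rule: 'Host(`service.example.com`)'
      traefik.http.routers.zammad-nginx.entrypoints: websecure
      traefik.http.routers.zammad-nginx.tls.certresolver: myresolver
      traefik.http.routers.zammad-nginx.service: zammad_svc

      # Traefik reaches nginx over plain HTTP on port 80 inside the Docker
      # network; TLS ends at Traefik.
      traefik.http.services.zammad_svc.loadBalancer.server.port: "80"

      # Forces X-Forwarded-Proto: https on the request sent to nginx.
      # NOTE(review): this only helps if the backend nginx passes the header
      # through to Rails; a backend that sets X-Forwarded-Proto from its own
      # $scheme overwrites it with http, which would explain why this
      # middleware alone did not clear the CSRF error.
      traefik.http.routers.zammad-nginx.middlewares: zammadHeader
      traefik.http.middlewares.zammadHeader.headers.customrequestheaders.X-Forwarded-Proto: https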

and my docker-compose.yml

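# docker-compose.yml: Traefik (TLS termination, ACME), Portainer and the
# Zammad service stack on one Docker host.
version: "2"

services:

  traefik:
    # NOTE(review): v2.1 is an old release line; check whether it still
    # receives security fixes before reusing this file.
    image: traefik:v2.1
    container_name: Traefik
    command:
      - "--log.level=INFO"
      # Enables the API/dashboard; it is published below through the
      # api@internal router, protected by the traefik-auth middleware.
      - "--api"
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable.
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=infos@example.de"
      # acme.json holds the account and certificate private keys; keep the
      # host directory readable by root only.
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt
      # The :ro flag protects the socket file, not the API behind it: any
      # process that can talk to this socket controls the Docker daemon.
      # A filtering socket proxy in front of it narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      # Quoted: Compose expects label values to be strings.
      traefik.enable: "true"

      # Routers
      traefik.http.routers.traefik.rule: 'Host(`traefik.example.de`)'
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.middlewares: traefik-auth

      # global redirect to https
      traefik.http.routers.http-catchall.rule: 'hostregexp(`{host:.+}`)'
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https

      # Middleware
      traefik.http.middlewares.traefik-auth.basicauth.removeheader: "true"
      # $$ is Compose escaping for a literal $. The $1$ prefix marks an
      # MD5-crypt hash, which is cheap to brute-force; prefer a bcrypt entry
      # and keep real hashes out of shared or published files.
      traefik.http.middlewares.traefik-auth.basicauth.users: 'example:$$1$$X[kMyb^l$$Npy/uslnNuMB4pK0focS00'

      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

  portainer:
    image: portainer/portainer
    container_name: Portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      # Read-write Docker socket: Portainer has full control of the daemon,
      # so anyone who gets into Portainer effectively has root on the host.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      traefik.enable: "true"

      # Routers
      # No auth middleware on this router: access control relies entirely on
      # Portainer's own login.
      traefik.http.routers.portainer.rule: 'Host(`portainer.example.de`)'
      traefik.http.routers.portainer.entrypoints: websecure
      traefik.http.routers.portainer.tls.certresolver: myresolver
      traefik.http.routers.portainer.service: portainer_svc

      traefik.http.services.portainer_svc.loadBalancer.server.port: "9000"

  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
    entrypoint: /usr/local/bin/backup.sh
    environment:
      - BACKUP_SLEEP=86400
      - HOLD_DAYS=10
      # Credentials are substituted from the environment / .env file and end
      # up in the container environment in clear text.
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    links:
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-backup:/var/tmp/zammad
      - zammad-data:/opt/zammad

  zammad-elasticsearch:
    environment:
      - discovery.type=single-node
    image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
    restart: ${RESTART}
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data

  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-postgresql
    restart: on-failure
    volumes:
      - zammad-data:/opt/zammad

  zammad-memcached:
    command: memcached -m 256M
    image: memcached:1.5.22-alpine
    restart: ${RESTART}

  zammad-nginx:
    command: ["zammad-nginx"]
    # expose (not ports): nginx is reachable only from other containers, so
    # outside traffic has to come through Traefik.
    expose:
      - "80"
    depends_on:
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-railsserver
      - zammad-websocket
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-postgresql:
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    restart: ${RESTART}
    volumes:
      - postgresql-data:/var/lib/postgresql/data

  zammad-railsserver:
    command: ["zammad-railsserver"]
    depends_on:
      - zammad-memcached
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-scheduler:
    command: ["zammad-scheduler"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-websocket:
    command: ["zammad-websocket"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-postgresql
      - zammad-memcached
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

volumes:
  portainer_data: {}
  elasticsearch-data:
    driver: local
  postgresql-data:
    driver: local
  zammad-backup:
    driver: local
  zammad-data:
    driver: local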

Hello, have you found a solution?

I have the same problem, in the same configuration.

Well…

I solved this problem by creating a new NginX container with an optimized configuration that you can find here : https://github.com/zammad/zammad-docker-compose/issues/120#issuecomment-567013772

Here is my code, something really simple.

Dockerfile

# Front-end nginx image used in place of the stock Zammad nginx container.
# NOTE(review): the base image is unpinned (implicit latest tag); pinning a
# tag or digest keeps rebuilds reproducible and reviewable.
FROM nginx
# Remove the image's default site so only the configs copied below are loaded.
RUN rm /etc/nginx/conf.d/default.conf
COPY config/nginx.conf /etc/nginx/nginx.conf
COPY config/services/* /etc/nginx/conf.d/
# EXPOSE is metadata only; the server block shown below listens on port 80,
# TLS is terminated by the reverse proxy in front of this container.
EXPOSE 443 80

config/nginx.conf (the same as zammad)

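# Main nginx configuration; the site definitions are pulled in from
# /etc/nginx/conf.d/ at the end of the http block.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
}

http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	# TLS 1.0 and 1.1 are deprecated and were dropped from the list. This only
	# takes effect if a "listen ... ssl" server is added; in this setup nginx
	# serves plain HTTP and the reverse proxy terminates TLS.
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;
	gzip on;
	include /etc/nginx/conf.d/*.conf;
}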

config/services/default.conf

# Backend pools, addressed by their Compose service names on the Docker
# network: the Rails application server and the websocket server.
upstream zammad-railsserver {
    server zammad-railsserver:3000;
}

upstream zammad-websocket {
    server zammad-websocket:6042;
}

# $real_scheme is the X-Forwarded-Proto value received from the proxy in
# front of nginx; when that header is absent it falls back to nginx's own
# $scheme. This is what lets "https" from the TLS-terminating proxy reach
# Rails instead of being replaced by "http".
# The header is taken on trust: keep this container reachable only through
# the reverse proxy (no published ports), otherwise a direct client can set
# the scheme the application sees.
map $http_x_forwarded_proto $real_scheme {
    default $http_x_forwarded_proto;
    '' $scheme;
}

# Plain-HTTP front end for Zammad; TLS is expected to be terminated by the
# reverse proxy in front of this container.
server {
    listen 80;

    # "_" is a catch-all name, so this server answers for any Host header;
    # set it to your FQDN to accept only that name.
    server_name _;

    root /opt/zammad/public;

    # Both logs go to the container's stdout.
    access_log /dev/stdout;
    error_log  /dev/stdout;

    client_max_body_size 50M;

    # Static files are served from root with far-future cache headers.
    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    # Websocket endpoint: HTTP/1.1 plus the Upgrade/Connection headers are
    # needed for the protocol switch; the long read timeout keeps idle
    # connections open.
    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the scheme seen by the outer proxy, not nginx's own "http".
        proxy_set_header X-Forwarded-Proto $real_scheme;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    # Everything else goes to the Rails application server.
    location / {
        proxy_set_header Host $http_host;
        # $remote_addr is the address of the direct peer, i.e. the reverse
        # proxy when one sits in front; the original client is only in
        # X-Forwarded-For.
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the scheme seen by the outer proxy, not nginx's own "http",
        # so the application sees the request as https.
        proxy_set_header X-Forwarded-Proto $real_scheme;
        proxy_read_timeout 300;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }
}