How to configure the webserver when installed with docker compose?

Infos:

  • Used Zammad version: 6.1.0
  • Used Zammad installation type: docker-compose
  • Operating system: Ubuntu 22.04
  • Browser + version:

Expected behavior:

  • Install Zammad with docker compose should be possible by following the docs.

Actual behavior:

  • I can’t follow the installation tutorial for docker compose at the point where the SSL part starts. I want to use letsencrypt, but the docker container for nginx has neither certbot nor acme.sh installed, and I can’t install them inside the container because it has no sudo.

Steps to reproduce the behavior:

My approach

Maybe I’m getting it wrong by trying to work from inside the nginx container? I found zammad_ssl.conf and read that I have to use it in place of zammad.conf. There I can set my domain. But the part about obtaining the certificate and running certbot is not well explained in the docs. Actually, certbot is missing to start with.

I don’t know if this is a problem, but in my nginx container zammad.conf is under ~/contrib/nginx, not where this reply suggests. There is also /etc/nginx/sites-available/default, which may be the active nginx config, with the above just being samples? But which one do I have to use? And do I already have to set the servername as an environment variable for docker compose?


You’re not forced to use the nginx of Zammad, as long as the nginx in question is actually able to connect to Zammad’s ports.

A starter would be to look into the vhost configuration of your compose. The default compose version should allow you to have another proxy in front theoretically. But that’s double the trouble if you’re unlucky so…

I set the external nginx conf to reverse proxy port 8080, but now I’ve hit a problem: Zammad can’t get the true IP from the session. Now the IP is the Docker IP.

I’m struggling with the same problem. Is it safe to say then that we can’t have SSL with letsencrypt/certbot if we’re using the stock Zammad docker-compose?

Here is how to do it with Apache and Nginx.
1. Apache:

# Zammad Docker: HTTP vhost, redirects everything to HTTPS
# Requires mod_rewrite, mod_ssl, mod_headers, mod_proxy and mod_proxy_http.
<VirtualHost *:80>
    ServerName FQDN
    ServerAdmin johndoe@foor.bar

    RewriteEngine On
    RewriteCond %{SERVER_NAME} =FQDN
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Zammad Docker: HTTPS vhost, reverse proxy to the zammad-nginx container on port 8080
<VirtualHost *:443>
    ServerAdmin johndoe@foor.bar
    ServerName FQDN

    SSLEngine on
    # Modern TLS only. The legacy "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    # string from old Apache defaults enables export, NULL and RC4 ciphers and must not be used.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLCertificateFile /etc/letsencrypt/live/FQDN/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/FQDN/privkey.pem

    # Log format must be defined before the CustomLog that references it
    LogFormat "%h %l %u %t %{Host}i \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %V %p" combined
    ErrorLog "/var/log/apache2/FQDN-error.log"
    CustomLog "/var/log/apache2/FQDN-access.log" combined

    # Tell Zammad the original request was HTTPS (mod_proxy adds X-Forwarded-For itself)
    RequestHeader set X-Forwarded-Proto https

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
2. Nginx:
# Redirect HTTP -> HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name FQDN;

    # The redirect must come before `return 404;`: nginx evaluates these
    # directives in order, and a `return` that comes first ends the request.
    if ($host = FQDN) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

# HTTPS, reverse proxy to the zammad-nginx container on port 8080
server {
    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
    server_name FQDN;

    ssl_certificate /etc/letsencrypt/live/FQDN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/FQDN/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # log files
    access_log /var/log/nginx/FQDN-access.log;
    error_log /var/log/nginx/FQDN-error.log;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    client_max_body_size 100m;
    proxy_read_timeout 300;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Pass websocket upgrades through to Zammad's websocket endpoints
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_cache_bypass $http_upgrade;
        # These headers let Zammad see the client address instead of the Docker bridge IP
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
    }
}

I hope this helps.
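A small pre-deploy check for the two pitfalls of an external nginx in front of the Zammad compose stack (a `return 404;` placed before the HTTP-to-HTTPS redirect, and a proxy location that does not forward the headers Zammad needs for the real client IP and websockets), as an added example that is not part of this thread or of Zammad. It assumes a sites-available style file with `server` blocks at top level, and the config text is a constructed sample:

```python
"""Pre-deploy check for an nginx reverse proxy in front of Zammad (added example, not
from the thread). Assumes a sites-available style file: `server { ... }` at top level."""
import re

# Host/X-Forwarded-*/X-Real-IP let Zammad log the client address instead of the Docker
# bridge IP; Upgrade/Connection are needed for Zammad's websocket connections.
REQUIRED_HEADERS = {"Host", "X-Forwarded-For", "X-Real-IP", "X-Forwarded-Proto",
                    "Upgrade", "Connection"}

def split_server_blocks(text):
    """Return the body of every top-level `{ ... }` block, found by brace counting."""
    blocks, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append(text[start:i])
    return blocks

def redirect_shadowed(body):
    """True when the first `return` in the block is not a 3xx redirect: nginx runs
    `return` and `if` in order, so a `return 404;` above the redirect answers 404."""
    m = re.search(r"return\s+(\d{3})", body)
    return m is None or not m.group(1).startswith("3")

def missing_proxy_headers(body):
    """Names from REQUIRED_HEADERS that no `proxy_set_header` in this block sets."""
    present = set(re.findall(r"proxy_set_header\s+([\w-]+)", body))
    return sorted(REQUIRED_HEADERS - present)

def check_config(text):
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    for body in split_server_blocks(text):
        if "proxy_pass" in body:
            findings += [f"proxy block does not set {h}" for h in missing_proxy_headers(body)]
        elif redirect_shadowed(body):
            findings.append("HTTP block returns before its redirect, so it never fires")
    return findings

# Constructed sample with both problems: 404 before the redirect, no forwarding headers.
SAMPLE = """
server { listen 80; server_name FQDN; return 404;
         if ($host = FQDN) { return 301 https://$host$request_uri; } }
server { listen 443 ssl; server_name FQDN;
         location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; } }
"""
```

Run `check_config` over your own site file before reloading nginx; an empty result means both blocks pass.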