I just installed Zammad for testing purposes in a VM.
Somehow I can't reach the GUI via the device IP - only locally via 127…
I am not an extreme pro with Linux, but I tested some systems before and I could always reach them afterwards via IP.
Infos:
Used Zammad version: 5.2.x
Used Zammad installation type: source
Operating system: Ubuntu 20.04.4 Desktop x64
Browser + version: Firefox 101.0.1
Expected behavior:
I want to reach the web GUI via the IP of the device.
Actual behavior:
I can only reach the GUI via 172.0.0.1:3000
I set the IP in the setup to 172.16.16.203:3000
The hostname is ticket03.
I use the default copied zammad.conf (apache)
# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad
#
# security - prevent information disclosure about server version
ServerTokens Prod
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem
# SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem
# SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName localhost
## don't loose time with IP address lookups
HostnameLookups Off
## needed for named virtual hosts
UseCanonicalName Off
## configures the footer on server-generated documents
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
<Proxy 127.0.0.1:3000>
Require local
</Proxy>
ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /apple-touch-icon.png !
ProxyPass /robots.txt !
ProxyPass /ws ws://127.0.0.1:6042/
ProxyPass / http://127.0.0.1:3000/
# change this line in an SSO setup
RequestHeader unset X-Forwarded-User
# Use settings below if proxying does not work and you receive HTTP-Errror 404
# if you use the settings below, make sure to comment out the above two options
# This may not apply to all systems, applies to openSuse
#ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
#ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"
DocumentRoot "/opt/zammad/public"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory "/opt/zammad/public">
Options FollowSymLinks
Require all granted
</Directory>
</VirtualHost>
There might be different reasons (or a combination of them):
Your Apache webserver might not be running at all: I’m quite - but not completely - sure that an SSL-enabled VirtualHost w/o properly configured and existing certificates (SSLCertificate... directives) will not start up. Use something like systemctl status apache2 to check if the service is running (the name of the service might be different, I’m not used to Ubuntu).
There is a local firewall in place which is blocking ports 80 and 443
Your port 80 (http) VirtualHost directive redirects to port 443 (https), which is most surely not working (missing certificates, see above). Either configure the certificates or make this a non-SSL VirtualHost and get rid of the first (port 80) VirtualHost block.
Your default VirtualHost is not the one with Zammad
These are just a few ideas, and w/o being able to have a look at the whole system and the complete Apache configuration an analysis is hard to do :-). Also, you don’t tell us what happens if you try to reach it via the host IP. Is there an error message? A timeout?
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
The firewall in my evaluation VM is disabled by default.
I think Apache is not really running, because I get errors when I want to start it.
My problem is that I just wanted to have an installation to test the features and have some colleagues look at and test the system too, because we need an on-prem ticket system in our company.
I couldn't restart the webserver by default following the guide, because I think the default copied config needs the certificates set up. Maybe the webserver needs some lines commented out to use :80, but I'm not sure which.
So I tried Apache instead of nginx, because I have known Apache a bit longer.
I talked with a colleague and found out that the guide is lacking information on what you need to set up in the config files for not using https.
I first had the problem with the default install with nginx, because when I tried to restart the server I got errors, because it could not find the paths/certificate files of the default copied config.
And I got stuck with nginx and the Let's Encrypt part of the documentation, because I don't use a web address, because the Zammad server will only be reachable in the local network.
I will try this config for Apache - if it's not possible I will reinstall Zammad with nginx and a self-signed cert.
# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad
#
# security - prevent information disclosure about server version
ServerTokens Prod
#<VirtualHost *:80>
# ServerName example.com
# Redirect permanent / https://example.com
#</VirtualHost>
<VirtualHost *:80>
# SSLEngine on
# SSLProtocol all -SSLv2 -SSLv3
# SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem
# SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem
# SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem
# replace 'localhost' with your fqdn if you want to use zammad from remote
ServerName ticket03
## don't loose time with IP address lookups
HostnameLookups Off
## needed for named virtual hosts
UseCanonicalName Off
## configures the footer on server-generated documents
ServerSignature Off
ProxyRequests Off
ProxyPreserveHost On
<Proxy 127.0.0.1:3000>
Require local
</Proxy>
ProxyPass /assets !
ProxyPass /favicon.ico !
ProxyPass /apple-touch-icon.png !
ProxyPass /robots.txt !
ProxyPass /ws ws://127.0.0.1:6042/
ProxyPass / http://127.0.0.1:3000/
# change this line in an SSO setup
RequestHeader unset X-Forwarded-User
# Use settings below if proxying does not work and you receive HTTP-Errror 404
# if you use the settings below, make sure to comment out the above two options
# This may not apply to all systems, applies to openSuse
#ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
#ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"
DocumentRoot "/opt/zammad/public"
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory "/opt/zammad/public">
Options FollowSymLinks
Require all granted
</Directory>
</VirtualHost>
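An added example, not part of any post in this thread and not Zammad project code: a small Python check over Apache vhost text that flags the two conditions discussed here, a VirtualHost with SSLEngine on whose SSLCertificateFile lines are all commented out, and a VirtualHost that proxies to Zammad without TLS on the listener. The function names and the abbreviated sample configs are assumptions made for illustration.

```python
import re

# Sample inputs abbreviated from the two configs posted in this thread.
DEFAULT_CONF = """\
<VirtualHost *:80>
Redirect permanent / https://example.com
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
# SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
"""
HTTP_ONLY_CONF = """\
<VirtualHost *:80>
# SSLEngine on
ProxyPass / http://127.0.0.1:3000/
</VirtualHost>
"""
NO_CERT = "SSLEngine on but no active SSLCertificateFile"
PLAIN_HTTP = "proxies to the backend without TLS on the listener"

def parse_vhosts(text):
    """Return [(address, {directive: [args]})] per VirtualHost; comments are skipped."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is not in effect
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {}
            vhosts.append((opened.group(1).strip(), current))
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and not line.startswith("<"):
            name, *rest = line.split(None, 1)
            current.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return vhosts

def lint(text):
    """Flag vhosts with TLS on but no certificate, or that serve Zammad unencrypted."""
    findings = []
    for addr, d in parse_vhosts(text):
        ssl_on = any(a.lower() == "on" for a in d.get("sslengine", []))
        if ssl_on and "sslcertificatefile" not in d:
            findings.append((addr, NO_CERT))
        if "proxypass" in d and not ssl_on:
            findings.append((addr, PLAIN_HTTP))
    return findings
```

Directives inside nested sections such as Proxy or Directory are attributed to the enclosing VirtualHost, which is sufficient for these two checks.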
Documentation guy responsible here.
The documentation intentionally helps you zero with HTTP.
This is an unsafe configuration that we’re not helping anyone with.
I’ve seen too many productive Zammad installations on HTTP on a public interface by now.
Sorry that this is breaking your bone but it’s for the safety of our users / admins.
Thank you!
I can understand your reasons.
I reinstalled Zammad and am stuck with nginx and the self-signed certificate.
Do I have to comment out the lines with ssl_certificate_key and ssl_trusted_certificate?
I created the dhparam.pem file.
I looked at the documentation here, but they use a different approach that I can't connect in my head to my case.
I set this system up for elaboration.
The productive system will only be reachable via VPN.
We are a company with health-related data of patients and the privacy regulation is extremely strict.
So our server can never be reached via domain - only IP or hostname, and this is my problem now.
I have read this documentation again and discovered that the code for generating the self-signed certificate generates two files.
I put the private key in the config now and nginx now seems almost satisfied: