How to set apache to reach Zammad with IP

Hello dear Zammad community!

I just installed Zammad for testig uses in an vm.
Somehow i cant reach the Gui via the device ip - only locally via 127…

Iam not a extreme pro with linux, but i tested some sytems before and i could always reach them afterwarts via IP.

Infos:

  • Used Zammad version: 5.2.x
  • Used Zammad installation type: source
  • Operating system: Ubuntu 20.04.4 Desktop x64
  • Browser + version: Firefox 101.0.1

Expected behavior:

I want to reach the Webgui via the ip of the device.

Actual behavior:

I can only reach the GUI via 172.0.0.1:3000

I set the ip in the Setup to 172.16.16.203:3000
The hostname ist ticket03.
I use the default copied zammad.conf (apache)


# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad
#

# security - prevent information disclosure about server version
ServerTokens Prod

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

#    SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
 #   SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem
  #  SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem
   # SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName localhost

    ## don't loose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy 127.0.0.1:3000>
      Require local
    </Proxy>

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /apple-touch-icon.png !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/

    # change this line in an SSO setup
    RequestHeader unset X-Forwarded-User

    # Use settings below if proxying does not work and you receive HTTP-Errror 404
    # if you use the settings below, make sure to comment out the above two options
    # This may not apply to all systems, applies to openSuse
    #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
    #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
              Require all granted
    </Directory>
</VirtualHost>


Im evaluating Zamad so it doesnt need HTTPS

Thank you very much in advance!!!

Matthias Dürre

Installed from package, not source

There might be different reasons (or a combination of them)

  • Your Apache webserver might not be running at all: I’m quite - but not completely - sure, that an SSL enabled VirtualHost w/o properly configuredand existing certificates (SSLCertificate... directives) will not start up. Use something like systemctl status apache2 to check if the service is running (the name of the service might be different, I’m not used to Ubuntu)
  • There is a local firewall in place which is blocking ports 80 and 443
  • Your port 80 (http) VirtualHost directive redirects to port 443 (https), which is most surely not working (missing certificates, see above). Either configure the certificates or make this a non-SSL VirtualHost and get rid of the first (port 80) VirtualHost block
  • Your default VirtualHost is not the one with Zammad

This are just a few idea and w/o being able to have a look at the whole system and the complete Apache configuration an analysis is hard to do :-). Also you don’t tell us what happens, if you try to reach it via the host IP? Is there an error message? A timeout?

Thank you!

-Can i comment this part further out?


<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

The firewall in my evaluation VM are by default disabled.
I think the apache is not really running, because i get errors when i want to start it.

My problem is, that i just wanted tu have a installation to test the features and have some collegues look and test the system too, because we need a on-prem ticket system in our company.

I couldnt restart the webserver by default following the guide, because i think the default copied config need the certificates set up. Maybe the Webserver needs some lines Commented out to use :80 but im not shure which.
So i tried apache instead of ngnix, because i know apache a bit longer.

I talked with a collegue and found out, that the guide for not using https is lacking information, what you need to set up in the config files.
i had the problem with first the default install with ngnix,because when i tried to restart the Server i get errors, because it could not find the paths/certificate files of the default copied config.
And i got stuck with ngnix and the letsencrypt part of the documentation, because i dont use an web address, because the zammad server only will be reacable in the local network.

I will try this config for apace - if its not posible i will reinstgall Zammad with ngnix and Self signed cert.


# this is an example apache 2.4 config for zammad
# Please visit https://docs.zammad.org for further input on how to configure
# your apache to work with Zammad
#

# security - prevent information disclosure about server version
ServerTokens Prod

#<VirtualHost *:80>
#    ServerName example.com
#    Redirect permanent / https://example.com
#</VirtualHost>

<VirtualHost *:80>
 #   SSLEngine on
  #  SSLProtocol all -SSLv2 -SSLv3
   # SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

#    SSLCertificateFile /etc/letsencrypt/live/example.com-0000/fullchain.pem
 #   SSLCertificateKeyFile /etc/letsencrypt/live/example.com-0000/privkey.pem
  #  SSLCertificateChainFile /etc/ssl/lets-encrypt-x3-cross-signed.pem
   # SSLOpenSSLConfCmd DHParameters /etc/ssl/dhparam.pem

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    ServerName ticket03

    ## don't loose time with IP address lookups
    HostnameLookups Off

    ## needed for named virtual hosts
    UseCanonicalName Off

    ## configures the footer on server-generated documents
    ServerSignature Off

    ProxyRequests Off
    ProxyPreserveHost On

    <Proxy 127.0.0.1:3000>
      Require local
    </Proxy>

    ProxyPass /assets !
    ProxyPass /favicon.ico !
    ProxyPass /apple-touch-icon.png !
    ProxyPass /robots.txt !
    ProxyPass /ws ws://127.0.0.1:6042/
    ProxyPass / http://127.0.0.1:3000/

    # change this line in an SSO setup
    RequestHeader unset X-Forwarded-User

    # Use settings below if proxying does not work and you receive HTTP-Errror 404
    # if you use the settings below, make sure to comment out the above two options
    # This may not apply to all systems, applies to openSuse
    #ProxyPass /ws ws://127.0.0.1:6042/ "retry=1 acque=3000 timeout=600 keepalive=On"
    #ProxyPass / http://127.0.0.1:3000/ "retry=1 acque=3000 timeout=600 keepalive=On"

    DocumentRoot "/opt/zammad/public"

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory "/opt/zammad/public">
        Options FollowSymLinks
              Require all granted
    </Directory>
</VirtualHost>



Documentation guy responsible here.
The documentation intentionally does help you zero with HTTP intentionally.

This is an unsafe configuration that we’re not helping any one with.
I’ve seen too many productive Zammad installations on HTTP on public interface by now.

Sorry that this is breaking your bone but it’s for the safety of our users / admins.

2 Likes

Thank you!
I can understand your reasons.
I reinstalled Zammad and are stuck with ngnix and the self signed certificate.
Do i have to comment the Lines with ssl_certificate_key and ssl_trusted_certificate out?
I created the dhparam.pem file.
I looked the docu here, but they use a diffrent approach i cant connect inm my head for my case.

I set this sytem for elaboration up.
The productive system will be only reachable via vpn.
We are a company with health related data of pacients and the privacy regulation is extreme strict.

So our Server cant never be reaced via Domain - only IP or Hostname and this is my problem now :laughing:

Thank you!

I have read this docu again and discovered, the code for gereating the self signed certificate generates two files.
I put the private key now in the config and the nginx now seems alsmost sadisfied:

…and everything seems finde now:

1 Like