Hey everyone, hope all is well! I just wanted to share here the way that I was able to properly install Zammad on a server running Plesk after running into the CSRF error. My problem was actually the same one described here (CSRF token verification failed and Session invalid) where I could install everything, set it up, and then after the first time I logged out it would not allow me to log back in and I’d get that CSRF error. In my troubleshooting, I also ran across several other topics:
- Zammad 6.0 behind Nginx Reverse Proxy
- Swag Nginx Reverse Proxy - #2 by Floris
- User Login - CSRF token verification failed!
I installed Zammad 6.5.0 on a Digital Ocean droplet running Plesk 18.0.62 on Ubuntu 22.04. The installation method was using Zammad’s Docker Compose repository and deploying with Portainer.
Plesk has a Docker extension, and within that docker extension is a useful shortcut to install Portainer through the Plesk interface. I used that to install Portainer. After the initial install I could not access it through the normal port, and eventually I found out that if I returned to that same page, the button to ‘Install Portainer’ actually changed to a button to ‘Open Portainer’ and I could access it that way.
Once that was done, I installed Zammad using their instructions (linked above) with absolutely no deviations. I then used Plesk’s method for setting up a reverse proxy to Docker which uses nginx as a reverse proxy. Once that was done, I was able to access the installation and set it up completely.
This is where the trouble came. I set everything up, logged out to set up some API keys for other users I had made, and all of a sudden I could not log back in. I received the CSRF error. Oddly, it seemed like websockets were working absolutely fine even though other topics on CSRF led me to believe they’d be related. And, nothing that I read in any of the topics I linked above was helping.
By inspecting my browser panel I noticed one major difference between it and the install in my dev environment, which was that I was not able to keep a session cookie after logging out. I would never receive another one. I tried reinstalling several times, and installing different versions, but no luck.
It was actually the first topic I linked that helped start to lead me down the right path, and just some lucky tinkering. I started to inspect the vhost configuration for my domain to see how it set up the reverse proxy. This is what it generated:
```nginx
location ~ ^/.* {
    proxy_pass http://0.0.0.0:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
}
```
After much testing, I found the following to work:
```nginx
location / {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080;
}
```
The main differences here were:
- The order of items. I copied what I found in Zammad’s own configuration files. I’m not sure if this mattered.
- The first line, `location ~ ^/.* {` vs `location / {`. That pattern in the location block opening. As I changed this, some things would stop and start working. It might not have ultimately been the cause of the problem but I do think this was important to have this way.
- The `proxy_pass` setting being `proxy_pass http://0.0.0.0:8080;` vs `proxy_pass http://127.0.0.1:8080;`. This is another one I’m not sure mattered.
- The addition of the line `proxy_set_header X-Forwarded-Ssl on;`. This, I think, was the most important thing. You might be able to get it to work with just adding that line.
I couldn’t find any way to change that configuration that would be created by using Plesk’s built-in Docker Proxy Rules interface. So, I ended up having to remove that setting entirely. Then, under ‘Hosting and DNS’ for the domain, I went into ‘Apache & Nginx Settings’ and unchecked “Proxy Mode” (proxies nginx to Apache), and added the block listed above under ‘Additional nginx directives’. It may not have mattered, but I also turned off PHP for the domain entirely and changed a few other settings that I thought were unnecessary for such a situation.
I hope this helps anyone that may run into the same problems! I’m very excited to use Zammad; it’s for my ministry, and I’ve had trouble using other open-source options in the past. This seems like such a good project; thank you developers and everyone working on it!
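An added example, not part of the original post and not Zammad or Plesk code: a small Python check that parses a `location` block and reports which of the differences between the two blocks above are still present (the location pattern, the `proxy_pass` address and `X-Forwarded-Ssl` that the post lists, plus the `X-Forwarded-Proto` change visible in the blocks). The function names and finding labels are made up for this example, and the post itself is unsure which of these differences actually mattered.

```python
import re

# The two location blocks from the post, embedded verbatim as sample input.
PLESK_GENERATED = """location ~ ^/.* {
proxy_pass http://0.0.0.0:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
}"""
WORKING = """location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}"""

def parse_location(text):
    """Return (match expression, {directive: [argument strings]}) for one block."""
    m = re.search(r"location\s+(.*?)\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no location block found")
    directives = {}
    for stmt in m.group(2).split(";"):
        parts = stmt.split(None, 1)
        if len(parts) == 2:
            directives.setdefault(parts[0], []).append(parts[1].strip())
    return m.group(1), directives

def audit(text):
    """List the differences from the working block that this block still has."""
    match, d = parse_location(text)
    pairs = (arg.split(None, 1) for arg in d.get("proxy_set_header", []))
    headers = {name.lower(): value.strip('"') for name, value in pairs}
    checks = [  # labels are hypothetical names chosen for this example
        ("regex-location", match.startswith("~")),
        ("proxy-pass-0.0.0.0", "//0.0.0.0" in d.get("proxy_pass", [""])[0]),
        ("forwarded-proto-not-fixed-https", headers.get("x-forwarded-proto") != "https"),
        ("missing-x-forwarded-ssl", headers.get("x-forwarded-ssl") != "on"),
    ]
    return [label for label, hit in checks if hit]
```

Calling `audit()` on the text pasted under ‘Additional nginx directives’ returns an empty list when the block matches the working configuration on all four points.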