NGINX Reverse Proxy for HTTPS

Dirk23 · April 5, 2019, 1:09pm

What may be the correct Config for a NGINX as reverseproxy for Zammad? I have config, wich allows me to open the Webfrontend, but the Chat is not working.

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name helpdesk2.ebel.local;
        server_name helpdesk.ebel.local;

        error_log  /var/log/nginx/helpdesk-error.log;
        access_log /var/log/nginx/helpdesk-access.log;

        ssl_certificate /etc/ssl/certs/helpdesk.ebel.local.pem;
        ssl_certificate_key /etc/ssl/private/helpdesk2.ebel.local.key.pem;
        include /etc/ssl/options-ssl-nginx.conf;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_verify_client off;

        # Set global proxy settings
        proxy_read_timeout      360;
        client_max_body_size 50M;

        location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
                expires max;
        }

        location /ws {
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header CLIENT_IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://172.30.0.35;
    }

        location / {
                proxy_set_header Host $http_host;
                proxy_set_header CLIENT_IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://172.30.0.35:8080;

                gzip on;
                gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
                gzip_proxied any;
        }
}

I guess the reason why the chat doesnt work, is because a wrong reverse Proxy config.

martin.von.wittich · April 5, 2019, 1:34pm

You’re using zammad-docker-compose? 172.30.0.35 is the IP of the host, and 8080 is the exposed port of the zammad-nginx container? In that case I’d say the configuration for /ws is wrong - it should probably point to port 8080 too.

You can use the browser debug console -> network to figure out whether Zammad can connect to the websocket. There should be a successful request to /ws after pressing F5, and there should be transmitted frames in there.

This is how I’ve configured Apache on our server for that purpose:

zammad.ourcompany.tld ~ # cat /root/zammad-docker-compose/docker-compose.override.yml 
version: '2'

services:
  zammad-nginx:
    ports:
      - "8080:80"
[...]

zammad.ourcompany.tld ~ # cat /etc/apache2/sites-enabled/zammad-https.conf              
<IfModule mod_ssl.c>                                                        
    <VirtualHost _default_:443>                         
        ServerAdmin webmaster@localhost                                      
                                                                                   
        ServerName zammad.ourcompany.tld                                
                                                                             
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.                  
        # It is also possible to configure the loglevel for particular
        # modules, e.g.             
        #LogLevel info ssl:warn       
                                     
        # Zammad                                                  
        # https://github.com/zammad/zammad/blob/develop/contrib/apache2/zammad.conf
                                                                              
        <Location />                                                                  
            ProxyPass http://localhost:8080/                                      
            ProxyPassReverse http://localhost:8080/             
        </Location>                                       
        <Location /ws>                                                              
            ProxyPass ws://localhost:8080/ws                                       
            ProxyPassReverse ws://localhost:8080/ws                               
        </Location>                                                                  
[...]

system · August 3, 2019, 1:41pm

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.