NGINX reverse proxy on a different machine


  • Used Zammad version: 3.6
  • Used Zammad installation source: package
  • Operating system: UBUNTU 18
  • Browser + version: chrome

Expected behavior:

  • Login to zammad without CSRF token verification failed!

Actual behavior:

  • CSRF token verification failed! Can’t reconfigure reverse proxy to correct IP address

Steps to reproduce the behavior:

  • Follow tutorial to install on Ubuntu, configure reverse proxy on another machine

Hello community!
I am using an NGINX reverse proxy on a separate machine to serve my Zammad app (package, Ubuntu 18). I want to know how I can change Ruby's default listening IP address. I want to change it to the server's private IP address; otherwise my reverse proxy can't access localhost because it is not on the same machine. Here are my confs:

Nginx reverse proxy in another machine:

# this is the nginx config for zammad

upstream zammad-railsserver {
	server 192.168.xx.xx:3000; # Zammad Server Private IP
}

upstream zammad-websocket {
	server 192.168.xx.xx:6042; # Zammad Server Private IP
}

server {
	listen 443;

	# replace 'localhost' with your fqdn if you want to use zammad from remote
	server_name zammad.fqdn;

	# security - prevent information disclosure about server version
	server_tokens off;

	root /opt/zammad/public;

	access_log /var/log/nginx/zammad.access.log;
	error_log  /var/log/nginx/zammad.error.log;

	client_max_body_size 50M;

	location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
		expires max;
	}

	location /ws {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "Upgrade";
		proxy_set_header CLIENT_IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_read_timeout 86400;
		proxy_pass http://zammad-websocket;
	}

	location / {
		proxy_set_header Host $http_host;
		proxy_set_header CLIENT_IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		# Change this line in an SSO setup
		proxy_set_header X-Forwarded-User "";

		proxy_read_timeout 300;
		proxy_pass http://zammad-railsserver;

		gzip on;
		gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
		gzip_proxied any;
	}
}

# http redirect to https

server {
	listen 80;
	if ($host = {
		return 301 https://$host$request_uri;
	}
	return 404;
}


You’re looking for environment variables for Zammad:

A word of warning:
Ensure no user is able / allowed to directly talk to Zammad's application server for security reasons.
Always have a proxy in between.
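
An added example, not part of the thread or of Zammad's own code: after changing the bind address (for package installs, via the `ZAMMAD_BIND_IP` environment variable), this audits `ss -Hltn` output on the Zammad host and says how ports 3000 and 6042 from the config above are exposed. The sample socket lines and the address 192.168.10.20 are constructed for illustration.

```python
import ipaddress
import sys

# Application ports taken from the upstream blocks in the nginx config above.
ZAMMAD_PORTS = {3000: "railsserver", 6042: "websocket"}
WILDCARDS = {"*", "0.0.0.0", "::"}
ADVICE = {
    "loopback": "only reachable from this host; a proxy on another machine cannot connect",
    "wildcard": "listening on every interface; firewall it so only the proxy can connect",
    "specific": "bound to one address; still allow only the proxy through the firewall",
}

# Constructed sample of `ss -Hltn` output (state, queues, local addr, peer addr).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6042 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

def classify(host):
    """Return 'wildcard', 'loopback' or 'specific' for a bind address."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host in WILDCARDS:
        return "wildcard"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"
    except ValueError:
        return "specific"  # unparsable address: treat as a concrete bind

def audit(ss_output):
    """Map each Zammad port seen listening to a list of (address, verdict)."""
    findings = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ZAMMAD_PORTS:
            findings.setdefault(int(port), []).append((host, classify(host)))
    return findings

def report(findings):
    """One human-readable line per listening Zammad socket, sorted by port."""
    return [f"{ZAMMAD_PORTS[p]} {h}:{p} -> {ADVICE[v]}"
            for p in sorted(findings) for h, v in findings[p]]

if __name__ == "__main__":
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(audit(text))))
```

On the Zammad host, run it as `ss -Hltn | python3 audit.py` (the file name is arbitrary); run without piped input, it audits the constructed sample.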
