Strato and https

Infos:

  • Used Zammad version: 3.6
  • Used Zammad installation source: DEB
  • Operating system: Ubuntu 18.04
  • Browser + version: Safari

Hello,
After 3 days now, I quit and need your help. First, I am not an Ubuntu crack or server nerd. I am just a user. We used OTRS in our organisation and got problems with the system, so we decided to change to Zammad. I migrated the system, so far so good. With HTTP everything is fine.

We use a Strato v-server and I don’t understand how to set up the system to use HTTPS. The certificate is also from Strato. The redirection with “return 301 https://$host$request_uri;” in the conf works fine, but the system doesn’t work on HTTPS.

What the f**** do I have to do to get this thing to work on Strato?

Thank you for your help

Sorry but I can’t follow and am afraid others can’t as well.
What I did understand:
You can reach Zammad’s Web-UI by using HTTP without issues, however, if you try it with HTTPS you can’t.

What I’m missing is:
What is the error message you get? What exactly does not work?

More input on your webserver configuration might help as well.

Presumably the return 301 line has gone in the /etc/nginx/sites-enabled/default file. I don’t remember how much is the standard setup and how much I configured, but I also have a /etc/nginx/sites-enabled/zammad.conf file that contains the https settings.

It doesn’t look like I made that from scratch, so I’m assuming it’s part of the default install. You may need to let us know exactly what sort of ‘not work’ you’re getting, but it’s likely you need to look at the certificate configuration in this zammad.conf file:

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

ssl_certificate /insert/certificate/file/path/here;
ssl_certificate_key /insert/key/file/path/here;
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

# replace 'localhost' with your fqdn if you want to use zammad from remote
server_name zammad.example.com;

The cipher list may not be standard, that’s just what I use. If you have a single pem file with certificate and key in, the two file names can be the same file. Restart nginx (systemctl restart nginx) when you’ve saved the file.
Edit: Make sure the certificate is somewhere secure (e.g. /etc/ssl/private/)

Edit2: the second listen line is only needed if you have IPv6 on the server.
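
The certificate and key paths named in a config like the one above can be checked before nginx is restarted: that the files exist, that the key is not world-accessible, and that the key belongs to the certificate. This script is an added example, not part of the original posts or of Zammad's packaging; the function names are illustrative and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the TLS lines of an nginx server block.
# Usage: sh check_tls.sh /etc/nginx/sites-enabled/zammad.conf

# Print the first value of a directive (e.g. ssl_certificate), ignoring comments.
conf_value() {
    sed -e 's/#.*//' "$2" |
        awk -v d="$1" '$1 == d { sub(/;$/, "", $2); print $2; exit }'
}

# Succeed only if "other" users have no permissions at all on the key file.
key_not_world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Succeed only if the certificate and the private key carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks against one config file; return non-zero on the first failure.
check_tls_conf() {
    cert=$(conf_value ssl_certificate "$1")
    key=$(conf_value ssl_certificate_key "$1")
    [ -r "$cert" ] || { echo "certificate not readable: $cert"; return 1; }
    [ -r "$key" ] || { echo "key not readable: $key"; return 1; }
    key_not_world_accessible "$key" ||
        { echo "key is world-accessible: $key"; return 1; }
    cert_matches_key "$cert" "$key" ||
        { echo "certificate and key do not match"; return 1; }
    echo "ok: $cert / $key"
}

# Only run the checks when a config path is given on the command line.
[ "$#" -eq 0 ] || check_tls_conf "$1"
```

Run it as root so the key file is readable, then follow it with `nginx -t` to validate the rest of the configuration before the restart.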

Have you changed from HTTP to HTTPS in the admin configuration in the web interface?

For comparison, my Nginx zammad.conf. Please be aware that I use Let’s Encrypt, but it should be nearly the same except the location of your key.

# this is the nginx config for zammad

upstream zammad-railsserver {
server 127.0.0.1:3000;
}

upstream zammad-websocket {
server 127.0.0.1:6042;
}

server {

# replace 'localhost' with your fqdn if you want to use zammad from remote
server_name ticket.domain.de;

# security - prevent information disclosure about server version
server_tokens off;

root /opt/zammad/public;

access_log /var/log/nginx/zammad.access.log;
error_log  /var/log/nginx/zammad.error.log;

client_max_body_size 50M;

location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
    expires max;
}

location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
}

location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 300;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
    gzip_proxied any;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/ticket.domain.de/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/ticket.domain.de/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = ticket.domain.de) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name ticket.domain.de;
return 404; # managed by Certbot

}
