Zammad 6.0 behind Nginx Reverse Proxy

Just upgraded to Zammad 6.0.
Everything works fine, but the Mobile View has some errors. I can’t comment anything and it shows “connection lost”.

Edge tells me:

action_cable.js:197 WebSocket connection to 'wss://support.domain.com/cable' failed:

I put the code inside the working conf and restarted nginx:

location /cable {
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "Upgrade";
  proxy_set_header CLIENT_IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_read_timeout 86400;
  proxy_pass http://1.2.3.4:3000;
}

But this seems to be ignored or does not work.

The order of the directives may be relevant, see the original file here:

Also, unless you’re using super specific custom configurations and installation methods (which is hard to tell because you didn’t provide information about your environment), you should use the default proxy_pass to reduce maintenance on your configuration file.

So Ports 3000 and 6042 TCP have to be opened to outside?
Until now, I just used 443.

How am I supposed to tell with the information you provided?

I am sorry, what information do you need?
I installed Zammad 5.X 2 years ago with default configurations, didn’t change any port, and used the Reverse Proxy without the upstream 3000 and upstream 6042. Everything runs fine but the new mobile view.

Just use the example config provided /opt/zammad/contrib/nginx/zammad_ssl.conf and change servername and certificate paths accordingly, maybe also ssl settings if you want to add more backward compatibility.

As you can see here:

upstream zammad-railsserver {
  server 127.0.0.1:3000;
}

Those ports you mentioned are not needed from external, they are used locally.


Ah OK, so this is the nginx webserver config, not a nginx reverse Proxy Config.
I will give it a try.

I tried the default configuration, it did not work. Same Error.

Just to be sure: you copied the config file to /etc/nginx/conf.d/ and replaced your old zammad.conf in this location, right? And afterwards you entered nginx -s reload or restarted the server?
If you just edit it in the contrib folder I mentioned above you did nothing to the running config.


I just realized that I have to do this on the Zammad Server, not the Reverse Proxy.
My Fault, everything is fine now.


It is not working :frowning:

Operating System is Ubuntu 20.04.6 LTS

Zammad.conf was updated in etc/nginx/sites-available.zammad.conf

#
# this is an example nginx config for using SSL with zammad
# this can be adjusted to be used with self-signed, trusted ca and letsencrypt certs
# this example uses letsencrypt certs. replace all occurrences of example.com with your domain
# If using LetsEncrypt create letsencrypt certificate by: certbot certonly --webroot -w /var/www/html -d www.example.com
# create dhparam.pem by: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
# download LetsEncrypt x3 certificate by: wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -P /etc/nginx/ssl
# you can test your ssl configuration @ SSL Server Test (Powered by Qualys SSL Labs)
#

upstream zammad-railsserver {
  server 127.0.0.1:3000;
}

upstream zammad-websocket {
  server 127.0.0.1:6042;
}

server {
  listen 80;
  listen [::]:80;

  server_name SERVERNAME_DELETED;

  # security - prevent information disclosure about server version
  server_tokens off;

  access_log /var/log/nginx/zammad.access.log;
  error_log /var/log/nginx/zammad.error.log;

  location /.well-known/ {
    root /var/www/html;
  }

  return 301 https://$server_name$request_uri;

}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name SERVERNAME_DELETED;

  # security - prevent information disclosure about server version
  server_tokens off;

  ssl_certificate /etc/nginx/ssl/certificate.pem;
  ssl_certificate_key /etc/nginx/ssl/key.pem;

  ssl_protocols TLSv1.2;

  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  ssl_prefer_server_ciphers on;

  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 180m;

  ssl_stapling on;
  ssl_stapling_verify on;

  ssl_trusted_certificate /etc/nginx/ssl/lets-encrypt-x3-cross-signed.pem;

  resolver 8.8.8.8 8.8.4.4;

  add_header Strict-Transport-Security "max-age=31536000" always;

  location = /robots.txt  {
    access_log off; log_not_found off;
  }

  location = /favicon.ico {
    access_log off; log_not_found off;
  }

  root /opt/zammad/public;

  access_log /var/log/nginx/zammad.access.log;
  error_log  /var/log/nginx/zammad.error.log;

  client_max_body_size 50M;

  location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
    expires max;
  }

  # legacy web socket server
  location /ws {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-websocket;
  }

  # action cable
  location /cable {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 86400;
    proxy_pass http://zammad-railsserver;
  }

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header CLIENT_IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # change this line in an SSO setup
    proxy_set_header X-Forwarded-User "";

    proxy_read_timeout 180;
    proxy_pass http://zammad-railsserver;

    gzip on;
    gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
    gzip_proxied any;
  }
}

Grep the production log for errors, there is certainly more information, and check the listening ports:

#: lsof -i -P -n | grep LISTEN

add above lines (/cable) to the following file:

#: /etc/nginx/sites-available/zammad.conf

restart nginx and zammad-web

#: systemctl restart nginx zammad-web

if you have a proxy entry for WAN connection, check that noproxy is entered for internal ports.
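
The point made in this thread that ports 3000 and 6042 are only used locally can be checked from the `lsof -i -P -n | grep LISTEN` output suggested above. The function below is an added example, not part of any post and not Zammad's own tooling; the function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: the sample data below is constructed, not taken from the thread.
# Real use: lsof -i -P -n | grep LISTEN | check_backend_binds

# Reads lsof LISTEN lines on stdin and reports whether the two backend ports
# from the example config (3000 railsserver, 6042 websocket) are bound to
# loopback only. Exit status is non-zero if one is exposed or not listening.
check_backend_binds() {
  awk '
    BEGIN { want["3000"] = "railsserver"; want["6042"] = "websocket"; bad = 0 }
    $NF == "(LISTEN)" {
      name = $(NF - 1)                      # 127.0.0.1:3000, *:443, [::1]:3000
      port = name; sub(/^.*:/, "", port)    # keep text after the last colon
      addr = name; sub(/:[0-9]+$/, "", addr)
      if (!(port in want)) next
      seen[port] = 1
      if (addr ~ /^127\./ || addr == "[::1]") {
        printf "%s %s loopback-only (%s)\n", port, want[port], addr
      } else {
        printf "%s %s EXPOSED on %s\n", port, want[port], addr
        bad = 1
      }
    }
    END {
      for (p in want) if (!(p in seen)) {
        printf "%s %s not listening\n", p, want[p]; bad = 1
      }
      exit bad
    }'
}

# Constructed sample: nginx on 443, both backends bound to 127.0.0.1.
sample_ok() {
  cat <<'EOF'
nginx  812 root   6u IPv4 23456 0t0 TCP *:443 (LISTEN)
nginx  812 root   7u IPv6 23457 0t0 TCP [::]:443 (LISTEN)
ruby  1201 zammad 9u IPv4 30111 0t0 TCP 127.0.0.1:3000 (LISTEN)
ruby  1230 zammad 8u IPv4 30222 0t0 TCP 127.0.0.1:6042 (LISTEN)
EOF
}

# Constructed sample: same host, but the rails server bound to all interfaces.
sample_exposed() {
  sample_ok | sed 's/127\.0\.0\.1:3000/*:3000/'
}

sample_exposed | check_backend_binds || echo "review backend bind addresses"
```
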

Thank you for your fast reply.

#: lsof -i -P -n | grep LISTEN
Where to insert this line?

This is production log:

Ensure that you’re using exactly one FQDN (not several like IP plus domain based access) and that your FQDN plus HTTP type (https / http) is set correctly. Your issue indicates a configuration issue.
