Zammad behind external Proxy

  • Used Zammad version: .3.0-1714727086.86c0f001.jammy
  • Used Zammad installation type: on-premise, NOT Docker!
  • Operating system: Ubuntu Server
  • Browser + version: Firefox, Safari, Chrome, Edge, …

Expected behavior:

  • I expect Zammad to not serve its own certificate and instead use the certificate created on our reverse proxy (nginx), which is hosted on its own machine and IP address.

Actual behavior:

  • Zammad serves its own certificate, therefore our clients don't trust it.

I suppose it’s a problem with my zammad.conf on the zammad-server.
(it does indeed contain a “listen 443” using its own self-signed certificate)

Question: What zammad.conf do I have to use so that Zammad does not serve a certificate on its own and just uses the Let's Encrypt certificate from our external reverse proxy?

Thanks!

I have a question: where does it serve the certificate? Website? E-mail?

What Proxy are you using?
When you mention your configuration, what current configuration are you using? Could you post it after redacting information?

1 Like

Of course! Thanks for the quick heads-up.

I am talking about the web interface/frontend/backend of Zammad.
Our users get the usual "The browser doesn't trust this certificate, do you want to continue? yada-yada".

Luckily I'm using the GitHub zammad.conf without any modifications except the ones that are to be redacted anyway (server name, IPs).

So here's the one I am currently using:
https://github_com/zammad/zammad/blob/develop/contrib/nginx/zammad_ssl.conf

Of course, there's a 443 block in it, which overrides my reverse proxy certificate.
I do know that this is obviously the issue.

Our reverse proxy forwards its legit certificate, Zammad "throws it away" because of its own 443 block and is therefore serving its own self-signed cert, as written in zammad_ssl.conf. So this works as intended.

So I tried the non-SSL zammad.conf in the hope that Zammad gets served using my reverse proxy's certificate:
https://github_com/zammad/zammad/blob/develop/contrib/nginx/zammad.conf

Which doesn't work at all.
I can't even connect to Zammad's interface anymore.

All I want is that Zammad just accepts the certificate which is forwarded through our reverse proxy.

Maybe this is worded poorly, so just give me another heads-up if my post isn't understandable.

Thanks!

Edit: We are using nginx (on a different machine) as a reverse proxy which serves a whole bunch of services to our users.

In my humble understanding I would presume a misconfiguration on the part of your proxy.

Technically, behind a proxy you don't need SSL on the Zammad side, or even a self-signed one is okay.

You just take all :80 and :443 from your proxy IP and, through the proxy manager, you point it to zammadIP on either :80 or :443.

Could it be that you access Zammad directly through its own IP?

For my working solution i needed to set the following:

- VIRTUAL_HOST=zammad.domain.com
- NGINX_SERVER_SCHEME=https

I used the Docker installation and have Traefik v3.0 as proxy manager, though. The nginx on the Zammad server runs on port 8080, which is where I point my Traefik.

So, are you telling me that in my use case I don't need a zammad.conf at all, since my reverse proxy does all the work?

You need to have it run without the proxy; the default config should work,
for example: zammad.internalhost.com

You then put the proxy with zammad.company.com or what you need.

Attention: for all internal URIs you have to check that under

https://zammad.company.com/#settings/system the FQDN is correctly set to zammad.company.com and the HTTP Type to https. This is needed by Zammad if it's behind a proxy.

This seems to be getting out of hand.
Double proxies, especially with WebSockets involved, are not trivial, and you should proceed with absolute care.

You claim that the Zammad vHost overwrites your second proxy's SSL certificate. That's the part that is already faulty. That is not possible. It means you communicate directly with Zammad instead of the actual proxy. I am very sure about that.

2 Likes
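To make the setup the replies above describe concrete (TLS terminated once, on the external proxy; the Zammad host reached over plain HTTP on :80; the FQDN/HTTP Type setting pointing at the public name), here is an added example of the vHost on the external nginx reverse proxy. It is not from this thread and not the Zammad project's contrib config; zammad.company.com, the internal address 10.0.0.20, the proxy's address 203.0.113.10 and the certificate paths are assumed placeholders.

```nginx
# Added example: TLS-terminating vHost on the EXTERNAL reverse proxy.
# Assumptions: public name zammad.company.com, Zammad host at 10.0.0.20
# running the plain (port 80, non-SSL) zammad.conf, certificates from certbot.

# Pass the client's Upgrade header through only when it is actually a
# WebSocket request (Zammad's /ws endpoint); plain requests keep "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name zammad.company.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name zammad.company.com;

    # Let's Encrypt certificate lives on this machine only; Zammad never sees it.
    ssl_certificate     /etc/letsencrypt/live/zammad.company.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zammad.company.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    client_max_body_size 50M;

    location / {
        # Plain HTTP to the Zammad host's own nginx (contrib zammad.conf, port 80).
        proxy_pass http://10.0.0.20:80;
        proxy_http_version 1.1;

        # Preserve the public host so links and redirects use zammad.company.com,
        # and tell Zammad the original request was HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket support (live updates); long timeout keeps idle sockets open.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 86400;
    }
}
```

With this in place the public DNS record for zammad.company.com must point at the proxy (203.0.113.10), not at 10.0.0.20; otherwise browsers connect straight to the Zammad host and get whatever that host's nginx serves, exactly as the reply above says. On the Zammad host, keep only the port-80 zammad.conf and restrict it to the proxy's address (for example `allow 203.0.113.10; deny all;` in the server block, or a firewall rule) so nobody can bypass the TLS termination, and set FQDN = zammad.company.com and HTTP Type = https under #settings/system so generated links and the WebSocket URL use the public name.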

Good point!
That seems to be true.
Mhhh, I gotta do some more digging.

It seems very reasonable that I am talking directly to Zammad's "proxy" and don't even go the route through our own.
Any idea how to check that? (traceroute, etc.)

How can I avoid speaking to Zammad's proxy? Delete the config in /etc/nginx/sites-available? Would that work?

I am sorry. I cannot cover fundamentals in system administration like DNS and such. Your DNS record most likely points to the Zammad server which does not seem to be what you want.

As I said, I can’t help with that really sorry.
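The question "how do I check that?" above has a simple answer in two commands: resolve the name and see which address comes back, then ask port 443 at that name for its certificate with SNI set. The script below is an added example, not something posted in the thread; the hostname zammad.company.com and the addresses 203.0.113.10 (proxy) and 10.0.0.20 (Zammad host) are assumed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): tell whether a name actually reaches
# the external reverse proxy or the Zammad host directly, and whose certificate
# a browser would receive. Placeholders: zammad.company.com, 203.0.113.10
# (proxy), 10.0.0.20 (Zammad host).
set -eu

# Resolve a hostname to its addresses (space separated), like a client would.
resolve() {
    getent ahosts "$1" | awk '{print $1}' | sort -u | tr '\n' ' '
}

# classify_target RESOLVED_ADDRS PROXY_IP ZAMMAD_IP
# Prints "proxy" if every resolved address is the proxy, "direct" if the name
# points at the Zammad host (bypassing TLS termination), "unresolved" if the
# lookup returned nothing, and "mixed" for anything else (round-robin records
# that include both, or an address that is neither).
classify_target() {
    resolved="$1"; proxy_ip="$2"; zammad_ip="$3"
    hit_proxy=0; hit_zammad=0; hit_other=0
    for addr in $resolved; do
        if [ "$addr" = "$proxy_ip" ]; then hit_proxy=1
        elif [ "$addr" = "$zammad_ip" ]; then hit_zammad=1
        else hit_other=1
        fi
    done
    if [ -z "$resolved" ]; then
        echo unresolved
    elif [ "$hit_proxy" -eq 1 ] && [ "$hit_zammad" -eq 0 ] && [ "$hit_other" -eq 0 ]; then
        echo proxy
    elif [ "$hit_zammad" -eq 1 ] && [ "$hit_proxy" -eq 0 ] && [ "$hit_other" -eq 0 ]; then
        echo direct
    else
        echo mixed
    fi
}

# Show subject and issuer of the certificate served for NAME on port 443.
# -servername matters: the proxy selects the certificate by SNI, so a bare
# IP-only connection can show a different (default/self-signed) cert.
cert_served_for() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

main() {
    name="$1"; proxy_ip="$2"; zammad_ip="$3"
    addrs="$(resolve "$name")"
    echo "$name resolves to: $addrs"
    echo "verdict: $(classify_target "$addrs" "$proxy_ip" "$zammad_ip")"
    echo "certificate presented for $name:"
    cert_served_for "$name"
}

# Usage: sh check_zammad_proxy.sh zammad.company.com 203.0.113.10 10.0.0.20
if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

A "direct" verdict is the situation diagnosed in the last reply: the DNS record points at the Zammad server, so its nginx answers with the self-signed certificate regardless of what the proxy holds. If the verdict is "proxy" but the issuer line still shows the self-signed cert, the proxy itself is serving the wrong certificate for that SNI name; a Let's Encrypt issuer confirms termination is happening where intended.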