Zammad uses local IP of the reverse proxy Traefik instead of the client IP

Infos:

  • Used Zammad version: 5.3.0
  • Used Zammad installation type: docker-compose with Traefik as reverse proxy
  • Operating system: Debian
  • Browser + version: Librewolf / Chromium

Expected behavior:

Zammad shows in Sessions and e.g. mails for new logins the real user IP and not the IP of the reverse proxy.

Actual behavior:

The IP of the reverse proxy is shown.

This topic isn’t new I know and the reason for made nginx X-Forwarded-Proto scheme & rails trusted proxies configurable by monotek · Pull Request #166 · zammad/zammad-docker-compose · GitHub, also in this community is a bunch of topics regarding it but I tried everything mentioned there.

The skeleton required is IMO

services:
  zammad-init:
    environment:
      - RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1']
  zammad-nginx:
    environment:
      - VIRTUAL_HOST=helpdesk.domain.tld
      - NGINX_SERVER_SCHEME=https

Only when I add in the RAILS_TRUSTED_PROXIES the actual IP address of the reverse proxy (currently '192.168.192.2'), the client IP is used as expected. But this local IP is of the docker network and can change every know and then so this isn’t a solution here. I tried to add 'traefik' as mentioned in CSRF token verification failed · Issue #2829 · zammad/zammad · GitHub but this didn’t help but would be the solution IMO.

I also added the X-Forwarded-Proto header to Traefik as a test but that didn’t help either.

Do you have a hint to solve or further troubleshoot this issue?

The only workaround that comes into my mind is to use fixed IP addresses for your containers. That’s dirty but does the trick.

Yes, I have also thought about it, but since I have to do that for all containers, I would like to avoid that.

It works by CSRF token verification failed · Issue #2829 · zammad/zammad · GitHub as far as I understand by adding 'traefik' to the RAILS_TRUSTED_PROXIES because zammad-nginx connects to the reverse proxy Traefik on the instance of the author using the domain name (traefik). If I can force zammad-nginx to use on my instance the domain name of the reverse proxy too, this workaround will work for me too but do you know how I can tell zammad-nginx to use the domain name instead of the IP address? On my instance zammad-nginx connects to 192.168.192.2, would be awesome if I could instead use in my case traefik-1, then I can add traefik-1 to the RAILS_TRUSTED_PROXIES and I’m pretty sure it will work too.

I’m not sure if I understand your question correct.
But I guess the documentation should help you on that regard:
https://docs.zammad.org/en/latest/install/docker-compose/environment.html#nginx

If that no longer works I can’t tell. The compose was changed a lot by monotek in the last weeks and I wasn’t able to keep up.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.