zammad / zammad-docker-compose

Zammad Docker images for docker-compose
https://hub.docker.com/r/zammad/zammad-docker-compose/
GNU Affero General Public License v3.0
273 stars 223 forks source link

Using own webserver/reverseproxy #345

Closed Appel-flappen closed 1 year ago

Appel-flappen commented 1 year ago

Hi,

I was wondering if there were any instructions for how to use your own webserver instead of the builtin nginx one? eg. what ports from which other containers, where does the websocket have to go to.

If it's fine however to just proxy the nginx one again, then that's fine, I can do that instead. I read in the documentation this may cause issues with CSRF authentication.

Thanks :)

bundabrg commented 1 year ago

I have mine behind haproxy.

The only thing I had to add was the following to .env:

NGINX_SERVER_SCHEME=https
RAILS_TRUSTED_PROXIES=['127.0.0.1', '::1', 'proxy_ip']

I also had to modify docker-compose.yml (or you could do the override one instead) to pass those variables in. IE for zammad-init:

  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    environment:
      - MEMCACHE_SERVERS=${MEMCACHE_SERVERS}
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASS=${POSTGRES_PASS}
      - REDIS_URL=${REDIS_URL}
      - RAILS_TRUSTED_PROXIES=${RAILS_TRUSTED_PROXIES}
    image: ${IMAGE_REPO}:${VERSION}
    restart: on-failure
    volumes:
      - zammad-data:/opt/zammad

and zammad-nginx

  zammad-nginx:
    command: ["zammad-nginx"]
    ports:
      - "8002:8080"
    depends_on:
      - zammad-railsserver
    environment:
      - NGINX_SERVER_SCHEME=${NGINX_SERVER_SCHEME}
    image: ${IMAGE_REPO}:${VERSION}
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

This tells it to trust headers from the proxy_ip and thus you will get proper IP's instead of everyone coming from the proxy ip.

I wouldn't bother trying another reverse proxy direct to the zammad ports and just use your own reverse proxy to reverse to the nginx one who then sends it correctly otherwise you'll get caught each time you update.

HTH

Appel-flappen commented 1 year ago

Ah that's perfect thank you!