Solve proxy_set_header via Traefik

I ran Zammad under a subdomain via Traefik.

After the first login, no further logins are possible; the message "CSRF Token verification failed" always appears.

According to the Zammad forum: https://community.zammad.org/t/fresh-install-3-2-x-csrf-token-verification-failed/3080/17
or
https://community.zammad.org/t/fresh-install-3-2-x-csrf-token-verification-failed/3080/20

I would have to add this to NGINX:

proxy_set_header X-Forwarded-Proto https;

My question is: can I also solve this via Traefik?

Hi,

Yes, you can add custom headers via Traefik:

https://docs.traefik.io/middlewares/headers/

In your case, try: - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto=https"

And use the middleware.

Thank you for your help

I have now tried to implement it as follows.
Even after 2-3 attempts with testHeader and the name of the middleware, I still get the error.

I have to admit that I still have problems with the names as in your example testHeader.

I will send you my 2 yml files; maybe with them you can help me better.

My docker-compose file:

version: "2"

services:

  traefik:
    image: traefik:v2.1
    container_name: Traefik
    command:
      - "--log.level=INFO"
      - "--api"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=infos@leder-stoffe-online.de"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"

    ports:
      - 80:80
      - 443:443
    volumes:
      - ./letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      traefik.enable: true

      # Routers
      traefik.http.routers.traefik.rule: Host(`traefik.leder-stoffe-online.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.tls.certresolver: myresolver
      traefik.http.routers.traefik.middlewares: traefik-auth

      # global redirect to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https

      # Middleware
      traefik.http.middlewares.traefik-auth.basicauth.removeheader: true
      traefik.http.middlewares.traefik-auth.basicauth.users: csaeum:$$1$$X[kMyb^l$$Npy/uslnNuMB4pK0focS00

      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

  portainer:
    image: portainer/portainer
    container_name: Portainer
    command: -H unix:///var/run/docker.sock
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    labels:
      traefik.enable: true

      # Routers
      traefik.http.routers.portainer.rule: Host(`portainer.leder-stoffe-online.de`)
      traefik.http.routers.portainer.entrypoints: websecure
      traefik.http.routers.portainer.tls.certresolver: myresolver
      traefik.http.routers.portainer.service: portainer_svc

      traefik.http.services.portainer_svc.loadBalancer.server.port: 9000

  zammad-backup:
    command: ["zammad-backup"]
    depends_on:
      - zammad-railsserver
    entrypoint: /usr/local/bin/backup.sh
    environment:
      - BACKUP_SLEEP=86400
      - HOLD_DAYS=10
      - POSTGRESQL_USER=${POSTGRES_USER}
      - POSTGRESQL_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    links:
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-backup:/var/tmp/zammad
      - zammad-data:/opt/zammad

  zammad-elasticsearch:
    environment:
      - discovery.type=single-node
    image: ${IMAGE_REPO}:zammad-elasticsearch${VERSION}
    restart: ${RESTART}
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data

  zammad-init:
    command: ["zammad-init"]
    depends_on:
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-postgresql
    restart: on-failure
    volumes:
      - zammad-data:/opt/zammad

  zammad-memcached:
    command: memcached -m 256M
    image: memcached:1.5.22-alpine
    restart: ${RESTART}

  zammad-nginx:
    command: ["zammad-nginx"]
    expose:
      - "80"
    depends_on:
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-railsserver
      - zammad-websocket
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-postgresql:
    environment:
      - POSTGRES_USER=${POSTGRES_USER}
      - POSTGRES_PASSWORD=${POSTGRES_PASS}
    image: ${IMAGE_REPO}:zammad-postgresql${VERSION}
    restart: ${RESTART}
    volumes:
      - postgresql-data:/var/lib/postgresql/data

  zammad-railsserver:
    command: ["zammad-railsserver"]
    depends_on:
      - zammad-memcached
      - zammad-postgresql
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-scheduler:
    command: ["zammad-scheduler"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-elasticsearch
      - zammad-memcached
      - zammad-postgresql
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

  zammad-websocket:
    command: ["zammad-websocket"]
    depends_on:
      - zammad-memcached
      - zammad-railsserver
    image: ${IMAGE_REPO}:zammad${VERSION}
    links:
      - zammad-postgresql
      - zammad-memcached
    restart: ${RESTART}
    volumes:
      - zammad-data:/opt/zammad

volumes:
  portainer_data:
  elasticsearch-data:
    driver: local
  postgresql-data:
    driver: local
  zammad-backup:
    driver: local
  zammad-data:
    driver: local

My docker-compose.override:

In the override file I also added the NGINX container.

version: '2'
services:

  zammad-backup:
    container_name: Zammad-Backup

  zammad-elasticsearch:
    container_name: Zammad-ElasticSearch

  zammad-init:
    container_name: Zammad-Init

  zammad-memcached:
    container_name: Zammad-MemCached

  zammad-postgresql:
    container_name: Zammad-PostgreSQL

  zammad-railsserver:
    container_name: Zammad-RailsServer

  zammad-scheduler:
    container_name: Zammad-Scheduler

  zammad-websocket:
    container_name: Zammad-WebSocket

  zammad-nginx:
    container_name: Zammad-NGINX
    labels:
      traefik.enable: true

      # Routers
      traefik.http.routers.zammad-nginx.rule: Host(`service.leather-fabrics-online.com`)
      traefik.http.routers.zammad-nginx.entrypoints: websecure
      traefik.http.routers.zammad-nginx.tls.certresolver: myresolver
      traefik.http.routers.zammad-nginx.service: zammad_svc

      traefik.http.services.zammad_svc.loadBalancer.server.port: 80

      traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto: https

The declaration of the middleware is fine, but you need to use it:

traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto: https
traefik.http.routers.zammad-nginx.middlewares: testHeader

You can check if the header is really passed with Firefox, for example.
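
A check for the mistake pointed out in this reply, a middleware declared in labels but not attached to any router, as an added example that is not part of the original thread. The function name `audit_middlewares` and the two label dictionaries are constructed for illustration from the override file posted above; comparing names exactly as written is an assumption.

```python
import re

# Label shapes taken from the compose files in this thread (Traefik v2 docker provider).
MW_DECL = re.compile(r"^traefik\.http\.middlewares\.([^.]+)\.", re.I)
MW_REF = re.compile(r"^traefik\.http\.routers\.([^.]+)\.middlewares$", re.I)


def audit_middlewares(labels):
    """Return (declared_but_unused, referenced_but_undeclared) middleware names."""
    declared, referenced = set(), set()
    for key, value in labels.items():
        decl = MW_DECL.match(key)
        if decl:
            declared.add(decl.group(1))
            continue
        if MW_REF.match(key):
            # A router may chain several middlewares, separated by commas.
            for ref in str(value).split(","):
                name, _, provider = ref.strip().partition("@")
                # Names with another provider suffix (e.g. @file) are defined
                # outside the labels, so they cannot be resolved here.
                if name and provider in ("", "docker"):
                    referenced.add(name)
    return sorted(declared - referenced), sorted(referenced - declared)


# Constructed sample: the zammad-nginx labels as first posted (middleware never attached).
BEFORE = {
    "traefik.enable": "true",
    "traefik.http.routers.zammad-nginx.entrypoints": "websecure",
    "traefik.http.routers.zammad-nginx.service": "zammad_svc",
    "traefik.http.services.zammad_svc.loadBalancer.server.port": "80",
    "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Forwarded-Proto": "https",
}

# Constructed sample: the same labels with the router line from the reply added.
AFTER = dict(BEFORE, **{"traefik.http.routers.zammad-nginx.middlewares": "testHeader"})

if __name__ == "__main__":
    for title, labels in (("before", BEFORE), ("after", AFTER)):
        unused, undeclared = audit_middlewares(labels)
        print(f"{title}: unused={unused} undeclared={undeclared}")
```
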

Ok I used it as you wrote it.
Under Traefik I can also see this in the HTTP menu.

But Zammad still doesn't let me log in.

I can't find a solution to this in the Zammad Forum.

How can I see in Firefox that it is really running properly? In the developer tools?

I also had the CSRF token verification error - took me a while to figure out what to do.
I wrote my solution here: