Be able to use reverse / SSL proxy #51

Closed
t3easy opened this issue Oct 10, 2017 · 29 comments
@t3easy
Contributor

t3easy commented Oct 10, 2017

Infos:

  • Docker version: 17.09
  • Docker-compose version: 1.16.1
  • Operating system (Docker host): Ubuntu 16.04

Expected behavior:

  • Run zammad with a reverse proxy like jwilder/nginx-proxy

Actual behavior:

  • The docker-compose.yml maps container port 80 to host port 80
  • It's not possible to map a port twice

Steps to reproduce the behavior:

  • Start a reverse proxy that maps port 80 and 443 and then start zammad

Possible solution

If you're ok with this I could prepare a PR.

@waja
Contributor

waja commented Oct 10, 2017

You can also do something like this (like I did) in a docker-compose.prod.yml and use the existing nginx image:

version: '3.3'

services:

  zammad-nginx:
    ports:
      - "443:443"
    volumes:
      - "/srv/docker/zammad/container.conf/nginx-zammad.conf:/etc/nginx/conf.d/zammad.conf:ro"
      - "/etc/ssl/certs/zammad.pem:/etc/ssl/certs/zammad.pem:ro"
      - "/etc/ssl/private/zammad.key:/etc/ssl/private/zammad.key:ro"

You just need to provide your own nginx-zammad.conf and the crypto files. You can also use some letsencrypt container to create/renew your crypto files.

@t3easy
Contributor Author

t3easy commented Oct 10, 2017

@waja Yes, but not if you have a fat docker host with multiple web services on it.

@t3easy
Contributor Author

t3easy commented Oct 10, 2017

Main problem is, that you can't remove an option with an override file:
docker/compose#3729

@waja
Contributor

waja commented Oct 10, 2017

> Main problem is, that you can't remove an option with an override file: docker/compose#3729

Yes ... In this case you need to adjust the docker-compose.yml itself, which might be a pita.

t3easy added a commit to t3easy/zammad-docker-compose that referenced this issue Oct 10, 2017
Moving the port mapping to an override file makes it possible to easily use a reverse proxy for production.
This is necessary because it is not possible to remove a property with an override file.
See https://docs.docker.com/compose/extends/#understanding-multiple-compose-files

Resolves: zammad#51
t3easy added a commit to t3easy/zammad-docker-compose that referenced this issue Oct 19, 2017
@waja
Contributor

waja commented Oct 22, 2017

@t3easy Which proxy are you using in front of zammad and how do you route to the zammad-websocket and zammad-railsserver container? Running a container outside the zammad stack you can't use the container names (like in the zammad-nginx nginx config), or am I wrong?

@sandrodz

I had the same issue a while back: #18

@t3easy thanks!

@t3easy
Contributor Author

t3easy commented Oct 22, 2017

ATM I use the alpine tag of https://hub.docker.com/r/jwilder/nginx-proxy/ therefore the VIRTUAL_HOST var in my example. https://github.com/zammad/zammad-docker-compose/pull/57/files. I don’t route anything to websocket or railsserver because that’s the job of the shipped nginx.

@sandrodz

sandrodz commented Oct 22, 2017

I'm using the same alpine (nginx-proxy) image, I updated zammad from 1.4 and your example helped.

@t3easy
Contributor Author

t3easy commented Oct 22, 2017

If you have proposals for my example, please comment on my PR or send a PR to the branch of my fork. :)

@waja
Contributor

waja commented Oct 22, 2017

I'm actually looking into caddy as it has included LE and HTTP/2 support. Routing against the nginx in this case might not be an issue in the first place because nobody needs to know the real client IP, but chaining up HTTP proxies might get complicated at some point.

@monotek
Member

monotek commented Oct 22, 2017

If you're looking for a proxy https://traefik.io is maybe also worth a look ;-)

@doludizgin

Should I remove the zammad-nginx container then?

Or does traefik take over the port 80?

@monotek
Member

monotek commented Jan 10, 2018

I think this would work if you configure the proxy to also handle the websocket stuff but it should be easier to keep the nginx part and just proxy port 80...

@doludizgin

Will this not conflict with the zammad-nginx port 80?

@monotek
Member

monotek commented Jan 10, 2018

@doludizgin

OK, so let's say I change that to 8080:8080, I let traefik do the reverse to 443 to 8080 with SSL?

@monotek
Member

monotek commented Jan 10, 2018

Yes, but you have to use 8080:80, as the nginx config uses 80 internally.

@t3easy
Contributor Author

t3easy commented Jan 11, 2018

@doludizgin If you use a proxy, you don't have to map port 80 of zammad-nginx service to any port of your host.
The proxy will connect to the zammad-nginx over an internal docker network.
Just load your own override.yml instead of the docker-compose.override.yml.
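
The merge behaviour this thread revolves around (docker/compose#3729), as an added example that is not part of the original issue or of the zammad project's code: a simplified Python model of how Compose combines a base file with an override file, covering only multi-value options such as `ports` (concatenated), keyed options such as `environment` (merged per key) and single-value options (replaced). It shows that a port published in the base file stays published on the host even when a proxy override is loaded, so the backend remains reachable without passing through the SSL proxy, while the layout from the fix leaves nothing published. The image name, the `VIRTUAL_HOST` value and all function names are constructed for illustration.

```python
# Added example: simplified model of Compose's multi-file merge, limited to
# the option kinds discussed in this thread. All service data is constructed.

CONCATENATED = {"ports", "expose", "dns"}  # multi-value options: lists are appended
KEYED = {"environment", "labels"}          # merged per key, the override wins


def to_mapping(entries):
    """Accept either a dict or a list of 'KEY=value' strings."""
    if isinstance(entries, dict):
        return dict(entries)
    return dict(item.split("=", 1) for item in entries)


def merge_service(base, override):
    """Combine one service definition from a base file with its override."""
    merged = dict(base)
    for key, value in override.items():
        if key in CONCATENATED:
            # Base entries always survive; an override can only add to them.
            merged[key] = list(base.get(key, [])) + list(value)
        elif key in KEYED:
            merged[key] = {**to_mapping(base.get(key, {})), **to_mapping(value)}
        else:
            merged[key] = value  # single-value options are replaced
    return merged


def published_ports(service):
    """Return short-syntax port entries that bind a host port (HOST:CONTAINER)."""
    return [p for p in service.get("ports", []) if ":" in str(p)]


# Layout before the fix: the base file itself publishes port 80.
old_base = {"image": "zammad-nginx-image", "ports": ["80:80"]}
# Layout after the fix: no ports in the base file, the default override adds them.
new_base = {"image": "zammad-nginx-image"}
default_override = {"ports": ["80:80"]}
# Override for use behind a proxy: tries to clear the ports with an empty list.
proxy_override = {"environment": ["VIRTUAL_HOST=helpdesk.example.test"], "ports": []}

if __name__ == "__main__":
    # Old layout: the empty list cannot remove the base mapping.
    print(published_ports(merge_service(old_base, proxy_override)))
    # New layout with the default override: port 80 is published as before.
    print(published_ports(merge_service(new_base, default_override)))
    # New layout with the proxy override: nothing is published on the host.
    print(published_ports(merge_service(new_base, proxy_override)))
```
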

@doludizgin

Can you help me with the override? So I remove the ports in the override and just install nginx reverse proxy that will automatically connect to the port 80 of zammad?

@t3easy
Contributor Author

t3easy commented Jan 11, 2018

@doludizgin

I changed the virtualhost settings, copied the file and ran the command on the page, but I get this error.

sudo docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
ERROR: Version mismatch: file ./docker-compose.yml specifies version 2.0 but extension file ./docker-compose.prod.yml uses version 3.3

Can I just change the version then?

@t3easy
Contributor Author

t3easy commented Jan 11, 2018

Yes. @monotek changed the docker-compose file version, but not in the examples. I'll send a PR...
Yes, you can change the version.

@t3easy
Contributor Author

t3easy commented Jan 11, 2018

@doludizgin Did you get it to run?
I've seen that compose v2 may have a problem with the external network...
https://docs.docker.com/compose/compose-file/compose-file-v2/#external-1

> Not supported for version 2 docker-compose files. Use network_mode instead.

@monotek
Member

monotek commented Jan 11, 2018

@doludizgin
Update first to get the most recent version of all files and images.

  • docker-compose stop
  • git pull
  • docker-compose pull
  • do your proxy changes
  • docker-compose start

@doludizgin

I am unable to create a connection now:

docker-compose.prod.yml

  zammad-nginx:
    environment:
      - VIRTUAL_HOST=ticket.sdfsdf.sdf.nl
    networks:
      - default
      - proxy_2_zammad

networks:
  proxy_2_zammad:
    external:
      name: proxy_2_apps

docker-compose.override.yml

version: '3'
services:
  zammad-nginx:
    ports:
      - "8080:80"

@hashwagon

@doludizgin Did you ever get this working?

@t3easy
Contributor Author

t3easy commented Sep 6, 2018

@hashwagon
I run this stack behind Traefik now.
I had to change the version of the docker-compose.yml to 3.5 and my override file is:

version: '3.5'
services:
  zammad-nginx:
    networks:
    - default
    - frontend
    labels:
      traefik.enable: "true"
      traefik.docker.network: ${FRONTEND_NETWORK}
      traefik.frontend.rule: Host:${VHOST}

networks:
  frontend:
    external: true
    name: ${FRONTEND_NETWORK}

and my .env

# don't forget to add the minus before the version
# example: VERSION=-2.1.0-13
IMAGE_REPO=zammad/zammad-docker-compose
VERSION=-2.6.0-XX
RESTART=always
FRONTEND_NETWORK=frontend
VHOST=helpdesk.mydomain.tld

I use the following project as frontend:
https://github.com/t3easy/docker-frontend

@raffisweb

Hi there, does anybody have a step-by-step instruction for traefik?

@MrGeneration
Member

@raffisweb please don't recycle closed issues.
As Traefik is not an officially supported application on our end, there are no official step-by-step instructions.

It's out of scope of the application Zammad.
However, this community post might help you:

https://community.zammad.org/t/docker-treafik-csrf-token-validation-failed/4144
